
How do I fix this LDAP SSL error, “java.security.cert.CertificateException No subject alternative names present”, in Websphere Application Server?

Question & Answer


Question

After upgrading WAS, I am unable to start the server. We are getting the following error in SystemOut.log:

com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E The 'javax.naming.CommunicationException: myldap.austin.ibm.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present]' naming exception occurred during processing.
    at com.ibm.ws.wim.adapter.ldap.LdapConnection.getDirContext(LdapConnection.java:1880)
    at com.ibm.ws.wim.adapter.ldap.LdapConnection.search(LdapConnection.java:3136)
    at com.ibm.ws.wim.adapter.ldap.LdapConnection.checkSearchCache(LdapConnection.java:3104)
    at com.ibm.ws.wim.adapter.ldap.LdapConnection.search(LdapConnection.java:3294)
    at com.ibm.ws.wim.adapter.ldap.LdapConnection.searchEntities(LdapConnection.java:3515)
    at com.ibm.ws.wim.adapter.ldap.LdapAdapter.login(LdapAdapter.java:3133)
    at com.ibm.ws.wim.ProfileManager.loginImpl(ProfileManager.java:3859)

Cause

As stated in the Oracle release notes:

https://www.oracle.com/technetwork/java/javase/8u181-relnotes-4479407.html

Endpoint identification has been enabled on LDAPS connections. To improve the robustness of the LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default. Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification. Define this system property (or set it to true) to disable endpoint identification algorithms.

The javax.net.ssl.SSLHandshakeException / java.security.cert.CertificateException raised while connecting to the LDAP server is not a defect in Java security. With this update, the JNDI LDAP provider asks JSSE to perform endpoint identification: it checks that the host name (or IP address) that WebSphere connected to appears in the LDAP server certificate's subject alternative name (SAN) entries, or, when the certificate carries no subject alternative names, in its subject common name (CN). The CN fallback applies only to host names; a connection made by IP address needs an iPAddress SAN entry. If the server certificate does not satisfy that check, the exception is thrown. Before this update the LDAP provider did not request host name verification from JSSE, so a non-compliant server certificate caused no error, and a certificate issued for a different host would have been accepted silently.

JVMs impacted:

Java 6 SR16 FP 70

Java 626 SR8 FP 70

Java 7.0 SR10 FP 30

Java 727 SR4 FP 30

Java 8 SR5 FP 20

Answer

To resolve the issue, either correct the certificate (the solution) or turn the check off (the workaround):

Solution:

  1. Regenerate the LDAP server certificate so that its subject alternative name (SAN) entries, or, if it has no SAN, its subject common name (CN), match the host name WebSphere uses to connect to the LDAP server (the host configured for the LDAP repository). If WebSphere connects by IP address, the certificate must carry that address as an iPAddress SAN entry, because the CN is not consulted for IP targets.

Workaround:

  2. Disable endpoint identification by setting the system property com.sun.jndi.ldap.object.disableEndpointIdentification=true on each JVM that connects to LDAP.
 

The result is an SSLHandshakeException because the certificate does not match the host name that WebSphere connected to. The flag com.sun.jndi.ldap.object.disableEndpointIdentification reverts to the old behaviour, but it switches host name verification off for every LDAPS connection made by that JVM: the JVM will then accept any certificate that chains to a trusted CA, no matter which host it was issued for, which is exactly what host name verification exists to prevent. Because of that, the flag is not a recommended solution. IBM recommends that you fix the certificate on the LDAP server side and use the flag only until the certificate has been replaced.
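To make the rule from the Cause section and the certificate requirements in the Solution concrete, here is an added example that models the endpoint identification check. It is not IBM's code and is not part of this technote; the matching rules and exception messages follow OpenJDK's sun.security.util.HostnameChecker, which is assumed to be the behaviour the IBM SDK applies (the IBM JSSE provider may word its messages differently), and every certificate and host name in it is constructed for illustration.

```python
"""Added example: a model of JSSE endpoint identification for LDAPS.

Not IBM's code.  The matching rules follow OpenJDK's
sun.security.util.HostnameChecker (assumed to be what the IBM SDK
applies; the IBM JSSE provider may word its messages differently):
  * a DNS target is compared with the SAN dNSName entries; when the
    certificate has at least one dNSName the CN is never consulted
  * only a certificate with no dNSName entries falls back to the CN
  * an IP-address target must match a SAN iPAddress entry; there is
    no CN fallback, and a certificate with no SAN at all produces
    "No subject alternative names present"
  * a wildcard covers a single label and only in the left-most position
All certificates and host names below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


class CertificateException(Exception):
    """Stands in for java.security.cert.CertificateException."""


@dataclass
class ServerCert:
    """The only parts of an X.509 certificate that endpoint identification reads."""
    cn: Optional[str]                                        # subject common name
    dns_names: List[str] = field(default_factory=list)       # SAN dNSName entries
    ip_addresses: List[str] = field(default_factory=list)    # SAN iPAddress entries


def _is_ip(target: str) -> bool:
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def _dns_matches(expected: str, name: str) -> bool:
    expected, name = expected.lower().rstrip("."), name.lower().rstrip(".")
    if name.startswith("*."):
        # "*.austin.ibm.com" matches "myldap.austin.ibm.com" but not
        # "austin.ibm.com" or "a.b.austin.ibm.com"
        return "." in expected and expected.split(".", 1)[1] == name[2:]
    return expected == name


def check_endpoint(target_host: str, cert: ServerCert) -> None:
    """Raise CertificateException exactly where the Java checker would."""
    if _is_ip(target_host):
        if not cert.dns_names and not cert.ip_addresses:
            raise CertificateException("No subject alternative names present")
        wanted = ipaddress.ip_address(target_host)
        if not any(ipaddress.ip_address(ip) == wanted for ip in cert.ip_addresses):
            raise CertificateException(
                f"No subject alternative names matching IP address {target_host} found")
        return
    if cert.dns_names:
        if any(_dns_matches(target_host, n) for n in cert.dns_names):
            return
        raise CertificateException(
            f"No subject alternative DNS name matching {target_host} found.")
    if cert.cn and _dns_matches(target_host, cert.cn):
        return
    raise CertificateException(f"No name matching {target_host} found")


def verify(target_host: str, cert: ServerCert,
           disable_endpoint_identification: bool = False) -> str:
    """Return "ok" or the exception message the LDAPS handshake would carry.

    disable_endpoint_identification models
    -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true: the name
    check is skipped entirely, so a certificate issued for a different host
    (or with no SAN) is accepted as long as it chains to a trusted CA.
    """
    if disable_endpoint_identification:
        return "ok (endpoint identification disabled)"
    try:
        check_endpoint(target_host, cert)
        return "ok"
    except CertificateException as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed certificates: an old CN-only certificate with an internal
    # name, a CN-only certificate with the right name, and a SAN certificate.
    legacy = ServerCert(cn="ldap-internal")
    cn_only = ServerCert(cn="myldap.austin.ibm.com")
    san = ServerCert(cn="ignored-when-dnsname-present",
                     dns_names=["myldap.austin.ibm.com"], ip_addresses=["10.1.2.3"])
    for host in ("myldap.austin.ibm.com", "10.1.2.3"):
        for label, cert in (("legacy", legacy), ("cn-only", cn_only), ("san", san)):
            print(f"{host:22} {label:8} -> {verify(host, cert)}")
    print(f"{'10.1.2.3':22} {'legacy':8} -> "
          f"{verify('10.1.2.3', legacy, disable_endpoint_identification=True)}")
```

Running the block prints one line per (host, certificate) pair. The two things worth noticing are that a CN-only certificate still passes for a host name that equals its CN, so the upgrade alone does not break a correctly named legacy certificate, and that the workaround flag returns "ok" for the wrong-name certificate as well, which is why it weakens the connection rather than merely restoring compatibility.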

Workaround steps (set the property on each JVM that connects to LDAP: the application servers, the node agents, and the deployment manager):

Application Server

1. In the Administration Console select Servers

2. Expand Server Types and select WebSphere application servers

3. Click on the name of your server

4. Expand Java and Process Management and select Process Definition.

5. Under the Additional Properties section, click Java Virtual Machine.

6. Scroll down and locate the textbox for Generic JVM arguments.

7. Add -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true to the Generic JVM arguments, click Apply, save the changes, and restart the application server

Nodeagent

1. In the Administration Console, select System Administration

2. Select Node agents

3. Choose which nodeagent to edit

4. In the Server Infrastructure section, expand Java and Process Management and select Process Definition.

5. Under the Additional Properties section, click Java Virtual Machine.

6. Scroll down and locate the textbox for Generic JVM arguments.

7. Add -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true to the Generic JVM arguments, click Apply, save the changes, and restart the node agent

Deployment Manager

1. In the Administration Console, select System Administration

2. Select Deployment manager

3. In the Server Infrastructure section, expand Java and Process Management and select Process Definition.

4. Under the Additional Properties section, click Java Virtual Machine.

5. Scroll down and locate the textbox for Generic JVM arguments.

6. Add -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true to the Generic JVM arguments, click Apply, save the changes, and restart the deployment manager

Product: WebSphere Application Server (SSEQTP)
Platforms: AIX, Linux, Windows
Version: 8.5.5, 9.0

Product Synonym

WAS

Document Information

Modified date:
25 October 2019

UID

ibm11098783