Upgrade to JDK 1.8.0_181 version may throw CertificateException for LDAP / SSL
Article ID: KB0079905
Updated On:
| Products | Versions |
|---|---|
| TIBCO Managed File Transfer Command Center | All |
Description
Upgrade to JDK 1.8.0_181 version may throw "javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching" when configuring an MFT Authenticator to use LDAP over SSL and the DNS name does not match the Certificate DN.
Oracle JDK 1.8.0_181 added endpoint validation to make sure that the LDAP DNS name matches the Certificate CN or the Certificate Subject Alternative DNS Name.
Check java release notes:
http://www.oracle.com/technetwork/java/javase/8u181-relnotes-4479407.html
Changes
core-libs/javax.naming
Improve LDAP support
Endpoint identification has been enabled on LDAPS connections.
To improve the robustness of LDAPS (secure LDAP over TLS ) connections, endpoint identification algorithms have been enabled by default.
Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.
Define this system property (or set it to true) to disable endpoint identification algorithms.
Oracle JDK 1.8.0_181 added endpoint validation to make sure that the LDAP DNS name matches the Certificate CN or the Certificate Subject Alternative DNS Name.
Check java release notes:
http://www.oracle.com/technetwork/java/javase/8u181-relnotes-4479407.html
Changes
core-libs/javax.naming
Improve LDAP support
Endpoint identification has been enabled on LDAPS connections.
To improve the robustness of LDAPS (secure LDAP over TLS ) connections, endpoint identification algorithms have been enabled by default.
Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.
Define this system property (or set it to true) to disable endpoint identification algorithms.
Issue/Introduction
Upgrade to JDK 1.8.0_181 version may throw "javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching"
Environment
All supported environments
Resolution
Add the following parameter to JAVA_OPTS in the setenv.sh or setenv.bat in the <MFTIS/CC>/server/bin directory:
-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
Once this is done, restart the respective MFT service.
-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
Once this is done, restart the respective MFT service.
Additional Information
http://www.oracle.com/technetwork/java/javase/8u181-relnotes-4479407.html
Feedback
Yes
No
Powered by
