
LDAP connection fails with No subject alternative DNS name matching error in AM 5.1.x, 6.x and DS 5.5.1, 5.5.2, 6.x

Last updated Nov 27, 2018

The purpose of this article is to provide assistance if your LDAP/LDAPS connection fails with a "java.security.cert.CertificateException: No subject alternative DNS name matching" error. This issue can affect AM and DS.



Symptoms

The "No subject alternative DNS name matching" error can be seen in various AM debug logs with different contexts, for example:

  • Configuration debug log:
    ERROR: SMSEntry: Unable to initalize(exception):
    SMSException Exception Code:5
    Message:Unexpected LDAP exception occurred.
    --------------------------------------------------
    The lower level exception message
    Connect Error: No operational connection factories available
    The lower level exception:
    Connect Error: No operational connection factories available
       at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:206)
       at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:144)
       at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:113)
    ...
    Caused by: Connect Error: The LDAP connection has failed because an error occurred during the SSL handshake: java.security.cert.CertificateException: No subject alternative DNS name matching host1.example.com found.
    ...
    Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
       at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478)
       at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
       at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
       at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
       at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
    ...
    Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching host1.example.com found.
    
  • IdRepo debug log:
    ERROR: An error occurred while trying to initiate persistent search connection
    Connect Error: No operational connection factories available
       at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:206)
       at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:144)
       at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:113)
    ...
    Caused by: Connect Error: The LDAP connection has failed because an error occurred during the SSL handshake: java.security.cert.CertificateException: No subject alternative DNS name matching host1.example.com found
    ...
    Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
       at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
       at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
       at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
       at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
       at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
    ...
    Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching host1.example.com found.
    
    
  • OpenDJ-SDK debug log:
    WARNING: Connection factory 'CachedConnectionPool(size=0[in:0 + out:0 + pending:0], maxSize=10, blocked=0, ldapClient=org.forgerock.opendj.ldap.LdapClientImpl@57c4d233)' is no longer operational: Connect Error: The LDAP connection has failed because an error occurred during the SSL handshake: java.security.cert.CertificateException: No subject alternative DNS name matching host1.example.com found.
    

Amster

You may also see a similar error when trying to install AM using Amster:

"stderr": "SLF4J: Failed to load class \"org.slf4j.impl.StaticLoggerBinder\".\nSLF4J: Defaulting to no-operation (NOP) logger implementation\nSLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.\nFailed to execute the 'install-openam' command: java.security.cert.CertificateException: No subject alternative DNS name matching host1.example.com found.",

Upgrade

You may also encounter this error during an AM upgrade, in which case you will additionally see an error similar to the following in the web application container log (for example, catalina.out for Apache Tomcat™):

org.forgerock.openam.upgrade.UpgradeException: Unable to parse product versions for comparison. Current: null war: ForgeRock Access Management 6.0.0 Build 3676519ec1 (2018-May-08 10:07)

Note

If you see the "Unable to parse product versions for comparison" error without the "No subject alternative DNS name matching" error, you should refer to AM/OpenAM (All versions) upgrade fails when com.iplanet.am.version is empty or corrupted for further information on resolving this known upgrade issue.

Recent Changes

There are various changes that could cause this issue, including (but not limited to):

  • Upgraded to, or installed AM 5.1.x; or AM 6 or later.
  • Upgraded to, or installed DS 5.5.1 or later.
  • Upgraded Java® to 1.7.0_191 or later; or 1.8.0_181 or later (including Oracle® JDK and OpenJDK).
  • Created a new data store (configuration, identity or CTS) or changed the DNS name of an existing one.
  • Changed server certificates.
  • Enabled SSL (changed the connection from LDAP to LDAPS).

Causes

Changes introduced in recent AM and DS versions (AM 5.1.x; AM 6 or later; DS 5.5.1 or later) have made LDAP SSL hostname validation stricter. AM checks that the hostname in the LDAP server certificate matches the hostname used to connect to the secured directory server (for example, DS or Active Directory®), and DS checks that the server it is trying to connect to presents a certificate that matches the hostname.

These changes affect any secured LDAP/LDAPS connections:

  • AM connecting to a configuration store, identity store, CTS store etc.
  • Connections from LDAP command line tools such as ldapsearch.
  • Connections from admin tools such as dsconfig and dsreplication.
  • Connections to DS using the external REST2LDAP interface or DSML gateway; this includes IDM connecting to an external DS repository as that uses the REST2LDAP interface.
  • DS connecting to other LDAP servers when configured for pass-through authentication.

Java

Java 1.7.0_191 and 1.8.0_181 introduced changes to improve LDAP support by enabling endpoint identification algorithms by default for LDAPS connections; this also results in stricter hostname validation. For further information see:

Solution

This issue can be resolved by ensuring that the hostname you use to connect to the LDAP server matches one of the hostnames specified in the server certificate's SAN (Subject Alternative Name). The SAN allows you to specify multiple hostnames and takes precedence over the Subject/CN entry in the certificate; you should list all the DNS hostnames that you expect clients to use when connecting to the LDAP server in the SAN. See Administration Guide › Setting Up Server Certificates for further information.

Put simply, this means the hostname in the error (for example, host1.example.com) should be added to the SAN in the LDAP server certificate. The server certificate is located in the JVM truststore used by AM, which is $JAVA_HOME/jre/lib/security/cacerts by default. In the AM configuration, you should also check that the hostname specified for the LDAP connection is correct (and matches what is in the certificate's SAN).
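The following Python script is an added example, not ForgeRock code: it retrieves the certificate from an LDAPS listener and applies the SAN-first matching described above (dNSName SAN entries are consulted when present, the CN only when the certificate has no dNSName SAN, which is how Java's endpoint identification behaves), so you can see which names the certificate actually carries before editing it. The hostname, port and the PEM CA bundle path passed to check_ldaps are assumptions; the other functions work offline on the dict format returned by Python's getpeercert().

```python
import socket
import ssl


def san_dns_names(peercert):
    """dNSName SAN entries from an ssl getpeercert() dict."""
    return [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]


def subject_cn(peercert):
    """Subject CN from an ssl getpeercert() dict, or None if absent."""
    cns = [v for rdn in peercert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return cns[0] if cns else None


def dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive; '*' allowed only as the whole
    left-most label, with at least two labels after it, and never spanning a dot."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    return len(p) >= 3 and len(p) == len(h) and h[0] != "" and p[1:] == h[1:]


def hostname_matches(hostname, san_dns, cn=None):
    """Strict endpoint identification: if the cert carries any dNSName SAN entry,
    only the SAN is consulted (CN ignored); CN is a fallback only when no SAN exists."""
    if san_dns:
        return any(dns_name_matches(n, hostname) for n in san_dns)
    return cn is not None and dns_name_matches(cn, hostname)


def explain(hostname, san_dns, cn=None):
    """Verdict worded like the error AM and DS log on a mismatch."""
    if hostname_matches(hostname, san_dns, cn):
        return "OK: %s matches the server certificate" % hostname
    return "No subject alternative DNS name matching %s found (SAN=%s, CN=%s)" % (
        hostname, san_dns or "none", cn)


def check_ldaps(hostname, port=636, cafile=None):
    """Fetch the cert from a live LDAPS listener (trusted via the PEM CA bundle in
    cafile, or the system store) and apply the strict check to the connect name."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # we do the name check ourselves; trust is still verified
    with socket.create_connection((hostname, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()  # decoded only because trust validation passed
    return explain(hostname, san_dns_names(cert), subject_cn(cert))
```

Trust validation is left on deliberately: Python returns an empty dict from getpeercert() for an unverified certificate, and a certificate AM cannot trust would fail earlier than the hostname check anyway.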

Alternatives

The following options can be used to switch off the stricter hostname validation; however, doing so makes your deployment less secure and is therefore not recommended:

  • You can switch off hostname checks in DS by setting the org.forgerock.opendj.hostNameVerificationDisabled environment variable to true. See Javadoc › SSL_HOST_NAME_VALIDATION_DISABLED_PROPERTY for further information. 
  • You can switch off hostname validation in Java by setting the com.sun.jndi.ldap.object.disableEndpointIdentification JVM option to true. 

See Also

How do I configure LDAPS clients in DS/OpenDJ (All versions)?

How do I make AM/OpenAM (All versions) communicate with a secured LDAP server?

How do I import a certificate into the truststore used by AM/OpenAM (All versions) for SSL?

FAQ: SSL certificate management in AM/OpenAM and Policy Agents

FAQ: SSL certificate management in DS/OpenDJ

Best practice for upgrading to AM 6.x

SSL in DS/OpenDJ

SSL in AM/OpenAM and Policy Agents

Upgrade Guide

Related Training

N/A

Related Issue Tracker IDs

OPENAM-13984 (Upgrade/Install Document need for stricter Hostname Matching for LDAP certificates)



Copyright © 2018 ForgeRock, all rights reserved.