OpenDJ 3.x Java upgrade causes certificate exceptions with control-panel/dsreplication/status commands
The purpose of this article is to provide assistance if you encounter certificate and "Unable to connect to the server" errors when running dsreplication commands after upgrading to Java® 1.7.0_191, 1.8.0_181 or later. A similar "An error occurred connecting to the server" is shown when running control-panel.
Archived
This article has been archived and is no longer maintained by ForgeRock.
Symptoms
You will encounter connecting to server errors when using dsreplication or control-panel commands:
- dsreplication commands: running any dsreplication command where the hostname is not a FQDN, for example:

  $ ./dsreplication status --hostname host1 --port 4444 --adminUID admin --adminPassword password --trustAll --no-prompt

  gives a response similar to one of the following:

  Unable to connect to the server at host1 on port 4444. Check this port is an administration port

  Error reading data from server host1:4444. There is an error with the certificate presented by the server. Details: simple bind failed: host1:4444

  Running the same command with the FQDN as the hostname succeeds. Note that --trustAll does not avoid the failure: it disables trust-chain validation, not the hostname check.
- control-panel command: login fails with the following error:

  An error occurred connecting to the server. Details: javax.naming.CommunicationException: 0.0.0.0:4444 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present]
SSL debug log
An error similar to the following is shown in the SSL debug log when this happens:
LDAP Request Handler 0 for connection handler Administration Connector 192.0.2.0 port 4444, WRITE: TLSv1.2 Handshake, length = 947
LDAP Request Handler 0 for connection handler Administration Connector 192.0.2.0 port 4444, READ: TLSv1.2 Alert, length = 2
LDAP Request Handler 0 for connection handler Administration Connector 192.0.2.0 port 4444, RECV TLSv1.2 ALERT: fatal, certificate_unknown
LDAP Request Handler 0 for connection handler Administration Connector 192.0.2.0 port 4444, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
LDAP Request Handler 0 for connection handler Administration Connector 192.0.2.0 port 4444, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

Note: You can generate SSL debug logs as described in FAQ: SSL certificate management in DS 6.x (Q. How do I debug a SSL handshake error?)
Recent Changes
Upgraded Java to version 1.7.0_191, 1.8.0_181 or later (including Oracle® JDK and OpenJDK).
Causes
Java 1.7.0_191 and 1.8.0_181 introduced changes to improve LDAP support by enabling endpoint identification algorithms by default for LDAPS connections. Endpoint identification is hostname verification: the JNDI LDAP client now checks that the name it connected to matches a subject alternative name (or the CN) in the server certificate and aborts the handshake if it does not. The administration connector presents a certificate whose names match the server's FQDN (which is why the same command succeeds with the FQDN), so a connection made with a short hostname such as host1 fails the check and the client sends the certificate_unknown alert recorded in the server's SSL debug log. When the client connects to an IP address, as control-panel does with 0.0.0.0:4444, only IP-address subject alternative names are considered, which is why that error reads "No subject alternative names present".
For further information see:
Java SE Development Kit 8, Update 181 (JDK 8u181)
Java SE Development Kit 7, Update 191 (JDK 7u191)
Solution
This issue can be resolved using one of the following options:
- Always use a FQDN for the hostname. This is a requirement for replication as stated in the Release Notes: Release Notes › FQDNs For Replication. This is the preferred option because it keeps hostname verification in place.
- Set the new system property (com.sun.jndi.ldap.object.disableEndpointIdentification) to disable endpoint identification if appropriate for your environment. Be aware that this turns off hostname verification for every LDAPS connection made by that tool: any certificate the client trusts is then accepted for any host, and in combination with --trustAll the connection no longer authenticates the server at all.
- Downgrade your version of Java. This also forgoes the other fixes in the newer release, so it is at best a temporary measure.
Setting the new system property
You can set this system property in OpenDJ as follows:
- Add the new system property to dsreplication.java-args in the java.properties file, for example:

  dsreplication.java-args=... -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

- Apply this change by running the bin/dsjavaproperties command:

  $ ./dsjavaproperties
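The two steps above as one script, added here as an example and not taken from the article or from OpenDJ itself. It assumes a java.properties file in the KEY=VALUE layout shown above and takes the key to update as a parameter (the article names dsreplication.java-args; whether other keys such as control-panel.java-args need the same flag is not covered by the article). The sample file is constructed inline so the script runs offline; on a real instance you would point it at the instance's config/java.properties and then run dsjavaproperties.

```shell
#!/bin/sh
# Added example, not ForgeRock's code: set the endpoint-identification
# property in an OpenDJ java.properties file without duplicating it.
# Assumptions: KEY=VALUE layout as in the article; the key is passed in.
set -eu

PROP='-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true'

# add_flag FILE KEY: append $PROP to the "KEY=..." line in FILE, keeping any
# arguments already there; creates the line if KEY is absent; running it a
# second time changes nothing, so it is safe in a repeated upgrade runbook.
add_flag() {
  file="$1"; key="$2"
  if grep -q "^${key}=.*disableEndpointIdentification=true" "$file"; then
    return 0                       # already set: nothing to do
  fi
  if grep -q "^${key}=" "$file"; then
    sed -i.bak "s|^\(${key}=.*\)|\1 ${PROP}|" "$file" && rm -f "${file}.bak"
  else
    printf '%s=%s\n' "$key" "$PROP" >> "$file"
  fi
}

# get_args FILE KEY: print the value of KEY (empty if absent).
get_args() {
  sed -n "s/^$2=//p" "$1"
}

# Constructed sample java.properties (only the lines relevant here).
demo=$(mktemp)
cat > "$demo" <<'EOF'
default.java-home=/usr/lib/jvm/java-8
dsreplication.java-args=-client -Xms8m
control-panel.java-args=-client -Xms64m
EOF

add_flag "$demo" dsreplication.java-args
add_flag "$demo" dsreplication.java-args   # second run leaves the file unchanged
get_args "$demo" dsreplication.java-args
# On a real instance the edit is applied with: ./dsjavaproperties
rm -f "$demo"
```

The helper only ever appends to the existing argument list, so JVM settings already tuned for the tool are preserved, and the "already set" check keeps the flag from stacking up across repeated runs. Remember that this flag removes hostname verification for the tool's LDAPS connections; using the FQDN, as the first solution option says, avoids the need for it.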
See Also
How do I change DS (All versions) to use a different JDK version?
How do I ensure DS (All versions) uses the Java settings from java.properties file when starting?
Related Training
N/A
Related Issue Tracker IDs
OPENDJ-5336 (Dsreplication and control-panel connection fails with JVM 1.8.0_181)