OpenDJ 3.x Java upgrade causes certificate exceptions with contol-panel/dsreplication/status commands

Symptoms

You will encounter connecting to server errors when using dsreplication or control-panel commands:

• dsreplication commands: running any dsreplication commands where the hostname is not a FQDN, for example:

  $ ./dsreplication status --hostname host1 --port 4444 --adminUID admin --adminPassword password --trustAll --no-prompt
  

  Gives a response similar to one of the following:

  Unable to connect to the server at host1 on port 4444. Check this port is an administration port
  
  Error reading data from server host1:4444. There is an error with the certificate presented by the server.
  Details: simple bind failed: host1:4444

  Whereas running the same command using a FQDN as the hostname succeeds.
• control-panel command: login will fail with the following error when running the control-panel command:

  An error occurred connecting to the server. Details:
  javax.naming.CommunicationException: 0.0.0.0:4444 [Root exception is javax.net.ssl.SSLHandshakeException:
  java.security.cert.CertificateException: No subject alternative names present]

SSL debug log

An error similar to the following is shown in the SSL debug log when this happens:

LDAP Request Handler 0 for connection handler Administration Connector 192.0.2.0 port 4444, WRITE: TLSv1.2 Handshake, length = 947

LDAP Request Handler 0 for connection handler Administration Connector 192.0.2.0 port 4444, READ: TLSv1.2 Alert, length = 2

LDAP Request Handler 0 for connection handler Administration Connector 192.0.2.0 port 4444, RECV TLSv1.2 ALERT:  fatal, certificate_unknown

LDAP Request Handler 0 for connection handler Administration Connector 192.0.2.0 port 4444, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

LDAP Request Handler 0 for connection handler Administration Connector 192.0.2.0 port 4444, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

Recent Changes

Upgraded Java to version 1.7.0_191, 1.8.0_181 or later (including Oracle® JDK and OpenJDK).

Causes

Java 1.7.0_191 and 1.8.0_181 introduced changes to improve LDAP support by enabling endpoint identification algorithms by default for LDAPS connections.

For further information see:

 Java SE Development Kit 8, Update 181 (JDK 8u181) 

 Java SE Development Kit 7, Update 191 (JDK 7u191) 

Solution

This issue can be resolved using one of the following options:

• Always use a FQDN for the hostname. This is a requirement for replication as stated in the Release Notes: Release Notes › FQDNs For Replication.
• Set the new system property (com.sun.jndi.ldap.object.disableEndpointIdentification) to disable endpoint identification if appropriate for your environment. 
• Downgrade your version of Java.

Setting the new system property

You can set this system property in OpenDJ as follows:

1. Add the new system property to dsreplication.java-args in the java.properties file, for example:

   dsreplication.java-args=... -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

2. Apply this change by running the bin/dsjavaproperties command:

   $ ./dsjavaproperties

See Also

How do I change DS/OpenDJ (All versions) to use a different JDK version?

How do I ensure DS/OpenDJ (All versions) uses the Java settings from java.properties file when starting?

Related Training

N/A

Related Issue Tracker IDs

OPENDJ-5336 (Dsreplication and control-panel connection fails with JVM 1.8.0_181)