OpenDJ 3.x Java upgrade causes certificate exceptions with control-panel/dsreplication/status commands

Last updated Sep 14, 2018

The purpose of this article is to provide assistance if you encounter certificate and "Unable to connect to the server" errors when running dsreplication commands after upgrading to Java® 1.7.0_191, 1.8.0_181 or later. A similar "An error occurred connecting to the server" error is shown when running control-panel.

Symptoms

You will encounter errors connecting to the server when using the dsreplication or control-panel commands:

  • dsreplication commands: running any dsreplication commands where the hostname is not a FQDN, for example:
    $ ./dsreplication status --hostname host1 --port 4444 --adminUID admin --adminPassword password --trustAll --no-prompt
    
    Gives a response similar to one of the following:
    Unable to connect to the server at host1 on port 4444. Check this port is an administration port
    
    Error reading data from server host1:4444. There is an error with the certificate presented by the server.
    Details: simple bind failed: host1:4444
    
    Whereas running the same command using a FQDN as the hostname succeeds.
  • control-panel command: login fails with the following error when running the control-panel command:
    An error occurred connecting to the server. Details:
    javax.naming.CommunicationException: 0.0.0.0:4444 [Root exception is javax.net.ssl.SSLHandshakeException:
    java.security.cert.CertificateException: No subject alternative names present]
    

SSL debug log

An error similar to the following is shown in the SSL debug log when this happens:

LDAP Request Handler 0 for connection handler Administration Connector 192.0.2.0 port 4444, WRITE: TLSv1.2 Handshake, length = 947

LDAP Request Handler 0 for connection handler Administration Connector 192.0.2.0 port 4444, READ: TLSv1.2 Alert, length = 2

LDAP Request Handler 0 for connection handler Administration Connector 192.0.2.0 port 4444, RECV TLSv1.2 ALERT:  fatal, certificate_unknown

LDAP Request Handler 0 for connection handler Administration Connector 192.0.2.0 port 4444, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

LDAP Request Handler 0 for connection handler Administration Connector 192.0.2.0 port 4444, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

Note

You can generate SSL debug logs as described in FAQ: SSL certificate management in DS/OpenDJ (Q. How do I debug an SSL handshake error?)

Recent Changes

Upgraded Java to version 1.7.0_191, 1.8.0_181 or later (including Oracle® JDK and OpenJDK).

Causes

Java 1.7.0_191 and 1.8.0_181 introduced changes to improve LDAP security by enabling endpoint identification algorithms by default for LDAPS connections. With endpoint identification enabled, the hostname used to connect must match a name in the server certificate, so a short hostname or an IP address that is not present in the certificate causes the TLS handshake to fail.

For further information see:

Java SE Development Kit 8, Update 181 (JDK 8u181)

Java SE Development Kit 7, Update 191 (JDK 7u191)

Solution

This issue can be resolved using one of the following options:

  • Always use a FQDN for the hostname. This is a requirement for replication as stated in the Release Notes (FQDNs For Replication).
  • Set the new system property (com.sun.jndi.ldap.object.disableEndpointIdentification) to disable endpoint identification if appropriate for your environment. Be aware that this turns off hostname verification for every LDAPS connection made by the affected JVM, so the certificate is no longer checked against the server name.
  • Downgrade your version of Java.
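
To see why the short hostname and the IP address fail while the FQDN succeeds, the following Python model of the hostname rules Java applies under endpoint identification (dNSName SANs first, subject CN only as a fallback when no dNSName SAN exists, IP targets matched only against iPAddress SANs) is an added example and not ForgeRock code; ServerCert, its field names, the explain helper and the certificate values are constructed for illustration, and wildcard handling is simplified.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class ServerCert:
    """The parts of the server certificate that endpoint identification inspects."""
    subject_cn: str
    dns_sans: list = field(default_factory=list)  # subjectAltName dNSName entries
    ip_sans: list = field(default_factory=list)   # subjectAltName iPAddress entries

def _is_ip(target: str) -> bool:
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False

def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive name match; a leading '*.' covers exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, rest = host.partition(".")
        return bool(label) and bool(rest) and pattern[2:] == rest
    return pattern == host

def endpoint_identification(cert: ServerCert, target: str) -> str:
    """Return '' if the hostname check passes, otherwise the failure reason
    (wording modelled on Java's CertificateException messages)."""
    if _is_ip(target):
        # An IP target is matched only against iPAddress SANs; the CN is never used.
        if not cert.ip_sans:
            return "No subject alternative names present"
        if any(ipaddress.ip_address(ip) == ipaddress.ip_address(target) for ip in cert.ip_sans):
            return ""
        return f"No subject alternative names matching IP address {target} found"
    if cert.dns_sans:
        # Once any dNSName SAN exists, the subject CN is no longer consulted.
        if any(_dns_match(p, target) for p in cert.dns_sans):
            return ""
        return f"No subject alternative DNS name matching {target} found"
    # Legacy fallback: no dNSName SANs at all, so compare against the subject CN.
    return "" if _dns_match(cert.subject_cn, target) else f"No name matching {target} found"

# Constructed certificate with a CN and no SANs, the shape implied by the control-panel error above.
DEFAULT_CERT = ServerCert(subject_cn="host1.example.com")

def explain(target: str) -> str:
    """Outcome of connecting to DEFAULT_CERT's server using the given hostname or IP."""
    return endpoint_identification(DEFAULT_CERT, target) or "OK"
```

Running explain("host1.example.com"), explain("host1") and explain("0.0.0.0") reproduces the three outcomes described in this article: success, a CN mismatch, and "No subject alternative names present".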

Setting the new system property

You can set this system property in OpenDJ as follows:

  1. Add the new system property to dsreplication.java-args in the java.properties file, for example:
    dsreplication.java-args=... -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
  2. Apply this change by running the bin/dsjavaproperties command:
    $ ./dsjavaproperties

See Also

How do I change DS/OpenDJ (All versions) to use a different JDK version?

How do I ensure DS/OpenDJ (All versions) uses the Java settings from java.properties file when DS/OpenDJ is started?

Related Training

N/A

Related Issue Tracker IDs

OPENDJ-5336 (Dsreplication and control-panel connection fails with JVM 1.8.0_181)

Copyright and Trademarks

Copyright © 2018 ForgeRock, all rights reserved.