When I upgraded java from 1.8.161 to 1.8.181, I am not able to connect to LDAP from my application, i get below exception when i try to login to application with a user that is active in LDAP.
javax.naming.CommunicationException: : [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address found]
I found the below release notes on the Oracle site for version 1.8.181
Changes
core-libs/javax.naming ➜ Improve LDAP support Endpoint identification has been enabled on LDAPS connections.
To improve the robustness of LDAPS (secure LDAP over TLS ) connections, endpoint identification algorithms have been enabled by default.
Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property:
com.sun.jndi.ldap.object.disableEndpointIdentification
.Define this system property (or set it to true) to disable endpoint identification algorithms.
I tried to set the property to true as below along with other properties. But still it throws same error.
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, ctxFactory);
env.put(Context.PROVIDER_URL, providerUrl);
env.put(Context.SECURITY_PRINCIPAL, secPrincipal);
env.put(Context.SECURITY_AUTHENTICATION, secAuthentication);
env.put(Context.SECURITY_CREDENTIALS, secCredentials);
env.put("com.sun.jndi.ldap.object.disableEndpointIdentification" ,disableEndpointIdentification);
DirContext ldapCtx = new InitialDirContext(env);
Need your help how and where exactly we need to set the property
com.sun.jndi.ldap.object.disableEndpointIdentification
to true.
There is no such constant String variable related to this in Context Interface too.
If I revert back to java 1.8.161 version it works fine.
doc tells about application system property and not about Ldap context environment
then it needs to be setup on application JVM (java command line) for the app as
-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
Add SAN for your IP Address to the certificate configured on your LDAP
e.g. for your certificate request config (request.inf)
[RequestAttributes]
SAN="ipaddress=10.233.207.65"
[Extensions]
2.5.29.17 = "{text}"
continue_ = "ipaddress=10.233.207.65"
and for the certificate generation something like
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash
subjectAltName=@alt_names
[alt_names]
IP = 10.233.207.65
in the extfile configuration
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With