{"id":2761,"date":"2018-08-23T22:43:59","date_gmt":"2018-08-23T20:43:59","guid":{"rendered":"https:\/\/www.oradba.ch\/?p=2761"},"modified":"2018-08-27T06:34:19","modified_gmt":"2018-08-27T04:34:19","slug":"oracle-unified-directory-sslhandshakeexception-with-java-1-8-0_181","status":"publish","type":"post","link":"https:\/\/www.oradba.ch\/wordpress\/2018\/08\/oracle-unified-directory-sslhandshakeexception-with-java-1-8-0_181\/","title":{"rendered":"Oracle Unified Directory SSLHandshakeException with Java 1.8.0_181"},"content":{"rendered":"

A couple of days ago I did update my Oracle Unified Directory Docker images<\/a> with the latest bundle patch for OUD as well the latest java version. With the new Docker images I was about to reproduce a use case from a customer. Everything actually worked at first glance, but after a while I did realise, that my OUD Docker remains in status “unhealthy”. It seems that my status script is not able to get a clear status of the OUD instance. In particular the command “status” does fail.<\/p>\n

\noracle@oud3:~\/ [oud_docker] status --trustall \\\n-D "cn=Directory Manager" -j $PWD_FILE\n\nError reading configuration. Details:\njavax.naming.CommunicationException: 0.0.0.0:4444 [Root exception is \njavax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: \nNo subject alternative names present]\n<\/pre>\n
I’ve tried to drill down the root cause of this issue, but haven’t been successfully. After a hint from a workmate, I took a look into the release notes of Java 1.8.0 update 181<\/a>. It looks like the latest java 1.8.0 update includes security improvements for LDAP support.<\/p>\n
\nChanges
\ncore-libs\/javax.naming
\n\u279c Improve LDAP support
\nEndpoint identification has been enabled on LDAPS connections.<\/p>\n
To improve the robustness of LDAPS (secure LDAP over TLS ) connections, endpoint identification algorithms have been enabled by default.<\/p>\n
Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.<\/p>\n
Define this system property (or set it to true) to disable endpoint identification algorithms. <\/p>\n
JDK-8200666 (not public)\n<\/p><\/blockquote>\n
My first intention was to adjust the java.properties<\/em> and disable endpoint identification just for status<\/code>. But I was not successful. As a workaround I’ve set the java arguments -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true<\/em> with the environment variable OPENDS_JAVA_ARGS. This seems to work as expected. <\/p>\n
\noracle@oud3:~\/ [oud_docker] export OPENDS_JAVA_ARGS=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true\noracle@oud3:~\/ [oud_docker] status --trustall \\\n  -D "cn=Directory Manager" -j $PWD_FILE\n\n--- Server Status ---\nServer Run Status:        Started\nOpen Connections:         1\n\n--- Server Details ---\nHost Name:                oud3\nAdministrative Users:     cn=Directory Manager\nInstallation Path:        \/u00\/app\/oracle\/product\/fmw12.2.1.3.0\/oud\nInstance Path:            \/u01\/instances\/oud_docker\/OUD\nVersion:                  Oracle Unified Directory 12.2.1.3.180626\nJava Version:             1.8.0_181\nAdministration Connector: Port 4444 (LDAPS)\n\n--- Connection Handlers ---\nAddress:Port : Protocol               : State\n-------------:------------------------:---------\n--           : LDIF                   : Disabled\n0.0.0.0:161  : SNMP                   : Disabled\n0.0.0.0:1389 : LDAP (allows StartTLS) : Enabled\n0.0.0.0:1636 : LDAPS                  : Enabled\n0.0.0.0:1689 : JMX                    : Disabled\n\n--- Data Sources ---\nBase DN:     cn=OracleContext\nBackend ID:  OIDCompatibility\nEntries:     34\nReplication: Disabled\n\nBase DN:     cn=OracleContext,dc=example,dc=com\nBackend ID:  OracleContext0\nEntries:     17\nReplication: Disabled\n\nBase DN:     cn=OracleSchemaVersion\nBackend ID:  OIDCompatibility\nEntries:     3\nReplication: Disabled\n\nBase DN:     cn=virtual acis\nBackend ID:  virtualAcis\nEntries:     0\nReplication: Disabled\n\nBase DN:     dc=example,dc=com\nBackend ID:  userRoot\nEntries:     1\nReplication: Disabled\n<\/pre>\n
This workaround temporarily disable the endpoint identification, although the correct method would be to fix and use it. For now there is a MOS bug related to this issue. This enhance the chance that this will be fixed in a future release. Till then you can easily workaround setting the environment variable.<\/p>\n
A few links related to this short blog post:<\/p>\n