IBM Support

How to resolve the LDAP error "java.security.cert.CertificateException: No subject alternative DNS name matching ip address found"

Troubleshooting


Problem

After upgrading to Java(TM) 8 Update 181, you may encounter the following Lightweight Directory Access Protocol (LDAP) error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ip address found.

This happens because endpoint identification algorithms are now enabled by default to improve the robustness of LDAPS (secure LDAP over Transport Layer Security (TLS)) connections. As a result, some applications that were previously able to connect to an LDAPS server may no longer be able to do so.

Symptom

While connecting to an LDAPS server, the error:

 javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ip address found.

is issued in situations where applications were previously able to successfully connect to an LDAPS server.

Cause

LDAP now asks the Java Secure Socket Extension (JSSE) to validate the LDAP server's certificate against hostname verification rules. With this change, if the server's certificate is not compliant, the exception is thrown. Previously, LDAP did not request JSSE to perform hostname verification, so a non-compliant server certificate did not produce this error.

Resolving The Problem

To resolve the issue, do either of the following:

  • Regenerate the LDAP server certificate so that the certificate's subject alternative name or the certificate's subject name matches the hostname of the LDAP server.

OR

  • Disable endpoint identification by setting the system property:
    com.sun.jndi.ldap.object.disableEndpointIdentification=true

    In the UrbanCode Deploy server, you can specify additional system properties in the file:
    Unix/Linux:
    <UCD_server_Install>/set_env.sh
    or
    Windows:
    <UCD_server_Install>\set_env.cmd
    Append the system property, prefixed with -D, to the end of the JAVA_OPTS property, as follows:
    -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
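The following Python script is an added example and is not IBM's, UrbanCode Deploy's, or the JDK's code. It models the hostname-verification rules that JSSE applies once endpoint identification is on for LDAPS (an IP literal in the URL is compared only with iPAddress SAN entries; a hostname is compared with dNSName SAN entries, with the subject CN used only when the certificate carries no dNSName entries), so you can tell offline which of the two fixes above a given certificate needs. The certificates are constructed dicts of names, not parsed from a real keystore, and the reason strings are modelled on the wording of the Java exception messages.

```python
"""Model of the LDAPS endpoint-identification check (added example, not IBM/JDK code)."""
import ipaddress
from urllib.parse import urlparse


def dns_name_matches(pattern: str, host: str) -> bool:
    """Compare one dNSName/CN entry with the host taken from the URL.

    Case-insensitive; a single leading '*.' wildcard covers exactly one label
    and never the bare registered domain (RFC 6125 section 6.4.3 rules).
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        # '*.example.com' covers 'ldap.example.com' but not 'example.com'
        # or 'a.b.example.com'.
        return (len(p_labels) >= 3
                and len(p_labels) == len(h_labels)
                and p_labels[1:] == h_labels[1:])
    return pattern == host


def verify_ldaps_endpoint(url: str, cert: dict) -> tuple:
    """Return (ok, reason) for presenting `cert` on a connection to `url`.

    `cert` is a constructed dict: {"cn": str, "san_dns": [str], "san_ip": [str]}.
    """
    parsed = urlparse(url)
    if parsed.scheme != "ldaps" or not parsed.hostname:
        return False, f"not an LDAPS URL: {url}"
    target = parsed.hostname

    try:
        ip = ipaddress.ip_address(target)   # client connected by IP literal
    except ValueError:
        ip = None

    if ip is not None:
        # Only iPAddress SAN entries count; a DNS-only certificate cannot pass.
        for entry in cert.get("san_ip", []):
            if ipaddress.ip_address(entry) == ip:
                return True, f"iPAddress SAN entry matches {ip}"
        return False, f"No subject alternative names matching IP address {ip} found"

    san_dns = cert.get("san_dns", [])
    if san_dns:
        for entry in san_dns:
            if dns_name_matches(entry, target):
                return True, f"dNSName SAN entry '{entry}' matches {target}"
        return False, f"No subject alternative DNS name matching {target} found"

    # Legacy certificate without dNSName entries: the subject CN is the last resort.
    if cert.get("cn") and dns_name_matches(cert["cn"], target):
        return True, f"subject CN '{cert['cn']}' matches {target}"
    return False, f"No name matching {target} found"


# Constructed sample certificates (names only; no keys or signatures).
CERTS = {
    "dns_only": {"cn": "ldap.example.com",
                 "san_dns": ["ldap.example.com", "*.dc.example.com"],
                 "san_ip": []},
    "dns_and_ip": {"cn": "ldap.example.com",
                   "san_dns": ["ldap.example.com"],
                   "san_ip": ["10.0.0.5"]},
    "cn_only": {"cn": "ldap.example.com", "san_dns": [], "san_ip": []},
}

if __name__ == "__main__":
    for url in ("ldaps://ldap.example.com:636",
                "ldaps://10.0.0.5:636",
                "ldaps://ldap2.dc.example.com:636"):
        for name, cert in CERTS.items():
            ok, why = verify_ldaps_endpoint(url, cert)
            print(f"{url:36} {name:12} {'OK  ' if ok else 'FAIL'} {why}")
```

Running the script shows the pattern behind this error: a certificate that only names the server by DNS passes when the application connects as ldaps://ldap.example.com but fails when it connects as ldaps://10.0.0.5, because an IP literal is never matched against dNSName entries or the CN. Regenerating the certificate with a name that matches the form used in the LDAP URL keeps the protection that endpoint identification provides; the disableEndpointIdentification property instead removes the check that the certificate belongs to the host you connected to, so it is the weaker of the two options.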


Product Synonym

UCD;UrbanCode Deploy

Document Information

Modified date:
20 August 2021

UID

ibm10793403