IBM Support

WebSphere - Endpoint identification enabled on LDAPS connections

Troubleshooting


Problem

To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms are enabled by default.  There might be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so.

Symptom

While connecting to an LDAPS server, a "javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException" is observed.

One of these messages might also be observed with the error message:

  • "No subject alternative names present"
    • Indicates that the certificate does not have the SAN attribute populated
  • "No name matching ldap.example.com found"
    • Indicates that the SAN attribute does contain a value, but doesn't contain an entry for the hostname or IP address representing the LDAP server. 

Cause

LDAP is asking JSSE to validate the LDAP server's certificate to ensure it is compliant with hostname verification.  With this change, if the server's certificate is not compliant, the exception is thrown.  In previous releases, LDAP connections did not request JSSE to perform hostname verification and a non-compliant server certificate would not have shown this error.

Environment

WebSphere Application Server v7, v8, v855, v9, or Liberty running these IBM SDK versions (or later):

  • 8 SR 5 FP 20
  • 7.1 SR 4 FP 30
  • 7 SR 10 FP 30
  • 6.1 SR 8 FP 70
  • 6 SR 16 FP 70

Resolving The Problem

In order to resolve the issue either:

  • Regenerate the LDAP server certificate so that the certificate's subject alternate name or certificate's subject name matches the LDAP server.

OR

  • Disable endpoint identification by setting the system property com.sun.jndi.ldap.object.disableEndpointIdentification=true

[{"Type":"MASTER","Line of Business":{"code":"LOB36","label":"IBM Automation"},"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSD28V","label":"WebSphere Application Server Liberty Core"},"ARM Category":[{"code":"a8m50000000CdOoAAK","label":"Security-\u003ELiberty Profile"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"},{"Type":"MASTER","Line of Business":{"code":"LOB36","label":"IBM Automation"},"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSAW57","label":"WebSphere Application Server Network Deployment"},"ARM Category":[{"code":"a8m50000000CdJrAAK","label":"Security-\u003EUser Registry-\u003ELDAP"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
16 September 2021

UID

ibm10729913