IBM Support

WebSphere - Endpoint identification enabled on LDAPS connections

Troubleshooting


Problem

To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms are now enabled by default in the IBM Java levels listed under Environment below. As a result, some applications that were previously able to connect to an LDAPS server may no longer be able to do so after the Java update.

Symptom

While connecting to an LDAPS server, the exception

 javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException

is thrown in situations where the application was previously able to connect to the same LDAPS server successfully.

Cause

The LDAP provider now asks JSSE to verify the LDAP server's certificate against the host name in the LDAP URL (hostname verification, the same check an HTTPS client performs). With this change, if the certificate's subject alternative name (or, when the certificate has no subject alternative name, its subject common name) does not match that host name, the handshake fails with the exception above. In the past, the LDAP provider did not request hostname verification, so a non-compliant server certificate was accepted without this error, and the client had no assurance that the server it reached was the one named in the URL.

Environment

WebSphere Application Server v7, v8, v8.5.5, v9 and Liberty running one of the following IBM Java service levels:

IBM Java:

  • 8 SR 5 FP 20
  • 7.1 SR 4 FP 30
  • 7 SR 10 FP 30
  • 6.1 SR 8 FP 70
  • 6 SR 16 FP 70

Resolving The Problem

To resolve the issue, do one of the following:

  • Regenerate the LDAP server certificate so that its subject alternative name (a dNSName entry, or an iPAddress entry if the LDAP URL uses an IP address) matches the host name used in the LDAP URL. The subject common name is consulted only when the certificate has no subject alternative name at all; once a subject alternative name is present, a matching common name on its own is not enough. This is the recommended fix.

OR

  • Disable endpoint identification by setting the Java system property com.sun.jndi.ldap.object.disableEndpointIdentification=true (for example, as the generic JVM argument -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true). This restores the previous behaviour, which means the client no longer checks that the certificate belongs to the server named in the URL, so treat it as a temporary workaround while the certificate is corrected rather than a permanent configuration.
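The following Python script is added here as an illustration of the Cause and Resolving The Problem sections; it is not part of the IBM document or of WebSphere or the JDK. It reproduces the hostname-matching rule that JSSE endpoint identification applies to an LDAPS server certificate, so the "old certificate" and "regenerated certificate" cases can be compared offline. The certificates are constructed dictionaries in the shape Python's ssl getpeercert() returns; the host names (ldap.example.com, ldap01, 10.0.0.5) and the function names hostname_matches and ldap_url_host are assumptions of this example, not IBM or JDK identifiers.

```python
"""Offline model of the hostname verification JSSE performs on an LDAPS
server certificate when endpoint identification is enabled.

Added example, not IBM's or the JDK's code. Certificates are constructed
dicts in the shape returned by ssl.SSLSocket.getpeercert(); every host name
and certificate below is made up for the demonstration.
"""
import ipaddress
from urllib.parse import urlparse


def ldap_url_host(url):
    """Host part of an LDAP(S) URL: the name JSSE compares with the
    certificate. It is the literal name in the URL, not what DNS resolves to."""
    host = urlparse(url).hostname
    if host is None:
        raise ValueError("no host in URL: %r" % url)
    return host


def _name_matches(pattern, host):
    """RFC 6125-style comparison of one dNSName (or CN) against a host name.
    Case-insensitive; a wildcard is honoured only as the whole left-most label,
    so '*.example.com' matches 'ldap.example.com' but not 'a.b.example.com'
    or 'example.com'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, host):
    """Return (ok, reason) following the rule the article describes.

    - URL host is an IP address: only subjectAltName iPAddress entries count.
    - Certificate has subjectAltName dNSName entries: only those count; the
      subject CN is ignored even if it would have matched.
    - No SAN at all: fall back to the most specific (last) subject commonName.
    """
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    try:
        wanted_ip = ipaddress.ip_address(host)
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        for value in ip_names:
            if ipaddress.ip_address(value) == wanted_ip:
                return True, "matched SAN iPAddress %s" % value
        return False, "no SAN iPAddress entry matches %s (CN never applies to IPs)" % host

    if dns_names:
        for value in dns_names:
            if _name_matches(value, host):
                return True, "matched SAN dNSName %s" % value
        return False, ("SAN present (%s) but none matches %s; subject CN is ignored"
                       % (", ".join(dns_names), host))

    common_name = None
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                common_name = value  # keep the last CN seen
    if common_name is None:
        return False, "certificate has neither SAN dNSName nor subject CN"
    if _name_matches(common_name, host):
        return True, "matched subject CN %s (no SAN present)" % common_name
    return False, "subject CN %s does not match %s" % (common_name, host)


# Constructed sample certificates (not real LDAP server certificates).
OLD_CERT_CN_ONLY = {       # typical pre-change certificate: short CN, no SAN
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "ldap01"),)),
}
OLD_CERT_SAN_MISMATCH = {  # CN looks right, but the SAN names another host
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap01.internal"),),
}
NEW_CERT = {               # regenerated as the article recommends
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "ldap01.example.com"),
                       ("IP Address", "10.0.0.5")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}

if __name__ == "__main__":
    cases = [
        ("ldaps://ldap.example.com:636/dc=example,dc=com", OLD_CERT_CN_ONLY),
        ("ldaps://ldap01:636", OLD_CERT_CN_ONLY),
        ("ldaps://ldap.example.com:636", OLD_CERT_SAN_MISMATCH),
        ("ldaps://ldap.example.com:636", NEW_CERT),
        ("ldaps://10.0.0.5:636", NEW_CERT),
        ("ldaps://a.b.example.com:636", WILDCARD_CERT),
    ]
    for url, cert in cases:
        ok, reason = hostname_matches(cert, ldap_url_host(url))
        print("%-4s %-48s %s" % ("OK" if ok else "FAIL", url, reason))
```

Running it shows the situations the article describes: a certificate whose only name is a short CN (ldap01) still passes when the LDAP URL uses that short name but fails for the fully qualified name; a certificate whose CN matches but whose SAN does not fails, because the CN is ignored once a SAN is present; and the regenerated certificate passes for both its DNS name and its IP address. To check a real server, retrieve its certificate with openssl s_client -connect host:636 and compare the subjectAltName entries with the host in the LDAP URL in the same way.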


Document Information

Modified date:
30 August 2018

UID

ibm10729913