LDAP Collectors report 'No subject alternative names matching IP address n.n.n.n found' in RSA Identity Governance & Lifecycle
Originally Published: 2018-09-10
Applies To
RSA Version/Condition: 7.0.x, 7.1.x
Issue
A test of the collector (Collectors > {Type of Collector} > {Collector Name} > Test) may return one of the following errors on the RSA Identity Governance & Lifecycle user interface screen:
com.aveksa.common.ConnectException: There is an error establishing a connection with the LDAP directory.
Please confirm the settings are correct.
or
Collector test failed: com.aveksa.server.runtime.ServerException:
Test request failed with response: com.aveksa.server.runtime.ServerException: com.aveksa.common.ConnectException:
Error in get connection to UserDirectory. Caused by javax.naming.CommunicationException: 192.168.26.120:636
[Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 192.168.26.120 found].
The aveksaServer.log has the following errors:
08/13/2018 18:11:31.752 WARN (ApplyChangesRegularThread-1198) [com.aveksa.client.datacollector.collectors.utils.LdapQueryUtil] com.aveksa.common.ConnectException: Invalid Certificate, it may be expired or not valid. Please enter valid PEM format certificate in Certificate field.
at com.aveksa.client.datacollector.collectors.utils.LdapQueryUtil.connect(LdapQueryUtil.java:212)
at com.aveksa.client.datacollector.collectors.utils.LdapQueryUtil.testConnection(LdapQueryUtil.java:368)
at com.aveksa.client.datacollector.collectors.utils.LdapQueryUtil.performOperation(LdapQueryUtil.java:139)
at com.aveksa.collector.accountdata.LdapAccountDataReader.performQuery(LdapAccountDataReader.java:263)
at com.aveksa.client.datacollector.collectors.accountdatacollectors.AccountDataCollector.performQuery(AccountDataCollector.java:474)
...
Caused by: javax.naming.CommunicationException: n.n.n.n:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address n.n.n.n found]
...
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address n.n.n.n found
...
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address n.n.n.n found
...
Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the log files for your specific deployment.
Cause
The Java 7 and Java 8 (8u181) updates referenced below enable endpoint identification on LDAPS connections by default: the host used to open the connection is verified against the Subject Alternative Name (SAN) attribute of the LDAP server certificate. When the collector connects by IP address and the certificate carries no matching IP address entry in its SAN attribute, the TLS handshake fails with the error above. For more information, please review the Oracle documentation.
- For Java version 7, see Java SE 7 Advanced and Java SE 7 Support (formerly known as Java for Business 7) Release Notes.
- For Java version 8, see the JDK 8u181 Update Release Notes.
NOTE: If you use a Remote Agent for collections, this security improvement may cause a separate problem with your collectors. Please see RSA Knowledge Base Article 000037409 - Remote collection agents fail with null pointer exception using latest JRE/JDK versions in RSA Identity Governance & Lifecycle for more information.
Resolution
The value required in the Subject Alternative Name (SAN) attribute of the LDAP server certificate depends on your RSA Identity Governance & Lifecycle version. In versions of RSA Identity Governance & Lifecycle prior to 7.1.1 P05 and 7.2, the SAN attribute must contain an IP address and optionally the LDAP server Fully Qualified Domain Name (FQDN); the hostname used in the collector's connection configuration must be an IP address that matches the IP address in the SAN attribute. Starting in RSA Identity Governance & Lifecycle version 7.1.1 P05 / 7.2 or later, the SAN attribute can contain the LDAP server FQDN or an IP address, and the hostname used in the collector's connection configuration must match one of the values in the SAN attribute.
In all RSA Identity Governance & Lifecycle versions, if the LDAP server certificate does not currently have a SAN attribute that meets these requirements, then new certificates will have to be generated that meet these requirements. See the documentation specific to your LDAP server for more information on how to generate the certificates.
Workaround
Option 1: Skip certificate validation.
NOTE: This workaround may not work if you are using an RSA Identity Governance & Lifecycle 7.1.0 release. In that case, use Option 2 below (Disable hostname validation) as the workaround.
Certificate validation can be skipped by modifying the collector definition. In the RSA Identity Governance & Lifecycle user interface go to Collectors > {Type of Collector} > {Collector Name} > Edit > Next. Under Connection, check Skip Certificate Validation and Finish to save the changes.
Option 2: Disable hostname validation.
Hostname validation is disabled by setting the Java Option -Dcom.sun.jndi.ldap.object.disableEndpointIdentification to true.
- Add the following option to the Java Options (Arguments) for the Application server.
-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
- For WildFly, as the root user, edit the /etc/init.d/aveksa_server file, and add the new option to JAVA_OPTS:
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"
- For a WildFly cluster, as the root user, edit the /etc/init.d/aveksa_cluster file, and add the new option to JAVA_OPTS. Edit this file on every node in the cluster.
- For WebSphere, login to the Admin Console and add the new option to the Generic JVM arguments.
- For WebLogic, login to the Admin Console and in the Server Start tab, add the new option to the Arguments field.
- Once the change has been made, restart RSA Identity Governance & Lifecycle:
acm restart
Notes
To view the certificate presented by the LDAP server and inspect its SAN attribute, run:
openssl s_client -showcerts -connect n.n.n.n:636
where,
n.n.n.n is the IP address of the server being reported in the error.
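The matching rule described under Resolution can be checked before running a collector test, using the "X509v3 Subject Alternative Name" line that openssl x509 -noout -text prints for the certificate returned by the command above. The following Python script is an added example and is not part of RSA Identity Governance & Lifecycle; the SAN line it uses is constructed, and the function names (parse_san, endpoint_matches, check) are the example's own.

```python
"""Check whether an LDAPS server certificate's Subject Alternative Name (SAN)
satisfies endpoint identification for the host string a collector connects with.

Added example, not part of RSA Identity Governance & Lifecycle.  The SAN text
below is constructed and mimics the 'X509v3 Subject Alternative Name' line that
`openssl x509 -noout -text` prints for a certificate obtained with
`openssl s_client -showcerts -connect n.n.n.n:636`.
"""
import ipaddress

# Constructed sample: the SAN line as printed by `openssl x509 -noout -text`.
SAN_LINE = "DNS:ldap.example.com, DNS:*.corp.example.com, IP Address:192.168.26.120"


def parse_san(line):
    """Split an openssl-style SAN line into (type, value) pairs.

    Returns e.g. [("DNS", "ldap.example.com"), ("IP", "192.168.26.120")].
    Entry types other than DNS and IP Address (email, URI, ...) are dropped
    because endpoint identification never consults them.
    """
    entries = []
    for item in line.split(","):
        item = item.strip()
        if item.startswith("DNS:"):
            entries.append(("DNS", item[len("DNS:"):].strip().lower()))
        elif item.startswith("IP Address:"):
            entries.append(("IP", item[len("IP Address:"):].strip()))
    return entries


def _dns_matches(pattern, host):
    """Match a SAN dNSName against host; a single '*' may replace the leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def endpoint_matches(configured_host, san_entries):
    """Return (ok, reason) for the host string used in the collector connection.

    Mirrors the rule the article states: an IP address host is satisfied only
    by an 'IP Address' SAN entry (a DNS entry or the subject CN never counts),
    while an FQDN host is satisfied only by a 'DNS' SAN entry.
    """
    try:
        ip = ipaddress.ip_address(configured_host)
    except ValueError:
        ip = None  # not an IP literal, treat as a DNS name
    if ip is not None:
        for kind, value in san_entries:
            if kind != "IP":
                continue
            try:
                if ipaddress.ip_address(value) == ip:
                    return True, f"IP Address SAN {value} matches"
            except ValueError:
                continue  # malformed IP entry in the certificate, skip it
        return False, f"No subject alternative names matching IP address {configured_host} found"
    for kind, value in san_entries:
        if kind == "DNS" and _dns_matches(value, configured_host):
            return True, f"DNS SAN {value} matches"
    return False, f"No subject alternative DNS name matching {configured_host} found"


def check(configured_host, san_line=SAN_LINE):
    """Convenience wrapper: parse the SAN line, then evaluate configured_host against it."""
    return endpoint_matches(configured_host, parse_san(san_line))


if __name__ == "__main__":
    # The third host reproduces the article's failure: the collector connects by
    # an IP address that is absent from the certificate's SAN attribute.
    for host in ("192.168.26.120", "ldap.example.com", "10.0.0.5", "www.corp.example.com"):
        ok, reason = check(host)
        print(f"{host:22} {'OK  ' if ok else 'FAIL'} {reason}")
```

To run it against a live directory, paste the SAN line from the output of openssl s_client -showcerts -connect n.n.n.n:636 piped through openssl x509 -noout -text into check() together with the exact host string configured on the collector. A FAIL for an IP address host means the collector will keep failing until the certificate is reissued with that IP address in its SAN attribute or the connection is switched to an FQDN listed as a DNS entry (on versions that permit it).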
For more information on generating certificates for Active Directory, please see the Microsoft Knowledge Base Article entitled How to add a subject alternative name to a secure LDAP certificate.