The RSA Identity Governance & Lifecycle AD Collector and AD ADC authentication source fail to establish a TLS 1.2 SSL connection with the AD LDAP server
4 years ago
Originally Published: 2018-06-19
Article Number
000041924
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.0, 7.0.1, 7.0.2
 
Issue
The RSA Identity Governance & Lifecycle AD Collector and AD ADC authentication source fail with the following error in the aveksaServer.log file (/home/oracle/wildfly-8.2.0.Final/standalone/log/aveksaServer.log):
  
06/18/2018 00:15:00.416 ERROR (ApplyChangesRegularThread-103) [com.aveksa.collector.accountdata.LdapAccountDataReaderConfig] Error in getting connection to UserDirectory , Root Cause : 
javax.naming.NamingException: JBAS011843: Failed instantiate InitialContextFactory com.sun.jndi.ldap.LdapCtxFactory from classloader com.aveksa.client.datacollector.framework.CollectorClassLoader@1395c8ec 
[Root exception is javax.naming.CommunicationException: simple bind failed: 192.168.1.1:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]]
...
Caused by: javax.naming.CommunicationException: simple bind failed: 192.168.1.1:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: .
	...
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: 
unable to find valid certification path to requested target
	...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	..
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

A tcpdump packet trace of the SSL negotiation shows the SSL failure as Internal Error (80):
  
Secure Sockets Layer
    TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Internal Error)
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Internal Error (80)
Cause
This issue may occur if the TLS 1.2 SSL handshake is unable to complete the negotiation of an acceptable cipher during the SSL handshake.   Specifically, the Internal Error (80) relates to a failure of the JDK shared libraries to support TLS 1.2 negotiation.  All current patches of RSA Identity Governance & Lifecycle have the ability to support TLS 1.2 SSL, but there are dependencies on the JDK version that is installed.  Without the appropriate JDK installed, the TLS 1.2 SSL negotiation may fail. 
Resolution
Ensure that you have applied the latest RSA Identity Governance & Lifecycle Java JDK upgrade that is included with the RSA Identity Governance & Lifecycle patch for your version.  Refer to the release notes for the patch for information on how to download and install the JDK upgrade. 

Related Articles

Trending Articles

Don't see what you're looking for?