ldap connection broken after applying API Gateway patch

Document ID : KB000115251
Last Modified Date : 19/12/2018
Issue:
Once the update is applied, any APIs that use the LDAP host, the connection test in the identity provider window, and even logins to Policy Manager with LDAP credentials will fail.

This is the output seen in ssg_0_0.log:

com.l7tech.server.identity.ldap.LdapUrlProviderImpl: Trying to recover using this url: ldaps://ldaphost_name:636
com.l7tech.server.identity.ldap.LdapIdentityProviderImpl: Could not establish context using LDAP URL ldaps://ldaphost_name:636. ldaphost_name:636. Caused by: No name matching ldaphost_name found

If additional SSL debugging is enabled and sent to a dedicated debug log on the Gateway, this is the output:

%% Invalidated: [Session-281, TLS_RSA_WITH_AES_256_CBC_SHA256]
tomcat-exec-executor-497, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
tomcat-exec-executor-497, WRITE: TLSv1.2 Alert, length = 2
tomcat-exec-executor-497, called closeSocket()
tomcat-exec-executor-497, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching ldaphost_name found
Environment:
CA API Gateway 9.3 CR03
Any LDAP technology that requires certificate verification to connect to a secure port.
This can also happen when applying the 9.2 CR10 patch.
Cause:
Our investigation indicates that this problem is related to the updated Oracle JDK that ships with API Gateway 9.3 CR03.
See the JDK 1.8_181 release notes:
http://www.oracle.com/technetwork/java/javase/8u181-relnotes-4479407.html

core-libs/javax.naming
➜ Improve LDAP support

Endpoint identification has been enabled on LDAPS connections.

To improve the robustness of LDAPS (secure LDAP over TLS ) connections, endpoint identification algorithms have been enabled by default.
Resolution:
With this JDK update, the hostname the Gateway uses in the LDAP URL must match a name the server certificate was issued for, otherwise the connection is refused. This is accomplished by including Subject Alternative Names (SANs) in the certificate: every hostname (not IP address) under which the certificate is presented, including aliases for load balancers, is listed as a SAN and is then accepted as the "ldaphost_name" in the URL.
Unfortunately, the Policy Manager for API Gateway 9.3 cannot add SANs to a Certificate Signing Request. This has to be done with another tool, such as OpenSSL.
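As an added illustration (not part of this article or of the Gateway's code), the following Python model reproduces the hostname rules that the JDK's LDAPS endpoint identification applies to the host in the LDAP URL, so an administrator can check a certificate's CN and SAN entries against the URL before choosing between re-issuing the certificate and disabling the check. The certificate is represented as a constructed dict of parsed fields; all host names in it are made up. It also covers the IP-literal and wildcard cases the article does not spell out.

```python
"""Model of the JDK 8u181 LDAPS endpoint-identification check (constructed
stand-in; the real check lives in the JDK's HostnameChecker)."""
import ipaddress
from urllib.parse import urlsplit


def ldap_url_host(url: str) -> str:
    """Return the host of an ldap:// or ldaps:// URL, without port or brackets."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP URL: {url!r}")
    return parts.hostname  # urlsplit lower-cases the host for us


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS match; '*' may replace only the left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard stands for exactly one label and never matches a TLD.
    return (len(p_labels) == len(h_labels) and len(p_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def endpoint_identified(url: str, cert: dict) -> bool:
    """True if the URL's host is a name the certificate was issued for.

    `cert` is a constructed model of the parsed X.509 certificate:
    {"cn": str, "san_dns": [str, ...], "san_ip": [str, ...]}.
    """
    host = ldap_url_host(url)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal must appear as an iPAddress SAN; the CN is ignored.
        return any(ipaddress.ip_address(s) == ip for s in cert.get("san_ip", []))
    san_dns = cert.get("san_dns", [])
    if san_dns:
        # Once dNSName SANs are present the CN is never consulted.
        return any(_dns_match(name, host) for name in san_dns)
    return bool(cert.get("cn")) and _dns_match(cert["cn"], host)
```

With a certificate whose only name is the server's CN, the Gateway's URL `ldaps://ldaphost_name:636` fails exactly as in the log above; adding `ldaphost_name` as a SAN makes it pass without touching the JVM flag.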

The workaround is to set the system property described in the Java release notes.

On the Gateway this means adding the line below to /opt/SecureSpan/Gateway/runtime/etc/profile.d/ssgruntimedefs.sh:

default_java_opts="$default_java_opts -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"

Then restart the Gateway.

Additional Information:
Oracle did not fix a vulnerability here; it imposed a "secure by default" stance on identity verification (that is, verifying that the certificate belongs to the host being contacted). Setting the com.sun.jndi.ldap.object.disableEndpointIdentification flag therefore does not regress the deployment's security relative to its behaviour before the JDK update. However, the stronger posture Oracle is proposing requires a tighter certificate management regime for the solution: the certificate provisioned to the LDAP server has to carry a name that matches the hostname API Gateway uses to connect to it.