Deployment could hang intermittently when RA is configured to authenticate against LDAP servers that are configured with round robin.

Document ID : KB000008330
Last Modified Date : 14/02/2018
Issue:

A deployment could hang indefinitely when:

  • An action attempts to authenticate against an LDAP server.
  • The LDAP server in question belongs to a group of LDAP servers.
  • The server group is configured in a round robin configuration.
  • The round robin configuration includes automatically rotating IP addresses and SSL certificates.
  • The action attempts to execute during the rotation of the SSL certificates.

The last point is of particular note, because it makes the hang appear to be an intermittent issue: the deployment runs successfully whenever no round robin rotation occurs while the deployment is executing.

A key symptom that will occur in this scenario is the appearance of the following error in the NAC's nolio_dm_all.log:

[ContinueStageExecutionTask-54571] ERROR (com.nolio.platform.server.dataservices.services.auth.retrieval.authorization.NolioActiveDirectoryAuthorizationRetriever:68) - Error while trying to fetch users authorities from Active Directory using tokenGroups

javax.naming.CommunicationException: simple bind failed: abc.company.com:3269 [Root exception is javax.net.ssl.SSLHandshakeException: server certificate change is restricted during renegotiation]

Cause:

Release Automation versions up to 6.5 use httpclient 4.3.2 with Java 1.8.073. These versions of Java and httpclient introduced a check to address the POODLE vulnerability. Executing that check causes a deployment to hang if an IP address / SSL certificate rotation occurs during LDAP authentication.

Resolution:

Product Development is reviewing this issue with Java and httpclient. In the interim, the following workaround can be implemented to force Java and Tomcat to ignore the certificate change during a round robin rotation.

Edit the catalina.sh (Linux/Unix) or the catalina.bat (Windows) and add the following:

JVM_OPTS="$JVM_OPTS -Djdk.tls.allowUnsafeServerCertChange=true -Dsun.security.ssl.allowUnsafeRenegotiation=true"

Ensure that the above line is added before this line:

CATALINA_OPTS="$REMOTE_DEBUG $JVM_OPTS $AGENT_PATHS $JAVA_AGENTS $JAVA_LIBRARY_PATH"
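As an added example that is not part of this KB article, the following POSIX shell script applies the workaround line above to a catalina.sh exactly once, directly before the CATALINA_OPTS line, and audits a catalina.sh so that hosts still carrying these relaxed TLS settings can be located and the line removed once the product fix is available. The catalina.sh path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not part of the KB article: apply the KB's JVM_OPTS workaround
# to catalina.sh exactly once, directly before the CATALINA_OPTS line, and
# audit a catalina.sh so hosts still carrying the relaxed TLS settings
# can be found and reverted once the product fix ships.

WORKAROUND_LINE='JVM_OPTS="$JVM_OPTS -Djdk.tls.allowUnsafeServerCertChange=true -Dsun.security.ssl.allowUnsafeRenegotiation=true"'
ANCHOR='CATALINA_OPTS="$REMOTE_DEBUG $JVM_OPTS $AGENT_PATHS $JAVA_AGENTS $JAVA_LIBRARY_PATH"'

# apply_workaround FILE
# Returns 0 when FILE contains the workaround before CATALINA_OPTS (inserting it
# if needed), 1 when the CATALINA_OPTS anchor is missing and nothing was changed.
apply_workaround() {
  file="$1"
  grep -qF -- "$WORKAROUND_LINE" "$file" && return 0   # already applied
  grep -qF -- "$ANCHOR" "$file" || return 1            # refuse to guess a location
  tmp="$file.tmp.$$"
  # Copy every line; when the anchor line is reached, emit the workaround first.
  awk -v w="$WORKAROUND_LINE" -v a="$ANCHOR" '$0 == a { print w } { print }' \
    "$file" > "$tmp" && mv "$tmp" "$file"
}

# audit_workaround FILE
# Returns 0 (and prints "present") only when the workaround line exists AND sits
# before the CATALINA_OPTS line, i.e. Tomcat will actually pass the flags to the JVM.
audit_workaround() {
  file="$1"
  w_line=$(grep -nF -- "$WORKAROUND_LINE" "$file" | head -n 1 | cut -d: -f1)
  a_line=$(grep -nF -- "$ANCHOR" "$file" | head -n 1 | cut -d: -f1)
  if [ -n "$w_line" ] && [ -n "$a_line" ] && [ "$w_line" -lt "$a_line" ]; then
    echo "present: $file line $w_line (before CATALINA_OPTS on line $a_line)"
    return 0
  fi
  echo "absent or misplaced: $file"
  return 1
}

# Usage: sh apply_ra_ldap_workaround.sh /opt/tomcat/bin/catalina.sh (assumed path)
if [ "$#" -ge 1 ]; then
  apply_workaround "$1" && audit_workaround "$1"
fi
```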