Gateway Version 9.4 Is Unable To Connect To Identity Provider Over LDAPS

Document ID : KB000124354
Last Modified Date : 10/01/2019
Issue:
Using Gateway release 9.4 we are unable to connect to our LDAP Identity Provider over the LDAPS protocol.
We do not experience this problem with the exact same configuration in earlier releases of the Gateway.

Looking at ssg_0_0.log we see the following kind of error when testing
the connection to the identity provider:

com.l7tech.server.identity.ldap.LdapIdentityProviderImpl: Could not establish context using LDAP URL ldaps://xxxxx.com:636. xxxxx.com:636. Caused by: No subject alternative DNS name matching xxxxx.com found.
Environment:
Gateway 9.4
Cause:
The Java version used in Gateway 9.4 has been updated to 1.8.0_181, whereas a base 9.3 install uses 1.8.0_152.

The Oracle release notes for Java 1.8.0_181
(https://www.oracle.com/technetwork/java/javase/8u181-relnotes-4479407.html), under Changes, core-libs/javax.naming,
document the following change:

Improve LDAP support

Endpoint identification has been enabled on LDAPS connections. To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default. Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification. Define this system property (or set it to true) to disable endpoint identification algorithms.
Resolution:
Oracle has adopted a stricter position on identity verification (i.e. verifying the server certificate against the host name being connected to) and requires deployments to
have a tighter certificate management process.

The certificate provisioned to the LDAP server must have a common name that matches the host name the Gateway uses to connect to the LDAP server.
Make sure the certificate's subject alternative name (SAN) entries contain every host name that is used to reach the server, since the error above is raised when no SAN DNS entry matches the host name in the LDAP URL.
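
The following script is an added diagnostic example and is not part of the Gateway product or of this article. It approximates the host name check that Java 1.8.0_181 performs for LDAPS (DNS subject alternative names are consulted first; the common name is only used when the certificate has no DNS SAN at all, and a wildcard covers exactly one leftmost label) and reports why a given certificate fails for the host in the LDAP URL. The sample certificates and host names (ldap.example.com and friends) are constructed for illustration; check_ldaps_server() fetches a live server certificate using the system trust store, which may differ from the Gateway's own trust store.

```python
"""Offline reproduction of the LDAPS endpoint identification (host name) check.

Added example, not code from the Gateway product or the KB article. The matching
rules below approximate the JDK behaviour enabled in 1.8.0_181.
"""
import socket
import ssl
from urllib.parse import urlparse


def ldap_url_host(url):
    """Host name that will be verified for an ldaps:// URL (lower-cased)."""
    parsed = urlparse(url)
    if parsed.scheme != "ldaps" or not parsed.hostname:
        raise ValueError("expected an ldaps://host[:port] URL")
    return parsed.hostname.lower()


def name_matches(pattern, hostname):
    """Match one certificate DNS name against a host name.

    A wildcard is honoured only as the whole leftmost label and only when at
    least two labels follow it: '*.example.com' covers 'ldap.example.com' but
    not 'a.b.example.com' or 'example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Return (san_dns_names, common_names) from a getpeercert()-style dict."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    return sans, cns


def endpoint_identification(cert, hostname):
    """Return (ok, reason) for the host name check on a peer certificate dict."""
    sans, cns = cert_names(cert)
    if sans:
        # Once DNS SANs are present, the common name is not consulted at all.
        if any(name_matches(n, hostname) for n in sans):
            return True, "host name matched a subject alternative DNS name"
        return False, f"No subject alternative DNS name matching {hostname} found"
    if any(name_matches(n, hostname) for n in cns):
        return True, "host name matched the subject common name (certificate has no DNS SAN)"
    return False, f"No DNS SAN present and common name does not match {hostname}"


def check_ldaps_server(url, timeout=5):
    """Fetch the server certificate over TLS and check it against the URL's host.

    Uses the system trust store; an untrusted chain raises
    ssl.SSLCertVerificationError, which is a different problem from the host
    name mismatch this function explains.
    """
    hostname = ldap_url_host(url)
    port = urlparse(url).port or 636
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we perform and explain the host name check ourselves
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return endpoint_identification(tls.getpeercert(), hostname)


# Constructed sample certificates in the shape ssl.SSLSocket.getpeercert() returns.
CERT_SAN_MISMATCH = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap-01.example.com"),),  # CN matches, SAN does not
}
CERT_WILDCARD_SAN = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
CERT_CN_ONLY = {"subject": ((("commonName", "ldap.example.com"),),)}

if __name__ == "__main__":
    host = ldap_url_host("ldaps://ldap.example.com:636")
    for label, cert in [("SAN mismatch", CERT_SAN_MISMATCH),
                        ("wildcard SAN", CERT_WILDCARD_SAN),
                        ("CN only", CERT_CN_ONLY)]:
        ok, reason = endpoint_identification(cert, host)
        print(f"{label:13s} -> {'OK  ' if ok else 'FAIL'} {reason}")
```

The "SAN mismatch" sample is the shape of certificate that worked on 9.3 and fails on 9.4: the common name is right but the SAN list does not name the host in the LDAP URL, which is exactly the condition behind the log message in this article.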

You can also disable the new endpoint identification feature introduced by Oracle by setting the following property on the Gateway.
Add the following line to the /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties file:

com.sun.jndi.ldap.object.disableEndpointIdentification=true

Then restart the Gateway service for the change to take effect; you should now be able to connect successfully to your LDAP Identity Provider. Note that this setting restores the pre-9.4 behaviour, in which the LDAP server's certificate is not checked against the host name in the LDAP URL.