GroupWise LDAP sync using SSL fails without obvious errors

  • 7023394
  • 28-Sep-2018
  • 28-Sep-2018

Environment

GroupWise 18

Situation

GroupWise is configured with an LDAP connection using SSL. The LDAP sync fails with no obvious error message in the MTA log. In the LDAP Directory configuration screen, clicking on Test Connection fails with a generic error message. The SSL certificate is not expired.

Resolution

Ensure a valid certificate with a proper host name in the Subject Alternative Names field is being used.

Cause

Due to recent changes in Java, endpoint identification is applied to LDAPS connections by default: if the address used to connect to the LDAP server (host name or IP address) does not match the CN or Subject Alternative Names of the LDAP server certificate, the TLS handshake fails. Note that when an IP address is used to connect, only an IP-type Subject Alternative Name is consulted; the CN is not.

Additional Information

With the log level of the gwadminservice set to debug, the following error message will be observed in the gwadmin-console.log file:

2018-09-26 14:03:12 LdapServer [DEBUG] Creating LDAP connection at ldaps://10.0.0.52:636/
2018-09-26 14:03:12 LdapServer [FATAL] Error building connection to ldap server 'ROOT'
javax.naming.CommunicationException: 10.0.0.52:636

and further down after the Java error information:

Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 10.0.0.52 found
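As an added example (not part of this TID and not GroupWise code), the following Python script applies the same name-matching rules that Java's endpoint identification uses, so an administrator can check a certificate against the intended connection address before changing the LDAP Directory configuration. The sample certificate dictionary is constructed to resemble the failing case above (a DNS name in the SAN, no IP address); `probe_ldaps` is a hypothetical helper that fetches a live server's certificate using only the standard library.

```python
"""Pre-flight check mirroring Java's LDAPS endpoint identification (added example)."""
import ipaddress
import socket
import ssl
# Constructed sample: certificate issued only to a DNS name, as in the failing case above.
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.example.internal"),),),
    "subjectAltName": (("DNS", "ldap.example.internal"),),
}
def _dns_match(pattern, host):
    # RFC 6125 style: '*' is allowed only as the entire leftmost label.
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(h) > 2 and p[1:] == h[1:]
    return p == h
def identity_problems(peer_cert, address):
    """Return [] if `address` is acceptable for `peer_cert` (the dict shape that
    ssl.SSLSocket.getpeercert() returns), otherwise the reason it is not."""
    sans = peer_cert.get("subjectAltName", ())
    dns_names = [v for t, v in sans if t == "DNS"]
    ip_names = [v for t, v in sans if t == "IP Address"]
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal must match an IP-type SAN; the CN is never consulted.
        if any(ipaddress.ip_address(v) == ip for v in ip_names):
            return []
        return [f"No subject alternative names matching IP address {address} found"]
    if dns_names:
        if any(_dns_match(d, address) for d in dns_names):
            return []
        return [f"No subject alternative DNS name matching {address} found"]
    # Legacy fallback: the CN is consulted only when the certificate carries no DNS SAN.
    cns = [v for rdn in peer_cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(_dns_match(cn, address) for cn in cns):
        return ["no SAN present; matched on CN only (deprecated, add a SAN)"]
    return [f"No name matching {address} found"]
def probe_ldaps(host, port=636, cafile=None):
    """Validate the chain but skip hostname checking so the certificate can still be
    inspected, then report what Java's endpoint identification would reject."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # chain is still verified (CERT_REQUIRED)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return identity_problems(tls.getpeercert(), host)
```

Run `probe_ldaps("10.0.0.52")` (or the host name you intend to configure) to see the mismatch reason; an empty list means the address will pass Java's check.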