Environment
Identity Governance (Access Review) 3.5
Situation
During a new 3.5 install with a local OSP, pointing at an existing IDV LDAP source, you get the following error when viewing the OSP log with OSP debugging enabled.
"java.security.cert.CertificateException: No name matching error"
You may also see the following stack trace in the OSP logs:
Preamble: [OIDP] Priority Level: INFO Java: internal.osp.oidp.service.oauth2.handler.WellKnown.addSupportedScopesAndClaims() [397] thread=http-nio-8080-exec-7 Time: 2019-01-03T08:28:36.993-0800 Log Data: Error obtaining schema for auth source 'bisadus: internal.atlaslite.jcce.ldap.jndi.JNDIExceptionLDAPServiceNotAvailable: No LDAP connection available. internal.atlaslite.jcce.ldap.jndi.JNDIStore: JNDIStore.java: getIdentitySchema: 783 internal.osp.oidp.service.source.ldap.LDAPSource: LDAPSource.java: getNativeIdentitySchema: 970 internal.osp.oidp.service.source.DataSourceImpl: DataSourceImpl.java: getSchema: 615 internal.osp.oidp.service.source.ldap.LDAPAuthenticationSource: LDAPAuthenticationSource.java: getSchema: 455 internal.osp.oidp.service.oauth2.handler.WellKnown: WellKnown.java: addSupportedScopesAndClaims: 379 internal.osp.oidp.service.oauth2.handler.WellKnown: WellKnown.java: handle: 273 internal.osp.oidp.service.oauth2.handler.OAuth2Handler: OAuth2Handler.java: processRequest: 447 internal.osp.oidp.service.servlets.handler.AuthenticationServiceRequestHandler: AuthenticationServiceRequestHandler.java: handleRequest: 380 internal.osp.framework.handler.TenantRequestHandler: TenantRequestHandler.java: handleRequest: 155 internal.osp.framework.handler.OSPHandler: OSPHandler.java: handleRequest: 157 internal.osp.framework.servlet.OSPServlet: OSPServlet.java: process: 214 internal.osp.framework.servlet.OSPServlet: OSPServlet.java: doGet: 156 javax.servlet.http.HttpServlet: HttpServlet.java: service: 634 javax.servlet.http.HttpServlet: HttpServlet.java: service: 741 org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: internalDoFilter: 231 org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: doFilter: 166 org.apache.tomcat.websocket.server.WsFilter: WsFilter.java: doFilter: 53 org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: internalDoFilter: 193 
org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: doFilter: 166 org.apache.catalina.core.StandardWrapperValve: StandardWrapperValve.java: invoke: 199 org.apache.catalina.core.StandardContextValve: StandardContextValve.java: invoke: 96 org.apache.catalina.authenticator.AuthenticatorBase: AuthenticatorBase.java: invoke: 607 org.apache.catalina.core.StandardHostValve: StandardHostValve.java: invoke: 139 org.apache.catalina.valves.ErrorReportValve: ErrorReportValve.java: invoke: 92 org.apache.catalina.valves.AbstractAccessLogValve: AbstractAccessLogValve.java: invoke: 668 org.apache.catalina.core.StandardEngineValve: StandardEngineValve.java: invoke: 74 org.apache.catalina.connector.CoyoteAdapter: CoyoteAdapter.java: service: 343 org.apache.coyote.http11.Http11Processor: Http11Processor.java: service: 408 org.apache.coyote.AbstractProcessorLight: AbstractProcessorLight.java: process: 66 org.apache.coyote.AbstractProtocol$ConnectionHandler: AbstractProtocol.java: process: 770 org.apache.tomcat.util.net.NioEndpoint$SocketProcessor: NioEndpoint.java: doRun: 1,415 org.apache.tomcat.util.net.SocketProcessorBase: SocketProcessorBase.java: run: 49 java.util.concurrent.ThreadPoolExecutor: ThreadPoolExecutor.java: runWorker: 1,149 java.util.concurrent.ThreadPoolExecutor$Worker: ThreadPoolExecutor.java: run: 624 org.apache.tomcat.util.threads.TaskThread$WrappingRunnable: TaskThread.java: run: 61 java.lang.Thread: Thread.java: run: 748
Resolution
Since this issue occurs on Secure LDAP (LDAPS), the behavior is caused by the Subject of the eDirectory certificate not matching the full DNS name of the actual server.
For example if the Subject on the Certificate is:
CN=Test,O=MyTree
and the DNS Name of the server is:
test.netiq.com
The two do not match, and you are seeing a side effect of Java 1.8.0.181 (or later), which now performs stricter endpoint identification (hostname verification) on LDAPS connections.
You have two (2) options:
a) Update the certificate so that the Subject matches the actual DNS name
(for example: CN=Test.netiq.com, O=MyTree)
b) In setenv.sh (or setenv.bat on Windows), add the following entry to JAVA_OPTS:
-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
Note that this turns hostname verification off for every LDAP connection the JVM makes, so option a) is the preferred fix and b) should be treated as a temporary workaround.
Then restart Tomcat and try again.
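Added example, not part of the original article or the product: a Python check that applies the same name-matching rule Java's endpoint identification uses, so you can confirm whether the eDirectory certificate will be accepted before choosing option a) or b). It goes a little beyond the article by also honouring SAN dNSName entries and wildcards. It assumes you export the eDirectory CA certificate to a PEM file whose path you pass in; the function names `name_matches`, `cert_identifies_host` and `probe_ldaps_server` are chosen here.

```python
import socket
import ssl
from typing import Iterable, Optional


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (a SAN dNSName or the subject CN) against a
    hostname, case-insensitively. A '*' is honoured only as the whole leftmost
    label, which is the RFC 6125 rule Java's endpoint identification follows."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_identifies_host(hostname: str, san_dns: Iterable[str] = (),
                         subject_cn: Optional[str] = None) -> bool:
    """True if the certificate's names cover `hostname`. dNSName SAN entries are
    authoritative when present; the CN is consulted only when there are none."""
    names = list(san_dns) or ([subject_cn] if subject_cn else [])
    return any(name_matches(n, hostname) for n in names)


def probe_ldaps_server(hostname: str, port: int = 636,
                       cafile: Optional[str] = None) -> bool:
    """Connect to the LDAPS port, validate the chain against `cafile` (the
    exported eDirectory CA), then apply the same name check Java will."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False            # we do the name check ourselves, to report it
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain must still validate to get the cert dict
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn
               if k == "commonName"), None)
    ok = cert_identifies_host(hostname, san, cn)
    print(f"CN={cn!r} SAN={san} host={hostname!r} -> {'OK' if ok else 'MISMATCH'}")
    return ok


if __name__ == "__main__":
    import sys
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    sys.exit(0 if probe_ldaps_server(sys.argv[1], cafile=ca) else 1)
```

Run it as `python check_ldaps_name.py test.netiq.com /path/to/edir-ca.pem`; a MISMATCH result with no SAN entries is exactly the CN=Test vs. test.netiq.com case the article describes.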