After applying updates to Filr 3.x, the following problems may be seen:
- New users do not import into the Appliance
- User authentications fail
After starting the LDAP synchronization operation, the /var/opt/novell/tomcat-filr/logs/appserver.log may contain an error such as (where e.g. 10.0.0.1 is the source LDAP server):
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 10.0.0.1 found]
This issue might be seen when configuring the LDAP server in Filr to import the users using the remote server's IP address while using secure connection, and the certificate sent from the LDAP server does not contain the SAN attribute or the SAN attribute only has the DNS names and not the IP address of the LDAP server configured on the appliance. This can be the case, for example, when using wildcard certificates. As wildcard certificates can be used in all servers, the certificate will not have the IP address in the SAN attribute.
1. Ideally, (re)create the certificate on the source LDAP server to include a SAN (Subject Alternative Name) attribute which contains the server's DNS name and IP address. For example, if you check eDir certificates, by default they are created with both the server name and IP address in the SAN.
2. Disable the endpoint identification check. This will fix the issue, but it decreases security:
a) Stop the Filr service with "rcfilr stop". If the service fails to stop, you will need to kill the process.
b) Add the "-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true" parameter to the "JAVA_OPTS" variable in the file "/opt/novell/filr/apache-tomcat/bin/catalina.sh" and save the file.
Before Modification:
JAVA_OPTS="$JAVA_OPTS -Djava.awt.headless=true -Djavax.xml.transform.TransformerFactory=org.apache.xalan.processor.TransformerFactoryImpl"
After Modification:
JAVA_OPTS="$JAVA_OPTS -Djava.awt.headless=true -Djavax.xml.transform.TransformerFactory=org.apache.xalan.processor.TransformerFactoryImpl -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"
c) Start the Filr service with "rcfilr start".
After making these changes, LDAP synchronization will work again without changing the SSL certificate or the LDAP configuration, but the deployment should be upgraded to Filr 4, as this workaround is only temporary.
New security measures enforce the validation of the certificate SAN attribute. Previously, the CN (Common Name) was sufficient.
If the current certificate does not have a SAN, LDAPS communication will fail.
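To make the failure mode above concrete, here is an added example (not part of this article, and not Filr or Java code) that applies the same matching rules the enforced endpoint check uses: the host configured in the LDAP settings is compared only against the certificate's Subject Alternative Name entries, an IP literal must appear as an iPAddress entry, a DNS name is matched against dNSName entries (a wildcard covers exactly one left-most label), and the CN is never consulted. The SAN lists and host names are constructed for illustration; they do not come from any real certificate.

```python
import ipaddress

# Constructed SAN lists, as they would be read out of a server certificate.
# A wildcard certificate carries only DNS names, never an IP address.
WILDCARD_CERT_SANS = [("DNS", "*.example.com")]
# An eDirectory-style certificate carries both the server name and its IP.
EDIR_STYLE_SANS = [("DNS", "ldap1.example.com"), ("IP", "10.0.0.1")]
# A certificate that only has a CN and no SAN extension at all.
CN_ONLY_CERT_SANS = []


def _dns_matches(pattern: str, host: str) -> bool:
    """dNSName match: case-insensitive; a wildcard is allowed only as the
    whole left-most label and matches exactly one non-empty label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if len(p_labels) != len(h_labels) or len(h_labels) < 3 or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def endpoint_identifies(configured_host: str, sans) -> bool:
    """Return True if the host entered in the LDAP configuration is covered
    by the certificate's SAN entries. An IP literal is only satisfied by an
    iPAddress entry; a DNS name only by a dNSName entry. The CN is ignored,
    which is exactly why CN-only and wildcard certificates fail when the
    appliance is configured with the LDAP server's IP address."""
    try:
        wanted_ip = ipaddress.ip_address(configured_host)
    except ValueError:
        wanted_ip = None  # configured host is a DNS name

    for kind, value in sans:
        if wanted_ip is not None and kind == "IP":
            try:
                if ipaddress.ip_address(value) == wanted_ip:
                    return True
            except ValueError:
                continue  # malformed IP entry in the certificate; skip it
        elif wanted_ip is None and kind == "DNS" and _dns_matches(value, configured_host):
            return True
    return False


def diagnose(configured_host: str, sans) -> str:
    """Human-readable verdict matching the error class seen in appserver.log."""
    if endpoint_identifies(configured_host, sans):
        return f"OK: '{configured_host}' is covered by the certificate SAN"
    kind = "IP address" if endpoint_identifies.__name__ and _is_ip(configured_host) else "DNS name"
    return f"FAIL: no subject alternative name matching {kind} '{configured_host}'"


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Filr configured with the IP address against a wildcard certificate:
    print(diagnose("10.0.0.1", WILDCARD_CERT_SANS))
    # The same certificate works when the DNS name is configured instead:
    print(diagnose("ldap1.example.com", WILDCARD_CERT_SANS))
    # An eDir-style certificate covers both forms:
    print(diagnose("10.0.0.1", EDIR_STYLE_SANS))
    # A CN-only certificate never passes the check:
    print(diagnose("ldap1.example.com", CN_ONLY_CERT_SANS))
```

In practice the SAN entries are read from the certificate the LDAP server actually presents; on a host with OpenSSL 1.1.1 or newer, `openssl s_client -connect 10.0.0.1:636 -showcerts </dev/null | openssl x509 -noout -ext subjectAltName` prints them, and comparing that output with the host entered in the Filr LDAP configuration tells you before enabling the workaround whether fix 1 (a certificate with the IP in the SAN) or simply configuring the DNS name instead of the IP address will resolve the error.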
NOTE: eDir certificates newer than 2017, or external certificates that contain the SAN attribute, are not affected. In 2017, eDir implemented the SAN attribute on the eDir certificate.
This new Java version has implemented security checks on certificates that cause this issue.
If customers need additional information, the links below explain this security update: