Secure LDAP user import and authentication fails after Filr 3 update

  • 7024572
  • 17-Apr-2020
  • 22-Apr-2020

Environment

Filr 3

Situation

After applying updates to Filr 3.x, the following problems may be seen:
  • New users do not import into the Appliance
  • User authentications fail
After starting the LDAP synchronization operation, the /var/opt/novell/tomcat-filr/logs/appserver.log may contain an error such as (where e.g. 10.0.0.1 is the source LDAP server):

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 10.0.0.1 found]

This issue might be seen when the LDAP server is configured in Filr by the remote server's IP address over a secure (LDAPS) connection, and the certificate sent by the LDAP server either has no SAN attribute or has a SAN that lists only DNS names and not the IP address of the LDAP server configured on the appliance. This is the case, for example, with wildcard certificates: because one wildcard certificate is used on many servers, it does not carry any particular server's IP address in the SAN attribute.
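The following is an added example (not part of this KB article, and not Filr or JDK code) that shows why the error above occurs. It applies the standard hostname/IP matching rules (RFC 6125 / RFC 2818 style) to a certificate's SAN entries: an IP literal must be listed as an IP-address SAN, a DNS name must match a DNS SAN (a wildcard covers exactly one left-most label), and the subject CN is not consulted. The certificate dicts are constructed samples in the shape Python's ssl.getpeercert() returns; fetch_peer_cert() is an assumed helper for pulling a real server certificate so the same check can be run before configuring the appliance.

```python
"""Endpoint identification check for an LDAPS server certificate (added example)."""
import ipaddress
import socket
import ssl


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, host):
    """Exact match, or a '*.' wildcard that covers exactly one left-most label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                        # "*.example.com" -> ".example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]                # part the wildcard must cover
    return bool(label) and "." not in label     # one non-empty label only


def endpoint_matches(cert, configured_host):
    """Return (ok, reason) for the host string the LDAP client was configured with."""
    sans = cert.get("subjectAltName", ())
    if not sans:
        return False, "certificate has no subjectAltName extension"
    if is_ip_literal(configured_host):
        wanted = ipaddress.ip_address(configured_host)
        ip_sans = [v for k, v in sans if k == "IP Address"]
        if any(ipaddress.ip_address(v) == wanted for v in ip_sans):
            return True, "IP address %s present in SAN" % configured_host
        # This is the condition behind the appserver.log error quoted above.
        return False, "no subject alternative names matching IP address %s (SAN has %s)" % (
            configured_host, ", ".join("%s=%s" % e for e in sans))
    for pattern in (v for k, v in sans if k == "DNS"):
        if dns_name_matches(pattern, configured_host):
            return True, "DNS name %s matched SAN entry %s" % (configured_host, pattern)
    return False, "no DNS SAN entry matches %s" % configured_host


def fetch_peer_cert(host, port=636, cafile=None):
    """Fetch a live server certificate for diagnosis (assumed helper, not run offline).

    check_hostname is turned off so the handshake completes even on a mismatch;
    the chain is still validated (against cafile, e.g. the eDir CA, if given),
    and endpoint_matches() is then applied explicitly by the caller."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (no real server), in getpeercert() shape.
WILDCARD_CERT = {    # wildcard cert: SAN lists DNS names only
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
EDIR_STYLE_CERT = {  # eDir-style cert: SAN carries both server name and IP
    "subject": ((("commonName", "ldap1.example.com"),),),
    "subjectAltName": (("DNS", "ldap1.example.com"), ("IP Address", "10.0.0.1")),
}
CN_ONLY_CERT = {     # legacy cert relying on the CN alone
    "subject": ((("commonName", "ldap1.example.com"),),),
}

if __name__ == "__main__":
    for name, cert in ("wildcard", WILDCARD_CERT), ("eDir", EDIR_STYLE_CERT), ("CN-only", CN_ONLY_CERT):
        for host in ("10.0.0.1", "ldap1.example.com"):
            ok, reason = endpoint_matches(cert, host)
            print("%-8s %-18s %s: %s" % (name, host, "OK " if ok else "FAIL", reason))
```

Running the demo shows the two ways out of the situation described above: configure the LDAP server in Filr by a DNS name the wildcard certificate covers, or issue a certificate whose SAN includes the IP address (as eDir does by default).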

Resolution

Possible solutions:

1. Ideally, (re)create the certificate on the source LDAP server to include a SAN (Subject Alternative Name) attribute that contains the server's DNS name and IP address. eDir certificates, for example, are by default created with both the server name and the IP address in the SAN.

2. Disable the endpoint identification check. This fixes the issue but decreases security:
a) Stop the Filr service: "rcfilr stop". If the service fails to stop, you will need to kill the process.
b) Add the "-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true" parameter to the "JAVA_OPTS" variable in the file "/opt/novell/filr/apache-tomcat/bin/catalina.sh" and save the file.

For example:
Before Modification:
JAVA_OPTS="$JAVA_OPTS -Djava.awt.headless=true -Djavax.xml.transform.TransformerFactory=org.apache.xalan.processor.TransformerFactoryImpl"
After Modification:
JAVA_OPTS="$JAVA_OPTS -Djava.awt.headless=true -Djavax.xml.transform.TransformerFactory=org.apache.xalan.processor.TransformerFactoryImpl -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"

c) Start the Filr service: "rcfilr start"
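The following is an added example (not part of this KB article, and not a Filr tool) for making the catalina.sh change in step b) repeatably: it appends the parameter to the JAVA_OPTS assignment only if it is not already there, keeps a .bak copy, and can remove the parameter again once the deployment has been upgraded and the workaround is no longer needed. The BEFORE/AFTER strings are copied from the example above; the file path and backup naming are assumptions.

```python
"""Idempotent add/remove of a JAVA_OPTS parameter in Tomcat's catalina.sh (added example)."""
import re
import shutil
from pathlib import Path

DISABLE_EPI = "-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"
CATALINA_SH = "/opt/novell/filr/apache-tomcat/bin/catalina.sh"   # path from the KB

# Matches a line of the form  JAVA_OPTS="$JAVA_OPTS ..."  (optional indent kept).
JAVA_OPTS_RE = re.compile(r'^(?P<indent>\s*)(?P<body>JAVA_OPTS="\$JAVA_OPTS\b[^"]*)"\s*$')


def add_java_opt(text, opt=DISABLE_EPI):
    """Return (new_text, changed). Appends opt to the JAVA_OPTS assignment if missing."""
    lines = text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        m = JAVA_OPTS_RE.match(line.rstrip("\r\n"))
        if not m:
            continue
        if opt in m.group("body").split():       # already present: do nothing
            return text, False
        lines[i] = '%s%s %s"\n' % (m.group("indent"), m.group("body"), opt)
        return "".join(lines), True
    return text, False                           # no JAVA_OPTS assignment found


def remove_java_opt(text, opt=DISABLE_EPI):
    """Return (new_text, changed). Drops opt from the JAVA_OPTS assignment if present."""
    lines = text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        m = JAVA_OPTS_RE.match(line.rstrip("\r\n"))
        if not m:
            continue
        tokens = m.group("body").split()
        if opt not in tokens:
            return text, False
        tokens = [t for t in tokens if t != opt]
        lines[i] = '%s%s"\n' % (m.group("indent"), " ".join(tokens))
        return "".join(lines), True
    return text, False


def patch_file(path=CATALINA_SH, opt=DISABLE_EPI, enable=True):
    """Apply add/remove to a real file, keeping a <name>.bak copy when it changes."""
    p = Path(path)
    original = p.read_text()
    new, changed = (add_java_opt if enable else remove_java_opt)(original, opt)
    if changed:
        shutil.copy2(p, p.with_name(p.name + ".bak"))
        p.write_text(new)
    return changed


# Constructed sample content, taken from the Before/After lines in this KB.
BEFORE = ('JAVA_OPTS="$JAVA_OPTS -Djava.awt.headless=true '
          '-Djavax.xml.transform.TransformerFactory=org.apache.xalan.processor.TransformerFactoryImpl"\n')
AFTER = ('JAVA_OPTS="$JAVA_OPTS -Djava.awt.headless=true '
         '-Djavax.xml.transform.TransformerFactory=org.apache.xalan.processor.TransformerFactoryImpl '
         '-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"\n')

if __name__ == "__main__":
    patched, changed = add_java_opt("#!/bin/sh\n" + BEFORE)
    print(changed, patched, sep="\n")
```

Note that the property is JVM-wide: it disables endpoint identification for every LDAPS connection the Filr JVM makes, not just the one server in the error, which is why remove_java_opt() is included for reverting the change after the upgrade.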

After making these changes, LDAP synchronization works again without changing the SSL certificate or the LDAP configuration, but the deployment should be upgraded to Filr 4, as this workaround is only temporary.

Cause

New security measures enforce the validation of the certificate SAN attribute. Previously, the CN (Common Name) was sufficient.

If the current certificate does not have a SAN, LDAPS communication will fail.

NOTE: eDir certificates newer than 2017, and external certificates that contain the SAN attribute, are not affected. In 2017, eDir added the SAN attribute to the eDir certificate.

Additional Information