KB-1644 LDAP Sync service from the LDAP Tools plugin fails with a javax.net.ssl.SSLHandshakeException after updating to Java 1.8_181

Symptoms

After updating Java to 1.8_181, the LDAP Sync service provided by the LDAP Tools plugin fails with a javax.net.ssl.SSLHandshakeException such as the one below:

ERROR com.appiancorp.process.engine.UnattendedJavaActivityRequest - An error occurred while executing activity: id=<ID>, classname=com.appiancorp.ps.plugins.directory.syncwithusernames.ADUserSynchronizationV1 
05:00:03,234 INFO [stdout] (Appian Work Item - 85150 - ProcessExec01 : UnattendedJavaActivityRequest) java.lang.RuntimeException: javax.naming.CommunicationException: <IP_ADDRESS>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address found]

Cause

Oracle enabled stricter endpoint verification for LDAPS connections by default in Java 1.8_181: the hostname or IP address in the LDAP URL is now checked against the subject and Subject Alternative Name (SAN) fields of the server certificate. The LDAP sync process calls the LDAP server by an IP address or hostname that is not present in the certificate's subject or SAN field, so the handshake fails.

Action

Update the certificate presented by the LDAP server so that its SAN field includes the hostname or the IP address that the LDAP sync process calls. Alternatively, update the LDAP sync settings to call the LDAP server by the certificate's subject or by an entry in the certificate's SAN field.
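To confirm which of the two fixes applies, the following shell script (added here as an example, not part of this KB article or the LDAP Tools plugin) extracts the SAN entries from the certificate an LDAPS server presents and reports whether the hostname or IP address the sync process uses would pass Java's endpoint identification. It assumes openssl is on the PATH; ldap.example.com, corp.example.com, 10.0.0.5 and the self-signed sample certificate are constructed values.

```shell
# Added example, not part of the KB article. Assumes openssl is on PATH; handles
# DNS names and IPv4 literals only, and does not model Java's CN fallback (used
# only when a certificate carries no DNS SAN at all).

# Print one SAN entry per line ("DNS:name" or "IP Address:a.b.c.d") for the
# PEM certificate read from stdin.
cert_sans() {
    openssl x509 -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# Exit 0 if $1 (hostname or IPv4 literal) matches a SAN entry read from stdin
# the way Java's endpoint identification does: IP literals are compared only
# with IP SANs, hostnames only with DNS SANs (case-insensitive, wildcard in
# the leftmost label only); otherwise exit 1.
san_matches() {
    target=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$target" in
        *[!0-9.]*) kind=DNS ;;
        *)         kind='IP Address' ;;
    esac
    while IFS= read -r entry; do
        name=${entry#"$kind:"}
        [ "$name" = "$entry" ] && continue          # entry is of the other kind
        name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        [ "$name" = "$target" ] && return 0
        case "$name" in                              # e.g. *.corp.example.com
            '*.'*) [ "$kind" = DNS ] && [ "${target#*.}" != "$target" ] \
                   && [ "${target#*.}" = "${name#\*.}" ] && return 0 ;;
        esac
    done
    return 1
}

# Fetch the live certificate from host:port (default 636) and check it against
# the host exactly as it appears in the LDAP sync URL.
check_ldaps() {
    openssl s_client -connect "$1:${2:-636}" -servername "$1" </dev/null 2>/dev/null \
        | cert_sans | san_matches "$1"
}

# Constructed sample for offline use: a self-signed certificate whose SAN holds
# a DNS name, a wildcard and one IP address. Prints the path of the PEM file.
make_sample_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" -days 1 \
        -subj '/CN=ldap.example.com' \
        -addext 'subjectAltName=DNS:ldap.example.com,DNS:*.corp.example.com,IP:10.0.0.5' \
        >/dev/null 2>&1
    printf '%s\n' "$dir/cert.pem"
}
```

Run `check_ldaps <host-from-the-sync-url>` against the real server: exit status 0 means the name is covered by the SAN, 1 means either the certificate or the sync URL has to change.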

Workaround

The endpoint verification can be disabled by performing the following steps. This restores the pre-1.8_181 behaviour, in which the hostname or IP address in the LDAP URL is not checked against the server certificate.

Tomcat (Appian 18.3 and later):

1. Navigate to <APPIAN_HOME>\tomcat\apache-tomcat\bin.

2. Add the following line to the setenv.sh|bat file:

export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"

3. Restart the Tomcat application server.

JBoss:

1. Navigate to <REPO_HOME>/bin/jboss/jboss-eap-6.4/bin.

2. Add the following line to the standalone.custom.sh|bat file:

CUSTOM_JAVA_OPTS=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

3. Using the Configure Script, deploy the changes to JBoss.

4. Restart JBoss.

Weblogic:

1. Navigate to <WEBLOGIC_HOME>/<project_name>/domains/<domain_name>/bin

2. Add the following line to JAVA_OPTIONS in setDomainEnv.sh|.bat:

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

3. Run $DOMAIN_HOME/bin/setDomainEnv.sh|.bat.

4. Restart the Weblogic server.

Note: Cloud customers should open a Support Case on Community to request that this property be added to their site.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: April 2019
