LDAP Sync fails with a javax.net.ssl.SSLHandshakeException after updating to Java 1.8_181

Symptoms

After updating Java to 1.8_181, the LDAP sync process fails with a javax.net.ssl.SSLHandshakeException such as the one below:

ERROR com.appiancorp.process.engine.UnattendedJavaActivityRequest - An error occurred while executing activity: id=<ID>, classname=com.appiancorp.ps.plugins.directory.syncwithusernames.ADUserSynchronizationV1 
05:00:03,234 INFO [stdout] (Appian Work Item - 85150 - ProcessExec01 : UnattendedJavaActivityRequest) java.lang.RuntimeException: javax.naming.CommunicationException: <IP_ADDRESS>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address found]

Cause

Starting with Java 1.8_181, Oracle enables endpoint identification for LDAPS connections by default: the JVM now checks that the host named in the connection string matches a subject alternative name in the LDAP server's certificate. In the error above the sync connects to the directory by IP address, and the server certificate carries no matching IP address entry, so the TLS handshake is rejected.
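What the new check compares, as an added example that is not part of this article and not Appian or Oracle code: a small Python model of the JDK's LDAPS endpoint identification run over constructed subject alternative names. It shows that the failure in the log goes away either by connecting with a DNS name the certificate lists or with a certificate that carries an iPAddress entry, independently of the workaround described below. The certificate names and hosts are constructed for illustration, and the matching rules are a simplified model of the JDK's (the fallback to the certificate CN when no dNSName is present is omitted).

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class SubjectAltNames:
    """Subject alternative names taken from the LDAP server certificate."""
    dns: tuple[str, ...] = ()   # dNSName entries
    ips: tuple[str, ...] = ()   # iPAddress entries


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName comparison. A wildcard is honoured only as the
    whole leftmost label, never spans a dot, and never matches a two-label name."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def endpoint_matches(connect_host: str, san: SubjectAltNames) -> tuple[bool, str]:
    """Simplified model of JDK LDAPS endpoint identification (assumption: the real
    check also falls back to the CN when the cert has no dNSName at all).
    An IP literal must equal an iPAddress entry; a DNS name must match a dNSName."""
    try:
        ip = ipaddress.ip_address(connect_host)
    except ValueError:
        ip = None
    if ip is not None:
        for cand in san.ips:
            try:
                if ipaddress.ip_address(cand) == ip:
                    return True, f"iPAddress {cand} matches"
            except ValueError:
                continue
        # wording mirrors the CertificateException quoted in the symptoms above
        return False, "No subject alternative names matching IP address found"
    for name in san.dns:
        if _dns_name_matches(name, connect_host):
            return True, f"dNSName {name} matches {connect_host}"
    return False, f"No subject alternative names present matching {connect_host}"


def check_ldap_url(url: str, san: SubjectAltNames) -> tuple[bool, str]:
    """Take the host out of an ldaps:// URL (the part the JDK compares) and check it."""
    host = urlsplit(url).hostname
    if not host:
        return False, f"no host in {url!r}"
    return endpoint_matches(host, san)


# Constructed certificate contents for illustration: one server cert that names the
# directory by DNS only, and a re-issued one that also carries the IP address.
DNS_ONLY_SAN = SubjectAltNames(dns=("ldap.example.com", "*.corp.example.com"))
DNS_AND_IP_SAN = SubjectAltNames(dns=("ldap.example.com",), ips=("192.0.2.10",))

if __name__ == "__main__":
    cases = [
        ("ldaps://192.0.2.10:636", DNS_ONLY_SAN),                  # the failure from the log
        ("ldaps://ldap.example.com:636", DNS_ONLY_SAN),            # connect by a listed name
        ("ldaps://dc01.corp.example.com:636", DNS_ONLY_SAN),       # wildcard match
        ("ldaps://dc01.sub.corp.example.com:636", DNS_ONLY_SAN),   # wildcard does not span labels
        ("ldaps://192.0.2.10:636", DNS_AND_IP_SAN),                # cert re-issued with iPAddress SAN
    ]
    for url, san in cases:
        ok, why = check_ldap_url(url, san)
        print(f"{'PASS' if ok else 'FAIL'}  {url:42s} {why}")
```

Run it against the host string used in the sync configuration and the SANs printed from the directory server's certificate to see which of the two changes (connect by a listed name, or re-issue the certificate with an iPAddress entry) satisfies the check without turning endpoint identification off.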

Workaround

The endpoint verification can be disabled by performing the following steps:

JBoss:

  1. Navigate to <REPO_HOME>/bin/jboss/jboss-eap-6.4/bin.
  2. Add the following line to standalone.custom.sh|bat:

CUSTOM_JAVA_OPTS=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

  3. Using the Configure Script, deploy the changes to JBoss.
  4. Restart JBoss.

Weblogic:

  1. Navigate to <WEBLOGIC_HOME>/<project_name>/domains/<domain_name>/bin
  2. Add the following to JAVA_OPTIONS in setDomainEnv.sh|.bat: -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
  3. Run $DOMAIN_HOME/bin/setDomainEnv.sh|.bat
  4. Restart the Weblogic server