KB-1644 LDAP Sync service from the LDAP Tools plugin fails with a javax.net.ssl.SSLHandshakeException after updating to Java 1.8_181

Jordan Horwat — Tue, 16 Apr 2019 21:19:19 GMT

Current Revision posted to Appian Knowledge Base by Jordan Horwat on 4/16/2019 9:19:19 PM

Symptoms

After updating Java to 1.8_181, the LDAP Sync service provided by the LDAP Tools plugin fails with a javax.net.ssl.SSLHandshakeException such as the one below:

ERROR com.appiancorp.process.engine.UnattendedJavaActivityRequest - An error occurred while executing activity: id=<ID>, classname=com.appiancorp.ps.plugins.directory.syncwithusernames.ADUserSynchronizationV1 
05:00:03,234 INFO [stdout] (Appian Work Item - 85150 - ProcessExec01 : UnattendedJavaActivityRequest) java.lang.RuntimeException: javax.naming.CommunicationException: <IP_ADDRESS>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address found]

Cause

Oracle has enabled stricter endpoint verification for LDAPS connections by default in Java 1.8_181. As a result, the LDAP sync process is calling the LDAP server by an IP or hostname that is not present in the LDAP server certificate's subject or SAN field, causing the call to fail.

Action

Update the certificate presented by the LDAP server to include the URL or the IP address that the LDAP sync process is calling in the certificate's SAN field. Alternatively, update the LDAP sync settings to call the LDAP server by the certificate's subject or an entry in the certificate's SAN field.

Workaround

The endpoint verification can be disabled by performing the following steps:

Tomcat (Appian 18.3 and later):

1. Navigate to <APPIAN_HOME>\tomcat\apache-tomcat\bin.

2. Add the following line to the setenv.sh|bat file:

export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"

3. Restart the Tomcat application server.

JBoss:

1. Navigate to <REPO_HOME>/bin/jboss/jboss-eap-6.4/bin.

2. Add the following line to standalone.custom.sh|bat :

CUSTOM_JAVA_OPTS=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

3. Using the Configure Script, deploy the changes to JBoss.

4. Restart JBoss.

Weblogic:

1. Navigate to <WEBLOGIC_HOME>/<project_name>/domains/<domain_name>/bin

2. Add the following line to the JAVA_OPTIONS in setDomainEnv.sh|.bat :

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

3. Run $DOMAIN_HOME/bin/setDomainEnv.sh|.bat

4. Restart the Weblogic server.

Note: Cloud customers should open a Support Case on Community to request that this property be added to their site.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: April 2019

Tags: java, third-party, plug-ins, integration, LDAP, authentication, plugins

KB-1644 LDAP Sync service from the LDAP Tools plugin fails with a javax.net.ssl.SSLHandshakeException after updating to Java 1.8_181

Jordan Horwat — Tue, 16 Apr 2019 21:19:00 GMT

Revision 14 posted to Appian Knowledge Base by Jordan Horwat on 4/16/2019 9:19:00 PM

Symptoms

After updating Java to 1.8_181, the LDAP Sync service provided by the LDAP Tools plugin fails with a javax.net.ssl.SSLHandshakeException such as the one below:

ERROR com.appiancorp.process.engine.UnattendedJavaActivityRequest - An error occurred while executing activity: id=<ID>, classname=com.appiancorp.ps.plugins.directory.syncwithusernames.ADUserSynchronizationV1 
05:00:03,234 INFO [stdout] (Appian Work Item - 85150 - ProcessExec01 : UnattendedJavaActivityRequest) java.lang.RuntimeException: javax.naming.CommunicationException: <IP_ADDRESS>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address found]

Cause

Action

Workaround

The endpoint verification can be disabled by performing the following steps:

Tomcat (Appian 18.3 and later):

1. Navigate to <APPIAN_HOME>\tomcat\apache-tomcat\bin.

2. Add the following line to the setenv.sh|bat file:

export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"

3 Restart the Tomcat application server.

JBoss:

1. Navigate to <REPO_HOME>/bin/jboss/jboss-eap-6.4/bin.

2. Add the following line to standalone.custom.sh|bat :

CUSTOM_JAVA_OPTS=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

3. Using the Configure Script, deploy the changes to JBoss.

4. Restart JBoss.

Weblogic:

1. Navigate to <WEBLOGIC_HOME>/<project_name>/domains/<domain_name>/bin

2. Add the following line to the JAVA_OPTIONS in setDomainEnv.sh|.bat :

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

3. Run $DOMAIN_HOME/bin/setDomainEnv.sh|.bat

4. Restart the Weblogic server.

Note: Cloud customers should open a Support Case on Community to request that this property be added to their site.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: April 2019

Tags: java, third-party, integration, LDAP, authentication, shared components, plugins

KB-1644 LDAP Sync service from the LDAP Tools plugin fails with a javax.net.ssl.SSLHandshakeException after updating to Java 1.8_181

Jordan Horwat — Tue, 16 Apr 2019 21:18:46 GMT

Revision 13 posted to Appian Knowledge Base by Jordan Horwat on 4/16/2019 9:18:46 PM

Symptoms

After updating Java to 1.8_181, the LDAP Sync service provided by the LDAP Tools plugin fails with a javax.net.ssl.SSLHandshakeException such as the one below:

ERROR com.appiancorp.process.engine.UnattendedJavaActivityRequest - An error occurred while executing activity: id=<ID>, classname=com.appiancorp.ps.plugins.directory.syncwithusernames.ADUserSynchronizationV1 
05:00:03,234 INFO [stdout] (Appian Work Item - 85150 - ProcessExec01 : UnattendedJavaActivityRequest) java.lang.RuntimeException: javax.naming.CommunicationException: <IP_ADDRESS>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address found]

Cause

Action

Workaround

The endpoint verification can be disabled by performing the following steps:

Tomcat (Appian 18.3 and later):

1. Navigate to <APPIAN_HOME>\tomcat\apache-tomcat\bin.

2. Add the following line to the setenv.sh|bat file:

export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"

3 Restart the Tomcat application server.

JBoss:

1. Navigate to <REPO_HOME>/bin/jboss/jboss-eap-6.4/bin.

2. Add the following line to standalone.custom.sh|bat :

CUSTOM_JAVA_OPTS=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

3. Using the Configure Script, deploy the changes to JBoss.

4. Restart JBoss.

Weblogic:

1. Navigate to <WEBLOGIC_HOME>/<project_name>/domains/<domain_name>/bin

2. Add the following line to the JAVA_OPTIONS in setDomainEnv.sh|.bat :

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

3. Run $DOMAIN_HOME/bin/setDomainEnv.sh|.bat

4. Restart the Weblogic server.

Note: Cloud customers should open a Support Case on Community to request that this property be added to their site.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: April 2019

Tags: java, third-party, integration, LDAP, authentication, shared components, plugins

KB-1644 LDAP Sync service from the LDAP Tools plugin fails with a javax.net.ssl.SSLHandshakeException after updating to Java 1.8_181

Parmida Borhani — Fri, 10 Aug 2018 06:53:40 GMT

Revision 12 posted to Appian Knowledge Base by Parmida Borhani on 8/10/2018 6:53:40 AM

Symptoms

After updating Java to 1.8_181, the LDAP Sync service provided by the LDAP Tools plugin fails with a javax.net.ssl.SSLHandshakeException such as the one below:

ERROR com.appiancorp.process.engine.UnattendedJavaActivityRequest - An error occurred while executing activity: id=<ID>, classname=com.appiancorp.ps.plugins.directory.syncwithusernames.ADUserSynchronizationV1 
05:00:03,234 INFO [stdout] (Appian Work Item - 85150 - ProcessExec01 : UnattendedJavaActivityRequest) java.lang.RuntimeException: javax.naming.CommunicationException: <IP_ADDRESS>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address found]

Cause

Action

Workaround

The endpoint verification can be disabled by performing the following steps:

JBoss:

1. Navigate to <REPO_HOME>/bin/jboss/jboss-eap-6.4/bin.

2. Add the following line to standalone.custom.sh|bat :

CUSTOM_JAVA_OPTS=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

3. Using the Configure Script, deploy the changes to JBoss.

4. Restart JBoss.

Weblogic:

1. Navigate to <WEBLOGIC_HOME>/<project_name>/domains/<domain_name>/bin

2. Add the following line to the JAVA_OPTIONS in setDomainEnv.sh|.bat :

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

3. Run $DOMAIN_HOME/bin/setDomainEnv.sh|.bat

4. Restart the Weblogic server.

Note: Cloud customers should open a Support Case on Community to request that this property be added to their site.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: August 2018

Tags: java, third-party, integration, LDAP, authentication, shared components, plugins

LDAP Sync service from the LDAP Tools plugin fails with a javax.net.ssl.SSLHandshakeException after updating to Java 1.8_181

Cali Nelson — Thu, 09 Aug 2018 12:25:02 GMT

Revision 11 posted to Appian Knowledge Base by Cali Nelson on 8/9/2018 12:25:02 PM

Symptoms

After updating Java to 1.8_181, the LDAP Sync service provided by the LDAP Tools plugin fails with a javax.net.ssl.SSLHandshakeException such as the one below:

ERROR com.appiancorp.process.engine.UnattendedJavaActivityRequest - An error occurred while executing activity: id=<ID>, classname=com.appiancorp.ps.plugins.directory.syncwithusernames.ADUserSynchronizationV1 
05:00:03,234 INFO [stdout] (Appian Work Item - 85150 - ProcessExec01 : UnattendedJavaActivityRequest) java.lang.RuntimeException: javax.naming.CommunicationException: <IP_ADDRESS>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address found]

Cause

Action

Workaround

The endpoint verification can be disabled by performing the following steps:

JBoss:

1. Navigate to <REPO_HOME>/bin/jboss/jboss-eap-6.4/bin.

2. Add the following line to standalone.custom.sh|bat :

CUSTOM_JAVA_OPTS=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

3. Using the Configure Script, deploy the changes to JBoss.

4. Restart JBoss.

Weblogic:

1. Navigate to <WEBLOGIC_HOME>/<project_name>/domains/<domain_name>/bin

2. Add the following line to the JAVA_OPTIONS in setDomainEnv.sh|.bat :

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

3. Run $DOMAIN_HOME/bin/setDomainEnv.sh|.bat

4. Restart the Weblogic server.

Note: Cloud customers should open a Support Case on Community to request that this property be added to their site.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: August 2018

Tags: java, third-party, integration, LDAP, authentication, shared components, plugins

LDAP Sync fails with a javax.net.ssl.SSLHandshakeException after updating to Java 1.8_181

Parmida Borhani — Wed, 08 Aug 2018 23:47:52 GMT

Revision 10 posted to Appian Knowledge Base by Parmida Borhani on 8/8/2018 11:47:52 PM

Symptoms

After updating Java to 1.8_181, the LDAP sync process fails with a javax.net.ssl.SSLHandshakeException such as the one below:

ERROR com.appiancorp.process.engine.UnattendedJavaActivityRequest - An error occurred while executing activity: id=<ID>, classname=com.appiancorp.ps.plugins.directory.syncwithusernames.ADUserSynchronizationV1 
05:00:03,234 INFO [stdout] (Appian Work Item - 85150 - ProcessExec01 : UnattendedJavaActivityRequest) java.lang.RuntimeException: javax.naming.CommunicationException: <IP_ADDRESS>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address found]

Cause

Workaround

The endpoint verification can be disabled by performing the following steps:

JBoss:

1. Navigate to <REPO_HOME>/bin/jboss/jboss-eap-6.4/bin.

2. Add the following line to standalone.custom.sh|bat :

CUSTOM_JAVA_OPTS=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

3. Using the Configure Script, deploy the changes to JBoss.

4. Restart JBoss.

Weblogic:

1. Navigate to <WEBLOGIC_HOME>/<project_name>/domains/<domain_name>/bin

2. Add the following line to the JAVA_OPTIONS in setDomainEnv.sh|.bat :

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

3. Run $DOMAIN_HOME/bin/setDomainEnv.sh|.bat

4. Restart the Weblogic server.

Note: Cloud customers should open a Support Case on Community to request that this property be added to their site.

Action

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: August 2018

Tags: java, third-party, integration, LDAP, authentication, shared components, plugins

LDAP Sync fails with a javax.net.ssl.SSLHandshakeException after updating to Java 1.8_181

Cali Nelson — Wed, 08 Aug 2018 18:14:01 GMT

Revision 1 posted to Appian Knowledge Base by Cali Nelson on 8/8/2018 6:14:01 PM

Symptoms

After updating Java to 1.8_181, the LDAP sync process fails with a javax.net.ssl.SSLHandshakeException such as the one below:

ERROR com.appiancorp.process.engine.UnattendedJavaActivityRequest - An error occurred while executing activity: id=<ID>, classname=com.appiancorp.ps.plugins.directory.syncwithusernames.ADUserSynchronizationV1 
05:00:03,234 INFO [stdout] (Appian Work Item - 85150 - ProcessExec01 : UnattendedJavaActivityRequest) java.lang.RuntimeException: javax.naming.CommunicationException: <IP_ADDRESS>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address found]

Cause

In Java 1.8_181 Oracle has enabled stricter endpoint verification for LDAPS connections by default.

Workaround

The endpoint verification can be disabled by performing the following steps:

For JBoss:

Navigate to <REPO_HOME>/bin/jboss/jboss-eap-6.4/bin.
Add the following line to standalone.custom.sh|bat: CUSTOM_JAVA_OPTS=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
Using the Configure Script, deploy the changes to JBoss.
Restart JBoss.

For Weblogic:

LDAP Sync fails with a javax.net.ssl.SSLHandshakeException after updating to Java 1.8_181

Cali Nelson — Wed, 08 Aug 2018 14:33:02 GMT

Revision 9 posted to Appian Knowledge Base by Cali Nelson on 8/8/2018 2:33:02 PM

Symptoms

After updating Java to 1.8_181, the LDAP sync process fails with a javax.net.ssl.SSLHandshakeException such as the one below:

ERROR com.appiancorp.process.engine.UnattendedJavaActivityRequest - An error occurred while executing activity: id=<ID>, classname=com.appiancorp.ps.plugins.directory.syncwithusernames.ADUserSynchronizationV1 
05:00:03,234 INFO [stdout] (Appian Work Item - 85150 - ProcessExec01 : UnattendedJavaActivityRequest) java.lang.RuntimeException: javax.naming.CommunicationException: <IP_ADDRESS>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address found]

Cause

In Java 1.8_181 Oracle has enabled stricter endpoint verification for LDAPS connections by default, and the LDAP sync process is calling the LDAP server by an IP or hostname that is not present in the LDAP server certificate's subject or SAN field.

Workaround

The endpoint verification can be disabled by performing the following steps:

JBoss:

1. Navigate to <REPO_HOME>/bin/jboss/jboss-eap-6.4/bin.

2. Add the following line to standalone.custom.sh|bat :

CUSTOM_JAVA_OPTS=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

3. Using the Configure Script, deploy the changes to JBoss.

4. Restart JBoss.

Weblogic:

1. Navigate to <WEBLOGIC_HOME>/<project_name>/domains/<domain_name>/bin

2. Add the following line to the JAVA_OPTIONS in setDomainEnv.sh|.bat :

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

3. Run $DOMAIN_HOME/bin/setDomainEnv.sh|.bat

4. Restart the Weblogic server

Note: Cloud customers should open a Support Case on Community to request that this property be added to their site.

Action

Either:

Update the certificate presented by the LDAP server to include the URL or the IP address that the LDAP sync process is calling in the certificate's SAN field.
Update the LDAP Sync settings to call the LDAP server by the certificate's subject or an entry in the certificate's SAN field.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: August 2018

Tags: java, integration, LDAP, shared components, plugins

LDAP Sync fails with a javax.net.ssl.SSLHandshakeException after updating to Java 1.8_181

Cali Nelson — Wed, 08 Aug 2018 14:32:30 GMT

Revision 8 posted to Appian Knowledge Base by Cali Nelson on 8/8/2018 2:32:30 PM

Symptoms

After updating Java to 1.8_181, the LDAP sync process fails with a javax.net.ssl.SSLHandshakeException such as the one below:

ERROR com.appiancorp.process.engine.UnattendedJavaActivityRequest - An error occurred while executing activity: id=<ID>, classname=com.appiancorp.ps.plugins.directory.syncwithusernames.ADUserSynchronizationV1 
05:00:03,234 INFO [stdout] (Appian Work Item - 85150 - ProcessExec01 : UnattendedJavaActivityRequest) java.lang.RuntimeException: javax.naming.CommunicationException: <IP_ADDRESS>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address found]

Cause

Workaround

The endpoint verification can be disabled by performing the following steps:

JBoss:

1. Navigate to <REPO_HOME>/bin/jboss/jboss-eap-6.4/bin.

2. Add the following line to standalone.custom.sh|bat :

CUSTOM_JAVA_OPTS=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

3. Using the Configure Script, deploy the changes to JBoss.

4. Restart JBoss.

Weblogic:

1. Navigate to <WEBLOGIC_HOME>/<project_name>/domains/<domain_name>/bin

2. Add the following line to the JAVA_OPTIONS in setDomainEnv.sh|.bat :

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

3. Run $DOMAIN_HOME/bin/setDomainEnv.sh|.bat

4. Restart the Weblogic server

Note: Cloud customers should open a Support Case on Community to request that this property be added to their site.

Action

Either:

Update the certificate presented by the LDAP server to include the URL or the IP address that the LDAP sync process is calling in the certificate's SAN field.
Update the LDAP Sync settings to call the LDAP server by the certificate's subject or an entry in the certificate's SAN field.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: August 2018

Tags: java, integration, LDAP, shared components, plugins

LDAP Sync fails with a javax.net.ssl.SSLHandshakeException after updating to Java 1.8_181

Cali Nelson — Wed, 08 Aug 2018 14:26:50 GMT

Revision 7 posted to Appian Knowledge Base by Cali Nelson on 8/8/2018 2:26:50 PM

Symptoms

After updating Java to 1.8_181, the LDAP sync process fails with a javax.net.ssl.SSLHandshakeException such as the one below:

ERROR com.appiancorp.process.engine.UnattendedJavaActivityRequest - An error occurred while executing activity: id=<ID>, classname=com.appiancorp.ps.plugins.directory.syncwithusernames.ADUserSynchronizationV1 
05:00:03,234 INFO [stdout] (Appian Work Item - 85150 - ProcessExec01 : UnattendedJavaActivityRequest) java.lang.RuntimeException: javax.naming.CommunicationException: <IP_ADDRESS>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address found]

Cause

In Java 1.8_181 Oracle has enabled stricter endpoint verification for LDAPS connections by default.

Workaround

The endpoint verification can be disabled by performing the following steps:

JBoss:

1. Navigate to <REPO_HOME>/bin/jboss/jboss-eap-6.4/bin.

2. Add the following line to standalone.custom.sh|bat :

CUSTOM_JAVA_OPTS=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

3. Using the Configure Script, deploy the changes to JBoss.

4. Restart JBoss.

Weblogic:

1. Navigate to <WEBLOGIC_HOME>/<project_name>/domains/<domain_name>/bin

2. Add the following line to the JAVA_OPTIONS in setDomainEnv.sh|.bat :

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

3. Run $DOMAIN_HOME/bin/setDomainEnv.sh|.bat

4. Restart the Weblogic server

LDAP Sync fails with a javax.net.ssl.SSLHandshakeException after updating to Java 1.8_181

Cali Nelson — Wed, 08 Aug 2018 14:26:30 GMT

Revision 6 posted to Appian Knowledge Base by Cali Nelson on 8/8/2018 2:26:30 PM

Symptoms

After updating Java to 1.8_181, the LDAP sync process fails with a javax.net.ssl.SSLHandshakeException such as the one below:

ERROR com.appiancorp.process.engine.UnattendedJavaActivityRequest - An error occurred while executing activity: id=<ID>, classname=com.appiancorp.ps.plugins.directory.syncwithusernames.ADUserSynchronizationV1 
05:00:03,234 INFO [stdout] (Appian Work Item - 85150 - ProcessExec01 : UnattendedJavaActivityRequest) java.lang.RuntimeException: javax.naming.CommunicationException: <IP_ADDRESS>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address found]

Cause

In Java 1.8_181 Oracle has enabled stricter endpoint verification for LDAPS connections by default.

Workaround

The endpoint verification can be disabled by performing the following steps:

JBoss:

1. Navigate to <REPO_HOME>/bin/jboss/jboss-eap-6.4/bin.

2. Add the following line to standalone.custom.sh|bat :

CUSTOM_JAVA_OPTS=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

3. Using the Configure Script, deploy the changes to JBoss.

4. Restart JBoss.

Weblogic:

1. Navigate to <WEBLOGIC_HOME>/<project_name>/domains/<domain_name>/bin

2. Add the following line to the JAVA_OPTIONS in setDomainEnv.sh|.bat :

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

3. Run $DOMAIN_HOME/bin/setDomainEnv.sh|.bat

4. Restart the Weblogic server

LDAP Sync fails with a javax.net.ssl.SSLHandshakeException after updating to Java 1.8_181

Cali Nelson — Wed, 08 Aug 2018 14:25:19 GMT

Revision 5 posted to Appian Knowledge Base by Cali Nelson on 8/8/2018 2:25:19 PM

Symptoms

After updating Java to 1.8_181, the LDAP sync process fails with a javax.net.ssl.SSLHandshakeException such as the one below:

ERROR com.appiancorp.process.engine.UnattendedJavaActivityRequest - An error occurred while executing activity: id=<ID>, classname=com.appiancorp.ps.plugins.directory.syncwithusernames.ADUserSynchronizationV1 
05:00:03,234 INFO [stdout] (Appian Work Item - 85150 - ProcessExec01 : UnattendedJavaActivityRequest) java.lang.RuntimeException: javax.naming.CommunicationException: <IP_ADDRESS>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address found]

Cause

In Java 1.8_181 Oracle has enabled stricter endpoint verification for LDAPS connections by default.

Workaround

The endpoint verification can be disabled by performing the following steps:

JBoss:

1. Navigate to <REPO_HOME>/bin/jboss/jboss-eap-6.4/bin.

2. Add the following line to standalone.custom.sh|bat :

CUSTOM_JAVA_OPTS=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

3. Using the Configure Script, deploy the changes to JBoss.

4. Restart JBoss.

Weblogic:

Navigate to <WEBLOGIC_HOME>/<project_name>/domains/<domain_name>/bin
Add the following line to the JAVA_OPTIONS in setDomainEnv.sh|.bat : -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
Run $DOMAIN_HOME/bin/setDomainEnv.sh|.bat
Restart the Weblogic server

LDAP Sync fails with a javax.net.ssl.SSLHandshakeException after updating to Java 1.8_181

Cali Nelson — Wed, 08 Aug 2018 14:23:59 GMT

Revision 4 posted to Appian Knowledge Base by Cali Nelson on 8/8/2018 2:23:59 PM

Symptoms

After updating Java to 1.8_181, the LDAP sync process fails with a javax.net.ssl.SSLHandshakeException such as the one below:

ERROR com.appiancorp.process.engine.UnattendedJavaActivityRequest - An error occurred while executing activity: id=<ID>, classname=com.appiancorp.ps.plugins.directory.syncwithusernames.ADUserSynchronizationV1 
05:00:03,234 INFO [stdout] (Appian Work Item - 85150 - ProcessExec01 : UnattendedJavaActivityRequest) java.lang.RuntimeException: javax.naming.CommunicationException: <IP_ADDRESS>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address found]

Cause

In Java 1.8_181 Oracle has enabled stricter endpoint verification for LDAPS connections by default.

Workaround

The endpoint verification can be disabled by performing the following steps:

JBoss:

Navigate to <REPO_HOME>/bin/jboss/jboss-eap-6.4/bin.
Add the following line to standalone.custom.sh|bat : CUSTOM_JAVA_OPTS=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
Using the Configure Script, deploy the changes to JBoss.
Restart JBoss.

Weblogic:

Navigate to <WEBLOGIC_HOME>/<project_name>/domains/<domain_name>/bin
Add the following line to the JAVA_OPTIONS in setDomainEnv.sh|.bat : -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
Run $DOMAIN_HOME/bin/setDomainEnv.sh|.bat
Restart the Weblogic server

LDAP Sync fails with a javax.net.ssl.SSLHandshakeException after updating to Java 1.8_181

Cali Nelson — Wed, 08 Aug 2018 14:23:25 GMT

Revision 3 posted to Appian Knowledge Base by Cali Nelson on 8/8/2018 2:23:25 PM

Symptoms

After updating Java to 1.8_181, the LDAP sync process fails with a javax.net.ssl.SSLHandshakeException such as the one below:

ERROR com.appiancorp.process.engine.UnattendedJavaActivityRequest - An error occurred while executing activity: id=<ID>, classname=com.appiancorp.ps.plugins.directory.syncwithusernames.ADUserSynchronizationV1 
05:00:03,234 INFO [stdout] (Appian Work Item - 85150 - ProcessExec01 : UnattendedJavaActivityRequest) java.lang.RuntimeException: javax.naming.CommunicationException: <IP_ADDRESS>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address found]

Cause

In Java 1.8_181 Oracle has enabled stricter endpoint verification for LDAPS connections by default.

Workaround

The endpoint verification can be disabled by performing the following steps:

JBoss:

Navigate to <REPO_HOME>/bin/jboss/jboss-eap-6.4/bin.
Add the following line to standalone.custom.sh|bat:

CUSTOM_JAVA_OPTS=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

Using the Configure Script, deploy the changes to JBoss.
Restart JBoss.

Weblogic:

Navigate to <WEBLOGIC_HOME>/<project_name>/domains/<domain_name>/bin
Add the following line to the JAVA_OPTIONS in setDomainEnv.sh|.bat : -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
Run $DOMAIN_HOME/bin/setDomainEnv.sh|.bat
Restart the Weblogic server

LDAP Sync fails with a javax.net.ssl.SSLHandshakeException after updating to Java 1.8_181

Cali Nelson — Wed, 08 Aug 2018 14:21:50 GMT

Revision 2 posted to Appian Knowledge Base by Cali Nelson on 8/8/2018 2:21:50 PM

Symptoms

After updating Java to 1.8_181, the LDAP sync process fails with a javax.net.ssl.SSLHandshakeException such as the one below:

ERROR com.appiancorp.process.engine.UnattendedJavaActivityRequest - An error occurred while executing activity: id=<ID>, classname=com.appiancorp.ps.plugins.directory.syncwithusernames.ADUserSynchronizationV1 
05:00:03,234 INFO [stdout] (Appian Work Item - 85150 - ProcessExec01 : UnattendedJavaActivityRequest) java.lang.RuntimeException: javax.naming.CommunicationException: <IP_ADDRESS>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address found]

Cause

In Java 1.8_181 Oracle has enabled stricter endpoint verification for LDAPS connections by default.

Workaround

The endpoint verification can be disabled by performing the following steps:

JBoss:

Navigate to <REPO_HOME>/bin/jboss/jboss-eap-6.4/bin.
Add the following line to standalone.custom.sh|bat: CUSTOM_JAVA_OPTS=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
Using the Configure Script, deploy the changes to JBoss.
Restart JBoss.

Weblogic:

Navigate to <WEBLOGIC_HOME>/<project_name>/domains/<domain_name>/bin
Add the following line to the JAVA_OPTIONS in setDomainEnv.sh|.bat : -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
Run $DOMAIN_HOME/bin/setDomainEnv.sh|.bat
Restart the Weblogic server