Oracle Unified Directory SSLHandshakeException with Java 1.8.0_181

A couple of days ago I updated my Oracle Unified Directory Docker images with the latest bundle patch for OUD as well as the latest Java version. With the new Docker images I was about to reproduce a use case from a customer. Everything worked at first glance, but after a while I realised that my OUD Docker container remained in status “unhealthy”. It seems that my status script is not able to get a clear status of the OUD instance. In particular, the status command fails.

oracle@oud3:~/ [oud_docker] status --trustall \
-D "cn=Directory Manager" -j $PWD_FILE

Error reading configuration. Details:
javax.naming.CommunicationException: 0.0.0.0:4444 [Root exception is 
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: 
No subject alternative names present]

I’ve tried to drill down to the root cause of this issue, but haven’t been successful. After a hint from a workmate, I took a look into the release notes of Java 1.8.0 update 181. It looks like the latest Java 1.8.0 update includes security improvements for LDAP support.

Changes
core-libs/javax.naming
➜ Improve LDAP support
Endpoint identification has been enabled on LDAPS connections.

To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.

Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.

Define this system property (or set it to true) to disable endpoint identification algorithms.

JDK-8200666 (not public)

My first intention was to adjust java.properties and disable endpoint identification just for status. But I was not successful. As a workaround I’ve set the Java argument -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true via the environment variable OPENDS_JAVA_ARGS. This seems to work as expected.
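To make the error message above understandable, here is an added example (not code from the post or from OUD) that models the endpoint-identification decision the JDK's hostname checker makes on an LDAPS connection. It mirrors the JDK rules as I understand them: when the target is an IP literal (as with 0.0.0.0:4444) only iPAddress SANs count and a certificate without any SAN is rejected with "No subject alternative names present"; when the target is a DNS name, dNSName SANs are checked, and the subject CN is consulted only if the certificate carries no dNSName SAN at all. The Certificate class, the check_endpoint function and the sample certificates are all constructed for the example; the disable_endpoint_identification flag stands in for the system property and shows what the workaround gives up.

```python
"""Model of LDAPS endpoint identification (hostname verification) as enabled in Java 8u181.

Constructed example: the data model and sample certificates are hypothetical and stand in
for what the JDK reads out of the server's X.509 certificate.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Certificate:
    """Minimal view of an X.509 certificate: subject CN plus its SAN entries."""
    subject_cn: str
    dns_names: list = field(default_factory=list)      # dNSName SAN entries
    ip_addresses: list = field(default_factory=list)   # iPAddress SAN entries


def _dns_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS match; a '*.' wildcard covers exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        # same label count, wildcard only below a domain of at least two labels
        return len(p_labels) == len(h_labels) and len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return False


def check_endpoint(cert: Certificate, target: str, disable_endpoint_identification: bool = False):
    """Return (ok, reason) for connecting to `target` with the presented `cert`.

    `disable_endpoint_identification=True` models the
    com.sun.jndi.ldap.object.disableEndpointIdentification workaround: the TLS session is
    still encrypted, but the peer's name is no longer bound to the address being dialled.
    """
    if disable_endpoint_identification:
        return True, "endpoint identification disabled; peer identity not checked against target"

    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None

    if target_ip is not None:
        # IP literal: only iPAddress SANs may identify the server, no CN fallback.
        if not cert.dns_names and not cert.ip_addresses:
            return False, "No subject alternative names present"
        for san in cert.ip_addresses:
            if ipaddress.ip_address(san) == target_ip:
                return True, f"iPAddress SAN {san} matches target"
        return False, f"No subject alternative names matching IP address {target} found"

    if cert.dns_names:
        # dNSName SANs are present: they are authoritative, the CN is ignored.
        for san in cert.dns_names:
            if _dns_matches(san, target):
                return True, f"dNSName SAN {san} matches target"
        return False, f"No subject alternative DNS name matching {target} found."

    # No dNSName SAN at all: legacy fallback to the subject CN.
    if cert.subject_cn and _dns_matches(cert.subject_cn, target):
        return True, f"subject CN {cert.subject_cn} matches target (no SAN present)"
    return False, f"No name matching {target} found"


# Constructed sample certificates.
CN_ONLY = Certificate(subject_cn="oud3")                              # typical self-signed instance cert
SAN_CERT = Certificate(subject_cn="oud3", dns_names=["oud3.example.com", "*.example.com"],
                       ip_addresses=["10.0.0.5"])


if __name__ == "__main__":
    # The scenario from the post: status dials the admin connector by IP, cert has no SAN.
    for cert, target, disabled in [
        (CN_ONLY, "0.0.0.0", False),
        (CN_ONLY, "oud3", False),
        (SAN_CERT, "10.0.0.5", False),
        (SAN_CERT, "oud3", False),
        (CN_ONLY, "0.0.0.0", True),
    ]:
        ok, reason = check_endpoint(cert, target, disabled)
        print(f"{target:10} disabled={disabled!s:5} -> {'OK  ' if ok else 'FAIL'} {reason}")
```

The durable fix the model points at is a server certificate whose SAN entries cover every name or address a client will dial, including the one the admin tools use for the administration connector; the flag only hides the mismatch.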

oracle@oud3:~/ [oud_docker] export OPENDS_JAVA_ARGS=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
oracle@oud3:~/ [oud_docker] status --trustall \
  -D "cn=Directory Manager" -j $PWD_FILE

--- Server Status ---
Server Run Status:        Started
Open Connections:         1

--- Server Details ---
Host Name:                oud3
Administrative Users:     cn=Directory Manager
Installation Path:        /u00/app/oracle/product/fmw12.2.1.3.0/oud
Instance Path:            /u01/instances/oud_docker/OUD
Version:                  Oracle Unified Directory 12.2.1.3.180626
Java Version:             1.8.0_181
Administration Connector: Port 4444 (LDAPS)

--- Connection Handlers ---
Address:Port : Protocol               : State
-------------:------------------------:---------
--           : LDIF                   : Disabled
0.0.0.0:161  : SNMP                   : Disabled
0.0.0.0:1389 : LDAP (allows StartTLS) : Enabled
0.0.0.0:1636 : LDAPS                  : Enabled
0.0.0.0:1689 : JMX                    : Disabled

--- Data Sources ---
Base DN:     cn=OracleContext
Backend ID:  OIDCompatibility
Entries:     34
Replication: Disabled

Base DN:     cn=OracleContext,dc=example,dc=com
Backend ID:  OracleContext0
Entries:     17
Replication: Disabled

Base DN:     cn=OracleSchemaVersion
Backend ID:  OIDCompatibility
Entries:     3
Replication: Disabled

Base DN:     cn=virtual acis
Backend ID:  virtualAcis
Entries:     0
Replication: Disabled

Base DN:     dc=example,dc=com
Backend ID:  userRoot
Entries:     1
Replication: Disabled

This workaround temporarily disables endpoint identification, although the correct method would be to fix the certificate and use it. For now there is a MOS bug related to this issue, which increases the chance that this will be fixed in a future release. Until then, you can easily work around the issue by setting the environment variable.

A few links related to this short blog post:

  • Blog post on Oracle Unified Directory on Docker
  • MOS Bug 28525374 SSLHANDSHAKEEXCEPTION WHEN CREATING OUD INSTANCE WITH JAVA 1.8.0_181
  • MOS Note OUD – How To Configure the Default JVM and Java Arguments with Environment Variables or by Modification of the java.properties File 2220584.1
  • My genuine Docker build scripts for Oracle Unified Directory on GitHub (oehrlis/docker)
  • Oracle Docker build scripts for Oracle Unified Directory on GitHub (oracle/docker-images) yep from me too 🙂

3 thoughts on “Oracle Unified Directory SSLHandshakeException with Java 1.8.0_181”

  1. Mahendra

    The java.properties update works too. Just need to set the ‘overwrite-env-java-home=true’ flag in java.properties as well.

    ########## steps to disable endpoint auth ##########
    overwrite-env-java-home=true

    status.java-args=-client -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
