Product: TIBCO Spotfire®
Problem:
LDAPS authentication or synchronization fails with "No subject alternative DNS name matching found" error
Solution:
LDAPS authentication or synchronization may fail, with the following warning in the TIBCO Spotfire Server server.log file:
WARN 2019-01-11T23:29:50,436-0500 [*LdapSynchronizer.RestartRunnable*] server.ldap.LdapSearcher: Error performing an LDAP search
javax.naming.PartialResultException: null
Caused by: javax.naming.CommunicationException: XXXX:636
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching XXXX found.
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching XXXX found.
Starting with JDK 8 update 181 (1.8.0_181), the Java Development Kit enables endpoint identification algorithms on LDAPS (LDAP over TLS) connections by default. The hostname in the LDAP URL is now checked against the names in the server certificate during the TLS handshake, as it already was for HTTPS. The change was made to increase security: before it, any certificate that chained to a trusted CA was accepted no matter which host it named, which left LDAPS open to impersonation by anyone holding such a certificate. The exception reported above is therefore a valid error that should be corrected, not suppressed. For additional details on the change, see the JDK 8u181 Release Notes under the "Improve LDAP support" section.
Spotfire 10.0.0 and later bundle JDK 8u181, so LDAPS connections that worked with an earlier Spotfire version can stop working after the upgrade when the certificate presented by the LDAP server does not contain the exact hostname used in the LDAP URL configured in Spotfire. The message itself tells you what is wrong: "No subject alternative DNS name matching XXXX found" means the certificate does have a Subject Alternative Name extension, but none of its DNS entries matches XXXX. When a certificate carries SAN DNS entries, Java checks only those and does not fall back to the Subject CN (the CN is consulted only for certificates with no SAN DNS entries, and that failure reads "No name matching XXXX found"). Because of this, the certificate generally has to be regenerated so that its SAN lists the hostname Spotfire connects to.
The JDK release notes also document a system property, com.sun.jndi.ldap.object.disableEndpointIdentification=true, that switches the check off. Treat it as a short-term stop-gap only: it restores the pre-8u181 behaviour and with it the exposure the change was meant to remove, so fix the certificate instead.
To resolve the issue:
Regenerate the LDAP server certificate so that it names the host Spotfire connects to
When regenerating the certificate:
- Include the fully qualified hostname exactly as it appears in the LDAP server URL configured in Spotfire (the host part of ldaps://host:636) as a DNS entry in the Subject Alternative Name extension. If the server is reached under more than one name (short name, FQDN, a CNAME such as a load-balancer alias), list each of them in the SAN. Putting the name in the Subject CN alone is not enough once the certificate has a SAN extension, because Java then ignores the CN.
- Ensure that your hostname, CNAME and DNS entries are all up to date and that the server names match the certificate.
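The following is an added example, not code from TIBCO or the JDK. It models the decision that Java's LDAPS endpoint identification makes for the configured LDAP URL and the server certificate, so you can predict the error above from the certificate's Subject and SAN before regenerating it: SAN DNS entries are consulted first and, when any exist, the Subject CN is ignored; the CN is only a fallback for certificates without SAN DNS entries. The hostnames, the ad01.corp.example domain controller and the certificates are invented, the certificate is a minimal dict stand-in for X.509 data, and the wildcard rule is a simplified approximation of the JDK's HostnameChecker rather than a copy of it.

```python
"""Added example: Java-style hostname matching for an LDAPS server certificate.

Constructed data only (assumed hostnames and certificates); nothing here is Spotfire's
or the JDK's code. The wildcard rule approximates the JDK's HostnameChecker.
"""
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


def expected_hostname(ldap_url: str) -> str:
    """The name the certificate must carry: the host part of the configured ldaps:// URL."""
    host = urlsplit(ldap_url).hostname  # drops scheme, port and credentials; lower-cases
    if not host:
        raise ValueError(f"no host in LDAP URL: {ldap_url!r}")
    return host.rstrip(".")


def name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate DNS name with the expected host (case-insensitive).

    A wildcard is accepted only as the entire left-most label of a name with at least
    two further labels: *.corp.example matches ad01.corp.example, but *corp.example,
    a.*.example and *.example are rejected, and the wildcard covers exactly one label.
    """
    p, h = pattern.rstrip(".").lower(), hostname.rstrip(".").lower()
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def check_certificate(cert: Dict[str, object], hostname: str) -> Tuple[bool, str]:
    """Return (accepted, reason) in the order Java applies the checks.

    cert is a minimal stand-in for an X.509 certificate:
        {"cn": "<Subject CN>", "san_dns": ["<dNSName>", ...]}
    If any SAN dNSName entries exist, only they are consulted; the Subject CN is used
    solely when the certificate has no dNSName entry at all.
    """
    san_dns: List[str] = list(cert.get("san_dns") or [])
    if san_dns:
        if any(name_matches(n, hostname) for n in san_dns):
            return True, "matched a subjectAltName DNS entry"
        return False, f"No subject alternative DNS name matching {hostname} found."
    cn = cert.get("cn")
    if isinstance(cn, str) and name_matches(cn, hostname):
        return True, "matched the Subject CN (fallback; certificate has no SAN DNS entries)"
    return False, f"No name matching {hostname} found"


def check_ldap_url(ldap_url: str, cert: Dict[str, object]) -> Tuple[bool, str]:
    """Derive the expected host from the Spotfire LDAP URL, then check the certificate."""
    return check_certificate(cert, expected_hostname(ldap_url))


# Constructed certificates for a hypothetical domain controller ad01.corp.example.
CERT_FQDN_ONLY_IN_CN = {"cn": "ad01.corp.example", "san_dns": ["ad01", "ldap.corp.example"]}
CERT_FIXED = {"cn": "ad01.corp.example",
              "san_dns": ["ad01.corp.example", "ad01", "ldap.corp.example"]}
CERT_NO_SAN = {"cn": "ad01.corp.example", "san_dns": []}
CERT_WILDCARD = {"cn": "*.corp.example", "san_dns": ["*.corp.example"]}

if __name__ == "__main__":
    url = "ldaps://AD01.corp.example:636"  # assumed Spotfire LDAP URL; host compares case-insensitively
    for label, cert in [("SAN present, FQDN only in CN", CERT_FQDN_ONLY_IN_CN),
                        ("SAN regenerated with the FQDN", CERT_FIXED),
                        ("no SAN at all (CN fallback)", CERT_NO_SAN),
                        ("wildcard SAN", CERT_WILDCARD)]:
        ok, why = check_ldap_url(url, cert)
        print(f"{label:32} -> {'accepted' if ok else 'REJECTED'}: {why}")
```

The first certificate reproduces the article's error even though its CN is correct, which is why adding the name to the Subject alone does not help. To see what the real server presents, run `keytool -printcert -sslserver host:636` from the Spotfire server's JDK, or `openssl s_client -connect host:636 -servername host -showcerts </dev/null | openssl x509 -noout -subject -ext subjectAltName` (the `-ext` option needs OpenSSL 1.1.1 or later), and compare the SAN DNS entries with the host in your LDAP URL.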