javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ip address found

We are trying to update the Java version packaged with WebSphere. After updating Java we started getting the error above when connecting to LDAP over SSL. Because of this error we were unable to log in to the WebSphere Admin console or to the applications that use the LDAP registry integrated with WebSphere.

Root Cause:

This error appears with Java 1.8.0_181 because that update includes security improvements for LDAP support: endpoint identification has been enabled on LDAPS connections.

According to the JDK 8u181 Update Release Notes, endpoint identification algorithms are now enabled by default to improve the robustness of LDAPS (secure LDAP over TLS) connections. In practice the JVM now verifies that the host named in the LDAP URL matches a subject alternative name (or, failing that, the subject name) in the LDAP server's certificate. If the URL uses an IP address or an alias that the certificate does not list, the TLS handshake fails with the exception above before any bind is attempted.

Solution

1) Regenerate the LDAP server certificate so that its subject alternative name (or its subject name) matches the hostname used in the LDAP URL. This is the proper fix, because it keeps the hostname check in place.

2) Disable endpoint identification by setting the system property below. This switches the hostname check off for every LDAP connection the JVM makes, so a certificate issued for any host is accepted; treat it as a temporary workaround until the certificate can be corrected:

com.sun.jndi.ldap.object.disableEndpointIdentification=true
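To show what the new check actually demands of the certificate (and therefore what solution 1 must produce), here is an added Python model of the JDK hostname-matching rules for LDAPS; it is not code from the original post, and the URLs and SAN lists are constructed sample data. It covers the general rules (IP literal versus DNS host, wildcards, CN fallback), not only the single failure described above.

```python
"""Offline model of the endpoint identification check JDK 8u181+ applies to LDAPS:
the host in the ldaps:// URL must match the server certificate's subject alternative
names (SAN). Added example, not code from the original post; sample data is constructed."""
import ipaddress
from urllib.parse import urlsplit


def dns_name_matches(pattern, host):
    """Case-insensitive DNS match; one '*' may replace the leftmost label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = host.split(".")
        # '*.example.com' covers 'ldap.example.com', not 'example.com' or 'a.b.example.com'
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return False


def check_endpoint_identification(ldap_url, san_dns=(), san_ip=(), subject_cn=None):
    """Return (ok, reason). Mirrors the JDK rules: an IP literal in the URL is compared
    only with iPAddress SAN entries; a DNS host with dNSName entries, and the subject
    CN is consulted only when the certificate has no dNSName entry at all."""
    host = urlsplit(ldap_url).hostname
    if not host:
        return False, "URL has no host component"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ipaddress.ip_address(s) == ip for s in san_ip):
            return True, f"iPAddress SAN matches {host}"
        return False, (f"no iPAddress SAN matches {host}; dNSName entries and the CN "
                       "never count for an IP literal, so add an IP SAN or use the hostname")
    if san_dns:
        if any(dns_name_matches(p, host) for p in san_dns):
            return True, f"dNSName SAN matches {host}"
        return False, f"no dNSName SAN matches {host} (CN ignored: dNSName entries exist)"
    if subject_cn and dns_name_matches(subject_cn, host):
        return True, f"no SAN present; subject CN matches {host}"
    return False, f"no SAN present and subject CN does not match {host}"


if __name__ == "__main__":
    # Constructed sample: the certificate names only ldap.example.com, no IP SAN
    for url in ("ldaps://ldap.example.com:636", "ldaps://10.0.0.5:636"):
        ok, why = check_endpoint_identification(url, ["ldap.example.com"], [])
        print(url, "OK" if ok else "FAIL", "-", why)
```

Run it against the names in your own certificate (for example from the output of keytool -printcert) and the exact host string in the WebSphere LDAP URL; whichever combination reports FAIL is the one that needs the certificate reissued or the URL changed.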

If LDAPS is enabled and LDAP authentication is the active user registry in WebSphere, follow the steps below to add the JVM argument.

For a standalone profile follow these steps (administrative security has to be switched off first, because the console login itself goes through the broken LDAPS connection):

1. Disable security by manually editing security.xml under WAS_HOME/config/cells/Cell01/: change the first occurrence of enabled="true" in the file to enabled="false".
2. Kill the Admin server process.
3. Start the Admin server again.
4. Log in to the Admin console and add the JVM argument -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
5. Set enabled="true" again in security.xml, start the standalone profile with startServer.sh server1 and try to log in with an LDAP id.

For Network Deployment, repeat the following for the application server, the nodeagent and the deployment manager.

Application Server
1. In the Administration Console, select Servers.
2. Expand Server Type and select WebSphere application servers.
3. Click the name of your server.
4. Expand Java and Process Management and select Process Definition.
5. Under the Additional Properties section, click Java Virtual Machine.
6. Scroll down and locate the text box for Generic JVM arguments.
7. Add -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true, click Apply, save the changes and restart WAS.

Nodeagent
1. In the Administration Console, select System Administration.
2. Select Node agents.
3. Choose the nodeagent to edit.
4. In the Server Infrastructure section, expand Java and Process Management and select Process Definition.
5. Under the Additional Properties section, click Java Virtual Machine.
6. Scroll down and locate the text box for Generic JVM arguments.
7. Add -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true, click Apply, save the changes and restart WAS.

Deployment Manager
1. In the Administration Console, select System Administration.
2. Select Deployment manager.
3. In the Server Infrastructure section, expand Java and Process Management and select Process Definition.
4. Under the Additional Properties section, click Java Virtual Machine.
5. Scroll down and locate the text box for Generic JVM arguments.
6. Add -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true, click Apply, save the changes and restart WAS.
