Category: System Administrator. Applies to: Jahia 7.3, Jahia 8
LDAPs and OpenJDK11
Question
I have switched to OpenJDK 11 and my LDAP provider, using an SSL connection, is no longer working. I get the following error:
2019-07-03 09:07:43,088: ERROR [CM Configuration Updater (ManagedServiceFactory Update: factoryPid=[org.jahia.services.usermanager.ldap])] org.jahia.services.usermanager.ldap.LDAPUserGroupProvider: An error occurred while communicating with the LDAP server ldap
org.springframework.ldap.CommunicationException: sso.jahia.com:636; nested exception is javax.naming.CommunicationException: sso.jahia.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]
at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:108)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:356)
at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:140)
at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:159)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:357)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:440)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:271)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:1604)
at org.jahia.services.usermanager.ldap.LDAPUserGroupProvider$3.doInLdap(LDAPUserGroupProvider.java:410)
at org.jahia.services.usermanager.ldap.LDAPUserGroupProvider$3.doInLdap(LDAPUserGroupProvider.java:405)
at org.jahia.services.usermanager.ldap.communication.LdapTemplateWrapper.execute(LdapTemplateWrapper.java:62)
at org.jahia.services.usermanager.ldap.LDAPUserGroupProvider.isAvailable(LDAPUserGroupProvider.java:405)
at org.jahia.modules.external.users.impl.UserDataSource.isAvailable(UserDataSource.java:244)
at org.jahia.modules.external.ExternalSessionImpl.getRootNode(ExternalSessionImpl.java:188)
at org.jahia.services.content.JCRStoreProvider.checkAvailability(JCRStoreProvider.java:410)
at org.jahia.services.content.JCRStoreProvider.isAvailable(JCRStoreProvider.java:387)
at org.jahia.services.content.JCRStoreProvider.isAvailable(JCRStoreProvider.java:376)
at org.jahia.services.content.JCRStoreProvider.start(JCRStoreProvider.java:341)
at org.jahia.modules.external.ExternalContentStoreProvider.start(ExternalContentStoreProvider.java:160)
at org.jahia.services.content.JCRStoreProvider.start(JCRStoreProvider.java:326)
at org.jahia.modules.external.users.impl.ExternalUserGroupServiceImpl.register(ExternalUserGroupServiceImpl.java:157)
at org.jahia.modules.external.users.BaseUserGroupProvider.register(BaseUserGroupProvider.java:78)
at org.jahia.services.usermanager.ldap.JahiaLDAPConfig.setContext(JahiaLDAPConfig.java:271)
at org.jahia.services.usermanager.ldap.JahiaLDAPConfigFactory.updated(JahiaLDAPConfigFactory.java:119)
at org.apache.felix.cm.impl.helper.ManagedServiceFactoryTracker.updated(ManagedServiceFactoryTracker.java:159)
at org.apache.felix.cm.impl.helper.ManagedServiceFactoryTracker.provideConfiguration(ManagedServiceFactoryTracker.java:93)
at org.apache.felix.cm.impl.ConfigurationManager$ManagedServiceFactoryUpdate.provide(ConfigurationManager.java:1602)
at org.apache.felix.cm.impl.ConfigurationManager$ManagedServiceFactoryUpdate.run(ConfigurationManager.java:1545)
at org.apache.felix.cm.impl.UpdateThread.run0(UpdateThread.java:143)
at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:110)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: javax.naming.CommunicationException: sso.jahia.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]
at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:237)
at java.naming/com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
at java.naming/com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1610)
at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2752)
at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:320)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:730)
at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)
at java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:42)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:344)
... 29 more
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
at java.naming/com.sun.jndi.ldap.Connection.createSocket(Connection.java:348)
at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:216)
... 43 more
Answer
By default in OpenJDK 11, the TLS protocol version used is 1.3. If your LDAP server does not support this protocol, the connection will fail. The bug was reported here: https://bugs.openjdk.java.net/browse/JDK-8213202
To work around it, you have to use version 1.2 by following these steps:
- Modify the file DX_HOME/tomcat/bin/setenv.sh and add the parameter -Djdk.tls.client.protocols=TLSv1.2 to the variable CATALINA_OPTS
- Restart Jahia
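The two steps above, as an added POSIX shell example that is not part of the original answer or of Jahia's own tooling. It appends the `-Djdk.tls.client.protocols=TLSv1.2` option to `CATALINA_OPTS` in `setenv.sh` only if it is not already there, and then sources the file in a subshell so you can see the `CATALINA_OPTS` value Tomcat will actually receive before restarting. The `DX_HOME` path in the usage comment and the sample `-Xmx2g` value are assumptions for illustration; the script does not restart Jahia for you.

```shell
#!/bin/sh
# Added example (not from the Jahia answer): apply the TLS 1.2 workaround to
# DX_HOME/tomcat/bin/setenv.sh idempotently and show the resulting CATALINA_OPTS.

TLS_OPT='-Djdk.tls.client.protocols=TLSv1.2'

# add_tls12_opt FILE
# Appends a CATALINA_OPTS line carrying $TLS_OPT unless FILE already contains it.
# Existing CATALINA_OPTS content is preserved because the new line only appends.
# Returns 0 when FILE contains the option afterwards.
add_tls12_opt() {
    f="$1"
    if grep -qF -- "$TLS_OPT" "$f" 2>/dev/null; then
        echo "already present: $f"
    else
        printf '\n# Force TLS 1.2 for JSSE clients (LDAPS handshake_failure on OpenJDK 11)\n' >> "$f"
        printf 'CATALINA_OPTS="$CATALINA_OPTS %s"\nexport CATALINA_OPTS\n' "$TLS_OPT" >> "$f"
        echo "added to: $f"
    fi
    grep -qF -- "$TLS_OPT" "$f"
}

# effective_catalina_opts FILE
# Sources FILE (absolute path) in a subshell with CATALINA_OPTS cleared and
# prints the value the JVM will be started with, without touching this shell.
effective_catalina_opts() {
    ( CATALINA_OPTS=""; . "$1"; printf '%s\n' "$CATALINA_OPTS" )
}

# Usage (DX_HOME is an assumed variable pointing at your Jahia install):
#   add_tls12_opt "$DX_HOME/tomcat/bin/setenv.sh" \
#     && effective_catalina_opts "$DX_HOME/tomcat/bin/setenv.sh"
# Then restart Jahia as described above.
```

Before pinning the version, it is worth confirming the diagnosis against the server named in the log: `openssl s_client -connect sso.jahia.com:636 -tls1_3` failing while `openssl s_client -connect sso.jahia.com:636 -tls1_2` completes the handshake is consistent with the answer's explanation. Keep the pin at `TLSv1.2`; do not widen it to `TLSv1` or `TLSv1.1`, which would weaken the LDAPS connection for every JSSE client in the JVM, since the property is process-wide, not specific to the LDAP provider.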