You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2018/08/09 16:36:00 UTC
[jira] [Updated] (AMBARI-24447) No subject alternative DNS name
exception encountered when Enabling Kerberos against an Active Directory
even when SSL verification is off
[ https://issues.apache.org/jira/browse/AMBARI-24447?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Levas updated AMBARI-24447:
----------------------------------
Description:
No subject alternative DNS name exception encountered when Enabling Kerberos against an Active Directory even when SSL verification is off.
{noformat}
2018-08-09 14:48:28,275 WARN [ambari-client-thread-35] ADKerberosOperationHandler:471 - Failed to communicate with the Active Directory at ldaps://adserver.example.com:636: adserver.example.com:636
javax.naming.CommunicationException: adserver.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching adserver.example.com found.]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:238)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
...
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching adserver.example.com found.
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
...
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching adserver.example.com found.
at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:214)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:459)
at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1026)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:993)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
{noformat}
Note: This occurs when the hostname embedded in the SSL certificate does not match the hostname of the Active Directory host and Open JDK 1.8.181-b13 is used. This is not seen when Oracle JDK is used.
{noformat:title=Observed with this version of JDK}
openjdk version "1.8.0_181"
OpenJDK Runtime Environment (build 1.8.0_181-b13)
OpenJDK 64-Bit Server VM (build 25.181-b13, mixed mode)
{noformat}
{noformat:title=Not observed with this version of JDK}
java version "1.8.0_112"
Java(TM) SE Runtime Environment (build 1.8.0_112-b15)
Java HotSpot(TM) 64-Bit Server VM (build 25.112-b15, mixed mode)
{noformat}
*Solution*
The {{org.apache.ambari.server.security.InternalSSLSocketFactory.LenientTrustManager}} class needs to extend {{javax.net.ssl.X509ExtendedTrustManager}} and do nothing in the additional overridden methods.
was:
No subject alternative DNS name exception encountered when Enabling Kerberos against an Active Directory even when SSL verification is off.
{noformat}
2018-08-09 14:48:28,275 WARN [ambari-client-thread-35] ADKerberosOperationHandler:471 - Failed to communicate with the Active Directory at ldaps://adserver.example.com:636: adserver.example.com:636
javax.naming.CommunicationException: adserver.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching adserver.example.com found.]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:238)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
...
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching adserver.example.com found.
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
...
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching adserver.example.com found.
at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:214)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:459)
at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1026)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:993)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
{noformat}
Note: This occurs when the hostname embedded in the SSL certificate does not match the hostname of the Active Directory host and Open JDK 1.8.181-b13 is used. This is not seen when Oracle JDK is used.
{noformat:title=Observed with this version of JDK}
openjdk version "1.8.0_181"
OpenJDK Runtime Environment (build 1.8.0_181-b13)
OpenJDK 64-Bit Server VM (build 25.181-b13, mixed mode)
{noformat}
{noformat:title=Not observed with this version of JDK}
java version "1.8.0_112"
Java(TM) SE Runtime Environment (build 1.8.0_112-b15)
Java HotSpot(TM) 64-Bit Server VM (build 25.112-b15, mixed mode)
{noformat}
> No subject alternative DNS name exception encountered when Enabling Kerberos against an Active Directory even when SSL verification is off
> ------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: AMBARI-24447
> URL: https://issues.apache.org/jira/browse/AMBARI-24447
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: 2.7.0
> Reporter: Robert Levas
> Assignee: Robert Levas
> Priority: Major
> Fix For: 2.7.1
>
>
> No subject alternative DNS name exception encountered when Enabling Kerberos against an Active Directory even when SSL verification is off.
> {noformat}
> 2018-08-09 14:48:28,275 WARN [ambari-client-thread-35] ADKerberosOperationHandler:471 - Failed to communicate with the Active Directory at ldaps://adserver.example.com:636: adserver.example.com:636
> javax.naming.CommunicationException: adserver.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching adserver.example.com found.]
> at com.sun.jndi.ldap.Connection.<init>(Connection.java:238)
> at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
> ...
> Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching adserver.example.com found.
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
> ...
> Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching adserver.example.com found.
> at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:214)
> at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
> at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:459)
> at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1026)
> at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:993)
> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
> {noformat}
> Note: This occurs when the hostname embedded in the SSL certificate does not match the hostname of the Active Directory host and Open JDK 1.8.181-b13 is used. This is not seen when Oracle JDK is used.
> {noformat:title=Observed with this version of JDK}
> openjdk version "1.8.0_181"
> OpenJDK Runtime Environment (build 1.8.0_181-b13)
> OpenJDK 64-Bit Server VM (build 25.181-b13, mixed mode)
> {noformat}
> {noformat:title=Not observed with this version of JDK}
> java version "1.8.0_112"
> Java(TM) SE Runtime Environment (build 1.8.0_112-b15)
> Java HotSpot(TM) 64-Bit Server VM (build 25.112-b15, mixed mode)
> {noformat}
> *Solution*
> The {{org.apache.ambari.server.security.InternalSSLSocketFactory.LenientTrustManager}} class needs to extend {{javax.net.ssl.X509ExtendedTrustManager}} and do nothing in the additional overridden methods.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)