Uploaded image for project: 'Ambari'
  1. Ambari
  2. AMBARI-24447

No subject alternative DNS name exception encountered when Enabling Kerberos against an Active Directory even when SSL verification is off

    XMLWordPrintableJSON

    Details

      Description

      No subject alternative DNS name exception encountered when Enabling Kerberos against an Active Directory even when SSL verification is off.

      2018-08-09 14:48:28,275  WARN [ambari-client-thread-35] ADKerberosOperationHandler:471 - Failed to communicate with the Active Directory at ldaps://adserver.example.com:636: adserver.example.com:636
      javax.naming.CommunicationException: adserver.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching adserver.example.com found.]
              at com.sun.jndi.ldap.Connection.<init>(Connection.java:238)
              at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
      ...
      Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching adserver.example.com found.
              at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
              at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
      ...
      Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching adserver.example.com found.
              at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:214)
              at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
              at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:459)
              at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1026)
              at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:993)
              at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
      

      Note: This occurs when the hostname embedded in the SSL certificate does not match the hostname of the Active Directory host and Open JDK 1.8.181-b13 is used. This is not seen when Oracle JDK is used.

      Observed with this version of JDK
      openjdk version "1.8.0_181"
      OpenJDK Runtime Environment (build 1.8.0_181-b13)
      OpenJDK 64-Bit Server VM (build 25.181-b13, mixed mode)
      
      Not observed with this version of JDK
      java version "1.8.0_112"
      Java(TM) SE Runtime Environment (build 1.8.0_112-b15)
      Java HotSpot(TM) 64-Bit Server VM (build 25.112-b15, mixed mode)
      

      Solution
      The org.apache.ambari.server.security.InternalSSLSocketFactory.LenientTrustManager class needs to extend javax.net.ssl.X509ExtendedTrustManager and do nothing in the additional overridden methods.

        Attachments

          Activity

            People

            • Assignee:
              rlevas Robert Levas
              Reporter:
              rlevas Robert Levas
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0h
                0h
                Logged:
                Time Spent - 1h 20m
                1h 20m