
SOLVED

AEM LDAP over SSL InvalidConnectionException: SSL handshake failed


Level 2

We are setting up LDAP over SSL in the AEM 6.3 environment and imported all the required certs in the Java VM cacerts. We are getting the below exception:

  06.06.2018 11:20:22.524 *ERROR* [qtp1318568182-277189] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider Error while connecting to the ldap server.
  org.apache.directory.ldap.client.api.exception.InvalidConnectionException: SSL handshake failed.
      at org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:4190)
      at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1314)

As per the Adobe documentation https://helpx.adobe.com/experience-manager/6-3/sites/administering/using/ldap-config.html, they say it is a known issue (see below). What is the Netscape comment?

Known issues

If you plan on using LDAP over SSL, make sure the certificates you are using are created without the Netscape comment option. If this option is enabled, authentication will fail with a SSL Handshake error.

Did anyone get this issue? How did you resolve it?

Thanks in Advance.

Thanks,

Chandra

1 Accepted Solution


Correct answer by
Employee

Regarding the "Netscape Comment" issue, your certificate shouldn't contain any of the Netscape-related extensions, such as this:

  X509v3 extensions:
      Netscape Comment:
          OpenSSL Generated Certificate

To generate the cert without that included, you would need to modify the openssl.cnf file:

1. Comment out all lines like this:

nsComment               = "OpenSSL Generated Certificate"

Just add # before it, e.g.

#nsComment               = "OpenSSL Generated Certificate"

2. Add this line if it doesn't exist:

extendedKeyUsage=serverAuth

You can validate the certificate with this command:

openssl x509 -text -noout -in certificate.crt
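A runnable check of the accepted answer's advice, added here and not part of the original thread: it builds a self-signed test certificate from a constructed openssl.cnf that has no nsComment line and sets extendedKeyUsage=serverAuth, builds a second one with nsComment for contrast, and inspects both with openssl x509 -text -noout. It assumes the openssl CLI is installed; WORKDIR, the file names and the CN are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): build a test cert from an openssl.cnf that omits
# nsComment and sets extendedKeyUsage=serverAuth, plus one WITH nsComment for contrast.
# WORKDIR, file names and the CN are constructed for this example.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# $1 = config path; $2 = "bad" appends the nsComment line, anything else omits it.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_server
prompt             = no
[ req_dn ]
CN = ldap.example.test
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:ldap.example.test
EOF
    # The line the accepted answer says to comment out, re-added only for "bad".
    [ "$2" = "bad" ] && echo 'nsComment = "OpenSSL Generated Certificate"' >> "$1"
    return 0
}

# Self-signed cert for testing only; $1 = output basename, $2 = variant.
generate_cert() {
    write_config "$WORKDIR/$1.cnf" "$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$WORKDIR/$1.key" \
        -out "$WORKDIR/$1.crt" -config "$WORKDIR/$1.cnf" >/dev/null 2>&1
}

# Returns 0 only if the cert has no Netscape extension and carries serverAuth.
check_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    if printf '%s\n' "$text" | grep -q 'Netscape'; then
        echo "FAIL: Netscape extension present in $1"; return 1
    fi
    if ! printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
        echo "FAIL: extendedKeyUsage serverAuth missing in $1"; return 1
    fi
    echo "OK: $1 has no Netscape extensions and has serverAuth EKU"
}

generate_cert good clean
generate_cert bad bad
check_cert "$WORKDIR/good.crt"
! check_cert "$WORKDIR/bad.crt"   # the nsComment variant is expected to fail the check
```

The same check_cert function can be pointed at the certificate you intend to import into the Java cacerts, before restarting AEM.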


3 Replies


Level 10

We have an LDAP article, but it does not use SSL.

Adobe Experience Manager Help | Configuring Adobe Experience Manager 6.4 to use Apache Directory Ser...

Your message seems to indicate that the cert to connect is not valid.

Anyhow, I am following up with the doc team to see what they meant by this. I agree, this is not clear.


Level 2

LDAP over HTTP is working for us; only SSL is not working.

Thank you for following up with the doc team. Please do let me know if you hear anything from them.

Thanks,

Chandra
