Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.
SOLVED

AEM LDAP over SSL InvalidConnectionException: SSL handshake failed

Avatar

Level 2

We are setting up LDAP over SSL in the AEM 6.3 environment , imported all the required certs in the Java VM cacerts.  we are getting below exception

  06.06.2018 11:20:22.524 *ERROR* [qtp1318568182-277189] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider Error while connecting to the ldap server.

  • org.apache.directory.ldap.client.api.exception.InvalidConnectionException: SSL handshake failed.

at org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:4190)

at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1314)

As per the Adobe documentation  https://helpx.adobe.com/experience-manager/6-3/sites/administering/using/ldap-config.html , they said it is a known issue see below . What is Netscape comments?

Known issues

If you plan on using LDAP over SSL, make sure the certificates you are using are created without the Netscape comment option. If this option is enabled, authentication will fail with a SSL Handshake error.

Did anyone got this issue? how did you resolved it.

Thanks in Advance.

Thanks,

Chandra

1 Accepted Solution

Avatar

Correct answer by
Employee

Regarding the "Netscape Comment" issue, your certificate shouldn't contain any of the netscape related extensions such as this:

  X509v3 extensions:

       Netscape Comment:

           OpenSSL Generated Certificate

To generate the cert without that included you would need to modify the openssl.cnf file:

1. Comment out all lines like this:

nsComment               = "OpenSSL Generated Certificate" 

Just add # before it, e.g.

#nsComment               = "OpenSSL Generated Certificate" 

2. Add this line if it doesn't exist:

extendedKeyUsage=serverAuth 

You can validate the certificate with this command:

openssl -x509 -­text ­noout ­-in certificate.crt 

View solution in original post

3 Replies

Avatar

Level 10

We have LDAP artilce - but it does not use SSL.

Adobe Experience Manager Help | Configuring Adobe Experience Manager 6.4 to use Apache Directory Ser...

Your message seems to indicate that the cert to connect is not valid.

Anyhow - i am following up with the doc team to see what they meant by this. I agree - this is not clear.

Avatar

Level 2

LDAP over HTTP is working us, only on SSL is not working.

Thank you for following up with doc team. Please do let me know if you heard any thing from them.

Thanks,

Chandra

Avatar

Correct answer by
Employee

Regarding the "Netscape Comment" issue, your certificate shouldn't contain any of the netscape related extensions such as this:

  X509v3 extensions:

       Netscape Comment:

           OpenSSL Generated Certificate

To generate the cert without that included you would need to modify the openssl.cnf file:

1. Comment out all lines like this:

nsComment               = "OpenSSL Generated Certificate" 

Just add # before it, e.g.

#nsComment               = "OpenSSL Generated Certificate" 

2. Add this line if it doesn't exist:

extendedKeyUsage=serverAuth 

You can validate the certificate with this command:

openssl -x509 -­text ­noout ­-in certificate.crt