Designer 4.7.2 with Azul Zulu JDK cannot read saved password

So I copied my working Designer 4.7.1.1 install folder and installed 4.7.2 over it (on Windows Server 2012 R2) in the hope my Designer tweaks (config.ini, Designer.ini) would be kept in 4.7.2 (not the case, the installer basically wiped the folder and installed from scratch).

Started up 4.7.2, opened the same workspace I used with 4.7.1.1 and tried to connect to an IDV with saved credentials in the project and all I get is an authentication error: failed credentials or non-existing DN...

Closed 4.7.2, started 4.7.1.1 (ALWAYS keep the previous version when updating Designer!) with the same workspace and authentication works just fine again.

Renamed the "jre" subfolder in the 4.7.2 install to "jre.azul" and copied "jre" from 4.7.1.1 over (containing an Oracle Server JRE 8u162). Started 4.7.2 - et voilà - authentication with saved credentials works again.

Anyone else to confirm this?
______________________________________________
https://www.is4it.de/identity-access-management

Re: Designer 4.7.2 with Azul Zulu JDK cannot read saved password

First, I haven't tried duplicating, but I'm curious what you see on the
eDirectory side, presumably in the LDAP or AUTH traces. Do you see a
connection attempt, a bind attempt, etc.? I presume so, so it would be
interesting to know what is being sent across the wire (a part of the
password, a jumbled password, no password).


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.

Re: Designer 4.7.2 with Azul Zulu JDK cannot read saved password

ab wrote:

> First, I haven't tried duplicating, but I'm curious what you see on the
> eDirectory side, presumably in the LDAP or AUTH traces.


Seems to be a certificate issue, actually:

18:03:11 17C0 LDAP: New TLS connection 0x8412600 from 10.160.168.121:56027, monitor = 0x1234, index = 3
18:03:11 1234 LDAP: Monitor 0x1234 initiating TLS handshake on connection 0x8412600
18:03:11 24D8 LDAP: DoTLSHandshake on connection 0x8412600
18:03:11 24D8 LDAP: TLS accept failure 5 on connection 0x8412600, setting err = -5875. Error stack:
18:03:11 24D8 LDAP: TLS handshake failed on connection 0x8412600, err = -5875
18:03:11 24D8 LDAP: Server closing connection 0x8412600, socket error = -5875
18:03:11 24D8 LDAP: Connection 0x8412600 closed
18:03:11 17C0 LDAP: New TLS connection 0x8412600 from 10.160.168.121:56028, monitor = 0x1234, index = 3
18:03:11 1234 LDAP: Monitor 0x1234 initiating TLS handshake on connection 0x8412600
18:03:11 22EC LDAP: DoTLSHandshake on connection 0x8412600
18:03:11 22EC LDAP: BIO ctrl called with unknown cmd 7
18:03:11 22EC LDAP: Completed TLS handshake on connection 0x8412600
18:03:11 1234 LDAP: Monitor 0x1234 found connection 0x8412600 ending TLS session
18:03:11 2158 LDAP: DoTLSShutdown on connection 0x8412600
18:03:11 2158 LDAP: Server closing connection 0x8412600, socket error = -5871
18:03:11 2158 LDAP: Connection 0x8412600 closed
18:03:11 17C0 LDAP: New TLS connection 0x8412600 from 10.160.168.121:56029, monitor = 0x1234, index = 3
18:03:11 1234 LDAP: Monitor 0x1234 initiating TLS handshake on connection 0x8412600
18:03:11 3360 LDAP: DoTLSHandshake on connection 0x8412600
18:03:11 3360 LDAP: TLS accept failure 1 on connection 0x8412600, setting err = -5875. Error stack:
error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
- SSL alert number 46
18:03:11 3360 LDAP: TLS handshake failed on connection 0x8412600, err = -5875
18:03:11 3360 LDAP: BIO ctrl called with unknown cmd 7
18:03:11 3360 LDAP: Server closing connection 0x8412600, socket error = -5875
18:03:11 3360 LDAP: Connection 0x8412600 closed

I do not get prompted to verify/accept/import the tree cert when I hit "Test Connection" in IDV properties with the Azul JRE, while the Oracle JRE I copied from the 4.7.1.1 install obviously has it imported already. So after all it might rather be Designer than the JRE that's to blame. Tried the same with the macOS version against my dev tree and I did get prompted for the cert... strange.

Re: Designer 4.7.2 with Azul Zulu JDK cannot read saved password

Lothar Haeger wrote:

> Seems to be a certificate issue, actually:


Just for the record, the error message I get is:

"Authentication failed: The system can't authenticate you to the tree. Make sure the username, context, and password are correct, and then retry the operation. If it still doesn't work, contact your network administrator."

Very helpful.


Re: Designer 4.7.2 with Azul Zulu JDK cannot read saved password

Lothar Haeger wrote:

> Tried the same with the macOS version against my dev tree and
> I did get prompted for the cert... strange.


One difference between my dev tree and the customer tree where I see the issue is that I use a standard eDir LDAP server cert, signed by the eDir CA in dev, while the customer tree where login fails uses a custom CA where the LDAP server cert is signed by a sub-CA. The sub-CA has been imported into designer/configuration/LDAPServerCerts automatically but not the customer root CA (doing that manually does not help, btw). Copying over the 4.7.1.1 LDAPServerCerts file to the 4.7.2 install does not help. Same if I copy over jre/lib/security, which includes the JRE cacerts and the JRE's security policy.

Even funnier: when I delete the LDAPServerCerts file, restart Designer with
Azul JRE, hit "Test Connection" I get prompted if I want to trust the cert.
Select "permanently", hit OK and I get the auth failure. Hit "Test Connection"
another time, again auth failure.

Repeat the same with the Oracle JRE and I get an authentication failure after
accepting the cert, too - but only once. When I hit "Test Connection" again,
authentication finally (and subsequently) succeeds.

So I'm back to blame the JRE somehow...

Re: Designer 4.7.2 with Azul Zulu JDK cannot read saved password

On 01/17/2019 10:09 AM, Lothar Haeger wrote:
>
> Seems to be a certificate issue, actually:


Yes, I agree; I would guess the new JRE isn't trusting the server, and
maybe cannot be updated due to something different about it vs. the other
install (permissions on files would be my first guess).

> 18:03:11 3360 LDAP: DoTLSHandshake on connection 0x8412600
> 18:03:11 3360 LDAP: TLS accept failure 1 on connection 0x8412600, setting err = -5875. Error stack:
> error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
> - SSL alert number 46


I would probably try to find the 'cacerts' file for this new JRE and
manually import the eDirectory CA trusted root certificate into that to
see if it helps (after restarting Designer).


Re: Designer 4.7.2 with Azul Zulu JDK cannot read saved password

On 1/17/2019 12:09 PM, Lothar Haeger wrote:
> ab wrote:
>
>> First, I haven't tried duplicating, but I'm curious what you see on the
>> eDirectory side, presumably in the LDAP or AUTH traces.
>
> Seems to be a certificate issue, actually:
>
> 18:03:11 3360 LDAP: TLS accept failure 1 on connection 0x8412600, setting err = -5875. Error stack:
> error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
> - SSL alert number 46


JVM 1.8 181 and later versions now require that the DNS name you connect to
match the name in the cert Subject Name. Yay! There is a Java option
to turn that off.

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

Re: Designer 4.7.2 with Azul Zulu JDK cannot read saved password

Geoffrey Carman wrote:

> JVM 1.8 181 and later versions now requires that the DNS you connect match
> the name in the cert Subject Name.


The Oracle JRE is indeed 8u162 while Azul is 8u192. Nevertheless, I connect via
the DNS name and the cert is properly issued, the DNS name is set as SAN and
the cert's CN (which is not the DNS name) is repeated as SAN.

For the fun of it I swapped in Oracle's latest server JRE 8u202 and tried
again. Designer prompts to copy some additional libs to the jre/libs folder as
expected and restarts. Then I get the same error as with Azul.

Finally I added -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
to Designer.ini and now authentication succeeds with all three JREs.

Geoffrey, you da man!

Only I do not see where the LDAP cert violates RFC 5280 yet:


Subject: CN=dev-idmedir-1.customer.com, O=Customer Group, C=DE

SubjectAlternativeName [
DNSName: dev-idmedir-1.customer.com
DNSName: WS000440.customer.com
]


Re: Designer 4.7.2 with Azul Zulu JDK cannot read saved password

Lothar Haeger wrote:

> Only I do not see where the LDAP cert violates RFC 5280 yet:
>
> Subject: CN=dev-idmedir-1.customer.com, O=Customer Group, C=DE
>
> SubjectAlternativeName [
> DNSName: dev-idmedir-1.customer.com
> DNSName: WS000440.customer.com
> ]

...and to add to the confusion: when I run Apache Studio with Oracle's 8u202 jre
and connect via JNDI to ws000440.customer.com:636 it works just fine without
the need to set -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true.

And when I use only ws000440:636 instead, I get a meaningful error message that
confirms endpoint verification is actually active and reads:

Error while opening connection
- simple bind failed: ws000440:636
javax.naming.CommunicationException: simple bind failed: ws000440:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ws000440 found.]

Anyone to explain that?

Re: Designer 4.7.2 with Azul Zulu JDK cannot read saved password

On 1/17/2019 1:59 PM, Lothar Haeger wrote:
> Geoffrey Carman wrote:
>
>> JVM 1.8 181 and later versions now requires that the DNS you connect match
>> the name in the cert Subject Name.
>
> The Oracle JRE is indeed 8u162 while Azul is 8u192. Nevertheless, I connect via
> the dns name and the cert is properly issued, the DNS name is set as SAN and
> the cert's CN (which is not the DNS name) is repeated as SAN.
>
> For the fun of it I swapped in Oracle's latest server jre 8u202 and tried
> again. Designer prompts to copy some additional libs to the jre/libs folder as
> expected and restarts. The I get the same error as with Azul.
>
> Finally I added -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
> to Designer.ini and now authentication succeeds with all three JREs.
>
> Geoffrey, you da man!

Sorry, I stole that info from Steve Williams, since OSP suffers this
issue now as it uses the newer JVMs, as will the Identity Apps I assume.


> Only I do not see where the LDAP cert violates RFC 5280 yet:
>
> Subject: CN=dev-idmedir-1.customer.com, O=Customer Group, C=DE
>
> SubjectAlternativeName [
> DNSName: dev-idmedir-1.customer.com
> DNSName: WS000440.customer.com
> ]


Re: Designer 4.7.2 with Azul Zulu JDK cannot read saved password

Geoffrey Carman <geoffreycarmanNOSPAM@NOSPAMgmail.com> wrote:
> On 1/17/2019 1:59 PM, Lothar Haeger wrote:
>
> Sorry, I stole that info from Steve Williams, since OSP suffers this
> issue now as it uses the newer JVMs, as will the Identity Apps I assume.


Yeah, that kicked in with IDApps 4.7.1.1 and caused pain with an upgrade.
Ended up going back to 4.7.1 for the interim to avoid extra risks.


Alex McHugh - Knowledge Partner - Stavanger, Norway

Re: Designer 4.7.2 with Azul Zulu JDK cannot read saved password

On 2019-01-17 19:59, Lothar Haeger wrote:
> Subject: CN=dev-idmedir-1.customer.com, O=Customer Group, C=DE
>
> SubjectAlternativeName [
> DNSName: dev-idmedir-1.customer.com
> DNSName: WS000440.customer.com
> ]


While case should be significant in domain names, have you tried
connecting to WS000440.customer.com (capital WS) or the alternative
DNSName?

--
Norbert

Re: Designer 4.7.2 with Azul Zulu JDK cannot read saved password

> On 2019-01-17 19:59, Lothar Haeger wrote:
>> Subject: CN=dev-idmedir-1.customer.com, O=Customer Group, C=DE
>>
>> SubjectAlternativeName [
>>    DNSName: dev-idmedir-1.customer.com
>>    DNSName: WS000440.customer.com
>> ]


While case should *not* be significant in domain names, have you tried
connecting to WS000440.customer.com (capital WS) or the alternative
DNSName?


Re: Designer 4.7.2 with Azul Zulu JDK cannot read saved password

Norbert Klasen wrote:

> While case should not be significant in domain names


Thanks for the correction, now I do agree.

https://tools.ietf.org/html/rfc4343 makes an interesting read on what seems to
be a trivial problem on first glance, btw.


Re: Designer 4.7.2 with Azul Zulu JDK cannot read saved password

Norbert Klasen wrote:

> While case should be significant in domain names, have you tried connecting
> to WS000440.customer.com (capital WS) or the alternative DNSName?


Case does not make a difference, both "WS" and "ws" fail equally in Designer.
And both equally work in Apache Studio with that same 8u202 JRE...
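The endpoint identification that the -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true property switches off, the "No subject alternative DNS name matching ws000440 found" error Apache Studio reported, and Norbert's question about upper- versus lower-case "WS" all come down to one hostname-versus-certificate check, reproduced here as an added Python example (not code from Designer, Apache Studio or the JDK). The certificate dict is a constructed stand-in for the SAN listing quoted in the thread, and the matching rules follow RFC 6125 and RFC 4343 as the JDK is assumed to apply them.

```python
"""Hostname-vs-certificate matching as the JDK's LDAP endpoint identification
applies it (constructed example modelled on RFC 6125 and RFC 4343; assumption,
not Designer's or the JDK's own code)."""
from typing import Optional

# Constructed stand-in for the parsed eDirectory LDAP server certificate
# quoted in the thread: subject CN plus the two dNSName SAN entries.
CUSTOMER_LDAP_CERT = {
    "subject_cn": "dev-idmedir-1.customer.com",
    "san_dns": ["dev-idmedir-1.customer.com", "WS000440.customer.com"],
}


def _normalize(name: str) -> str:
    # DNS labels compare case-insensitively (RFC 4343); ignore a trailing dot.
    return name.rstrip(".").lower()


def dns_name_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125 dNSName comparison: exact match, or a lone '*' as the left-most
    label that stands for exactly one label (never '*.com' or 'a.*.b')."""
    host, pat = _normalize(hostname), _normalize(pattern)
    if "*" not in pat:
        return host == pat
    pat_labels, host_labels = pat.split("."), host.split(".")
    if pat_labels[0] != "*" or len(pat_labels) < 3:
        return False
    if len(pat_labels) != len(host_labels) or "*" in "".join(pat_labels[1:]):
        return False
    return pat_labels[1:] == host_labels[1:]


def check_endpoint(hostname: str, cert: dict) -> Optional[str]:
    """Return None when the name the client connected to is accepted, else a
    failure reason worded like the JDK's CertificateException messages.
    IP-literal hostnames (matched against iPAddress SANs) are not modelled."""
    san_dns = cert.get("san_dns", [])
    if san_dns:
        # Once dNSName SANs exist, the subject CN is never consulted.
        if any(dns_name_matches(hostname, n) for n in san_dns):
            return None
        return f"No subject alternative DNS name matching {hostname} found."
    if dns_name_matches(hostname, cert.get("subject_cn", "")):
        return None
    return f"No name matching {hostname} found"


if __name__ == "__main__":
    for host in ("ws000440.customer.com", "WS000440.customer.com", "ws000440"):
        print(host, "->", check_endpoint(host, CUSTOMER_LDAP_CERT) or "accepted")
```

Connecting by a name that is actually in the SAN list keeps the check in force, whereas the disableEndpointIdentification property turns it off for every JNDI LDAP connection the JVM makes, not only Designer's.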