Issue with openJDK 11 and custom CA for LDAP

troubleshooting
ldap
#1

I followed the steps in Upgrading Horizon 23 to 24 on CentOS 7 and switched to OpenJDK 11 to make sure OpenNMS is using OpenJDK 11, and I am able to login with local accounts just fine. If I try to login with an LDAP account, I get the following:

Your log-in attempt failed, please try again. Reason: domain.controller:636; nested exception is javax.naming.CommunicationException: domain.controller:636 [Root exception is java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)]

This works just fine when using Oracle JDK 8, and I made sure our internal CA certificate exists within all the usual repository locations on the server.

#2

It looks like the issue isn’t that it doesn’t see the CA, but that the JDK doesn’t support the algorithm the server is expecting to use.

This makes me wonder if your build of OpenJDK doesn’t have some of the “JCE” stuff enabled, or if maybe there’s an additional package you need to install for it?

#3

Or, alternatively, the JDK has intentionally disabled some known-weak crypto stuff (such as SSL v3, TLS v1.0, etc), but the server only supports one of those older standards, so they can’t talk to each other?

#4

I’m pretty sure that’s it. I had started upgrading my CA from sha1 to sha2, but evidently didn’t complete the process. :man_facepalming: