OpenIdentityPlatform / OpenAM

OpenAM is an open access management solution that includes Authentication, SSO, Authorization, Federation, Entitlements and Web Services Security.
https://www.openidentityplatform.org/openam

ssoadm not working when using SSL connection to config store in Java 11 #698

Closed lscorcia closed 9 months ago

lscorcia commented 9 months ago

Describe the bug

I am trying to set up ssoadm on a newly built machine that uses Java 11. OpenAM is installed locally and the config store is on the same machine. When running setup I get the following message:

Connect Error: No operational connection factories available

I have enabled extended logging adding -D"com.iplanet.services.debug.level=message" -D"javax.net.debug=all" to the setup script and this is the actual message:

javax.net.ssl|DEBUG|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.628 CET|SSLContextImpl.java:402|Ignore disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.628 CET|SSLContextImpl.java:411|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.628 CET|SSLContextImpl.java:402|Ignore disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.628 CET|SSLContextImpl.java:411|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.628 CET|SSLContextImpl.java:402|Ignore disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.629 CET|SSLContextImpl.java:411|Ignore unsupported cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.629 CET|SSLContextImpl.java:402|Ignore disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.629 CET|SSLContextImpl.java:411|Ignore unsupported cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.629 CET|SSLContextImpl.java:402|Ignore disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.629 CET|SSLContextImpl.java:411|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.629 CET|SSLContextImpl.java:402|Ignore disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.629 CET|SSLContextImpl.java:411|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.629 CET|SSLContextImpl.java:402|Ignore disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.629 CET|SSLContextImpl.java:411|Ignore unsupported cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.629 CET|SSLContextImpl.java:402|Ignore disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.629 CET|SSLContextImpl.java:411|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.629 CET|SSLContextImpl.java:402|Ignore disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.629 CET|SSLContextImpl.java:411|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.630 CET|SSLContextImpl.java:402|Ignore disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.630 CET|SSLContextImpl.java:411|Ignore unsupported cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.630 CET|SSLContextImpl.java:402|Ignore disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.630 CET|SSLContextImpl.java:411|Ignore unsupported cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.630 CET|SSLContextImpl.java:402|Ignore disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.630 CET|SSLContextImpl.java:411|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.630 CET|SSLContextImpl.java:402|Ignore disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.630 CET|SSLContextImpl.java:411|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.630 CET|SSLContextImpl.java:402|Ignore disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.630 CET|SSLContextImpl.java:411|Ignore unsupported cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.630 CET|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.631 CET|SSLContextImpl.java:119|done seeding of SecureRandom
javax.net.ssl|DEBUG|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.672 CET|SSLConfiguration.java:460|System property jdk.tls.server.SignatureSchemes is set to 'null'
javax.net.ssl|DEBUG|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.678 CET|SSLConfiguration.java:460|System property jdk.tls.client.SignatureSchemes is set to 'null'
javax.net.ssl|ERROR|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.680 CET|TransportContext.java:352|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
        at java.base/sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:170)
        at java.base/sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:103)
        at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:229)
        at java.base/sun.security.ssl.SSLEngineImpl.beginHandshake(SSLEngineImpl.java:103)
        at org.glassfish.grizzly.ssl.SSLFilter.handshake(SSLFilter.java:192)
        at org.glassfish.grizzly.ssl.SSLFilter.handshake(SSLFilter.java:170)
        at org.glassfish.grizzly.ssl.SSLFilter.handshake(SSLFilter.java:161)
        at org.forgerock.opendj.grizzly.GrizzlyLDAPConnection.startTLS(GrizzlyLDAPConnection.java:835)
        at org.forgerock.opendj.grizzly.GrizzlyLDAPConnection.enableTLS(GrizzlyLDAPConnection.java:808)
        at org.forgerock.opendj.ldap.LDAPConnectionFactory$9.apply(LDAPConnectionFactory.java:615)
        at org.forgerock.opendj.ldap.LDAPConnectionFactory$9.apply(LDAPConnectionFactory.java:611)
        at org.forgerock.util.promise.PromiseImpl$7.handleStateChange(PromiseImpl.java:485)
        at org.forgerock.util.promise.PromiseImpl.handleCompletion(PromiseImpl.java:567)
        at org.forgerock.util.promise.PromiseImpl.setState(PromiseImpl.java:608)
        at org.forgerock.util.promise.PromiseImpl.tryHandleResult(PromiseImpl.java:266)
        at org.forgerock.util.promise.PromiseImpl.handleResult(PromiseImpl.java:216)
        at org.forgerock.util.promise.Promises$CompletedPromise.thenOnResult(Promises.java:132)
        at org.forgerock.util.promise.PromiseImpl$7.callNestedPromise(PromiseImpl.java:506)
        at org.forgerock.util.promise.PromiseImpl$7.handleStateChange(PromiseImpl.java:485)
        at org.forgerock.util.promise.PromiseImpl.handleCompletion(PromiseImpl.java:567)
        at org.forgerock.util.promise.PromiseImpl.setState(PromiseImpl.java:608)
        at org.forgerock.util.promise.PromiseImpl.tryHandleResult(PromiseImpl.java:266)
        at org.forgerock.util.promise.PromiseImpl.handleResult(PromiseImpl.java:216)
        at org.forgerock.util.promise.PromiseImpl$5.handleStateChange(PromiseImpl.java:394)
        at org.forgerock.util.promise.PromiseImpl.handleCompletion(PromiseImpl.java:567)
        at org.forgerock.util.promise.PromiseImpl.setState(PromiseImpl.java:608)
        at org.forgerock.util.promise.PromiseImpl.tryHandleResult(PromiseImpl.java:266)
        at org.forgerock.opendj.grizzly.GrizzlyLDAPConnectionFactory$CompletionHandlerAdapter.completed(GrizzlyLDAPConnectionFactory.java:87)
        at org.forgerock.opendj.grizzly.GrizzlyLDAPConnectionFactory$CompletionHandlerAdapter.completed(GrizzlyLDAPConnectionFactory.java:65)
        at org.glassfish.grizzly.nio.transport.TCPNIOConnectorHandler$EnableReadHandler.onComplete(TCPNIOConnectorHandler.java:300)
        at org.glassfish.grizzly.ProcessorExecutor.complete(ProcessorExecutor.java:85)
        at org.glassfish.grizzly.ProcessorExecutor.complete0(ProcessorExecutor.java:172)
        at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:60)
        at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:510)
        at org.glassfish.grizzly.nio.transport.TCPNIOConnectorHandler.onConnectedAsync(TCPNIOConnectorHandler.java:191)
        at org.glassfish.grizzly.nio.transport.TCPNIOConnectorHandler$1.connected(TCPNIOConnectorHandler.java:132)
        at org.glassfish.grizzly.nio.transport.TCPNIOConnection.onConnect(TCPNIOConnection.java:220)
        at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:502)
        at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:82)
        at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:83)
        at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.executeIoEvent(WorkerThreadIOStrategy.java:73)
        at org.glassfish.grizzly.strategies.AbstractIOStrategy.executeIoEvent(AbstractIOStrategy.java:66)
        at org.glassfish.grizzly.nio.SelectorRunner.iterateKeyEvents(SelectorRunner.java:381)
        at org.glassfish.grizzly.nio.SelectorRunner.iterateKeys(SelectorRunner.java:353)
        at org.glassfish.grizzly.nio.SelectorRunner.doSelect(SelectorRunner.java:319)
        at org.glassfish.grizzly.nio.SelectorRunner.run(SelectorRunner.java:248)
        at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:535)
        at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:515)
        at java.base/java.lang.Thread.run(Thread.java:829)}

)
javax.net.ssl|ALL|10|OpenDJ LDAP SDK Grizzly selector thread(2) SelectorRunner|2024-01-09 20:06:54.680 CET|SSLSessionImpl.java:788|Invalidated session:  Session(1704827214672|SSL_NULL_WITH_NULL_NULL)
Connect Error: No operational connection factories available

To Reproduce

Steps to reproduce the behavior:

  1. Set JAVA_HOME to a Java 11 install
  2. Set up OpenAM via SSL connection to the config store
  3. Try to initialize ssoadm using its setup script
  4. See error

Expected behavior

ssoadm should be able to connect to the configuration store.

Additional context

I think we may have stumbled on this issue: https://backstage.forgerock.com/knowledge/kb/article/a39099709 According to the report, Java8 v192+ is affected too.

lscorcia commented 9 months ago

I have been able to work around this issue by adding the following to the setup script:

-D"org.forgerock.openam.ldap.secure.protocol.version=TLSv1.2" -D"jdk.tls.client.protocols=TLSv1.2,TLSv1.3"
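The "No appropriate protocol" handshake failure in the log above means the set of protocols the client enabled had nothing left after the JVM's disabled-algorithm filtering. The following diagnostic is an added example (not OpenAM or ssoadm code): run it with the same JVM and the same -D flags as the setup script to see the effective client protocol list, and optionally give it the config store's LDAPS host and port to test one protocol version at a time. It assumes a TLS-on-connect (LDAPS) port; a StartTLS-only LDAP port will not answer a bare TLS handshake.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.security.Security;
import java.util.Arrays;

// Added diagnostic, not part of OpenAM. Example invocation (host/port are placeholders):
//   java -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 TlsProbe CONFIG_STORE_HOST 1636
public class TlsProbe {
    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters defaults = ctx.getDefaultSSLParameters();
        SSLParameters supported = ctx.getSupportedSSLParameters();

        // What the JVM will actually offer, after system/security property filtering.
        System.out.println("jdk.tls.client.protocols = " + System.getProperty("jdk.tls.client.protocols"));
        System.out.println("jdk.tls.disabledAlgorithms = " + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("Enabled protocols: " + Arrays.toString(defaults.getProtocols()));
        System.out.println("Enabled cipher suites: " + defaults.getCipherSuites().length
                + " of " + supported.getCipherSuites().length + " supported");

        if (args.length < 2) {
            return; // offline mode: only report the local configuration
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        SSLSocketFactory factory = ctx.getSocketFactory();

        // Try each protocol version on its own. A version that is disabled by
        // jdk.tls.disabledAlgorithms fails with the same "No appropriate protocol"
        // message as in the issue; a version the server rejects fails differently.
        for (String proto : supported.getProtocols()) {
            if (proto.startsWith("SSL")) {
                continue; // SSLv2Hello / SSLv3 are not candidates for an LDAP config store
            }
            try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
                socket.setEnabledProtocols(new String[] { proto });
                socket.startHandshake();
                System.out.println(proto + ": OK, negotiated " + socket.getSession().getCipherSuite());
            } catch (Exception e) {
                System.out.println(proto + ": FAILED - " + e.getMessage());
            }
        }
    }
}
```

If the offline report already shows an empty or TLSv1.3-only protocol list, the problem is the JVM configuration rather than the directory server, which is what the two -D properties above correct.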

vharseko commented 9 months ago

Please check https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/14.8.3