AEM LDAP over SSL InvalidConnectionException: SSL handshake failed | Community
nchandra
New Participant
June 6, 2018
Solved

AEM LDAP over SSL InvalidConnectionException: SSL handshake failed


We are setting up LDAP over SSL in the AEM 6.3 environment and imported all the required certs into the Java VM cacerts. We are getting the exception below:

    06.06.2018 11:20:22.524 *ERROR* [qtp1318568182-277189] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider Error while connecting to the ldap server.
    org.apache.directory.ldap.client.api.exception.InvalidConnectionException: SSL handshake failed.
        at org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:4190)
        at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1314)

As per the Adobe documentation https://helpx.adobe.com/experience-manager/6-3/sites/administering/using/ldap-config.html, they said it is a known issue (see below). What are Netscape comments?

Known issues

If you plan on using LDAP over SSL, make sure the certificates you are using are created without the Netscape comment option. If this option is enabled, authentication will fail with a SSL Handshake error.

Did anyone get this issue? How did you resolve it?

Thanks in Advance.

Thanks,

Chandra


3 replies

akhoury (Accepted solution)
Employee
June 6, 2018

Regarding the "Netscape Comment" issue, your certificate shouldn't contain any of the Netscape-related extensions such as this:

    X509v3 extensions:
        Netscape Comment:
            OpenSSL Generated Certificate

To generate the cert without that included you would need to modify the openssl.cnf file:

1. Comment out all lines like this:

nsComment               = "OpenSSL Generated Certificate" 

Just add # before it, e.g.

#nsComment               = "OpenSSL Generated Certificate" 

2. Add this line if it doesn't exist:

extendedKeyUsage=serverAuth 

You can validate the certificate with this command:

openssl x509 -text -noout -in certificate.crt
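As an added example (not code from the thread, Adobe or OpenSSL), the following Python script applies the two openssl.cnf edits from the answer above and checks `openssl x509 -text -noout` output for leftover Netscape extensions and the serverAuth EKU; the section name v3_req and the sample inputs are assumptions.

```python
import re

NETSCAPE_KEYS = {  # Netscape-specific extension keys that OpenSSL's x509v3 config understands
    "nsComment", "nsCertType", "nsBaseUrl", "nsRevocationUrl",
    "nsCaRevocationUrl", "nsRenewalUrl", "nsCaPolicyUrl", "nsSslServerName"}

def harden_openssl_cnf(cnf_text, v3_section="v3_req"):
    """Steps 1 and 2: comment out every ns* line and ensure extendedKeyUsage includes
    serverAuth in the extension section (section name v3_req is an assumption)."""
    out, section, eku_seen = [], None, False
    for line in cnf_text.splitlines():
        stripped = line.strip()
        header = re.match(r"\[\s*(\S+)\s*\]$", stripped)
        if header:
            if section == v3_section and not eku_seen:  # leaving the section without an EKU line
                out.append("extendedKeyUsage = serverAuth")
            section, eku_seen = header.group(1), False
            out.append(line)
            continue
        key = stripped.split("=", 1)[0].strip()
        if key in NETSCAPE_KEYS:
            out.append("#" + line)  # step 1: disable the Netscape extension
            continue
        if section == v3_section and key == "extendedKeyUsage":
            eku_seen = True
            if "serverAuth" not in line:  # step 2: extend an existing EKU line
                line = line.rstrip() + ", serverAuth"
        out.append(line)
    if section == v3_section and not eku_seen:
        out.append("extendedKeyUsage = serverAuth")
    return "\n".join(out) + "\n"

def check_cert_text(x509_text):
    """Step 3: parse `openssl x509 -text -noout` output; return the Netscape
    extensions still present and whether the serverAuth EKU is set."""
    netscape = re.findall(r"^\s*(Netscape [A-Za-z ]+?):", x509_text, re.M)
    eku = re.search(r"X509v3 Extended Key Usage:[^\n]*\n\s*([^\n]+)", x509_text)
    server_auth = bool(eku and "TLS Web Server Authentication" in eku.group(1))
    return netscape, server_auth

# Constructed sample inputs (not taken from the thread).
SAMPLE_CNF = """[ req ]
x509_extensions = v3_req
[ v3_req ]
nsComment = "OpenSSL Generated Certificate"
subjectAltName = DNS:ldap.example.test
"""
SAMPLE_X509_TEXT = """            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""
```

Run `check_cert_text` on the real `openssl x509 -text -noout` output of the LDAP server certificate; an empty Netscape list together with `True` is what the answer asks for.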

nchandra (Author)
New Participant
June 6, 2018

LDAP over HTTP is working for us; only SSL is not working.

Thank you for following up with the doc team. Please do let me know if you hear anything from them.

Thanks,

Chandra

smacdonald2008
New Participant
June 6, 2018

We have an LDAP article, but it does not use SSL.

Adobe Experience Manager Help | Configuring Adobe Experience Manager 6.4 to use Apache Directory Service

Your message seems to indicate that the cert to connect is not valid.

Anyhow, I am following up with the doc team to see what they meant by this. I agree, this is not clear.