Java 8 Update 181 LDAP Changes & Jamf Pro Connectivity


Recently we updated all our datajar.mobi instances to Jamf 10.7.1, for Mojave support.

All went well. Except for a couple of instances where their Jamf Infrastructure Manager was being used as an LDAP Proxy.

Well, it turns out this was down to a change in Java 8 Update 181, which we updated to at the same time. And this is an issue not just with Jamf Infrastructure Manager; it could affect LDAPS in general.

Below are the details of these changes, & how to overcome this issue.

The errors

With the update to Java 8 Update 181, we started seeing entries like the following in the Jamf Infrastructure Manager logs:

2018-10-03 14:54:32,364 INFO c.j.j.l.LpsTransferThread [JSS->LDAP for [/185.119.173.84:60020](25)] Closing connection because of SSL problem: Received fatal alert: certificate_unknown.

And, the occasional stack trace:

2018-10-03 11:22:28,266 INFO c.j.j.l.LpsTransferThread [JSS->LDAP for [/185.119.173.84:40084](719)] Transfer thread started
2018-10-03 11:22:28,266 INFO c.j.j.l.LpsTransferThread [LDAP->JSS for [/185.119.173.84:40084](719)] Transfer thread started
2018-10-03 11:22:28,266 ERROR c.j.j.l.LpsTransferThread [JSS->LDAP for [/185.119.173.84:40084](719)] Error occurred transferring bytes
com.jamfsoftware.jsam.lps.LpsException: Exception occurred when reading from JSS
at com.jamfsoftware.jsam.lps.LpsTransferThread.readBytes(LpsTransferThread.java:133)
at com.jamfsoftware.jsam.lps.LpsTransferThread.transferBytes(LpsTransferThread.java:85)
at com.jamfsoftware.jsam.lps.LpsTransferThread.run(LpsTransferThread.java:60)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
at sun.security.ssl.AppInputStream.read(Unknown Source)
at java.io.InputStream.read(Unknown Source)
at com.jamfsoftware.jsam.lps.LpsTransferThread.readBytes(LpsTransferThread.java:117)
... 2 more
2018-10-03 11:22:28,266 INFO c.j.j.l.LpsProxyConnection [JSS->LDAP for [/185.119.173.84:40084](719)] Closing JSS socket
2018-10-03 11:22:28,266 INFO c.j.j.l.LpsProxyConnection [JSS->LDAP for [/185.119.173.84:40084](719)] Closing LDAP socket
2018-10-03 11:22:28,266 INFO c.j.j.l.LpsTransferThread [JSS->LDAP for [/185.119.173.84:40084](719)] Transfer thread stopped
2018-10-03 11:22:28,266 INFO c.j.j.l.LpsTransferThread [LDAP->JSS for [/185.119.173.84:40084](719)] Input Socket (LDAP), end-of-stream
2018-10-03 11:22:28,266 INFO c.j.j.l.LpsTransferThread [LDAP->JSS for [/185.119.173.84:40084](719)] Transfer thread stopped

What changed?

If you have a nose through the Java 8 Update 181 release notes, you’ll see the change below:

Change: Improve LDAP support

Endpoint identification has been enabled on LDAPS connections. To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default. Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification. Define this system property (or set it to true) to disable endpoint identification algorithms. JDK-8200666 (not public)

So LDAPS connectivity has been hardened: the Java client now checks that the hostname it connects to matches the name in the server’s certificate, which can cause some LDAPS connections to fail.

We’ve not seen issues with the above with either direct LDAPS (on-prem or Azure AD etc) or JumpCloud, just where a Jamf Infrastructure Manager was being used as an LDAP Proxy.

YMMV, however, as this could affect other LDAPS connections.

The fix

Why, downgrade to Java 8u171 of course!!

ಠ_ಠ

Ok, ok, the real fix is pretty much listed above: we appended the following to the datajar.mobi instances’ JAVA_OPTS:

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

Where JAVA_OPTS is set will differ with your installation. Best check your build documentation or with Jamf Support on this.
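Before switching the check off fleet-wide, it is worth knowing whether the certificate the LDAPS endpoint presents actually names the host Jamf Pro dials. The following is an added example (not part of this post, nor of Jamf’s or Oracle’s code) that performs the same DNS-name match endpoint identification does; the host names and the certificate dict are constructed.

```python
import socket
import ssl

# Constructed peer-certificate dict in the shape ssl.SSLSocket.getpeercert()
# returns once the chain verifies (hypothetical names, not from the post).
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.corp.example"),),),
    "subjectAltName": (("DNS", "ldap.corp.example"), ("DNS", "*.ad.corp.example")),
}


def _name_matches(pattern, host):
    """RFC 6125 style match: case-insensitive, a single '*' allowed only as the
    whole leftmost label, and it never matches across a dot."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """What LDAPS endpoint identification checks: the name the client dialed
    must appear among the certificate's DNS SANs; the subject CN is consulted
    only when the certificate carries no DNS SAN at all."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        dns_names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                     if k == "commonName"]
    return any(_name_matches(name, hostname) for name in dns_names)


def fetch_peer_cert(host, port=636, cafile=None):
    """Fetch the certificate an LDAPS server presents. The chain is still
    verified (CERT_REQUIRED); only the hostname check is skipped so that the
    certificate can be inspected and fed to hostname_matches()."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Dialing the directory by a name in its certificate passes; dialing it by
    # a proxy or alias name that is not in the certificate is exactly what
    # endpoint identification now rejects.
    for name in ("ldap.corp.example", "dc01.ad.corp.example", "jim.corp.example"):
        print(f"{name:24} -> {'OK' if hostname_matches(SAMPLE_CERT, name) else 'MISMATCH'}")
```

If the name Jamf Pro is configured with does not match, reissuing the certificate with that name as a SAN (or pointing Jamf Pro at a name the certificate does cover) keeps the check on instead of disabling it.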

The PI

Jamf do have a PI on this: PI-006168.

So if the above doesn’t work, reach out to Jamf Support & mention PI-006168. They will be sure to assist further.
