Recently we updated all our datajar.mobi instances to Jamf 10.7.1, for Mojave support.
All went well, except for a couple of instances where their Jamf Infrastructure Manager was being used as an LDAP Proxy.
Well, it turns out this was down to a change in Java 8 Update 181, which we updated to at the same time. And it's an issue not just with Jamf Infrastructure Manager, but potentially with LDAPS in general.
Below are the details of that change, & how to overcome this issue.
The errors
With the update to Java 8 Update 181, we started seeing entries like the following in the Jamf Infrastructure Manager logs:
2018-10-03 14:54:32,364 INFO c.j.j.l.LpsTransferThread [JSS->LDAP for [/185.119.173.84:60020](25)] Closing connection because of SSL problem: Received fatal alert: certificate_unknown.
And, the occasional stack trace:
2018-10-03 11:22:28,266 INFO c.j.j.l.LpsTransferThread [JSS->LDAP for [/185.119.173.84:40084](719)] Transfer thread started
2018-10-03 11:22:28,266 INFO c.j.j.l.LpsTransferThread [LDAP->JSS for [/185.119.173.84:40084](719)] Transfer thread started
2018-10-03 11:22:28,266 ERROR c.j.j.l.LpsTransferThread [JSS->LDAP for [/185.119.173.84:40084](719)] Error occurred transferring bytes
com.jamfsoftware.jsam.lps.LpsException: Exception occurred when reading from JSS
	at com.jamfsoftware.jsam.lps.LpsTransferThread.readBytes(LpsTransferThread.java:133)
	at com.jamfsoftware.jsam.lps.LpsTransferThread.transferBytes(LpsTransferThread.java:85)
	at com.jamfsoftware.jsam.lps.LpsTransferThread.run(LpsTransferThread.java:60)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
	at sun.security.ssl.Alerts.getSSLException(Unknown Source)
	at sun.security.ssl.Alerts.getSSLException(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
	at sun.security.ssl.AppInputStream.read(Unknown Source)
	at java.io.InputStream.read(Unknown Source)
	at com.jamfsoftware.jsam.lps.LpsTransferThread.readBytes(LpsTransferThread.java:117)
	... 2 more
2018-10-03 11:22:28,266 INFO c.j.j.l.LpsProxyConnection [JSS->LDAP for [/185.119.173.84:40084](719)] Closing JSS socket
2018-10-03 11:22:28,266 INFO c.j.j.l.LpsProxyConnection [JSS->LDAP for [/185.119.173.84:40084](719)] Closing LDAP socket
2018-10-03 11:22:28,266 INFO c.j.j.l.LpsTransferThread [JSS->LDAP for [/185.119.173.84:40084](719)] Transfer thread stopped
2018-10-03 11:22:28,266 INFO c.j.j.l.LpsTransferThread [LDAP->JSS for [/185.119.173.84:40084](719)] Input Socket (LDAP), end-of-stream
2018-10-03 11:22:28,266 INFO c.j.j.l.LpsTransferThread [LDAP->JSS for [/185.119.173.84:40084](719)] Transfer thread stopped
What changed?
If you have a nose through the Java 8 Update 181 release notes, you'll see the following change:
Change: Improve LDAP support
Endpoint identification has been enabled on LDAPS connections.
To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default. Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property:
com.sun.jndi.ldap.object.disableEndpointIdentification.
Define this system property (or set it to true) to disable endpoint identification algorithms.
JDK-8200666 (not public)
So LDAPS connectivity has been hardened, which can cause some LDAPS connections to fail.
We've not seen issues with this with either direct LDAPS (on-prem, Azure AD, etc.) or JumpCloud, just where a Jamf Infrastructure Manager was being used as an LDAP Proxy.
YMMV, however, as this could affect other LDAPS connections.
The fix
Why, downgrade to Java 8u171 of course!!
ಠ_ಠ
Ok, ok, the real fix is pretty much listed above: we appended the following to our datajar.mobi instances' JAVA_OPTS:
-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
Where JAVA_OPTS is set will differ by installation. Best check your build documentation or with Jamf Support on this.
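One thing worth knowing before leaning on that property: it switches off hostname verification for every LDAPS connection the JVM makes (the certificate chain is still validated), so it pays to first check whether the LDAPS server's certificate actually names the host the proxy is pointed at. The script below is an added example, not from the original post or from Jamf; the file name ldaps_check.py and the function names are my own, and it reproduces the hostname match that endpoint identification performs so you can see why a given certificate fails it.

```python
import ipaddress
import socket
import ssl
import sys

def hostname_matches(cert, hostname):
    """True if `cert` (dict as returned by ssl.SSLSocket.getpeercert()) identifies
    `hostname`, following the RFC 6125 rules endpoint identification applies: an IP
    literal must appear as an iPAddress SAN; a DNS name is compared case-insensitively
    with dNSName SANs, a wildcard matching only the whole left-most label; the subject
    CN is consulted only when the certificate carries no dNSName SAN at all."""
    sans = cert.get('subjectAltName', ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(t == 'IP Address' and ipaddress.ip_address(v) == ip for t, v in sans)
    host = hostname.lower().rstrip('.')
    names = [v.lower() for t, v in sans if t == 'DNS']
    if not names:  # no dNSName SAN at all: fall back to the subject CN
        names = [v.lower() for rdn in cert.get('subject', ()) for k, v in rdn if k == 'commonName']
    for name in names:
        if name == host:
            return True
        if name.startswith('*.') and name.count('.') >= 2:
            suffix = name[1:]  # '*.example.com' -> '.example.com'
            if host.endswith(suffix) and '.' not in host[:-len(suffix)]:
                return True
    return False

def fetch_peer_cert(host, port=636, timeout=5.0):
    """Fetch the LDAPS server certificate. The chain is still validated against the
    system trust store; only the hostname decision is left to hostname_matches()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == '__main__':
    # Usage: python ldaps_check.py <host-as-configured-in-Jamf> [port]
    target, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 636
    peer = fetch_peer_cert(target, port)
    print('subjectAltName:', peer.get('subjectAltName'))
    print('endpoint identification would', 'PASS' if hostname_matches(peer, target) else 'FAIL', 'for', target)
```

If the check fails for the host you configured (a proxy reached by IP with no iPAddress SAN is a common case), fixing the certificate or the configured hostname keeps verification on, rather than disabling it JVM-wide.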
The PI
Jamf do have a PI on this: PI-006168.
So if the above doesn't work, reach out to Jamf Support & mention PI-006168. They will be sure to assist further.