Unable to Connect to LDAPS After Updating to GlassFish Enterprise Server 2.1.1 (Doc ID 1178458.1)

Last updated on JULY 12, 2017

Applies to:

Oracle GlassFish Server - Version 2.1 and later
Information in this document applies to any platform.

Symptoms

With GlassFish Enterprise Server 2.1 using the Enterprise profile (which relies on NSS-based security), connecting over LDAPS to an SSL-secured Oracle Directory Server 11g (ODS) works.

However, the same connection fails with GlassFish Enterprise Server 2.1.1, whether 2.1.1 was obtained by patching a working 2.1 installation or by a fresh install: the instance is unable to connect to the ODS backend and throws the following error:

Connection to LDAPS/SSL fails with java.lang.RuntimeException: Could not parse key values


This problem can be encountered when GlassFish Enterprise Server 2.1.1 is used with products such as OpenSSO or Identity Manager that rely on an SSL-enabled Directory Server backend.

To investigate the problem, set the Java system property "-Djavax.net.debug=ssl,handshake" on the instance and repeat the steps that trigger the SSL connection attempt. The following then appears in the instance's log file:

*** ClientHello, TLSv1
RandomCookie: GMT: 1282136179 bytes = { 26, 235, 139, 155, 150, 76, 250, 82, 99, 185, 13, 57, 179, 121, 23, 44, 28, 62, 16, 191, 23, 140, 85, 94, 34, 44, 150, 107 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
***
...
...
*** ServerHello, TLSv1
RandomCookie: GMT: 1282136179 bytes = { 20, 136, 126, 136, 44, 240, 8, 143, 98, 188, 238, 231, 166, 36, 35, 24, 55, 36, 200, 171, 119, 151, 187, 135, 92, 131, 246, 13 }
Session ID: {17, 54, 4, 172, 181, 143, 150, 157, 155, 232, 50, 131, 61, 48, 213, 53, 141, 243, 249, 133, 209, 42, 58, 109, 160, 229, 183, 18, 67, 136, 112, 165}
Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Compression Method: 0
***
%% Created: [Session-1, TLS_ECDHE_RSA_WITH_RC4_128_SHA]
** TLS_ECDHE_RSA_WITH_RC4_128_SHA
....
...

*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
*** Certificate chain
***
ConnSetupMgr, handling exception: java.lang.RuntimeException: Could not parse key values
ConnSetupMgr, SEND TLSv1 ALERT: fatal, description = internal_error
ConnSetupMgr, WRITE: TLSv1 Alert, length = 2

 

In the setup above, the SSL server (Directory Server) certificate chain has already been added to the JDK trust store (normally cacerts.jks) and to the NSS trust store, so the failure is not a missing trust anchor.
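As an added example (not part of this Oracle note and not GlassFish code), the following Python helper reads a javax.net.debug=ssl,handshake trace of the shape shown above and reports the negotiated cipher suite, its key-exchange type, how far the handshake got, and which side raised the fatal alert. The embedded trace is a constructed, abridged version of the article's (shortened suite list, random bytes dropped); the function and field names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: an abridged javax.net.debug=ssl,handshake trace in the
# same shape as the article's (suite list shortened, RandomCookie lines dropped).
SAMPLE_TRACE = """\
*** ClientHello, TLSv1
Cipher Suites: [SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
Extension elliptic_curves, curve names: {secp256r1, secp384r1}
***
*** ServerHello, TLSv1
Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Compression Method: 0
***
*** ServerHelloDone
*** Certificate chain
***
ConnSetupMgr, handling exception: java.lang.RuntimeException: Could not parse key values
ConnSetupMgr, SEND TLSv1 ALERT: fatal, description = internal_error
ConnSetupMgr, WRITE: TLSv1 Alert, length = 2
"""

# Line shapes printed by the JSSE debug logger.
_MESSAGE = re.compile(r"^\*\*\* (.+?)(?:,|$)")        # "*** ClientHello, TLSv1", "*** ServerHelloDone"
_OFFERED = re.compile(r"^Cipher Suites:\s*\[(.*)\]\s*$")
_CHOSEN = re.compile(r"^Cipher Suite:\s*(\S+)\s*$")
_EXCEPTION = re.compile(r"handling exception:\s*(.+?)\s*$")
_ALERT = re.compile(r"(SEND|RECV) TLSv1(?:\.\d)? ALERT:\s*(\w+),\s*description = (\w+)")


@dataclass
class HandshakeSummary:
    messages: List[str] = field(default_factory=list)   # handshake messages seen, in order
    offered_suites: List[str] = field(default_factory=list)
    chosen_suite: Optional[str] = None
    exception: Optional[str] = None
    alert_direction: Optional[str] = None               # SEND = raised locally, RECV = from the peer
    alert_level: Optional[str] = None
    alert_description: Optional[str] = None


def key_exchange_of(suite: str) -> str:
    """Key-exchange part of a JSSE suite name: TLS_ECDHE_RSA_WITH_RC4_128_SHA -> ECDHE_RSA."""
    body = suite.split("_", 1)[1]            # drop the SSL_/TLS_ prefix
    return body.split("_WITH_", 1)[0]


def parse_handshake_trace(text: str) -> HandshakeSummary:
    """Extract the handshake-relevant facts from a javax.net.debug=ssl,handshake trace."""
    s = HandshakeSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if m := _MESSAGE.match(line):
            s.messages.append(m.group(1))
        elif m := _OFFERED.match(line):
            s.offered_suites = [c.strip() for c in m.group(1).split(",") if c.strip()]
        elif m := _CHOSEN.match(line):
            s.chosen_suite = m.group(1)
        elif m := _EXCEPTION.search(line):
            s.exception = m.group(1)
        elif m := _ALERT.search(line):
            s.alert_direction, s.alert_level, s.alert_description = m.groups()
    return s


def triage(s: HandshakeSummary) -> Dict[str, object]:
    """Classify where in the handshake the failure happened and which side raised the alert."""
    kx = key_exchange_of(s.chosen_suite) if s.chosen_suite else None
    # JSSE logs the client's key-exchange message as "*** ClientKeyExchange, ..." or
    # "*** ECDHClientKeyExchange"; its absence after ServerHelloDone means the client
    # never got that far.
    sent_ckx = any(m.endswith("ClientKeyExchange") for m in s.messages)
    return {
        "negotiated_suite": s.chosen_suite,
        "key_exchange": kx,
        "ec_key_exchange": bool(kx and kx.startswith("ECDH")),
        "failed_after_server_hello_done": "ServerHelloDone" in s.messages and not sent_ckx,
        "alert_raised_locally": s.alert_direction == "SEND",
        "fatal": s.alert_level == "fatal",
        "alert": s.alert_description,
        "exception": s.exception,
    }


if __name__ == "__main__":
    for k, v in triage(parse_handshake_trace(SAMPLE_TRACE)).items():
        print(f"{k:32} {v}")
```

The SEND/RECV direction is the first thing to check: a SEND alert means the local JSSE side gave up, not the Directory Server. For the article's trace, the helper reports an ECDHE_RSA suite negotiated, ServerHelloDone reached with no ClientKeyExchange written, and a locally raised fatal internal_error, which places the "Could not parse key values" failure on the GlassFish side while it was processing the server's handshake messages.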

Changes

This problem can be seen when:

Cause
