Dsconfig unable to connect on port 4444

This topic has 4 replies, 2 voices, and was last updated 5 years, 10 months ago by Ludo.

    #13537
     Lalitha
    Participant

    Hi!

    I am trying to configure OpenDJ as an external identity store to be used by OpenAM. The installation is smooth and I am able to start OpenDj, but the dsconfig returns the error:
    Unable to connect to the server at opendj.myexample.com on port 4444.

    Versions of OpenDJ I’ve tried are 2.6 and 3.0 and I have the same issue on both of them.
    I can telnet opendj.myexample.com 4444 and it connects fine. During access on port 4444, the access logs on OpenDJ have this:
    DISCONNECT conn=0 reason=client disconnect msg=connection reset by client

    I am running this on RHEL7 on Oracle VirtualBox.

    Can you please help?

    #13538
     Ludo
    Moderator

    The administration port 4444 is a secure port. Such error messages are usually the result of TLS, ciphers or certificate trust issues.

    Which version of Java are you using? There are some known SSL/TLS issues with some versions of Java 7 on RHEL.

    Otherwise you can try to enable SSL debugging to get a more specific error message (https://ludopoitou.com/2011/06/29/opendj-troubleshooting-ldap-ssl-connections/)

    #13540
     Lalitha
    Participant

    I am using Java 1.7.0_99 and you were right about SSL issues related to the Java version. I enabled SSL debug and found these errors. Which version of Java would be best suited for OpenDJ?

    Errors for reference: when I do a dsconfig
    Using SSLEngineImpl.
    Allow unsafe renegotiation: false
    Allow legacy hello messages: true
    Is initial handshake: true
    Is secure renegotiation: false
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
    [Raw read]: length = 5
    0000: 16 03 01 00 88 …..
    [Raw read]: length = 136
    0000: 01 00 00 84 03 01 57 F7 67 62 5F 11 5B 4C 92 4F ……W.gb_.[L.O
    0010: E2 B8 63 85 8F D7 A8 C2 C9 53 B2 B6 48 0D 12 B3 ..c……S..H…
    0020: 69 DF 4B 97 74 8D 00 00 2C C0 0A C0 14 00 35 C0 i.K.t…,…..5.
    0030: 05 C0 0F 00 39 00 38 C0 09 C0 13 00 2F C0 04 C0 ….9.8…../…
    0040: 0E 00 33 00 32 C0 08 C0 12 00 0A C0 03 C0 0D 00 ..3.2………..
    0050: 16 00 13 00 FF 01 00 00 2F 00 0A 00 08 00 06 00 ……../…….
    0060: 17 00 18 00 19 00 0B 00 02 01 00 00 00 00 19 00 …………….
    0070: 17 00 00 14 6F 70 65 6E 64 6A 2E 6D 79 65 78 61 ….opendj.myexa
    0080: 6D 70 6C 65 2E 63 6F 6D mple.com
    LDAP Request Handler 0 for connection handler Administration Connector 0.0.0.0 port 4444, READ: TLSv1 Handshake, length = 136
    *** ClientHello, TLSv1
    RandomCookie: GMT: 1459054434 bytes = { 95, 17, 91, 76, 146, 79, 226, 184, 99, 133, 143, 215, 168, 194, 201, 83, 178, 182, 72, 13, 18, 179, 105, 223, 75, 151, 116, 141 }
    Session ID: {}
    Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
    Compression Methods: { 0 }
    Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
    Extension ec_point_formats, formats: [uncompressed]
    Extension server_name, server_name: [host_name: opendj.myexample.com]
    ***
    [read] MD5 and SHA1 hashes: len = 136
    0000: 01 00 00 84 03 01 57 F7 67 62 5F 11 5B 4C 92 4F ……W.gb_.[L.O
    0010: E2 B8 63 85 8F D7 A8 C2 C9 53 B2 B6 48 0D 12 B3 ..c……S..H…
    0020: 69 DF 4B 97 74 8D 00 00 2C C0 0A C0 14 00 35 C0 i.K.t…,…..5.
    0030: 05 C0 0F 00 39 00 38 C0 09 C0 13 00 2F C0 04 C0 ….9.8…../…
    0040: 0E 00 33 00 32 C0 08 C0 12 00 0A C0 03 C0 0D 00 ..3.2………..
    0050: 16 00 13 00 FF 01 00 00 2F 00 0A 00 08 00 06 00 ……../…….
    0060: 17 00 18 00 19 00 0B 00 02 01 00 00 00 00 19 00 …………….
    0070: 17 00 00 14 6F 70 65 6E 64 6A 2E 6D 79 65 78 61 ….opendj.myexa
    0080: 6D 70 6C 65 2E 63 6F 6D mple.com
    %% Initialized: [Session-4, SSL_NULL_WITH_NULL_NULL]
    matching alias: admin-cert
    LDAP Request Handler 0 for connection handler Administration Connector 0.0.0.0 port 4444, fatal error: 80: problem unwrapping net record
    java.lang.RuntimeException: java.security.KeyException
    %% Invalidated: [Session-4, SSL_NULL_WITH_NULL_NULL]
    LDAP Request Handler 0 for connection handler Administration Connector 0.0.0.0 port 4444, SEND TLSv1 ALERT: fatal, description = internal_error
    LDAP Request Handler 0 for connection handler Administration Connector 0.0.0.0 port 4444, WRITE: TLSv1 Alert, length = 2
    [Raw write]: length = 7
    0000: 15 03 01 00 02 02 50 ……P
    LDAP Connection Finalizer for connection handler Administration Connector 0.0.0.0 port 4444 0, called closeInbound()
    LDAP Connection Finalizer for connection handler Administration Connector 0.0.0.0 port 4444 0, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer’s close_notify: possible truncation attack?
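As an added illustration (not code from the thread or from OpenDJ), here is a small Python decoder for the ClientHello bytes shown in the "[Raw read]" dump above. It confirms what the client actually offered (TLS 1.0, 22 CBC suites, SNI opendj.myexample.com) before the server aborted with the KeyException, which locates the failure on the server side after it had already matched its admin-cert key rather than in a client cipher or version mismatch. The byte string is transcribed from the dump; the cipher-suite name table is a deliberately small subset.

```python
import struct

# ClientHello from the thread's SSL debug dump ("[Raw read]" lines), transcribed
# here as a constructed byte string so the parser can run offline.
CLIENT_HELLO = bytes.fromhex(
    "1603010088"  # record header: handshake, TLS 1.0, length 136
    "01000084030157F767625F115B4C924FE2B863858FD7A8C2C953B2B6480D12B3"
    "69DF4B97748D00002CC00AC0140035C005C00F00390038C009C013002FC004C0"
    "0E00330032C008C012000AC003C00D0016001300FF0100002F000A0008000600"
    "1700180019000B000201000000001900170000146F70656E646A2E6D79657861"
    "6D706C652E636F6D")
VERSIONS = {(3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
SUITES = {0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",   # subset of the IANA
          0x000A: "SSL_RSA_WITH_3DES_EDE_CBC_SHA",          # registry; unknown codes
          0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"}      # fall back to hex
def u16(b, i):
    return struct.unpack(">H", b[i:i + 2])[0]
def parse_client_hello(rec):
    """Decode a TLS record carrying a ClientHello into its visible fields."""
    if rec[0] != 0x16 or len(rec) != 5 + u16(rec, 3):
        raise ValueError("not a complete TLS handshake record")
    hs = rec[5:]
    if hs[0] != 0x01 or len(hs) != 4 + int.from_bytes(hs[1:4], "big"):
        raise ValueError("not a complete ClientHello")
    h = hs[4:]
    out = {"version": VERSIONS.get((h[0], h[1]), h[:2].hex()),
           # unsigned decode; the JDK debug printer sign-extends these bytes,
           # which is why its "GMT:" value differs from the true timestamp
           "gmt_unix_time": int.from_bytes(h[2:6], "big")}
    pos = 34                                  # 2 version + 32 random
    sid_len, pos = h[pos], pos + 1
    out["session_id"], pos = h[pos:pos + sid_len], pos + sid_len
    cs_len, pos = u16(h, pos), pos + 2
    out["cipher_suites"] = [SUITES.get(u16(h, i), "0x%04X" % u16(h, i))
                            for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len, pos = h[pos], pos + 1
    out["compression"], pos = list(h[pos:pos + comp_len]), pos + comp_len
    out["sni"], out["named_curves"] = None, []
    if pos < len(h):                          # extensions block is optional
        end, pos = pos + 2 + u16(h, pos), pos + 2
        while pos < end:
            etype, elen, pos = u16(h, pos), u16(h, pos + 2), pos + 4
            data, pos = h[pos:pos + elen], pos + elen
            if etype == 0:     # server_name: list len(2), type(1), name len(2), name
                out["sni"] = data[5:5 + u16(data, 3)].decode("ascii")
            elif etype == 10:  # elliptic_curves: list len(2), then 2-byte ids
                out["named_curves"] = [u16(data, i) for i in range(2, 2 + u16(data, 0), 2)]
    return out
```

Running `parse_client_hello(CLIENT_HELLO)` reproduces the fields Java printed under "*** ClientHello, TLSv1" (22 suites, curves 23/24/25, the SNI) from the raw bytes alone, so the same decoder can be pointed at any dump a future SSL debug run produces.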

    #13546
     Lalitha
    Participant

    Installed Java 6 and changed the JAVA_HOME on java.properties to point to it. This fixed the issue for me.
    Thanks for the help and clues.

    #13597
     Ludo
    Moderator

    Hi Lalitha,

    Beware that OpenDJ 3.0 no longer supports Java 6. It supports Java 7 and 8.
    I would recommend moving to Java 8, rather than using an old version known to have security vulnerabilities.
