Cascade CMS v8.11 comes bundled with a newer version of Java (JRE 8u191). This newer version of the JRE enables endpoint identification algorithms for LDAPS servers for added security. The change was included in JRE 8u181+ and more information on it can be found in the Oracle/Java Release Notes. Due to this, you may have problems syncing with your LDAPS server. 

A common error as a result of this change may look like this:

ERROR [LdapServiceImpl] {User: system, id: not specified, type: not specified} During LDAP user import, encountered an error and could not bind to the LDAP server:
javax.naming.CommunicationException: simple bind failed: xxx.xxx.xxx.xxx:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address xxx.xxx.xxx.xxx found]

To work around this, you can disable endpoint identification by adding the following parameter to your startup script. For example:

Linux/macOS

  • Edit cascade.sh
  • In the JAVA_OPTS line, add -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
  • Save

Windows

  • Right-click the file tomcat/bin/CascadeCMSw.exe and select the Run as Administrator option
  • Click the Java tab
  • In the Java Options section, add the line -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
  • Click Apply/OK
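
The error above means the host configured for LDAPS appears in none of the certificate's subject alternative names, so connecting by a name the certificate does list (or reissuing it with the IP address as a SAN) avoids the error with the check still enabled. The following is an added example, not Cascade CMS or JRE code: a simplified model of that match, run on a constructed certificate dict in the shape Python's ssl.SSLSocket.getpeercert() returns, with placeholder names and addresses.

```python
import ipaddress

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns;
# the names and the address are placeholders, not values from the article.
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.example.edu"),),),
    "subjectAltName": (("DNS", "ldap.example.edu"), ("DNS", "*.dir.example.edu")),
}


def _dns_match(pattern, host):
    """Case-insensitive match; '*' may stand for the whole leftmost label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]


def check_endpoint(host, cert):
    """Return (ok, reason) for connecting to `host` with this certificate."""
    sans = cert.get("subjectAltName", ())
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # not an IP literal, treat as a DNS name
    if addr is not None:
        # An IP literal is compared only with "IP Address" SAN entries,
        # never with DNS entries or the subject common name.
        ips = [v for k, v in sans if k == "IP Address"]
        if any(ipaddress.ip_address(v) == addr for v in ips):
            return True, "IP address SAN matches"
        return False, f"no IP address SAN matches {host}; certificate lists {ips}"
    names = [v for k, v in sans if k == "DNS"]
    if any(_dns_match(n, host) for n in names):
        return True, "DNS SAN matches"
    return False, f"no DNS SAN matches {host}; certificate lists {names}"


if __name__ == "__main__":
    for target in ("192.0.2.10", "ldap.example.edu", "ldap2.dir.example.edu"):
        print(target, check_endpoint(target, SAMPLE_CERT))
```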