Australian Access Federation Support Desk

Java Version 1.7.0_85 and AAF Metadata loading errors

by Dalia Abraham

The recent Java V.1.7.0_85 release has resulted in changes that affect Identity Providers' ability to download the AAF Metadata and Attribute filter over HTTPS. After upgrading your Java to V1.7.0_85 you may see errors in your idp-process.log file similar to the one shown below. If so, your IdP is no longer loading AAF Metadata or its Attribute filters and requires a minor modification to the Java options at start-up.

Error Message

https://ds.test.aaf.edu.au/distribution/metadata/metadata.aaf.signed.complete.xml
javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: 202.158.212.129

Resolution

The solution is to modify how your IdP performs SSL verification when loading files. The behaviour changed as a result of the Java upgrade and needs to be changed back. To do this, set the following Java option in the Tomcat start-up file (catalina.sh):

     JAVA_OPTS="${JAVA_OPTS} -Djdk.tls.trustNameService=true"

Once this is done, restart your IdP. The issue will then be resolved for both Metadata and Attribute filter loading.
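
A quick check for the condition and fix described above, as an added example that is not part of the original article or AAF tooling: it counts the hostname-validation errors in a log file and confirms that the start-up file sets the option on an uncommented line. The function names, result strings and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not AAF code. File locations are whatever the caller passes in.

# Count log lines carrying the hostname-validation failure quoted in the article.
count_hostname_failures() {
    grep -c 'SSLPeerUnverifiedException: SSL peer failed hostname validation' "$1" || true
}

# Succeed only if an uncommented line of the start-up file sets the option to true.
has_trust_name_service() {
    grep -v '^[[:space:]]*#' "$1" | grep -q -e '-Djdk\.tls\.trustNameService=true'
}

# Print ok, needs-option, or option-set-restart-or-investigate.
diagnose() {
    log=$1
    conf=$2
    [ -r "$log" ] && [ -r "$conf" ] || { echo "unreadable input" >&2; return 2; }
    failures=$(count_hostname_failures "$log")
    if [ "$failures" -eq 0 ]; then
        echo ok
    elif has_trust_name_service "$conf"; then
        # Option present but failures logged: entries may predate the restart.
        echo option-set-restart-or-investigate
    else
        echo needs-option
    fi
}

# Constructed sample data (only the first two log lines come from the article).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/idp-process.log" <<'EOF'
https://ds.test.aaf.edu.au/distribution/metadata/metadata.aaf.signed.complete.xml
javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: 202.158.212.129
constructed unrelated log line
EOF
printf '%s\n' '# JAVA_OPTS="${JAVA_OPTS} -Djdk.tls.trustNameService=true"' \
    > "$SAMPLE_DIR/catalina.before.sh"
printf '%s\n' 'JAVA_OPTS="${JAVA_OPTS} -Djdk.tls.trustNameService=true"' \
    > "$SAMPLE_DIR/catalina.after.sh"

diagnose "$SAMPLE_DIR/idp-process.log" "$SAMPLE_DIR/catalina.before.sh"
diagnose "$SAMPLE_DIR/idp-process.log" "$SAMPLE_DIR/catalina.after.sh"
```

Point `diagnose` at your own idp-process.log and catalina.sh. Enabling jdk.tls.trustNameService makes HTTPS endpoint identification rely on reverse name lookup, so the IdP host's name service needs to be trustworthy.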

A full summary of this issue can be found at: http://shibboleth.1660669.n2.nabble.com/Shib-IdP-Metadata-Download-and-Java-1-7-0-85-td7617478.html
