LDAP SSL and Secure

I am unable to get SSL or Secure LDAP connection to work.
These are my settings for Directory-service:
name: TEST
description: TEST
login-prefix: TEST
type: GenericLdap
last-sync: (no value)
last-sync-error: The server is not operational.
users: (no value)
groups: (no value)
Connection settings
host: ldap.xon-ionx.****.se
port: 636
top-directory: ou=USER_CONTAINER,o=ROOT
binding-type: Secure
synchronization-account: cn=ZAV_User,ou=external,o=ROOT
password: ********
Schema settings
user-filter: (objectClass=inetOrgPerson)
user-class: inetOrgPerson
user-login-name: cn
user-first-name:
user-last-name:
user-full-name: cn
group-filter: (objectClass=groupOfNames)
group-class: groupOfNames
group-name: cn
group-description: description
group-members: member
The message from the server is not saying much: Not synchronized (error: The server is not operational.)
Debug log output is as follows:
05-07-2013 08:47:09.9960 - Critical - 0x0C5C: Directory service TEST could not be completely synced. Connection settings: host ldap.xon-ionx.****.se, port 636, top ou=USER_CONTAINER,o=ROOT, user cn=ZAV_User,ou=external,o=ROOT, type Secure, ufilter (objectClass=inetOrgPerson), uclass inetOrgPerson, uuname cn, ufname , ulname , uflname cn, gfilter (objectClass=groupOfNames), gclass groupOfNames, gdescription description, gmembership member
The server is not operational.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
at System.DirectoryServices.DirectorySearcher.FindAll()
at Spoon.Server.Common.Data.Library.DirectoryService._SyncNode(LibraryDataContext dc, DirectoryServiceNode dsn, Dictionary`2 dictUsers, Dictionary`2 dictGroups, Dictionary`2 dictUsersToInclude, Dictionary`2 dictGroupsToInclude, Int32& iUsersAdded, Int32& iGroupsAdded)
at Spoon.Server.Common.Data.Library.DirectoryService.Sync()
/Mathias

Do other binding options function as expected (Simple, Anonymous)? I'm also working on setting up a test environment to try and reproduce this. If I find something that can help, I'll update the thread.
The support team could open a proper ticket with Spoon about this, but it requires that you open an SR first.
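To narrow down "The server is not operational" before involving support, the check below does what the Secure binding does first: a TCP connect to port 636 followed by a TLS handshake with chain and hostname verification, and it reports which of the two stages failed. This is an added example using Python's standard `ssl` module as a stand-in for the .NET client in the trace; it is not Spoon code, and `ldap.example.internal` is a placeholder for the real directory host.

```python
"""LDAPS reachability and trust probe.

Added example, not part of the thread: "The server is not operational" does
not say whether port 636 is closed or whether the client distrusts the
server certificate. This runs the same first two steps as an LDAPS client,
a TCP connect and a verified TLS handshake, and reports which stage failed.
"""
import socket
import ssl
import sys

LDAPS_PORT = 636


def probe_ldaps(host, port=LDAPS_PORT, cafile=None, timeout=5.0):
    """Return (ok, stage, detail); stage is dns, tcp, trust, handshake or tls.

    cafile is a PEM bundle with the CA that issued the directory server's
    certificate. None means the platform trust store, which is normally what
    the failing client uses too, so a "trust" result here usually reproduces
    the client's problem.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain + hostname
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror as exc:
        return False, "dns", "cannot resolve %s: %s" % (host, exc)
    except OSError as exc:
        # Refused, timed out or filtered: nothing answers on the LDAPS port, so
        # certificates are not the problem yet.
        return False, "tcp", "cannot reach %s:%d: %s" % (host, port, exc)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
            return True, "tls", "%s ok, certificate names %s" % (tls.version(), sans)
    except ssl.SSLCertVerificationError as exc:
        # Chain or hostname check failed: install the issuing CA on the client
        # or fix the name on the certificate; do not turn verification off.
        return False, "trust", "certificate rejected: %s" % getattr(exc, "verify_message", exc)
    except (ssl.SSLError, OSError) as exc:
        # The port answers but does not complete a TLS handshake, e.g. plain
        # LDAP bound to 636, or the connection was dropped mid-handshake.
        return False, "handshake", "TLS handshake failed: %s" % exc


if __name__ == "__main__":
    # Placeholder host; pass the real directory host and optionally a CA file.
    target = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.internal"
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(probe_ldaps(target, cafile=ca))
```

Run it from the machine that performs the sync, since that is the trust store and network path that matter.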

Similar Messages

  • EDSPermissionError(-14120) problems with LDAP, SSL and Directory Utility

    Hello everyone,
    Apologies for the repost but I think I may have made a mistake by posting this originally in the Installation, Setup and Migration forum instead of the Open Directory forum. At least I think that may be why I didn't receive any responses.
    Anyway, I've been trying to get my head around Open Directory and SSL as they are implemented in Mac OS X Server 10.5 Leopard, and have been having a few issues. I would like to set up a secure internal infrastructure based around a local Certificate Authority that signs certificates for other internal services like LDAP, email, websites, etc.
    I only have one Mac OS X Server and it is kind of a small office so I have gone against best practice and simply made it a CA (through Keychain Utility). I then generated a self-signed SSL certificate through Server Admin, and used the "Generate CSR" option to create a Certificate Signing Request. This went fine, but I did have some problems signing it with the CA, because the server documentation suggested that once I signed it it would pop open a Mail message containing the ASCII version of the signed certificate - it did not, and it took me a loooong time to realize that I could simply export the copy of the signed certificate it put in my local Keychain on the server as a PEM file and paste this back into the "Add Signed or Renewed Certificate from Certificate Authority" dialog box in Server Admin. Hopefully this can be fixed in a forthcoming patch, but I thought I would mention it here in case anyone else is stuck on this issue.
    Once I did this I was able to use this certificate in the web server on the same machine and sure enough I was able to connect to it with clients who had installed the CA certificate in their system Keychains without getting any error messages - very cool.
    However, I haven't had quite as much luck getting it going with LDAP/Open Directory. I installed the certificate there as well, but have run into a number of problems. At first I could not get clients (also running 10.5.2) to talk to the server at all over SSL, receiving an error in Directory Utility that the server did not support SSL. I eventually discovered that the problem seemed to lie in the fact that the OpenLDAP implementation on Leopard is not tied in with the system Keychain, necessitating some command-line voodoo to install a copy of the CA cert in a local directory and point /etc/openldap/ldap.conf at it, as documented here: http://www.afp548.com/article.php?story=20071203011158936
    This allowed me to do an ldapsearch command over SSL, and seemingly turn SSL on on clients that were previously bound to the directory, and additionally allowed me to run Directory Utility on new clients and put in the server name with the SSL box checked and begin to go through the process of binding. Once this seemed to work, I turned off all plaintext LDAP communication and locked down the service by checking the "Enable authenticated directory binding," "Require authenticated binding," "Disable clear text passwords," and "Encrypt all packets" options in Server Admin. However, I am now running into a new problem, specifically that I cannot successfully bind a local account to a directory account over SSL.
    Here's what happens:
    1) I run Directory Utility, (or it auto-runs) and add a server, typing in the DNS name and clicking the SSL box.
    2) I get asked to authenticate, and type in user credentials, including computer name (incidentally, should this be a FQDN or just a hostname?)
    3) Provided I put admin credentials in here and not user-level credentials, I get taken to the "Do you want to set up Mail, VPN, etc.?" box that normally appears when you autodiscover or connect to an Open Directory server.
    4) I click through, and am asked for a username and password on the server, as well as the password for my local account.
    5) When I put this information in, I get a popup with the dreaded "eDSPermissionError(-14120)" and it fails.
    Checking the logs in Server Admin reveals nothing special, and while I have seen a couple other threads on this error and various other binding problems:
    http://discussions.apple.com/thread.jspa?messageID=5967023
    http://discussions.apple.com/message.jspa?messageID=5982070
    these have not solved the problem. In the Open Directory user name field I am putting the short username. I have tried putting [email protected] and the user's longname but this fails by saying the account does not exist. For some reason it does seem to work if I bind it to the initial admin account I created, but no other user accounts.
    If I turn all the encryption stuff off I am able to join just fine, so I am suspecting that the error may lie in some other "under the hood" piece of software that doesn't get the CA trust settings from the Keychain or the ldap.conf file, but I'm stymied as to which piece of software this might be. Does anyone have any clues on what I might be able to do here?
    Thanks,
    Andrew

    Hard to tell what is happening without looking at the application
    source, knowing what OS & hardware you're using etc. You might want to
    try running with different JVM versions to see if it's actually the VM
    that is the problem. If you have a support contract with BEA you could
    ask support to help you diagnose this.
    Regards,
    /Helena
    Ayub Khan wrote:
    I have an application running on Weblogic 8.1 ( with JRockit as the JVM). This
    application in turn talks to an iPlanet Directory server via LDAP/SSL. The problem
    seems to happen on loading the machine..the performance progressively gets worse
    and after a couple of seconds, all the threads stop responding. I checked the
    heap, cpu and the idle threads in the execute queue and there is nothing there
    to trigger alarms...there are quite a few idle threads still and the heap and
    the cpu utilization seem OK. On doing a thread dump, I see that all the other
    threads seem to be in a state where they are waiting for data from LDAP and it
    is basically read only data that they are waiting on.
    Does anyone know what is going on and help point me in the right direction?
    -Ayub

  • Oracle.ldap.util and secure connections

    Greetings,
    I am connecting to our corporate LDAP (Sun One) server to retrieve Users so as to produce lists of names, etc. In development, the connection was not secure, however in production it is. I need some advice on what the method to use would be for handling the secure connection.
    It looks like I am unable to get the RootOracleContext object from which to getSubscriber(). Please help!
    And happy holidays!
    Thanks, Ginni

    Bump

  • SSL and Secure Cookies

    I am running WebCache 10.1.2 and an origin server of OAS 10.1.3. I have configured SSL communication for both WebCache and OAS. I have cookies that are defined in OAS to be secure.
    If I hit the system through OAS directly, I can see that the connection flags for the cookies are set to Secure Connection only. But when I access the application through WebCache, the cookies' connection flags are set to Any Connection.
    Is there something I can configure in WebCache to keep the Secure Connection flag value as it is passed from OAS?

    See if something here can help you: http://download-west.oracle.com/docs/cd/B14099_02/caching.1012/b14046/concepts.htm#i1014783 . I believe it's just a config issue.
    Hope this helps.
    Regards,
    Priyanka GES

  • SSL and security modes

    We are getting ready to implement SSL on the Portal Server and after reading the documentation, I'm not sure which security mode we need to be in. Will mode 0 be fine as long we require SSL on IIS on the portal server?

    Hi Eric,
    You mentioned that your site is in mode 2. How was the performance? Are you using an accelerator? Please send me the link if that is alright. We have been playing with https (mode 2) but no success since all admin tasks stopped working. Our next step is to install a separate portal inside the firewall....Any tips would be appreciated.
    Thanks,
    Leona
    ------- Eric Whitley wrote on 9/17/04 10:33 AM -------
    I think you'll want to at least set SSL mode to 1. I'm going to just write out my understanding of things, and I only really have PT 4.5 WS in production, so if I'm off, well... somebody correct me. :)
    Something to keep in mind - Plumtree needs to "know" which SSL mode you're setting up so it can construct the links for all click-throughs (http://myserver vs https://myserver).
    0 = no SSL. Even if you place SSL on IIS Plumtree won't care - in fact, if you click on 'require SSL' on IIS, I think you'll run into problems. Plumtree won't construct URLs with the appropriate "https" prefix, which will likely cause problems.
    1 = apply security to pages that need it. Login pages, document click-throughs, etc. as defined in the secure activity spaces configuration. Plumtree will apply the "https" to only those pages/links.
    2 = SSL everything, everywhere. Our portal currently has this configuration.
    Clicking on "require SSL" on the virtual directory will only deal with the IIS portion - you still need to indicate to Plumtree how much/where you want it applied so it can construct the links appropriately. Try setting "1" to see if it gets you to baseline security - our clients and global security team force us to SSL everything conceivable, so we use setting "2".
    That help?
    Eric

  • SSL and security-constraints

    I'd like to know if anybody knows a way to abandon an https session.
    I know I can specify a set of protected resources, editing web.xml, in the following way:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Context</web-resource-name>
            <url-pattern>/Login.jsp</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    I just saw that if I keep surfing my site, after the system redirected me to https (because a protected resource has been requested), all following requests are https, even if the resource is not specified as protected in web.xml, and not simple http!
    How can I specify that a resource must run in http?
    How can I specify that a resource is not protected?
    Hope somebody could help...
    Peppe.

  • LDAP and Security Communications

    Hello everybody !
    we're using SunOne DirSer 5.2 and we're thinking to restrict security policies. Our LDAP accept bind connections and uid/pwd are transmitted clearly on the net. We would like to code this info.
    Sorry for question but I'm a novice...
    Is there a simple way to enable LDAP SSL communication WITHOUT certificates installation ( server+clients ) ??
    If I choose to install certificate on server only, must I store clear password inside ldap tree ( DIGEST-MD5 force to store clear pwd in ldap tree ) ??
    Thank you very much,
    Silvio

    > Hello everybody !
    > we're using SunOne DirSer 5.2 and we're thinking to
    > restrict security policies. Our LDAP accept bind
    > connections and uid/pwd are transmitted clearly on
    > the net. We would like to code this info.
    > Sorry for question but I'm a novice...
    > Is there a simple way to enable LDAP SSL
    > communication WITHOUT certificates installation (
    > server+clients ) ??
    No there is no way - you need to have a server certificate installed!!
    There are dozens of free tools (openSSL, ...) which can be used to generate such a certificate. Of course, you may also obtain/buy one from an official CA.
    There is an excellent and extensive documentation about that topic available online @
    http://docs.sun.com/source/816-6698-10/ssl.html (Sun Dir Server Admin Guide Implementing Security)
    and
    http://docs.sun.com/source/816-6704-10/ssl.html (Using SSL and TLS with Sun ONE Servers)
    So if you have some spare time - go read it!
    > If I choose to install certificate on server only,
    > must I store clear password inside ldap tree (
    > DIGEST-MD5 force to store clear pwd in ldap tree )
    > ??
    Which password do you mean???
    By default, user (BIND) passwords are stored according to your passwordStorageScheme setting of the global password policy (dn: cn=Password Policy,cn=config), which is SSHA. So they are stored hashed by default!
    > Thank you very much,
    > Silvio

  • Sharepoint and SSRS report trust relationship ssl/tls secure channel remote certificate is invalid

    I have no experience with sharepoint at all, but this is what I observed.
    I am intermittently getting this error message on my sharepoint: could not establish trust relationship for the ssl/tls secure channel. Remote Certificate is invalid according to the validation procedure.
    Screenshot of the error
    This is how the sharepoint page is laid out.
    I have report.aspx, and below is the content of the aspx file.
    The url is http://sharepoint.COMPANY.com/Pages/Report.aspx.
    The URL is intranet only.
    The sharepoint is hosted in SERVER1 and the SSRS is hosted in SERVER.
    I observed this error happens on both HTTP and HTTPS: http://sharepoint.COMPANY.com/Pages/Report.aspx OR https://sharepoint.COMPANY.com/Pages/Report.aspx
    So far, the step I did was to follow this blog http://krishnasangani.blogspot.ca/2013/06/the-remote-certificate-is-invalid.html and restart IIS in SERVER1 AND SERVER2, but the problem persists. Another thing I have done is to click the certificate in internet explorer and everything looks ok on that side too (certificate is valid).
    It seems to only happen earlier during the morning, then it fixes itself around 9 o'clock. It has been ongoing for about 2 weeks. Please help troubleshooting this.
    <%@ Page Inherits="Microsoft.SharePoint.Publishing.TemplateRedirectionPage,Microsoft.SharePoint.Publishing,Version=14.0.0.0,Culture=neutral,PublicKeyToken=71e9bsasdasdasd9c" %> <%@ Reference VirtualPath="~TemplatePageUrl" %> <%@ Reference VirtualPath="~masterurl/custom.master" %><%@ Register Tagprefix="SharePoint" Namespace="Microsoft.SharePoint.WebControls" Assembly="Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bsasdasdasd9c" %>
    <html xmlns:mso="urn:schemas-microsoft-com:office:office" xmlns:msdt="uuid:547SF010-65B3-11d1-A29F-00457845FFSW"><head>
    <!--[if gte mso 9]><SharePoint:CTFieldRefs runat=server Prefix="mso:" FieldList="FileLeafRef,Comments,PublishingStartDate,PublishingExpirationDate,PublishingContactEmail,PublishingContactName,PublishingContactPicture,PublishingPageLayout,PublishingVariationGroupID,PublishingVariationRelationshipLinkFieldID,PublishingRollupImage,Audience,PublishingPageImage,PublishingPageContent,SummaryLinks,ArticleByLine,ArticleStartDate,PublishingImageCaption,HeaderStyleDefinitions"><xml>
    <mso:CustomDocumentProperties>
    <mso:PublishingContact msdt:dt="string">8</mso:PublishingContact>
    <mso:HeaderStyleDefinitions msdt:dt="string"></mso:HeaderStyleDefinitions>
    <mso:display_urn_x003a_schemas-microsoft-com_x003a_office_x003a_office_x0023_PublishingContact msdt:dt="string">First Last Name</mso:display_urn_x003a_schemas-microsoft-com_x003a_office_x003a_office_x0023_PublishingContact>
    <mso:PublishingContactPicture msdt:dt="string"></mso:PublishingContactPicture>
    <mso:PublishingContactName msdt:dt="string"></mso:PublishingContactName>
    <mso:ContentTypeId msdt:dt="string">0x010100C568DB5SDH48375LKNSDFG8340JKRG8034U6NEGK8TNGE8U34NIOGE8355H3358TRNG38G43JIOEG0T3JIGE9034340R8J05T4I54T4J8903HH5640K9445G54HH6564H65665</mso:ContentTypeId>
    <mso:Comments msdt:dt="string"></mso:Comments>
    <mso:PublishingContactEmail msdt:dt="string"></mso:PublishingContactEmail>
    <mso:PublishingPageLayout msdt:dt="string">https://sharepoint.COMPANY.com/_catalogs/masterpage/PageFromDocLayout.aspx, Body only</mso:PublishingPageLayout>
    <mso:PublishingPageContent msdt:dt="string">&lt;div class=&quot;ms-rtestate-read ms-rte-wpbox&quot;&gt;&lt;div class=&quot;ms-rtestate-notify ms-rtestate-read a74e0591-4ee6-4837-935a-3c932a967fac&quot; id=&quot;div_a74e0591-4ee6-4837-935a-3c932a967fac&quot;&gt;&lt;/div&gt;
    &lt;div id=&quot;vid_a74e0591-4ee6-4837-935a-3c932a967fac&quot; style=&quot;display:none&quot;&gt;&lt;/div&gt;&lt;/div&gt;
    &lt;div class=&quot;ms-rtestate-read ms-rte-wpbox&quot;&gt;&lt;div class=&quot;ms-rtestate-notify ms-rtestate-read e97fce7c-b702-4530-ae50-16ea77475fd5&quot; id=&quot;div_e97fce7c-b702-4530-ae50-16ea77475fd5&quot;&gt;&lt;/div&gt;
    &lt;div id=&quot;vid_e97fce7c-b702-4530-ae50-16ea77475fd5&quot; style=&quot;display:none&quot;&gt;&lt;/div&gt;&lt;/div&gt;
    </mso:PublishingPageContent>
    <mso:PublishingRollupImage msdt:dt="string"></mso:PublishingRollupImage>
    <mso:RequiresRouting msdt:dt="string">False</mso:RequiresRouting>
    </mso:CustomDocumentProperties>
    </xml></SharePoint:CTFieldRefs><![endif]-->
    <title>Report</title></head>
    A few questions I have in mind are: any pointer to troubleshoot this problem, and, by looking at the ASPX file, would you be able to determine what method my Sharepoint page is calling the SSRS report with: integrated mode, native mode, IEFrame? The reason I am asking this is that maybe if I google using the right terminology I can get to a similar problem and solution.
    Thanks

    Please let us know if you are using SharePoint to communicate to an external service via HTTPS.
    Please try to perform the following steps:
    The fix is to set up a trust between SharePoint and the server requiring certificate validation.
    In SharePoint Central Administration site, go to “Security” and then “Manage Trust”.  Upload the certificates to SharePoint.  The key is to get both the root and subordinate certificates on to SharePoint.
    The steps to get the certificates from the remote server hosting the WCF service are as follows:
    1.  Browse from IE to the WCF service (e.g., https://remotehost/service.svc?wsdl)
    2.  Right click on the browser body and choose “Properties” and then “Certificates” and then “Certificate Path”.
    This tells you the certificate chain that’s required by the other server in order to communicate with it properly.  You can double-click on each level in the certificate chain to go to that particular certificate, then click on “Details” tab, “Copy to File” to save the certificate with the default settings.
    As an example, get both VeriSign & VeriSign Class 3 Extended Validation SSL CA.
    reference : http://blogs.technet.com/b/sharepointdevelopersupport/archive/2013/06/13/could-not-establish-trust-relationship-for-ssl-tls-secure-channel.aspx
    If my contribution helps you, please click Mark As Answer on that post and Vote as Helpful
    Thanks, ShankarSingh(MCP)

  • SSL and LDAP authentication

    I have installed Iplanet dirserver (5.1 sp1) on Solaris 8. I have Solaris 8 clients which should authenticate every user's ssh connection with this ldap server.
    I have done everything as described in the LDAP Setup and Configuration Guide (found on the sun.com website) and everything works fine if I don't use SSL.
    What should I do to make SSL work?
    I have installed ssl certificates etc. and when I make the dir server use ssl it works fine with the iplanet console (in the access log it says SSL connection), but I can't get it to work from my clients.
    My default port is 5001 and I have set the ssl port to 5002, but every time I change the client profile (and configure the client with the ldapclient command) to use port 5002, authentication doesn't work anymore. Actually that ldapclient command doesn't work either. I can see in the access log that the client tries to make an SSL connection, but the server doesn't respond to it.
    Can anyone help me on this?
    Jani

    I recently setup an iDS5.1 LDAP server as a naming service to a couple Solaris 9 clients. You must use the default SSL port (636), see http://docs.sun.com/db/doc/806-4077/6jd6blbdd?a=view .
    In my case, I used a self-signed cert on the Server. I then copied the cert7.db, key3.db and secmod.db files from the server to the /var/ldap directory on the clients. The files you want from the server are in the SERVER_ROOT/alias directory. Specifically, the slapd-id-cert7.db and slapd-id-key3.db are the ones you want, where id is the slapd server instance name, typically the host name of the computer.
    HTH,
    Roger S.

  • IPhone LDAP contacts and Self signed SSL certificates

    Hi,
    I am using OpenLDAP with a self signed SSL certificate, and I am unable to get SSL to work with LDAP contacts on the iPhone (4.x). I have tried to add a CA cert with a server certificate for the LDAP server and downloaded it to the iPhone by web; it adds the CA, but even with it, it does not want to connect to the LDAP server with SSL enabled.
    Should LDAP contacts work by adding a new CA? If yes, what is the exact procedure to do it? (maybe I used a wrong CA export format, or a wrong SSL certificate encryption format ...)
    Can someone tell me how to do it?
    This is really annoying, since we have multiple iPhones in the company.
    Thanks for the help.

    Hello, found your post.  I realize it's been 6 months since you posted, but I have a solution for you since I have struggled with the same problem since 2009.
    I discovered that when the iPhone is using LDAPS, it tries to bind with LDAPv2.  After it binds, it speaks LDAPv3 like it is supposed to.  Apparently this is a somewhat common practice since OpenLDAP includes an option for it.
    You'll want to set the following option in OpenLDAP:
    dn: cn=config
    olcAllows: bind_v2
    Voilà! LDAPS works! (assuming you've correctly done all the certificate stuff).  Took some deep reading through the debug logs to figure out this problem.  Figured I'd share my answer with others.
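An added example (not from either post above) that makes two points concrete in bytes: a minimal BER encoder/decoder for the LDAP simple BindRequest, showing the protocol version field that `olcAllows: bind_v2` gates, and, for the earlier SunOne question about uid/pwd crossing the wire, the password carried in the clear inside a simple bind on a connection without TLS. The `cn=test` DN and `pw` password are constructed sample values, and `server_accepts` is a hypothetical helper that mirrors the bind_v2 decision, not OpenLDAP code.

```python
"""LDAP BindRequest on the wire (added example, not from either post).

BER layout per RFC 4511:
  LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
  BindRequest ::= [APPLICATION 0] SEQUENCE {
      version INTEGER, name OCTET STRING, authentication CHOICE { simple [0] ... } }
"""

TAG_SEQUENCE = 0x30        # universal SEQUENCE, constructed
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60    # [APPLICATION 0], constructed
TAG_SIMPLE_AUTH = 0x80     # AuthenticationChoice simple [0], primitive
TAG_SASL_AUTH = 0xA3       # AuthenticationChoice sasl [3], constructed


def _ber_length(n):
    """Definite-form length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _ber_length(len(content)) + content


def _integer(value):
    # Minimal two's-complement encoding; enough for message IDs and versions.
    return _tlv(TAG_INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def encode_simple_bind(message_id, version, name, password):
    """Build the bytes a client sends for a simple bind with the given version."""
    bind = _tlv(TAG_BIND_REQUEST,
                _integer(version)
                + _tlv(TAG_OCTET_STRING, name.encode())
                + _tlv(TAG_SIMPLE_AUTH, password.encode()))
    return _tlv(TAG_SEQUENCE, _integer(message_id) + bind)


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the BER element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def decode_bind_request(buf):
    """Parse a BindRequest PDU into message_id, version, name and auth."""
    tag, msg, _ = _read_tlv(buf, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, raw_id, pos = _read_tlv(msg, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest (tag 0x%02x)" % tag)
    _, raw_version, pos = _read_tlv(bind, 0)
    _, raw_name, pos = _read_tlv(bind, pos)
    tag, cred, _ = _read_tlv(bind, pos)
    if tag == TAG_SIMPLE_AUTH:
        auth = ("simple", cred.decode())   # the password itself; only TLS hides it
    elif tag == TAG_SASL_AUTH:
        auth = ("sasl", cred)
    else:
        raise ValueError("unknown AuthenticationChoice tag 0x%02x" % tag)
    return {
        "message_id": int.from_bytes(raw_id, "big", signed=True),
        "version": int.from_bytes(raw_version, "big", signed=True),
        "name": raw_name.decode(),
        "auth": auth,
    }


def server_accepts(request, allow_bind_v2=False):
    """Hypothetical mirror of the olcAllows decision: v3 always, v2 only if enabled."""
    version = request["version"]
    if version == 3:
        return True, "LDAPv3 bind"
    if version == 2 and allow_bind_v2:
        return True, "LDAPv2 bind accepted because bind_v2 is allowed"
    if version == 2:
        return False, "LDAPv2 bind refused: olcAllows: bind_v2 is not set"
    return False, "unsupported protocol version %d" % version


# Constructed sample: a v2 simple bind as an old client sends it without TLS.
SAMPLE_V2_BIND = bytes.fromhex(
    "3015"                    # LDAPMessage SEQUENCE, 21 bytes
    "020101"                  #   messageID 1
    "6010"                    #   BindRequest [APPLICATION 0], 16 bytes
    "020102"                  #     version 2
    "0407636e3d74657374"      #     name "cn=test"
    "80027077"                #     simple password "pw", in the clear
)

if __name__ == "__main__":
    req = decode_bind_request(SAMPLE_V2_BIND)
    print(req, server_accepts(req), server_accepts(req, allow_bind_v2=True))
```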

  • LDAP SSL requirement and setup

    Can someone point me the direction on setting up LDAP SSL in Apex 2.2?
    Is there any documentation available? Thank you.

    I have the same request. The only information I could find was here: LDAP Authentication Failed

  • How do I bind to directory server with SSL and authentication?

    I'm running Lion Server 10.7.3, Open Directory master. In Open Directory/Settings/LDAP, I've checked the box to Enable SSL and selected a (self-signed) certificate. In Policies/Binding, I've checked the box to Enable Authenticated Directory Binding.
    Testing with a client computer on which Snow Leopard has been freshly installed and fully updated, I went to System Prefs/Accounts to bind to the new directory server. The good news is, the binding was successful, and when the client initiates an AFP connection with the server, it uses Kerberos, creating a ticket as expected. (Which doesn't work with Lion clients, alas, but that's a separate matter.)
    Here are the problems:
    1) It looks like the binding did not use SSL. By which I mean that when I opened Directory Utility and examined the LDAPv3 entry, the SSL checkbox was not checked. (If I then check the box, everything looks fine until I restart the client, after which I have a red dot. So I'm guessing that checking the box does nothing until after restart, and that it breaks the binding.)
    2) I was never prompted to authenticate for the directory binding.
    So I get that literally I'm *enabling* SSL and Authenticated Directory Binding, but it seems like the defaults are to bind without SSL or authentication, and there's no obvious-to-me way to force the binding to use those things. How do I do that?
    What I'd really like to do is *require* SSL and Authenticated Directory Binding. I want this because my belief (correct me if I'm wrong) is that if authentication is required to bind to the server, no one will be able to bind to my server without my permission, and that SSL offers a more secure connection to my server than not-SSL. How do I require these things, or do I not really want to?
    Thank you.

    You cannot connect to databases via Muse at the moment. Please refer: http://forums.adobe.com/message/5090145#5090145
    Cheers,
    Vikas

  • Convergence with LDAP SSL Failure

    Hello,
    I'm now having a problem securing connections between Convergence and my LDAP server.
    Once I set ugldap.enablessl to true in iwcadmin and change the port to 636, the following error occurs and Convergence just can't authenticate.
    server.log in Glassfish 2.1.1, enterprise profile using NSS keystore
    [#|2010-11-12T20:17:15.208+0000|SEVERE|sun-appserver2.1|com.sun.comms.shared.ldap|_ThreadID=19;_ThreadName=Thread-114;_RequestID=f4814afe-c0b0-4245-b21b-64be2d4a39e3;|LDAPS:Error occured during SSL handshake java.lang.RuntimeException: Could not parse key values|#]
    [#|2010-11-12T20:17:15.209+0000|SEVERE|sun-appserver2.1|com.sun.comms.shared.ldap.LDAPSingleHostPool|_ThreadID=19;_ThreadName=Thread-114;_RequestID=f4814afe-c0b0-4245-b21b-64be2d4a39e3;|buildConnection: got LDAPException while connecting to Pool number:0. Host=<ldaphost> :netscape.ldap.LDAPException: Error occured during SSL handshake java.lang.RuntimeException: Could not parse key values (91)|#]
    HTTP SSL connections to Webmail server and calendar servers are fine. I tried deploying the same configuration using developer profile with JKS keystore, the SSL authentication goes through then, but I need clustering for high availability.
    Does anyone have any ideas?
    Thanks so much in advance!
    Mathew

  • Problem connecting LDAP SSL

    Hello:
    I am trying to connect IDM 6.0 SP1 with Sun Directory Server 5 (LDAP) using the LDAP adapter. If I use the non-secure port (389) it is OK and the connection works fine.
    But if I try to use the ssl port (636) I obtain an error.
    Directory Server is configured to work with both ports (389 and 636), it has ssl enabled and has a certificate (self-signed). Another application (ldap browser) can connect to the ssl port without problem.
    Is there another thing to do on the machine running IDM? (for example, install the LDAP certificate) How do I do this?
    Both machines are Solaris 10 x86 and they are in the same dns domain.
    Thanks

    To connect to an SSL resource, you must have a certificate trust chain defined in the Java Virtual Machine in which the IDM is running. Not knowing what web server you are running IDM on, I must be general in my reply. You need to include the following system property definition in the java parameters for your JVM:
    -Djavax.net.ssl.trustStore=<fully qualified path to a JKS keystore containing the trust chain for your self signed server cert>
    e.g.
    -Djavax.net.ssl.trustStore=/myapps/idm/truststore.jks
    You can create the truststore using the keytool utility that comes with the Sun Java JDK (<JAVA_HOME>/bin/keytool) Hope this helps.
    FYI - your browser queries to LDAP work because you have the trust chain stored in your browser certificate cache.

  • App Server 8.0 LDAP SSL Problems

    Hello,
    I have been able to get the following java code to connect to an LDAP server to work in a servlet (within a j2ee-module) under the Sun J2EE application server 8.0 when I am connecting to a non-ssl LDAP server:
    LDAPConnection conn = new LDAPConnection();
    conn.connect(ldap_host, Integer.parseInt(ldap_port));
    StringBuffer sb = new StringBuffer("uid=");
    sb.append(cuid).append(",").append(ldap_base);
    String dn = sb.toString();
    conn.authenticate(3, dn, password);
    I have been having a bear of a time implementing the same thing but with SSL by changing the host and port to an SSL LDAP instance and substituting the following code:
    LDAPConnection conn = new LDAPConnection();
    JSSESocketFactory jssf = new netscape.ldap.factory.JSSESocketFactory(null);
    conn = new LDAPConnection(jssf);
    I have used the following command to insert the cert from the LDAP server into the keystore:
    keytool -import -trustcacerts -alias <ca-cert-alias> -file <cert>
    I have also tried to inject the cert into the cacerts file found under the SUNWappserver/domains/domain1/config/cacerts.jks file directly using keytool.
    No matter what I do, when the SSL version of the code is executed I get the following exception:
    [#|2004-07-14T13:59:40.372-0400|INFO|sun-appserver-pe8.0.0_01|javax.enterprise.system.stream.out|_ThreadID=12;|
    DEBUG Wed Jul 14 13:59:40 EDT 2004: <class removed for security purposes>.doPost:
    Uncaptured Exception: JSSESocketFactory.makeSocket <host and port removed for security purposes>, Default SSL context init failed: Cannot recover key|#]
    [#|2004-07-14T13:59:40.374-0400|INFO|sun-appserver-pe8.0.0_01|javax.enterprise.system.stream.out|_ThreadID=12;|
    DEBUG Wed Jul 14 13:59:40 EDT 2004: <class removed for security purposes>.doPost:
    netscape.ldap.LDAPException: JSSESocketFactory.makeSocket <host and port removed for security purposes>, Default SSL context init failed: Cannot recover key (91)
    at netscape.ldap.factory.JSSESocketFactory.makeSocket(JSSESocketFactory.java:111)
    at netscape.ldap.LDAPConnSetupMgr.connectServer(LDAPConnSetupMgr.java:509)
    at netscape.ldap.LDAPConnSetupMgr.openSerial(LDAPConnSetupMgr.java:435)
    at netscape.ldap.LDAPConnSetupMgr.connect(LDAPConnSetupMgr.java:274)
    at netscape.ldap.LDAPConnSetupMgr.openConnection(LDAPConnSetupMgr.java:199)
    at netscape.ldap.LDAPConnThread.connect(LDAPConnThread.java:109)
    at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:1067)
    at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:938)
    at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:781)
    at com.qwest.nts.portal.LdapHelper.authenticate(LdapHelper.java:51)
    at com.qwest.nts.portal.servlet.PortalServlet.doPost(PortalServlet.java:68)
    at com.qwest.nts.portal.servlet.BaseServlet.doGet(BaseServlet.java:50)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:748)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:861)
    at sun.reflect.GeneratedMethodAccessor68.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:246)
    at java.security.AccessController.doPrivileged(Native Method)
    Am I missing something here? What does one need to do to get the Sun application server to enable SSL connections to an LDAP server? I am a bit confused what keystore to use since there are numerous copies of cacerts.jks and keystore.jks among both the application server config files and the jdk/jre config files found under SUNWappserver.
    I attempted to see debug messages by adding -Djavax.net.debug=all directly to the java command found in the startserv script for this web application. I am not sure if this is the correct way to set system parameters when using the J2EE Sun application server, but it should work, no? When I do this I don't see any additional messages in the server's log file found at /SUNWappserver/domains/domain1/logs/server.log. All I see is System.out.println's from the java code and the exception.
    Thanks in advance for any help.
    - Dan

    Harpreet,
    Thanks for the reply. Yes, I do just want to authenticate to the LDAP server from some code in my servlet. It is working against a non-SSL server right now. I guess I am not using the LDAPRealm that the appserver provides because I didn't know about it. I just pulled working LDAP code from another project (written for WebLogic). As I said before, all is working fine against the non-SSL server; however, I need to authenticate against an SSL server. As for your other question, why am I using JSSESocketFactory, I don't have a good answer. The application I am using as an example around here uses ldapsdk.jar. Are you saying that these LDAP classes are already built in?
    Thanks
    - Dan
    Hi Dan
    A couple of questions that will help me understand this better.
    1. It seems you just want to authenticate to the LDAP server from some code in your servlet - is that right? (On a side note: why don't you use the LDAPRealm that the appserver provides? It currently does not perform SSL authentication but that is something we are looking at.) This way you don't end up reinventing the wheel.
    2. Any particular reason for not using the J2SE security factory classes? (Since you use the Netscape JSSESocketFactory, you will have to use Netscape-provided flags to see what is going on over the wire.) That is the reason the javax.net.debug flags are not showing any useful output.
    PS: javax.net.debug=ssl should suffice
    Some comments and clarifications:
    The truststore that you should bother about is the one under domains/domain_name_of_the_domain_u_use/cacerts.jks. Cacerts.jks has your imported (trusted) certs while keystore.jks has your server private keys and certificates. (more info @ http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security.html#wp142440)
    There has been a relevant thread that you may look at: http://forum.java.sun.com/thread.jsp?forum=136&thread=51519
    Hope that helps
    - Regards
    Harpreet
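    As an added example that is not code from any of the posts above, covering both the truststore advice in the "Problem connecting LDAP SSL" thread and Harpreet's cacerts.jks-versus-keystore.jks distinction in this one: a small JNDI program that first confirms the JKS truststore actually holds the server's certificate as a trusted entry, then binds over ldaps://. Host, bind DN, alias, passwords and the truststore path are assumed placeholders; the truststore is assumed to have been built with `keytool -import -trustcacerts -alias ldap-server -file server.pem -keystore /myapps/idm/truststore.jks`.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
// Added example, not code from the posts above; host, paths, alias, bind DN
// and passwords are assumed placeholders.
public class LdapsBindCheck {
    // Check the truststore first: it must open with the expected password and
    // hold a trusted-certificate entry (cacerts.jks role), not a private key.
    static boolean trustStoreHasTrustedCert(String path, char[] storePass, String alias)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);  // a wrong password fails here, not at connect time
        }
        return ks.isCertificateEntry(alias);
    }
    // Simple bind over ldaps://. TLS handshake and bind both happen inside the
    // InitialDirContext constructor, so an untrusted certificate surfaces there
    // as a NamingException wrapping an SSLHandshakeException.
    static void ldapsBind(String host, int port, String bindDn, String password,
                          String trustStorePath, String trustStorePass) throws NamingException {
        if (password == null || password.isEmpty()) {
            throw new IllegalArgumentException("empty password would be an unauthenticated bind");
        }
        // Same as -Djavax.net.ssl.trustStore=... on the JVM command line; must be
        // set before the JVM's default SSLContext is first initialised.
        System.setProperty("javax.net.ssl.trustStore", trustStorePath);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePass);
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + host + ":" + port);  // host must match the cert name
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        new InitialDirContext(env).close();
    }
    public static void main(String[] args) throws Exception {
        String ts = "/myapps/idm/truststore.jks";
        if (!trustStoreHasTrustedCert(ts, "changeit".toCharArray(), "ldap-server")) {
            throw new IllegalStateException("no trusted cert 'ldap-server' in " + ts);
        }
        ldapsBind("ldap.example.com", 636, "cn=binduser,ou=people,o=example",
                  args.length > 0 ? args[0] : "", ts, "changeit");
        System.out.println("LDAPS bind OK");
    }
}
```

    Running it with -Djavax.net.debug=ssl, as Harpreet suggests, shows the handshake and which truststore the JVM actually opened, which is the quickest way to tell a wrong-file problem from a wrong-password one.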
