Getting SSGD 4.41 to work with SSL + Client Certificate

Hello everybody.
I'm running SSGD 4.41.909 on SuSE Linux Enterprise Server 10+Sp2 (x86_32bit) and I configured it to perform KERBEROS authentication against a Windows 2003R2 server.
Everything worked fine, so I decided to give SSL+Client Certificate a try.
I configured the Win2003R2 server as per the manual and I also:
. imported the Active Directory root CA into the SSGD truststore (/opt/tarantella/bin/jre/lib/security/cacerts)
. created a new key and a CSR using the keytool
. signed the above CSR with the Active Directory CA
. imported the just-signed certificate into the SSGD keystore (/opt/tarantella/var/info/certs/sslkeystore)
With the keytool I'm able to verify that the keystore does actually contain a valid CLIENT certificate:
/opt/tarantella/bin/jre/bin/keytool -list \
-keystore /opt/tarantella/var/info/certs/sslkeystore \
-keypass "$(cat /opt/tarantella/var/info/key)" \
-storepass "$(cat /opt/tarantella/var/info/key)"
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
testssgd, Dec 17, 2008, PrivateKeyEntry,
Certificate fingerprint (MD5): 33:3B:41:EC:A2:4C:FF:02:D7:0D:D8:2D:EB:B2:2A:2B
ssgd_client_cert, Dec 17, 2008, trustedCertEntry,
Certificate fingerprint (MD5): DE:6B:BA:28:39:6B:B2:7B:51:F5:F2:6B:41:6E:6B:C1
As you can see, the ssgd_client_cert is indeed available in the sslkeystore.
Next, I configured SSGD as follows:
Step4: LDAP Repository Details
Repository Type: (*) Active Directory
URLs: ad://zen.strhold.it
Connection Security: () Kerberos
(*) SSL
[x] Client Certificate Used
Active Directory Base Domain: zen.strhold.it
Active Directory Default Domain: zen.strhold.it
[Next]
I did not get any errors when I clicked [Next], and the same happened when I selected the [Finish] button.
I logged out of the Admin console, restarted the SSGD server and tried to login using an Active Directory VALID user but here's what I got:
Sun Secure Global Desktop Software (4.41) WARNING:
Could not find a client certificate to use to authenticate the
connection to the Active Directory server
'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
cannot be used to retrieve data from the Active Directory.
A known resolution to this warning is:
- Import a client certificate for this server into the SGD keystore.
For more information on how to do this, consult the SGD Administration
Guide.
2008/12/17 17:16:36.246     (pid 18920)     server/ad/warningerror     #1229530596247
Sun Secure Global Desktop Software (4.41) WARNING:
Failed to connect to the global catalog:
'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'.
Reason:
[LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09048B, comment: The server did not receive any credentials via TLS, data 0, vece]
Global catalog:
'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
cannot be used to retrieve data from the forest.
To help troubleshoot this warning,
- Verify that this global catalog is available on the network.
- Verify that SGD can resolve the global catalog's hostname via DNS.
- Verify that SGD can connect to port 3268 on the global catalog.
- Verify that this server is a global catalog for the forest.
I'm pretty sure I do have a client certificate in the SSGD keystore (as demonstrated by the keytool utility).
Am I missing something or what?
Things I've already checked:
. both the SSGD and Windows server clocks are in sync
. the DNS server (on Windows) is able to resolve the names of the boxes in both forward and reverse mode
. no firewall is operating between the boxes
Thanks,
Rob

Hi DD.
Thanks again for your time and patience!
Well, today I restarted the SSGD box (it's a virtual machine) and issued the following command:
    keytool -list -keystore sslkeystore -storepass "$(cat /opt/tarantella/var/info/key)" -keypass "$(cat /opt/tarantella/var/info/key)"
Much to my surprise, this time I got the following output:
Your keystore contains 1 entry
testssgd, Dec 19, 2008, trustedCertEntry,
Certificate fingerprint (MD5): 37:0D:8B:17:71:95:E6:D1:19:ED:D4:93:DE:5E:E7:35
As you can see, now the certificate is recognized as "trustedCertEntry" instead of the previous PrivateKeyEntry. If you step back to my previous post, you should be able to tell that the MD5 is the same one I got for the PrivateKeyEntry.
testssgd, Dec 19, 2008, PrivateKeyEntry,
Certificate fingerprint (MD5): 37:0D:8B:17:71:95:E6:D1:19:ED:D4:93:DE:5E:E7:35
By issuing the suggested:
    keytool -v -list -keystore sslkeystore -alias testssgd
command I got the following output (snipped):
Alias name: testssgd
Creation date: Dec 19, 2008
Entry type: trustedCertEntry
Owner: CN=ssgd.zen.strhold.it, OU=Strhold Evolution Division, O=Strhold, L=Reggio Emilia, ST=Italy, C=IT
Issuer: CN=ADroot, DC=zen, DC=strhold, DC=it
Serial number: 1568abe4000000000006
Valid from: Fri Dec 19 17:45:52 CET 2008 until: Sun Dec 19 17:45:52 CET 2010
Certificate fingerprints:
     MD5: 37:0D:8B:17:71:95:E6:D1:19:ED:D4:93:DE:5E:E7:35
     SHA1: 00:8F:59:04:51:49:A6:73:8C:B5:6D:74:C6:90:30:32:24:DE:6D:EA
     Signature algorithm name: SHA1withRSA
     Version: 3
As you can see, the Issuer is ADRoot (CN=ADroot, DC=zen, DC=strhold, DC=it).
The error messages did not change:
Attempted login for [email protected]
using disambiguation attributes {}.
2008/12/22 13:37:10.306     (pid 3764)     server/kerberos/info     #1229949430306
Kerberos attempting to log in rzini in to ZEN.STRHOLD.IT
2008/12/22 13:37:10.647     (pid 3764)     server/kerberos/moreinfo     #1229949430647
Kerberos succeeded in authenticating [email protected] to ZEN.STRHOLD.IT
2008/12/22 13:37:10.711     (pid 3764)     server/ldap/info     #1229949430711
LDAP config is: "ad://zen.strhold.it"
2008/12/22 13:37:10.716     (pid 3764)     server/ldap/info     #1229949430716
LDAP server user was changed for scope "forest" to ""
2008/12/22 13:37:10.796     (pid 3764)     server/ldap/moreinfo     #1229949430796
NSLookup succeeded: "win2003r2.zen.strhold.it." returned 192.168.68.1
2008/12/22 13:37:10.801     (pid 3764)     server/ldap/moreinfo     #1229949430801
Service lookup succeeded: "_gc._tcp.zen.strhold.it." returned 192.168.68.1:3268
2008/12/22 13:37:11.316     (pid 3764)     server/ad/warningerror     #1229949431315
Sun Secure Global Desktop Software (4.41) WARNING:
Could not find a client certificate to use to authenticate the
connection to the Active Directory server
'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
cannot be used to retrieve data from the Active Directory.
A known resolution to this warning is:
- Import a client certificate for this server into the SGD keystore.
For more information on how to do this, consult the SGD Administration
Guide.
2008/12/22 13:37:11.321     (pid 3764)     server/ad/warningerror     #1229949431321
Sun Secure Global Desktop Software (4.41) WARNING:
Failed to connect to the global catalog:
'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'.
Reason:
[LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09048B, comment: The server did not receive any credentials via TLS, data 0, vece]
[snip]
Discovery results:
Looking up Global Catalog DNS name: _gc._tcp.zen.strhold.it. - HIT
Looking for GC on server: Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up - ERROR
The Active Directory login authority and LDAP generation will not work as
SGD could not find a contactable global catalog.
2008/12/22 13:37:11.329     (pid 3764)     server/ldap/error     #1229949431329
Sun Secure Global Desktop Software (4.41) ERROR:
LDAP call failed: null lookupLink-.../_ldapmulti/forest/("DC=ZEN,DC=STRHOLD,DC=IT") 587ms javax.naming.NameNotFoundException: Failed to lookup a Global Catalog server
A call to LDAP failed. This might mean LDAP users cannot log in.
I can provide you with the Java exception which was reported but I cannot include it with this message due to the restriction in size we have when posting.
Thanks again,
Rob
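An added check, not code from the thread or from SGD, that applies to both posts above: it parses the listing that `keytool -list` prints (in the layout quoted above) and reports whether the keystore holds a PrivateKeyEntry, the only entry type that carries the private key a TLS client-certificate handshake needs; a trustedCertEntry is the certificate alone. The sample listings and their fingerprints are constructed; the SGD paths in the trailing comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from SGD: decide from a
# `keytool -list` listing whether a JKS keystore holds anything usable as a
# TLS client certificate. Mutual TLS needs the private key, which only a
# PrivateKeyEntry carries; a trustedCertEntry is the certificate alone.

# Constructed sample listings (fingerprints made up). SAMPLE_BROKEN mirrors
# the state in the second post; SAMPLE_OK is what a usable keystore shows.
SAMPLE_BROKEN='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

testssgd, Dec 19, 2008, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

SAMPLE_OK='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

testssgd, Dec 17, 2008, PrivateKeyEntry,
Certificate fingerprint (MD5): 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF
adroot, Dec 17, 2008, trustedCertEntry,
Certificate fingerprint (MD5): FE:DC:BA:98:76:54:32:10:FE:DC:BA:98:76:54:32:10'

# Print "alias entrytype" for every entry in the listing passed as $1.
# Entry lines look like "alias, Dec 17, 2008, PrivateKeyEntry," so the date
# itself contains a comma; the entry type is the next-to-last field.
list_entries() {
    printf '%s\n' "$1" | awk -F ', *' \
        'NF >= 2 && $(NF-1) ~ /^(PrivateKeyEntry|trustedCertEntry|SecretKeyEntry)$/ {
             print $1, $(NF-1)
         }'
}

# Print the aliases that hold a private key. Exit status 1 when there is
# none: that is the keystore state behind the "Could not find a client
# certificate" warning quoted in the thread.
private_key_aliases() {
    list_entries "$1" | awk '$2 == "PrivateKeyEntry" { print $1; n++ }
                             END { exit (n > 0) ? 0 : 1 }'
}

# One-line verdict: "OK <aliases>" or "NO-CLIENT-KEY".
diagnose() {
    keys=$(private_key_aliases "$1") && printf 'OK %s\n' "$keys" \
        || printf 'NO-CLIENT-KEY\n'
}

diagnose "$SAMPLE_OK"       # OK testssgd
diagnose "$SAMPLE_BROKEN"   # NO-CLIENT-KEY

# Against the live SGD keystore (paths as quoted in the thread, assumed here):
# diagnose "$(/opt/tarantella/bin/jre/bin/keytool -list \
#     -keystore /opt/tarantella/var/info/certs/sslkeystore \
#     -storepass "$(cat /opt/tarantella/var/info/key)")"
```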
