JNDI :: LDAP :: SSL :: howto trust all certificates
hi @ all,
currently I'm writing a JNDI LDAP wrapper Java package which is intended to encapsulate all the JNDI stuff for its user, so he only needs to configure its settings through an XML configuration file.
now I'm at the point where I want to enable this package to communicate through an SSL secured connection. therefore I've got two questions.
first:
how can I specify a keystore file other than the default JRE keystore file to be used by JNDI when connecting to the directory server through SSL?
second:
I do not like the default behaviour of the JSSE which forces me, and in fact all the future users of the package, to have imported the server's certificate into such a keystore. I think this is not nice, because I want to enable my application to connect to the server independent of the certificate it uses. is there any way to get JNDI (I think JSSE in fact) to accept every certificate the server uses?
it would be nice if someone could help me with these questions, 'cause I did not get it working up to now.
thx in advance
dialsc
morning,
meanwhile I was able to answer the first question by myself.
here's the answer:
create a keystore with the following instruction:
keytool -import -file server_cert.cer -keystore jssecacerts
then tell java to use the individual keystore with the following statement (before creating the DirContext):
System.setProperty("javax.net.ssl.trustStore", "/path/to/the/individual/keystore/file/myKeystoreFile");
that's it. now the SSL connection should work.
but what about my second question. can anyone give an answer for it, please?
regards
dialsc
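The System.setProperty route above works, but javax.net.ssl.trustStore is JVM-wide: it changes which certificates every TLS client in the process trusts, not only the wrapper's directory connection. The following is an added example, not code from dialsc or from this thread, that applies the same trust store per context through java.naming.ldap.factory.socket, the property the JNDI LDAP provider reads to obtain its socket factory, and switches hostname verification on explicitly. The host ldap.example.com, the bind DN, the password "secret", the trust store path and the class and method names are this example's own assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not code from the thread: bind to an LDAPS server through JNDI
 * trusting only the certificates in a chosen trust store, set per context rather
 * than through the JVM-wide javax.net.ssl.trustStore property, with hostname
 * verification kept on. Host, bind DN, file names and passwords are assumed.
 */
public class LdapsTrustStoreExample {

    // The JNDI LDAP provider loads the class named in java.naming.ldap.factory.socket
    // and calls its static getDefault(), so the SSLContext is handed over through a
    // static field before the InitialDirContext is created.
    public static class TrustStoreSocketFactory extends SSLSocketFactory {
        private static volatile SSLSocketFactory delegate;
        private final SSLSocketFactory inner;

        static void use(SSLContext ctx) { delegate = ctx.getSocketFactory(); }
        public static SSLSocketFactory getDefault() {   // invoked reflectively by the provider
            if (delegate == null) throw new IllegalStateException("use(SSLContext) not called");
            return new TrustStoreSocketFactory(delegate);
        }
        private TrustStoreSocketFactory(SSLSocketFactory inner) { this.inner = inner; }

        // A trusted CA alone does not stop another host holding a certificate from the same
        // CA from impersonating the server; require the certificate to match the dialled host.
        private static Socket harden(Socket s) {
            if (s instanceof SSLSocket) {
                SSLParameters p = ((SSLSocket) s).getSSLParameters();
                p.setEndpointIdentificationAlgorithm("LDAPS");
                ((SSLSocket) s).setSSLParameters(p);
            }
            return s;
        }

        @Override public String[] getDefaultCipherSuites() { return inner.getDefaultCipherSuites(); }
        @Override public String[] getSupportedCipherSuites() { return inner.getSupportedCipherSuites(); }
        @Override public Socket createSocket() throws IOException { return harden(inner.createSocket()); }
        @Override public Socket createSocket(Socket s, String h, int p, boolean auto) throws IOException { return harden(inner.createSocket(s, h, p, auto)); }
        @Override public Socket createSocket(String h, int p) throws IOException { return harden(inner.createSocket(h, p)); }
        @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException { return harden(inner.createSocket(h, p, lh, lp)); }
        @Override public Socket createSocket(InetAddress h, int p) throws IOException { return harden(inner.createSocket(h, p)); }
        @Override public Socket createSocket(InetAddress h, int p, InetAddress lh, int lp) throws IOException { return harden(inner.createSocket(h, p, lh, lp)); }
    }

    /** SSLContext whose only trust anchors are the entries of the given store (JKS or PKCS12). */
    public static SSLContext contextFor(String trustStorePath, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no client certificate, default SecureRandom
        return ctx;
    }

    public static DirContext connect(String host, int port, String bindDn, String password,
                                     SSLContext ctx) throws NamingException {
        TrustStoreSocketFactory.use(ctx);
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + host + ":" + port);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("java.naming.ldap.factory.socket", TrustStoreSocketFactory.class.getName());
        return new InitialDirContext(env);
    }

    public static void main(String[] args) throws Exception {
        // Assumed values; the trust store is the jssecacerts file built with keytool as above.
        SSLContext ctx = contextFor("/path/to/jssecacerts", "changeit".toCharArray());
        DirContext dir = connect("ldap.example.com", 636, "cn=reader,dc=example,dc=com", "secret", ctx);
        System.out.println("bound as " + dir.getEnvironment().get(Context.SECURITY_PRINCIPAL));
        dir.close();
    }
}
```

On the second question: the usual "accept every certificate" answer is a TrustManager whose checkServerTrusted does nothing. That keeps the encryption but removes authentication of the server, so whoever can redirect the TCP connection terminates the TLS session, and a simple bind then hands them the bind password in the clear. Letting the package's XML configuration point at a trust store, as the path above does, gives the deployment flexibility asked for without that loss. Endpoint identification is set explicitly here because JDKs before 8u181 did not enable it for LDAPS on their own.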
Similar Messages
-
Commons-Net FTPS : Trust All Certificates?
Hi,
I am using apache's commons-net 3.1 to try and establish an FTPS connection (port 990). I am trying to ftp directly into another computer (long story of why I have to do it this way, but I do). When I try to connect, I get a few security errors. Is there any way to allow/trust all certificates or disable certificate verification?
Any help or suggestions (on maybe another library that can do this?) are greatly appreciated!
Edited by: 943461 on Jun 28, 2012 10:16 AM
Why are you using FTPS if you don't want it to be secure?
Solve the real problem: import the certificates.
-
SSL Error 61: chosen not to trust security certificate; How to bypass?
I am trying to utilize Citrix XenApp to remotely access my work userid and applications from home. I can login and see my virtual desktop/applications, but when I try to run an application I get SSL Error 61: you have chosen not to trust "Equifax Secure Global eBusiness CA-1" the issuer of the server's security certificate. I have tried to update the certificate (FFx says its valid), add an exception (cannot because certif is valid), uninstall/reinstall application (no good), but still no luck. Have contacted my company's IT and they are baffled as well. Any ideas to bypass or redo a setting that says I do trust this certificate would be welcome.
Pardon my ignorance, but can you please explain further. I've read over the info from the link provided but it is beyond my technical comprehension. Is the Citrix database on my end, on my company server's end?
-
I can't "Trust all" a https certificate
Hi,
I'm facing this when trying to open a Oracle Forms (Java Applet) window. Basically I can't check the "Trust all applets" checkbox. I tried it using another browser, tried sudo, switched between 32 and 64 bit JVMs, but the checkbox won't be enabled. I'm running Mountain Lion and Java 1.6.0_33.
Does anyone have any tips on what to do? I'm still trying to install an older java version, so if anyones knows how to it will also be very helpfull.
PS: Sorry for the printscreen in portuguese, I hope the description is good enough.
Thanks,
Hi,
I found why the checkbox was disabled. I was messing around the security configuration and found this:
The three radio buttons control from where you can install new apps; the options are Mac App Store only, App Store + Trusted developer, and anywhere. When I changed it to anywhere, the checkbox on the applet window got enabled.
I should point out it is not recommended to leave this configuration like this forever, so if you change it keep in mind that you might want to change it back after you manually trust the certificates for the java applets.
-
LDAP + SSL + tomcat- Please help!
Please help! I searched the whole site; I'm new to JNDI, Security and eDirectory, and all I got was confusion and lots of exceptions.
Here's my problem: I'm trying to run a web application on the tomcat web server. I have a login.html for users to login to my application. Currently all usernames and passwords are stored in Novell eDirectory. Currently I have the following code.
<%@page import="javax.naming.*"%>
<%@page import="javax.naming.directory.*"%>
<%@page import="java.util.*"%>
<%@page import="java.lang.*"%>
<%@page import="java.security.*"%>
<%
String uid = request.getParameter("user");
// Set up the environment for creating the initial context
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://10.1.1.199:636/o=hcfhe");
env.put(Context.SECURITY_PRINCIPAL, "cn=ldapbrowse, ou=it, o=hcfhe");
env.put(Context.SECURITY_CREDENTIALS, "ldapbrowse");
env.put(Context.SECURITY_PROTOCOL, "ssl");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put("java.naming.ldap.factory.socket", "javax.net.ssl.SSLSocketFactory");
env.put("java.naming.ldap.version", "3");
// javax.net.ssl.keyStore holds the client's own key material (only needed when the server demands a
// client certificate); javax.net.ssl.trustStore is the file the server's certificate is checked against.
System.setProperty("javax.net.ssl.keyStore", "c://j2sdk1.4.0//jre//lib//security//cacerts");
System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
System.setProperty("javax.net.ssl.trustStore", "c://j2sdk1.4.0//jre//lib//security//cacerts");
System.setProperty("javax.net.debug", "all");
// Create the initial context
DirContext ctx = null;
try {
    ctx = new InitialDirContext(env);
    System.out.println("Is it binding..................");
    SearchControls ctls = new SearchControls();
    ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
    // uid comes straight from the request and is placed unescaped in the filter;
    // it should be escaped per RFC 4515 before being used this way.
    NamingEnumeration results = ctx.search("", "(cn=" + uid + ")", ctls);
    String dn = null;
    if (results.hasMore()) {
        SearchResult sr = (SearchResult) results.next();
        dn = sr.getName();
    }
    //String mycon = ((SearchResult)answer.next()).getName();
    System.out.println("DN" + dn);
    // ... do something useful with ctx
    // Note: this only checks that an entry with that cn exists; the password the user typed
    // is never verified, the bind above uses the fixed ldapbrowse account.
    if (dn != null) {
        response.sendRedirect("index2.html");
    }
} catch (NamingException e) {
    System.err.println("Problem getting attribute:" + e);
    e.printStackTrace();
} finally {
    if (ctx != null) {
        try { ctx.close(); } catch (NamingException ignored) { }
    }
}
%>
I am trying to authenticate my users over SSL to eDirectory, and HERE'S where I am totally lost (BTW I can connect to my LDAP directory without SSL). My network administrator has given me a certificate from the server called SSLMASTER.DER, which I tried to install in a file called CACERTS in java_home\jre\lib\security using keytool. And it seems like it's there using the keytool -list command.
and edited the server.xml:
<Connector className="org.apache.tomcat.service.PoolTcpConnector">
<Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
<Parameter name="port" value="8443"/>
<Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory"/>
<!--<Parameter name="keystore" value="C:/jakarta-tomcat-3.2.4/conf/.keystore" />-->
<Parameter name="keystore" value="C:/j2sdk1.4.0/jre/lib/security/cacerts" />
<Parameter name="keypass" value="changeit"/>
<Parameter name="clientAuth" value="true"/>
</Connector>
Now I restart tomcat and type in the following URL
http://localhost:8080/college_register/uk/ac/havering-college/index122.html, then I enter the username and password; when submitted it goes to the above java code. Even if I do https://localhost:8443/college_register/uk/ac/havering-college/index122.html, I still get the error below.
javax.naming.CommunicationException: simple bind failed: 10.1.1.199:636. Root exception is javax.net.ssl.SSLHandshakeException: Couldn't find trusted certificate
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(DashoA6275)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:69)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:127)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:385)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:309)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:168)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2516)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:263)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:76)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
at javax.naming.InitialContext.init(InitialContext.java:219)
at javax.naming.InitialContext.<init>(InitialContext.java:195)
at javax.naming.directory.InitialDirContext.<init>
please tell me what else I need to do.
Get a copy of your ldap server's public certificate. Use keytool to import (and create) that cert into a truststore. Configure the ssl props to use the new truststore.
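The keytool step in that reply has one weak link: a trust store trusts whatever is imported into it, so the certificate file has to be the genuine one. The following is an added example, not code from the thread, that does the same import in Java but only after the certificate's SHA-256 fingerprint matches a value obtained from the directory administrator by a separate channel. CertificateFactory reads DER files (.cer, .der, the SSLMASTER.DER above) as well as PEM files. The class name, method names, the alias "ldap-server" and the command-line layout are this example's own choices; the store password "changeit" is a placeholder.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/**
 * Added example, not code from the thread: the "keytool -import" step done in
 * code, so the import can refuse a certificate whose fingerprint does not match
 * the one the directory administrator gave out of band. Class name, method names
 * and the command-line arguments are this example's own choices.
 */
public class TrustStoreImporter {

    /** Reads one X.509 certificate; CertificateFactory accepts both DER (.cer/.der) and PEM (.arm/.pem) files. */
    public static X509Certificate readCertificate(String path) throws GeneralSecurityException, IOException {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** SHA-256 over the DER encoding, formatted "AB:CD:..." as keytool -list -v and openssl x509 -fingerprint print it. */
    public static String sha256Fingerprint(X509Certificate cert) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    /** Normalises a fingerprint typed by hand: case, separators and spaces do not matter. */
    static String normalise(String fp) {
        return fp.replaceAll("[^0-9A-Fa-f]", "").toUpperCase();
    }

    /**
     * Adds the certificate under the alias, creating the store if needed. The check is the point:
     * a trust store accepts whatever is put in it, and a certificate file received by e-mail or
     * from a download page could have been replaced on the way.
     */
    public static void importTrusted(String certPath, String expectedSha256, String storePath,
                                     char[] storePassword, String alias)
            throws GeneralSecurityException, IOException {
        X509Certificate cert = readCertificate(certPath);
        String actual = sha256Fingerprint(cert);
        if (!normalise(actual).equals(normalise(expectedSha256))) {
            throw new GeneralSecurityException("fingerprint mismatch, refusing to trust " + certPath
                    + " (got " + actual + ")");
        }
        cert.checkValidity();   // expired or not-yet-valid certificates are rejected up front

        KeyStore store = KeyStore.getInstance("JKS");   // the jssecacerts file in the thread is a JKS store
        File f = new File(storePath);
        if (f.exists()) {
            try (InputStream in = new FileInputStream(f)) { store.load(in, storePassword); }
        } else {
            store.load(null, storePassword);   // start an empty store
        }
        store.setCertificateEntry(alias, cert);
        try (OutputStream out = new FileOutputStream(f)) { store.store(out, storePassword); }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustStoreImporter <server_cert.cer> <expected-sha256-fingerprint> <truststore>");
            System.exit(2);
        }
        // Store password is a placeholder; "changeit" is keytool's well-known default for cacerts.
        importTrusted(args[0], args[1], args[2], "changeit".toCharArray(), "ldap-server");
        System.out.println("imported " + args[0] + " into " + args[2]);
    }
}
```

If the resulting file is named jssecacerts and placed in the JRE's lib/security directory, JSSE picks it up with no system property at all (it looks for jssecacerts before cacerts when javax.net.ssl.trustStore is unset); anywhere else it needs the property, or an SSLContext built from it. Java's PKIX trust manager also accepts an end-entity certificate placed directly in the trust store, which is why importing the server's own self-signed certificate, as in this thread and the IdM one below, is enough.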
-
EDSPermissionError(-14120) problems with LDAP, SSL and Directory Utility
Hello everyone,
Apologies for the repost but I think I may have made a mistake by posting this originally in the Installation, Setup and Migration forum instead of the Open Directory forum. At least I think that may be why I didn't receive any responses.
Anyway, I've been trying to get my head around Open Directory and SSL as they are implemented in Mac OS X Server 10.5 Leopard, and have been having a few issues. I would like to set up a secure internal infrastructure based around a local Certificate Authority that signs certificates for other internal services like LDAP, email, websites, etc.
I only have one Mac OS X Server and it is kind of a small office so I have gone against best practice and simply made it a CA (through Keychain Utility). I then generated a self-signed SSL certificate through Server Admin, and used the "Generate CSR" option to create a Certificate Signing Request. This went fine, but I did have some problems signing it with the CA, because the server documentation suggested that once I signed it it would pop open a Mail message containing the ASCII version of the signed certificate - it did not, and it took me a loooong time to realize that I could simply export the copy of the signed certificate it put in my local Keychain on the server as a PEM file and paste this back into the "Add Signed or Renewed Certificate from Certificate Authority" dialog box in Server Admin. Hopefully this can be fixed in a forthcoming patch, but I thought I would mention it here in case anyone else is stuck on this issue.
Once I did this I was able to use this certificate in the web server on the same machine and sure enough I was able to connect to it with with clients who had installed the CA certificate in their system Keychains without getting any error messages - very cool.
However, I haven't had quite as much luck getting it going with LDAP/Open Directory. I installed the certificate there as well, but have run into a number of problems. At first I could not get clients (also running 10.5.2) to talk to the server at all over SSL, receiving an error in Directory Utility that the server did not support SSL. I eventually discovered that the problem seemed to lie in the fact that the OpenLDAP implementation on Leopard is not tied in with the system Keychain, necessitating some command-line voodoo to install a copy of the CA cert in a local directory and point /etc/openldap/ldap.conf at it, as documented here: http://www.afp548.com/article.php?story=20071203011158936
This allowed me to do an ldapsearch command over SSL, and seemingly turn SSL on on clients that were previously bound to the directory, and additionally allowed me to run Directory Utility on new clients and put in the server name with the SSL box checked and begin to go through the process of binding. Once this seemed to work, I turned off all plaintext LDAP communication and locked down the service by checking the "Enable authenticated directory binding," "Require authenticated binding," "Disable clear text passwords," and "Encrypt all packets" options in Server Admin. However, I am now running into a new problem, specifically that I cannot successfully bind a local account to a directory account over SSL.
Here's what happens:
1) I run Directory Utility, (or it auto-runs) and add a server, typing in the DNS name and clicking the SSL box.
2) I get asked to authenticate, and type in user credentials, including computer name (incidentally, should this be a FQDN or just a hostname?)
3) Provided I put admin credentials in here and not user-level credentials, I get taken to the "Do you want to set up Mail, VPN, etc.?" box that normally appears when you autodiscover or connect to an Open Directory server.
4) I click through, and am asked for a username and password on the server, as well as the password for my local account.
5) When I put this information in, I get a popup with the dreaded "eDSPermissionError(-14120)" and it fails.
Checking the logs in Server Admin reveals nothing special, and while I have seen a couple other threads on this error and various other binding problems:
http://discussions.apple.com/thread.jspa?messageID=5967023
http://discussions.apple.com/message.jspa?messageID=5982070
these have not solved the problem. In the Open Directory user name field I am putting the short username. I have tried putting [email protected] and the user's longname but this fails by saying the account does not exist. For some reason it does seem to work if I bind it to the initial admin account I created, but no other user accounts.
If I turn all the encryption stuff off I am able to join just fine, so I am suspecting that the error may lie in some other "under the hood" piece of software that doesn't get the CA trust settings from the Keychain or the ldap.conf file, but I'm stymied as to which piece of software this might be. Does anyone have any clues on what I might be able to do here?
Thanks,
Andrew
Hard to tell what is happening without looking at the application source, knowing what OS & hardware you're using etc. You might want to try running with different JVM versions to see if it's actually the VM that is the problem. If you have a support contract with BEA you could ask support to help you diagnose this.
Regards,
/Helena
Ayub Khan wrote:
I have an application running on Weblogic 8.1 (with JRockit as the JVM). This application in turn talks to an iPlanet Directory server via LDAP/SSL. The problem seems to happen on loading the machine: the performance progressively gets worse and after a couple of seconds, all the threads stop responding. I checked the heap, CPU and the idle threads in the execute queue and there is nothing there to trigger alarms; there are quite a few idle threads still and the heap and the CPU utilization seem OK. On doing a thread dump, I see that all the other threads seem to be in a state where they are waiting for data from LDAP and it is basically read only data that they are waiting on.
Does anyone know what is going on and help point me in the right direction.
-Ayub
-
IdM SPE Ldap SSL operations hang
Hi all,
We're having a problem with IdM SPE hanging while doing LDAP operations over SSL. Has anyone encountered this before? We're under a tight deadline and any inputs/suggestions would automatically make the contributor my hero.
Description:
Our application is hanging when we try to use SPE's APIs to add some users to an LDAPS resource. We see these connections being logged in the LDAP logs, however binding never occurs. Instead these LDAP connections from SPE seem to sit until timeout.
Environment:
IdM 6.0 SPE SP1
AIX 5.2
J2RE 1.4.2 IBM AIX SP7
BEA WebLogic 8.1 SP5
SunOne Directory Server 5.2
Evaluation:
After a long period of time we see the following exception in our application logs:
javax.naming.CommunicationException: Request: 1 cancelled
at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java(Inlined Compiled Code))
at com.sun.jndi.ldap.Connection.readReply(Connection.java(Compiled Code))
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:357)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:210)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2657)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:307)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:190)
What we noticed is that LDAP connections (no SSL) seem to be okay. We have verified that connections can be made from our app server box to our LDAP server on the ssl port. We've also created a simple java servlet that makes LDAPS connections using JNDI and put this in the same container as IdM and this seems to connect okay as well. This seems to indicate that the hanging is not a SSL issue but an SPE one.
We do notice from examining the LDAP logs that the same connections are being used over and over. This is expected connection pooling behavior, but could this be an issue if we switch our connection from LDAP to LDAPS? Does the pool not get purged when we switch on SSL?
Updated findings:
We were able to duplicate this on a windows sand box environment. Again it breaks when SPE tries to do an LDAPS operation. Here's what we figured out so far.
a.) Definitely not a certificate issue
b.) Almost definitely not a JDK/JCE/JSSE issue
c.) Definitely not an LDAP issue
d.) Not an IdM 6.0 issue (Can provision users from IdM console)
e.) Not a connection pooling issue (Turned off pooling and it still hung)
f.) Not a network issue.
It seems at this stage that the problem stems from SPE. Has anyone ever gotten SPE to work with LDAP over ssl? Any suggestions?
-
Weblogic 8.1 and Novell LDAP SSL
Hi Everyone !
I'm having problems enabling SSL between Weblogic 8.1 and Novell LDAP. I have
the non-SSL working. All the BEA documentation I've found indicates that the SSL
Enabled checkbox needs to be checked and that's all. This can't be all because
I get the following errors.
Does anyone know how to solve this ?
Thanks,
Eddie
####<Oct 1, 2003 12:06:42 PM EDT> <Notice> <Security> <6X19DYSZH1ZV> <mytest>
<ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-090169>
<Loading trusted certificates from the jks keystore file C:\bea8.1\WEBLOG~1\server\lib\DemoTrust.jks.>
####<Oct 1, 2003 12:06:42 PM EDT> <Notice> <Security> <6X19DYSZH1ZV> <mytest>
<ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-090169>
<Loading trusted certificates from the jks keystore file C:\bea8.1\JDK141~1\jre\lib\security\cacerts.>
####<Oct 1, 2003 12:06:42 PM EDT> <Warning> <Security> <6X19DYSZH1ZV> <mytest>
<ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-090476>
<Invalid/unknown SSL header was received from peer NASTEA02 - 10.4.5.104 during SSL handshake.>
You need to configure the server SSL to trust the identity certificate it receives from nastea02.bankofny.com. If you want to use the default configuration you could simply import the CA certificate that issued that identity certificate to the DemoTrust.jks keystore.
Also, look at Using Host Name Verification here: http://edocs.bea.com/wls/docs81/secmanage/ssl.html#1187786 because this might be another reason why the certificate is rejected.
Pavel.
"Eddie Baue" <[email protected]> wrote:
>
Hi Everyone !
Please ignore the exceptions from my previous posting. I'm getting a new exception, which I've listed below.
Thanks,
Eddie
####<Oct 1, 2003 2:47:20 PM EDT> <Warning> <Security> <6X19DYSZH1ZV> <mytest>
<ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-090477>
<Certificate chain received from nastea02.bankofny.com - 10.4.5.104 was not trusted causing SSL handshake failure.>
-
IBM Websphere to ActiveDirectory (Win 2003) LDAP SSL.
I am trying to connect to Win 2003 AD LDAP from Websphere Application Server.
I have installed the Win2k certificates into the local key store.
I used ikeyman of Websphere. The Win2k3 certificates were in .arm format (that's how the Win2k3 admin gave them to me). I successfully installed the certificates in the local keystore and pointed to the keystore when the LDAP connection is happening.
I am getting a MalformedURLException: cannot parse url ldaps://xx.xx.x.x:636 Not an LDAP url.
At the same time I also tried with the Sun JDK. It shows another error:
default context init failed: java.security.cert.CertificateParsingException: java.io.IOException: subject key, Unknown key spec: Invalid RSA modulus size.
Please help me. I want this program to run from the IBM Websphere environment.
Please find my code below.
thanks in advance.
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.ldap.*;
import javax.naming.directory.*;
import java.io.*;
public class Test {
    public static void main(String args[]) {
        //String userName = "CN=Renjith\\, Vasudevan";
        String userName = null;
        String test = ",OU=xx,OU=xx,DC=xx,DC=xxm";
        String newPassword = "xxx";
        String oldPassword = "xx";
        Hashtable env = new Hashtable();
        //Hard coded values - will be moved to properties file.
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        //env.put(Context.PROVIDER_URL, "ldap://X.X.X.X:389");
        env.put(Context.PROVIDER_URL, "ldaps://X.X.X.X:636");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        //env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
        env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
        env.put(Context.SECURITY_CREDENTIALS, "xxxx");
        //env.put(Context.SECURITY_PROTOCOL,"ssl");
        String keystore = "C:\\j2sdk1.4.2_04\\jre\\lib\\security\\cacerts";
        System.setProperty("javax.net.ssl.trustStore", keystore);
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
        LdapContext ctx = null;
        try {
            // Create the initial directory context
            ctx = new InitialLdapContext(env, null);
            // This following code only for getting correct dn - Hardcoded dn had some tabbing/char problem.
            // Renjith - begin
            SearchControls constraints = new SearchControls();
            constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
            String[] strAttributes = { "sAMAccountName", "memberOf" };
            //String FILTER = "(&(objectClass=user))";
            String FILTER = "(&(objectClass=user)(sAMAccountName=prrev))";
            String searchBase = "OU=xx,OU=xx,DC=infores,DC=xx";
            constraints.setReturningAttributes(strAttributes);
            NamingEnumeration results = ctx.search(searchBase, FILTER, constraints);
            System.out.println("results : " + results);
            while (results != null && results.hasMore()) {
                SearchResult sr = (SearchResult) results.next();
                String dn = sr.getName();   // relative to searchBase, hence the suffix appended below
                //String dn = ((Context)sr.getObject()).getNameInNamespace();
                if (dn.indexOf("Renjith") != -1) {
                    System.out.println("Distinguished Name : " + dn);
                    //System.out.println("Charg"+dn.toCharArray());
                    userName = dn + test;
                    break;
                }
            }
            // Renjith - end.
            if (userName == null) {
                System.out.println("No matching user found, nothing to modify.");
                return;
            }
            //set password is a ldap modify operation
            // AD expects unicodePwd as the quoted password in UTF-16LE; removing the old value and adding
            // the new one in a single modify is the user's own password change (the old password is required).
            ModificationItem[] mods = new ModificationItem[2];
            String oldQuotedPassword = "\"" + oldPassword + "\"";
            byte[] oldUnicodePassword = oldQuotedPassword.getBytes("UTF-16LE");
            String newQuotedPassword = "\"" + newPassword + "\"";
            byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
            mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", oldUnicodePassword));
            mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", newUnicodePassword));
            System.out.println("Trying to reset Password for: " + userName);
            // Perform the update
            ctx.modifyAttributes(userName, mods);
            System.out.println("Reset Password for: " + userName);
        } catch (NamingException e) {
            e.printStackTrace();
            System.out.println("Problem resetting password: " + e);
        } catch (UnsupportedEncodingException e) {
            System.out.println("Problem encoding password: " + e);
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
The first error you described "malformed URL" is possibly due to the fact that your JRE version 1.4 does not support the ldaps URL.
If using 1.4 then you must use the following syntax:
env.put(Context.PROVIDER_URL,"ldap://servername:636");
If using 1.5, then it supports the syntax:
env.put(Context.PROVIDER_URL,"ldaps://servername:636");
I can't comment on the other error message you receive, however I am concerned at two things: one is that in your sample code you are using a "null" user name, and secondly, I have no idea what certificate you have installed. I do not recall seeing a Windows CA cert with the extension of .arm. Normally the Root CA exported trust cert has the extension of .cer
-
Problems Running out of IDE (Netbeans) LDAP SSL
I am kind of new to Java and I have a problem with code that is using a TrustStore. Basically if I run the code within Netbeans everything works, but if I do the "Clean and Build" and execute the JAR file, when I check my logger when running outside the IDE I am getting the following exception.
Mar 06, 2015 9:40:58 AM ad_pass_reset.AD_Pass_reset INFO: Bind error: javax.naming.CommunicationException: WIN-A321J1VGM4K:636 [Root exception is java.lang.ExceptionInInitializerError]
Which is caused by this part
// serverIP, DAUser, DAPass and ldapContext are fields of the enclosing class.
public AD_Pass_reset() {
    Logger logger = Logger.getLogger("MyLog");
    try {
        Hashtable ldapEnv = new Hashtable();
        ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        ldapEnv.put(Context.PROVIDER_URL, "ldap://" + serverIP + ":636");
        ldapEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
        ldapEnv.put(Context.SECURITY_PRINCIPAL, DAUser);
        ldapEnv.put(Context.SECURITY_CREDENTIALS, DAPass);
        ldapEnv.put(Context.SECURITY_PROTOCOL, "ssl");
        ldapContext = new InitialDirContext(ldapEnv);
    } catch (Exception e) {
        logger.info("Bind error: " + e);
        e.printStackTrace();   // the cause nested in the ExceptionInInitializerError names the failing static initializer
        System.exit(-1);
    }
}
And from what I have found, the Bind error could be caused because the code is not able to use the Certificate. Here is how I call the truststore:
String keystore = "C:\\Program Files\\Java\\jre7\\lib\\security\\securitycacerts";
System.setProperty("javax.net.ssl.trustStore", keystore);
System.setProperty("javax.net.ssl.keyStorePassword", "12345!");   // note: this is the key store password property, not javax.net.ssl.trustStorePassword
System.setProperty("javax.net.debug", "all");
I know that my LDAP works with SSL because I can connect using LDP.exe, and in fact if I run my application using Netbeans everything works.
Does anybody know how to get around this?
Thank you
-
SSL CA Trust Store issue in Android 2.1
Here is one more reason Samsung/Verizon should push Android 2.2. Websites using SSL Certificates from some valid Certificate Authorities are throwing SSL Certificate warnings when accessed via Android 2.1. This is because the CA Trust store in Android 2.1 is old and incomplete. It does not contain the full list of trusted CAs that are commonly found in regular desktop browsers like Safari, Chrome, FF and IE. Android 2.2 has a more updated and complete Trusted CA store.
Also, Android 2.1 does not have a published feature for importing CA Certificates (there are some manual workarounds for people who took their phone to the dentist). So, even if you had a valid reason to add a valid CA certificate from a company like Verisign or COMODO or your enterprise to your trust store, you can not do it. So, you have to get used to constantly accepting certificate warnings (which is a security risk in that you may inadvertently accept a certificate signed by a really invalid/bad CA).
Is anyone aware of a fix for this issue? If not, does Verizon have any plans to address it?
ps: I do not want help for installing client certificates. These are not the same as CA certificates. Android can import client certificates from a URL or from an SD card using Settings->Locations&Security->Credential Storage section.
They were talking about this
In cryptography and computer security, a root certificate is either an unsigned public key certificate or a self-signed certificate that identifies the Root Certificate Authority (CA). A root certificate is part of a public key infrastructure scheme. The most common commercial variety is based on the ITU-T X.509 standard, which normally includes a digital signature from a certificate authority (CA).
Digital certificates are verified using a chain of trust. The trust anchor for the digital certificate is the Root Certificate Authority (CA).
A certificate authority can issue multiple certificates in the form of a tree structure. A root certificate is the top-most certificate of the tree, the private key of which is used to "sign" other certificates. All certificates immediately below the root certificate inherit the trustworthiness of the root certificate - a signature by a root certificate is somewhat analogous to "notarizing" an identity in the physical world. Certificates further down the tree also depend on the trustworthiness of the intermediates (often known as "subordinate certification authorities").
Many software applications assume these root certificates are trustworthy on the user's behalf. For example, a Web browser uses them to verify identities within SSL/TLS secure connections. However, this implies that the user trusts their browser's publisher, the certificate authorities it trusts, and any intermediates the certificate authority may have issued a certificate-issuing-certificate, to faithfully verify the identity and intentions of all parties that own the certificates. This (transitive) trust in a root certificate is the usual case and is integral to the X.509 certificate chain model.
The root certificate is usually made trustworthy by some mechanism other than a certificate, such as by secure physical distribution. For example, some of the most well-known root certificates are distributed in the Internet browsers by their manufacturers -
Hello:
I try to connect IDM 6.0 SP1 with Sun Directory Server 5 (LDAP) using the LDAP adapter. If I use the non-secure port (389) it is OK and the connection works fine.
But if I try to use the SSL port (636) I obtain an error.
Directory Server is configured to work with both ports (389 and 636), it has SSL enabled and has a certificate (self-signed). Another application (an LDAP browser) can connect to the SSL port without problem.
Is there another thing to do on the machine running IDM? (for example, install the LDAP certificate) How do I do this?
Both machines are Solaris 10 x86 and they are in the same DNS domain.
Thanks
To connect to an SSL resource, you must have a certificate trust chain defined in the Java Virtual Machine in which IDM is running. Not knowing what web server you are running IDM on, I must be general in my reply. You need to include the following system property definition in the java parameters for your JVM:
-Djavax.net.ssl.trustStore=<fully qualified path to a JKS keystore containing the trust chain for your self signed server cert>
e.g.
-Djavax.net.ssl.trustStore=/myapps/idm/truststore.jks
You can create the truststore using the keytool utility that comes with the Sun Java JDK (<JAVA_HOME>/bin/keytool). Hope this helps.
FYI - your browser queries to LDAP work because you have the trust chain stored in your browser certificate cache. -
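The -Djavax.net.ssl.trustStore property above is global to the JVM: every JSSE client in that process, not just the IDM LDAP adapter, starts trusting that file. When the trust decision should stay local to one connection, JNDI accepts the name of an SSLSocketFactory class through the java.naming.ldap.factory.socket property and calls its static getDefault(). The class below is an added example, not code from this thread or from IDM: it builds its SSLContext from a dedicated truststore (the path /myapps/idm/truststore.jks and the password are assumptions, as is the ldaps://ldap.example.local URL), turns on hostname checking against the certificate, and otherwise behaves like the platform factory, so an unknown or self-signed certificate that is not in that file is still rejected.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * SSLSocketFactory backed by one dedicated truststore. JNDI instantiates it by
 * name (java.naming.ldap.factory.socket) and calls the static getDefault(), so
 * the trust decision is scoped to this DirContext rather than the whole JVM.
 */
public class PinnedTrustSocketFactory extends SSLSocketFactory {
    // Assumed values for this example; point them at your own truststore.
    static final String TRUSTSTORE = System.getProperty("ldap.truststore", "/myapps/idm/truststore.jks");
    static final String TRUSTSTORE_PW = System.getProperty("ldap.truststore.password", "changeit");

    private static SSLSocketFactory delegate;

    /** Lazily builds one SSLSocketFactory whose only trust anchors are the entries in TRUSTSTORE. */
    private static synchronized SSLSocketFactory delegate() {
        if (delegate == null) {
            try {
                KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
                try (FileInputStream in = new FileInputStream(TRUSTSTORE)) {
                    ts.load(in, TRUSTSTORE_PW.toCharArray());
                }
                TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                tmf.init(ts);                       // trust exactly this file, nothing from cacerts
                SSLContext ctx = SSLContext.getInstance("TLS");
                ctx.init(null, tmf.getTrustManagers(), null);
                delegate = ctx.getSocketFactory();
            } catch (IOException | GeneralSecurityException e) {
                throw new IllegalStateException("cannot load LDAP truststore " + TRUSTSTORE, e);
            }
        }
        return delegate;
    }

    /** JNDI looks this static method up reflectively; it must exist with this signature. */
    public static SocketFactory getDefault() {
        return new PinnedTrustSocketFactory();
    }

    /** Ask JSSE to match the dialled host name against the certificate's SAN/CN during the handshake. */
    private static Socket withHostnameCheck(Socket s) {
        if (s instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket) s;
            SSLParameters p = ssl.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("LDAPS");
            ssl.setSSLParameters(p);            // handshake has not started yet, so this takes effect
        }
        return s;
    }

    @Override public String[] getDefaultCipherSuites() { return delegate().getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate().getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return withHostnameCheck(delegate().createSocket(s, host, port, autoClose));
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return withHostnameCheck(delegate().createSocket(host, port));
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return withHostnameCheck(delegate().createSocket(host, port, localHost, localPort));
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return withHostnameCheck(delegate().createSocket(host, port));
    }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return withHostnameCheck(delegate().createSocket(address, port, localAddress, localPort));
    }

    /** Anonymous bind over LDAPS, just to exercise the trust path. */
    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ldap.example.local:636");   // assumed host
        env.put("java.naming.ldap.factory.socket", PinnedTrustSocketFactory.class.getName());
        DirContext ctx = new InitialDirContext(env);
        System.out.println("connected, naming context: " + ctx.getNameInNamespace());
        ctx.close();
    }
}
```

The truststore itself is built the same way the answer describes (keytool -import of the server's self-signed certificate or its issuing CA); the only difference is that it is handed to this one factory instead of to the whole JVM, and that the factory refuses a certificate whose name does not match the host it dialled.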
Trusted CA Certificate Ignored When Connecting To Node Manager
I have a question about Node Manager.
I have the following configuration:
OS: Linux (CentOS 5.4) 32bit
Oracle WebLogic Server 11gR1 (10.3.2)
Portal, Forms, Reports and Discoverer (11.1.1.2.0) - only Forms and Reports are installed and configured
All configured components start successfully, but I receive the following security related messages when I connect to Node Manager.
java -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.TrustKeyStore=DemoTrust weblogic.WLST
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
wls:/offline> nmConnect('weblogic', <weblogic password>, 'icweb001', '5556', <domain name>)
Connecting to Node Manager ...
<Nov 25, 2009 3:35:35 PM EST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Nov 25, 2009 3:35:35 PM EST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
Successfully Connected to Node Manager.
wls:/nm/DynaMed>
I understand that the two BEA-090898 messages associated with the specified certificates are informational, but is there anything I can do to either,
1) correct the certificate so the messages are not generated, or
2) change my setup so that the messages are not displayed?
Thanks in advance for your help.
The certificates at issue belong to the $JAVA_HOME keystore in WebLogic
$JAVA_HOME/jre/lib/security/cacerts
ttelesecglobalrootclass3ca, Feb 10, 2009, trustedCertEntry,
ttelesecglobalrootclass2ca, Feb 10, 2009, trustedCertEntry,
I was able to stop the warning messages from appearing when connecting to node manager, by removing these two certificates from the $JAVA_HOME/jre/lib/security/cacerts keystore.
cd $JAVA_HOME/jre/lib/security
cp -p cacerts cacerts.original
chmod 644 cacerts
keytool -delete -alias ttelesecglobalrootclass2ca -keystore cacerts
keytool -delete -alias ttelesecglobalrootclass3ca -keystore cacerts
chmod 444 cacerts cacerts.original
Once the certs are removed from the keystore, the warning messages no longer appear when connecting to node manager.
Some additional information on these two certificates can be found at:
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6803022
Edited by: wblum on Feb 18, 2010 1:10 PM -
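The OID in the two notices, 1.2.840.113549.1.1.11, is sha256WithRSAEncryption; the two T-TeleSec roots shipped in the JDK cacerts of that era are signed with it, and the SSL implementation in WebLogic 10.3.2 did not parse that AlgorithmIdentifier, so it skipped the entries and said so. Deleting them from $JAVA_HOME/jre/lib/security/cacerts does silence the notices, but it edits the trust store of every application on that JDK and is undone by the next JDK update. A narrower approach, added here as an example and not code from the thread or from WebLogic: copy cacerts into a separate truststore, leaving out only the entries whose signature algorithm is that OID, and point WebLogic at the copy. The output file name and the default cacerts password "changeit" are assumptions.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/** Writes a copy of a JKS truststore without the entries signed with one algorithm OID; the source file is left untouched. */
public class FilterTrustStore {
    /** The AlgorithmIdentifier OID WebLogic 10.3.2 reported as unsupported: sha256WithRSAEncryption. */
    static final String SHA256_WITH_RSA = "1.2.840.113549.1.1.11";

    /** Copies trusted-certificate entries from src into dst, skipping those signed with skipOid; returns the skipped aliases. */
    static List<String> copyWithoutSigAlg(KeyStore src, KeyStore dst, String skipOid) throws Exception {
        List<String> skipped = new ArrayList<>();
        for (Enumeration<String> e = src.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!src.isCertificateEntry(alias)) {
                continue;                               // private-key entries are not trust anchors; leave them out
            }
            Certificate c = src.getCertificate(alias);
            if (c instanceof X509Certificate && skipOid.equals(((X509Certificate) c).getSigAlgOID())) {
                skipped.add(alias);                     // e.g. ttelesecglobalrootclass2ca / ...class3ca
                continue;
            }
            dst.setCertificateEntry(alias, c);
        }
        return skipped;
    }

    public static void main(String[] args) throws Exception {
        // java.home is the jre directory on Java 8, so this resolves to jre/lib/security/cacerts there.
        String in = args.length > 0 ? args[0] : System.getProperty("java.home") + "/lib/security/cacerts";
        String out = args.length > 1 ? args[1] : "wls-truststore.jks";   // assumed name
        char[] pw = "changeit".toCharArray();                           // JDK default; assumed unchanged

        KeyStore src = KeyStore.getInstance("JKS");
        try (InputStream is = new FileInputStream(in)) {
            src.load(is, pw);
        }
        KeyStore dst = KeyStore.getInstance("JKS");
        dst.load(null, null);                                           // start empty

        List<String> skipped = copyWithoutSigAlg(src, dst, SHA256_WITH_RSA);
        try (OutputStream os = new FileOutputStream(out)) {
            dst.store(os, pw);
        }
        System.out.println("skipped " + skipped.size() + " entries signed with " + SHA256_WITH_RSA + ": " + skipped);
        System.out.println("wrote " + dst.size() + " trusted entries to " + out);
    }
}
```

Run it as java FilterTrustStore [cacerts] [wls-truststore.jks], then start WLST with -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=/path/wls-truststore.jks instead of DemoTrust (plain JSSE clients take the copy through -Djavax.net.ssl.trustStore). The JDK's own cacerts stays read-only, and re-running the copy after a JDK update picks up any roots added since.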
Issue by enabling LDAP + SSL
Hi!!
I tried to enable LDAPS and for that I created a standalone CA within my network. I made the certificate request as follows:
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=PDC.example.local"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
I have created a .req file
In certmgr.msc I have downloaded the certificate chain. I have installed the cert from the standalone CA in Trusted Root Certificates and the cert from my Domain Controller in Personal.
I have rebooted the DC but when checking with ldp.exe it shows me the following error:
ld = ldap_sslinit ("192.168.1.8", 636, 1);
Error 0 = ldap_set_option (hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect (hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to 192.168.1.8.
I followed all the manuals and I cannot enable LDAPS, I need help!!
It seems the LDAP client cannot connect to the DC on port 636.
Make sure the port is allowed in firewall(s). Check if it is listening on the dc using netstat -an and check if you can connect to it using telnet <ip> <port>
MCP/MCSA/MCTS/MCITP -
We have a public SSL certificate that allows for Active Directory sync with LDAPS on port 636 with our email smart host. This was working fine and suddenly stopped working and we are now getting SChannel errors, Event ID 36869. There were no changes made to the Exchange server, the firewall or the DC which holds the certificate. I have run a new certreq from the DC and then re-keyed the public SSL certificate and re-installed 3 times, but the error does not go away and AD Sync with the vendor fails. When I run LDP.exe the connection on port 636 fails with "cannot open connection" and the system event log throws the SChannel event 36869 "The SSL server credential's certificate does not have a private key information property attached to it". There is no software firewall set on the DC. When I run Certutil -VerifyStore MY it shows the current certificates as well as the revoked and expired certificates correctly. Certificate 0 is the public cert and is listed with Server and Client authentication, the FQDN of the server is correct and "Certificate is Valid" is listed. The private cert is Certificate 1 and has server and client authentication, the FQDN is correct, the private key is not exportable and it ends with "Certificate is Valid". I do not see a point in re-keying the cert again until I figure out what the root of the problem is. I have read in some forums that the private cert should not be set to expire after the public cert, but that does not make a lot of sense when in a situation like this the private cert is of course newer than the public. In fact it is too early to renew the public cert. I have been troubleshooting this for a few days and at this point I would have to drop my AD sync with the vendor to LDAP in order to add new users. I do not want to do that for obvious reasons and I do not want to have our spam filtering and email archive service running without Directory sync. Any help would be greatly appreciated.
Hi,
Have you tried this?
How to assign a private key to a new certificate after you use the Certificates snap-in to delete the original certificate in Internet Information Services
http://support.microsoft.com/kb/889651
Best Regards,
Amy
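Both LDAPS threads above end with ldp.exe reporting that port 636 cannot be opened, and that one message covers three different failures: nothing listening (or a firewall in between), a DC that offers no usable server certificate so the TLS handshake aborts (the SChannel 36869 case, where the certificate in MY has no private key attached), or a certificate that is there but does not match the name or chain. The probe below, an added example rather than anything from these posts, tells them apart from any machine with a JDK and no trust changes: it connects, runs the handshake under the platform trust store, and prints what the server presented, including the signature algorithm OID. The trust manager only records the chain and then delegates the accept/reject decision to the platform one, so it never trusts more than the JDK default. The host defaults to the 192.168.1.8 shown in the ldp.exe output above; the timeout is an assumption.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.SocketTimeoutException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Connects to host:636, runs the TLS handshake, and reports which stage failed and which chain the server offered. */
public class LdapsProbe {

    /** Records the chain the server sent, then defers to the platform trust manager; nothing extra is trusted. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager platform;
        X509Certificate[] presented;

        RecordingTrustManager(X509TrustManager platform) { this.platform = platform; }

        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            presented = chain;                          // keep it even if the next line rejects it
            platform.checkServerTrusted(chain, authType);
        }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            platform.checkClientTrusted(chain, authType);
        }
        @Override public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }
    }

    /** The JDK's default trust manager: javax.net.ssl.trustStore if set, otherwise the JDK cacerts. */
    static X509TrustManager platformTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "192.168.1.8";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 636;
        int timeoutMs = 5000;                           // assumed

        RecordingTrustManager recorder = new RecordingTrustManager(platformTrustManager());
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);

        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            s.connect(new InetSocketAddress(host, port), timeoutMs);     // stage 1: TCP reachability
            System.out.println("TCP connect to " + host + ":" + port + " OK");
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("LDAPS");                // stage 3: name check, done inside the handshake
            s.setSSLParameters(p);
            s.setSoTimeout(timeoutMs);
            s.startHandshake();                                           // stage 2: server certificate and chain
            System.out.println("TLS handshake OK: " + s.getSession().getProtocol() + " " + s.getSession().getCipherSuite());
        } catch (SSLHandshakeException e) {
            // No certificate offered (no private key on the DC), untrusted issuer, or name mismatch all land here.
            System.out.println("TLS handshake rejected: " + e.getMessage());
        } catch (SSLException e) {
            System.out.println("TLS failed after connect (peer closed or reset during handshake): " + e.getMessage());
        } catch (SocketTimeoutException e) {
            System.out.println("timed out: port filtered, or the server never completed the handshake");
        } catch (IOException e) {
            System.out.println("TCP connect failed, which ldp.exe reports as error 81 / 0x51: " + e.getMessage());
        }
        dumpChain(recorder.presented);
    }

    /** Prints subject, issuer, signature algorithm (name and OID) and expiry for each certificate the server sent. */
    static void dumpChain(X509Certificate[] chain) {
        if (chain == null) {
            System.out.println("server presented no certificate chain");
            return;
        }
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = chain[i];
            System.out.printf("[%d] subject=%s%n    issuer=%s%n    sigalg=%s (%s)%n    notAfter=%s%n",
                    i, c.getSubjectX500Principal(), c.getIssuerX500Principal(),
                    c.getSigAlgName(), c.getSigAlgOID(), c.getNotAfter());
        }
    }
}
```

Read the output top down: a TCP failure means the firewall or listener, not the certificate; a handshake rejection with a printed chain means the DC has a certificate and the problem is trust or naming (compare the subject with the DC's FQDN and the issuer with what is in your trust store); a handshake rejection with no chain at all is what a DC with no usable private key looks like from the client side.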