Netscape Directory Server closes LDAPS connection during SSL handshake
I'm trying to bind to a NDS 6.2 LDAP server over SSL using the 1.4.2_03 JNDI LDAP provider,
but I can't get past the initial TLS handshake: it throws a "Remote host closed connection
during handshake" exception. The JSSE FAQ mentions this as likely a problem with
protocol incompatibilities (e.g. SSL3 vs. TLS1), but I can't seem to force the LDAP provider
to use an older protocol to investigate this further.
Here are the environment parameters I'm passing
java.naming.provider.url=ldap://ldaphost:636/o=foo,ou=bar
java.naming.security.principal=cn=foobar
java.naming.security.credentials=password
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
java.naming.security.authentication=simple
java.naming.security.protocol=ssl
and the associated JSSE debug trace follows.
Any ideas? Do I need to create some custom socket factory to mess with protocols?
pch
================
keyStore is :
keyStore type is : jks
init keystore
init keymanager of type SunX509
trustStore is: C:\tools\jdk1.4.2\jre\lib\security\jssecacerts
trustStore type is : jks
init truststore
adding as trusted cert:
Subject: [email protected], CN=Petes Bait and Tackle Class Z CA, O=Petes Bait and Tackle, L=Falls Church, ST=Virginia, C=US
Issuer: [email protected], CN=Petes Bait and Tackle Class Z CA, O=Petes Bait and Tackle, L=Falls Church, ST=Virginia, C=US
Algorithm: RSA; Serial number: 0x0
Valid from Thu Jun 24 13:24:27 EDT 2004 until Fri Jun 24 13:24:27 EDT 2005
init context
trigger seeding of SecureRandom
done seeding SecureRandom
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1071325469 bytes = { 1, 25, 191, 168, 187, 165, 118, 46, 45, 64, 183, 165, 131, 120, 155, 107, 208, 170, 19, 80, 74, 234, 177, 118, 51, 83, 194, 158 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
[write] MD5 and SHA1 hashes: len = 73
0000: 01 00 00 45 03 01 40 DB 21 1D 01 19 BF A8 BB A5 ...E..@.!.......
0010: 76 2E 2D 40 B7 A5 83 78 9B 6B D0 AA 13 50 4A EA [email protected].
0020: B1 76 33 53 C2 9E 00 00 1E 00 04 00 05 00 2F 00 .v3S........../.
0030: 33 00 32 00 0A 00 16 00 13 00 09 00 15 00 12 00 3.2.............
0040: 03 00 08 00 14 00 11 01 00 .........
main, WRITE: TLSv1 Handshake, length = 73
[write] MD5 and SHA1 hashes: len = 98
0000: 01 03 01 00 39 00 00 00 20 00 00 04 01 00 80 00 ....9... .......
0010: 00 05 00 00 2F 00 00 33 00 00 32 00 00 0A 07 00 ..../..3..2.....
0020: C0 00 00 16 00 00 13 00 00 09 06 00 40 00 00 15 ............@...
0030: 00 00 12 00 00 03 02 00 80 00 00 08 00 00 14 00 ................
0040: 00 11 40 DB 21 1D 01 19 BF A8 BB A5 76 2E 2D 40 ..@.!.......v.-@
0050: B7 A5 83 78 9B 6B D0 AA 13 50 4A EA B1 76 33 53 ...x.k...PJ..v3S
0060: C2 9E ..
main, WRITE: SSLv2 client hello message, length = 98
main, received EOFException: error
main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
main, SEND TLSv1 ALERT: fatal, description = handshake_failure
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
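To the question of whether a custom socket factory is needed to control the protocol versions: the following is an added example, not code from the original thread. The Sun JNDI LDAP provider loads the class named in its java.naming.ldap.factory.socket property and obtains an instance through the class's static getDefault() method; the factory below wraps the default JSSE SSLSocketFactory and pins the enabled protocol versions on every socket it hands back, so the SSLv2-format ClientHello that appears at the end of the trace above is no longer sent. The class name, the protocol list and the TLSv1-only assumption are mine; the host, base DN and credentials are the placeholder values from the post. Written in JDK 1.4 style (no generics or annotations) to match the JDK in the post.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.SocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Socket factory for the Sun JNDI LDAP provider that pins every LDAPS
 * connection to an explicit list of protocol versions. The provider
 * instantiates the class named in java.naming.ldap.factory.socket by
 * calling its static getDefault() method, so that method is mandatory.
 */
public class PinnedProtocolSocketFactory extends SocketFactory {

    // Assumption: the server speaks TLSv1 but drops the SSLv2-format
    // ClientHello that JSSE sends while "SSLv2Hello" is enabled. Listing
    // only TLSv1 removes that wrapper. Add "SSLv3" here to test an
    // SSL3-only server, or read the list from a system property.
    private static final String[] ENABLED_PROTOCOLS = { "TLSv1" };

    private final SSLSocketFactory delegate =
            (SSLSocketFactory) SSLSocketFactory.getDefault();

    /** Required entry point for java.naming.ldap.factory.socket. */
    public static SocketFactory getDefault() {
        return new PinnedProtocolSocketFactory();
    }

    /** Restrict the handshake before the provider starts using the socket. */
    private Socket pin(Socket s) {
        ((SSLSocket) s).setEnabledProtocols(ENABLED_PROTOCOLS);
        return s;
    }

    // Unconnected socket; newer provider versions use this with connect().
    public Socket createSocket() throws IOException {
        return pin(delegate.createSocket());
    }

    public Socket createSocket(String host, int port)
            throws IOException, UnknownHostException {
        return pin(delegate.createSocket(host, port));
    }

    public Socket createSocket(String host, int port,
                               InetAddress localHost, int localPort)
            throws IOException, UnknownHostException {
        return pin(delegate.createSocket(host, port, localHost, localPort));
    }

    public Socket createSocket(InetAddress host, int port) throws IOException {
        return pin(delegate.createSocket(host, port));
    }

    public Socket createSocket(InetAddress address, int port,
                               InetAddress localAddress, int localPort)
            throws IOException {
        return pin(delegate.createSocket(address, port, localAddress, localPort));
    }

    /**
     * The same environment as in the post, plus the socket-factory property.
     * ldaphost, the base DN and the credentials are the post's placeholders.
     */
    public static DirContext bind() throws NamingException {
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://ldaphost:636/o=foo,ou=bar");
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put("java.naming.ldap.factory.socket",
                PinnedProtocolSocketFactory.class.getName());
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=foobar");
        env.put(Context.SECURITY_CREDENTIALS, "password");
        return new InitialDirContext(env);
    }

    public static void main(String[] args) throws NamingException {
        DirContext ctx = bind();
        System.out.println("Bound over LDAPS with protocol " + ENABLED_PROTOCOLS[0]);
        ctx.close();
    }
}
```

The provider looks the class up by name and calls getDefault() reflectively, so both the class and that method must be public. If the server still closes the connection when only TLSv1 is offered, the protocol list is not the cause and the server-side log, a packet capture, or a client-certificate requirement on the server are the next things to check. Note that pinning protocols adds no hostname verification of the server certificate; the JNDI LDAP provider only began doing that by default in JDK 8u181, so on a 1.4.2 client that check must be done separately.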
My first suggestion is to find a log on the NDS server (maybe it states a reason for closing the connection).
Otherwise use Ethereal to examine the traffic between the two machines. Maybe that helps.
Or check if the NDS wants 2-way authentication and is trying to get your certificate as well.
Similar Messages
-
I have weblogic server 5.1.0 with the sp8 running on Windows NT server 4.0.
The weblogic server is configured to use LDAP realm (Netscape directory
server 4.12).
When I try to run weblogic server I am getting the following errors:
The WebLogic Server did not start up properly.
Exception raised: java.lang.reflect.InvocationTargetException
java.lang.reflect.InvocationTargetException: java.lang.ExceptionInInitialize
or: weblogic.security.ldaprealm.LDAPRealmException: cannot connect to ldapse
without a principal to authenticate as
at weblogic.security.ldaprealm.LDAPDelegate.setupProperties(LDAPDele
.java, Compiled Code)
at weblogic.security.ldaprealm.LDAPDelegate.<clinit>(LDAPDelegate.ja
83)
at weblogic.security.ldaprealm.LDAPRealm.<init>(LDAPRealm.java:34)
at java.lang.Class.newInstance0(Native Method)
at java.lang.Class.newInstance(Class.java:241)
at weblogic.security.acl.Realm.getRealm(Realm.java:78)
at weblogic.security.acl.Realm.getRealm(Realm.java:56)
at weblogic.t3.srvr.T3Srvr.initializeSecurity(T3Srvr.java:1756)
at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java, Compiled Code)
at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:827)
at java.lang.reflect.Method.invoke(Native Method)
at weblogic.Server.startServerDynamically(Server.java:99)
at weblogic.Server.main(Server.java:65)
at weblogic.Server.main(Server.java:55)
java.lang.ExceptionInInitializerError: weblogic.security.ldaprealm.LDAPRealm
ption: cannot connect to ldapserver without a principal to authenticate as
at weblogic.security.ldaprealm.LDAPDelegate.setupProperties(LDAPDele
.java, Compiled Code)
at weblogic.security.ldaprealm.LDAPDelegate.<clinit>(LDAPDelegate.ja
83)
at weblogic.security.ldaprealm.LDAPRealm.<init>(LDAPRealm.java:34)
at java.lang.Class.newInstance0(Native Method)
at java.lang.Class.newInstance(Class.java:241)
at weblogic.security.acl.Realm.getRealm(Realm.java:78)
at weblogic.security.acl.Realm.getRealm(Realm.java:56)
at weblogic.t3.srvr.T3Srvr.initializeSecurity(T3Srvr.java:1756)
at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java, Compiled Code)
at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:827)
at java.lang.reflect.Method.invoke(Native Method)
at weblogic.Server.startServerDynamically(Server.java:99)
at weblogic.Server.main(Server.java:65)
at weblogic.Server.main(Server.java:55)
And here is my ldaprealm.properties file
netscape.server.host=localhost
netscape.server.port=389
netscape.server.ssl=false
netscape.server.principal=uid=admin, ou=Administrators,
ou=TopologyManagement, o=NetscapeRoot
netscape.server.credential=password
netscape.user.dn=ou=People, o=towers.com
netscape.user.filter=(&(uid=%u)(objectclass=person))
netscape.group.dn=ou=Groups, o=towers.com
netscape.group.filter=(&(cn=%g)(objectclass=groupofuniquenames))
netscape.membership.filter=(&(uniquemember=%M)(objectclass=groupofuniquename
s))
By looking at the error message, it seems like the "server.principal" and
"server.credential" info is not correct.
But I was able to use the same Netscape Directory server with WebLogic 5.1.0
with sp4, although the ldaprealm.properties file has somewhat different
format.
Did anyone have similar problems with sp8?
Thanks in advance for any suggestions.
BEA support just gave me the solution.
They told me to uncomment the line
server.alias=netscape
in the ldaprealm.properties file
And I am able to start weblogic with my NIS
Thanks
"Enrique" <[email protected]> wrote in message
news:[email protected]...
>
Hi,
Have you tried to remove the "system" user on the LDAP server?
Regards.
"Honghai Zhang" <[email protected]> wrote:
I have weblogic server 5.1.0 with the sp8 running on Windows NT server
4.0.
The weblogic server is configured to use LDAP realm (Netscape directory
server 4.12).
When I try to run weblogic server I am getting the following errors:
The WebLogic Server did not start up properly.
Exception raised: java.lang.reflect.InvocationTargetException
java.lang.reflect.InvocationTargetException:
java.lang.ExceptionInInitialize
or: weblogic.security.ldaprealm.LDAPRealmException: cannot connect toldapse
without a principal to authenticate as
atweblogic.security.ldaprealm.LDAPDelegate.setupProperties(LDAPDele
..java, Compiled Code)
atweblogic.security.ldaprealm.LDAPDelegate.<clinit>(LDAPDelegate.ja
83)
atweblogic.security.ldaprealm.LDAPRealm.<init>(LDAPRealm.java:34)
at java.lang.Class.newInstance0(Native Method)
at java.lang.Class.newInstance(Class.java:241)
at weblogic.security.acl.Realm.getRealm(Realm.java:78)
at weblogic.security.acl.Realm.getRealm(Realm.java:56)
at weblogic.t3.srvr.T3Srvr.initializeSecurity(T3Srvr.java:1756)
at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java, Compiled Code)
at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:827)
at java.lang.reflect.Method.invoke(Native Method)
at weblogic.Server.startServerDynamically(Server.java:99)
at weblogic.Server.main(Server.java:65)
at weblogic.Server.main(Server.java:55)
java.lang.ExceptionInInitializerError:weblogic.security.ldaprealm.LDAPRealm
ption: cannot connect to ldapserver without a principal to authenticate
as
atweblogic.security.ldaprealm.LDAPDelegate.setupProperties(LDAPDele
..java, Compiled Code)
atweblogic.security.ldaprealm.LDAPDelegate.<clinit>(LDAPDelegate.ja
83)
atweblogic.security.ldaprealm.LDAPRealm.<init>(LDAPRealm.java:34)
at java.lang.Class.newInstance0(Native Method)
at java.lang.Class.newInstance(Class.java:241)
at weblogic.security.acl.Realm.getRealm(Realm.java:78)
at weblogic.security.acl.Realm.getRealm(Realm.java:56)
at weblogic.t3.srvr.T3Srvr.initializeSecurity(T3Srvr.java:1756)
at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java, Compiled Code)
at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:827)
at java.lang.reflect.Method.invoke(Native Method)
at weblogic.Server.startServerDynamically(Server.java:99)
at weblogic.Server.main(Server.java:65)
at weblogic.Server.main(Server.java:55)
And here is my ldaprealm.properties file
netscape.server.host=localhost
netscape.server.port=389
netscape.server.ssl=false
netscape.server.principal=uid=admin, ou=Administrators,
ou=TopologyManagement, o=NetscapeRoot
netscape.server.credential=password
netscape.user.dn=ou=People, o=towers.com
netscape.user.filter=(&(uid=%u)(objectclass=person))
netscape.group.dn=ou=Groups, o=towers.com
netscape.group.filter=(&(cn=%g)(objectclass=groupofuniquenames))
netscape.membership.filter=(&(uniquemember=%M)(objectclass=groupofuniquename
s))
By looking at the error message, it seems like the "server.principal" and
"server.credential" info is not correct.
But I was able to use the same Netscape Directory server with WebLogic 5.1.0
with sp4, although the ldaprealm.properties file has somewhat different
format.
Did anyone have similar problems with sp8?
Thanks in advance for any suggestions.
-
Setup connection factory and topic in Netscape Directory Server
I'm using Netscape Directory Server(NDS) and WLS5.1.
What should I setup in the NDS in order to lookup the connection
factory and topic in WLS?
Thanks
-
Weblogic server 10.3.5 error during SSL handshake
Please, someone help me figure out the issue with the following logs.
<16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
<16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 33092690>
<16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
<16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
<16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 33095418>
<16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
<16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
<16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <33092490 SSL Version data invalid>
<16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <Connection to SSL port from Sa-PC - 150.1.104.124 appears to be either unknown SSL version or maybe is plaintext>
<16-Jan-2013 18:40:40 o'clock GMT> <Warning> <Security> <BEA-090476> <Invalid/unknown SSL header was received from peer Sa-PC - 150.1.104.124 during SSL handshake.>
<16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 70
java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.record.ReadHandler.getProtocolVersion(Unknown Source)
at com.certicom.tls.record.ReadHandler.checkVersion(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
at weblogic.server.channels.DynamicSSLListenThread$1.run(DynamicSSLListenThread.java:130)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
>
<16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
<16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <close(): 33092490>
<16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <close(): 33092490>
<16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 33092690>
<16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
<16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <33095215 SSL Version data invalid>
<16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <Connection to SSL port from Sa-PC - 150.1.104.124 appears to be either unknown SSL version or maybe is plaintext>
<16-Jan-2013 18:40:40 o'clock GMT> <Warning> <Security> <BEA-090476> <Invalid/unknown SSL header was received from peer Sa-PC - 150.1.104.124 during SSL handshake.>
<16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 70
java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.record.ReadHandler.getProtocolVersion(Unknown Source)
at com.certicom.tls.record.ReadHandler.checkVersion(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
at weblogic.server.channels.DynamicSSLListenThread$1.run(DynamicSSLListenThread.java:130)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
>
<16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
<16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <close(): 33095215>
<16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <close(): 33095215>
<16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 33095418>
I just created domain with http and https ports. I installed an web app. When I am trying to access the app from browser through https the above error is occurring.
Please somebody help me.
Thanks in advance.
SK
This message indicates that the SSL connection is closed successfully. It is a warning message and normal to see in the logs when you enable the SSL debug flags. This is an expected behavior. If you see alerts when SSL debug is NOT ENABLED then it is a real alert and we need to take care of those issues. Also, it is not a real alert, it is a caught and handled exception from the certicom code which is not harmful and should be ignored, just because you have enabled the SSL debug flag. Once you turn it off, you won't see it in the logs.
Edited by: sharmela on Jan 22, 2013 4:55 AM
-
Where to download "netscape directory server 4.11 or later"
Hi, there,
I just want to test some ldap functions on windows 2000. I find some guys said Netscape Directory Server 4.11 is a good choice. Where can I download an evaluation version? I can't find it on Netscape.
Thanks.
Just go to www.iplanet.com
-
Unable to use a custom security realm with Netscape Directory Server in WebLogic 7
I have all users and groups stored in a Netscape LDAP server (version 4.1.6 on
Solaris 8), so I want to create a custom security realm in WebLogic 7 (also run
on Solaris 8) which uses my LDAP server as the Authenticator. I tried this by
using the Admin Console and followed exactly the steps in Chapter 3 of the "Managing
WebLogic Security" doc. However, when I rebooted WebLogic and logged into the
Admin Console again and clicked the Users node under my custom realm, I saw this
message in the right-hand pane: "There are no Authentication providers available
that support the creation of Users". Also, I don't see my custom realm in the
dropdown list under mydomain -> Security tab -> General tab -> Default Realm.
What did I do wrong? Also, where does WebLogic store the custom security realm
info? It is definitely not in config.xml.
Thanks,
Eric Ma
Thanks for the info.
I wonder when they will fix it.
Jakub
User "Eric Ma" <[email protected]> wrote in message
news:[email protected]..
>
According to BEA Tech Support, a known bug prevents the WLS 7 AdminConsole from
displying users and groups defined in Netscape Directory Server.
Eric Ma
"Jakub Wroniszewski" <[email protected]> wrote:
I have the same problem.
Any new ideas?
Rgds,
Jakub
User "Eric Ma" <[email protected]> wrote in message
news:[email protected]..
Now I doubt my custom security realm is actually using the Netscape Directory Server
as the authenticator. Unlike in the WebLogic 6.1 Admin Console, where clicking on
the Users node displays all users in the LDAP server, in WebLogic 7 I keep getting
the message "There are no Authentication providers available that support the
creation of Users." Any suggestions?
"Eric Ma" <[email protected]> wrote:
Never mind. I tried again by following the steps outlined at
http://newsgroups.bea.com/cgi-bin/dnewsweb?cmd=article&group=weblogic.developer.interest.security&item=8463&utag=
and it seemed to have worked for me.
"Eric Ma" <[email protected]> wrote:
I have all users and groups stored in a Netscape LDAP server (version 4.1.6 on
Solaris 8), so I want to create a custom security realm in WebLogic 7 (also run
on Solaris 8) which uses my LDAP server as the Authenticator. I tried this by
using the Admin Console and followed exactly the steps in Chapter 3 of the "Managing
WebLogic Security" doc. However, when I rebooted WebLogic and logged into the
Admin Console again and clicked the Users node under my custom realm, I saw this
message in the right-hand pane: "There are no Authentication providers available
that support the creation of Users". Also, I don't see my custom realm in the
dropdown list under mydomain -> Security tab -> General tab -> Default Realm.
What did I do wrong? Also, where does WebLogic store the custom security realm
info? It is definitely not in config.xml.
Thanks,
Eric Ma
-
EAP-TLS or PEAP authentication failed during SSL handshake to the ACS serve
We are running the LWAPP (2006 wlc's and 1242 AP's) and using the ACS 4.0 for authentication. Our users are
experiencing an issue where they are successfully authenticated the first time; however, as the number of them is increasing, they're starting to drop the connections and being prompted to re-authenticate. At this point, they are not able to authenticate again.
We're using PEAP for the authentication and Win XP SP2 clients as the supplicants. The error message that we are seeing on the ACS for that controller is "EAP-TLS or PEAP authentication failed during SSL handshake to the ACS server"...Not sure if this error msg is relevant since we have other WLC's that are working OK and still generating the same error msg on the ACS...
Thanks..
Here are some configs you can try:
config advanced eap identity-request-timeout 120
config advanced eap identity-request-retries 20
config advanced eap request-timeout 120
config advanced eap request-retries 20
save config
-
Migrating Netscape Directory Server 4.1 to a new server
Hi,
In the current production environment, we are using Netscape Directory Server 4.1 as the authentication with Siebel CRM system. The server hardware is old and there is a need to refresh the server. As Netscape Directory Server is the only supported/ certified LDAP with embedded functionalities in Siebel Financial Services 6.0.2.300, we are planning to upgrade only the server hardware and migrate all the user information from old server and the new one, with Netscape Directory Server 4.1 remained.
I have studied the Netscape Directory Server 4.1 Deployment Guide and gone through the migration procedures, looks like the procedures are only applicable for migrating Netscape Directory Server to a newer version. There are no specific procedures mentioned for migrating Netscape Directory Server to the new server hardware with the same directory server version.
I am seeking detailed procedures for migrating Netscape Directory Server 4.1 to new server hardware with the same directory server version. Has anyone done this migration before? I thank you in advance for your valuable feedback.
Sincerely,
Julie
Luckily, I have the technical documentation in hand, which contains all the configuration of the current server. So I need to use "db2ldif" to export the data. I am currently testing the migration by following these steps:
1. Install the new server.
2. Stop the Netscape Directory Server and Netscape Administration Server services in old server.
3. Copy the slapd-<server_name> folder from old server to a temp location of new server.
4. Take the old server offline.
5. Configure new server to have the exact configuration as the old server.
6. Backup the existing slapd-<server_name> folder in new server, copy the slapd-<server_name> folder from the temp location to C:\Netscape\Server4 directory of new server.
7. Start the Netscape Directory Server and Netscape Administration Server services in new server.
Will try out your suggested method. Thank you so much for your feedback.
Regards,
Julie
-
Directory server and ldap TLS on windows platform
Anybody tested "sun directory server" and "ldap tls" on the windows platform??? Because I tried it, and I can't establish a secure connection. On another platform, and I speak about Solaris 9, everything is OK. Some comments??
It's a rather unusual way to use attribute subtypes. You may be able to do something with the mapping engine in DPS - I'll wait for Sylvain or someone else who knows DPS really well to answer that. But from the perspective of the information model, I have some doubts about this approach. For instance, what happens if you have multiple subtypes on a single-valued attribute?
Usually, for example, if there is a "preferred" common name as opposed to some other common names, it would be modeled in an entirely different attribute type, such as "preferredName". The subtypes are almost exclusively used for language specification nowadays. That's another question - what happens if you ever need to store multiple languages in your Directory?
Do you know of anyone else who is using this kind of information model in their Directory?
-
Weblogic Integration with Netscape Directory Server - Help URGENT
Prashant,
Yes, I did. Did you copy the ldaprealm.properties to the same place as where
your weblogic.properties is located by default. The original sample file is
located in examples/....directory. After your changes are made copy the file
to c:/weblogic directory.
Hope this helps.
-Sunil .K
Prashanth <[email protected]> wrote in message
news:[email protected]...
Hi,
Can anyone who's tried using the LDAPRealm to talk to Netscape Directory
Server 4.1 tell me exactly what are the steps that one needs to follow to set
this up:
1. Changes in the ldaprealm.properties file
2. Changes in the weblogic.properties file
3. Changes on NDS side, if any
Error I am getting:
Thu Jun 29 10:24:53 EDT 2000:<I> <System Props> weblogic.class.path =
d:\weblogi
c\lib\weblogic510sp3.jar;d:\weblogic\license;d:\weblogic\classes;d:\weblogic
\mys
erver\serverclasses;d:\weblogic\lib\weblogicaux.jar
Thu Jun 29 10:24:53 EDT 2000:<I> <System Props> weblogic.system.home =
d:\weblog
ic
Thu Jun 29 10:24:53 EDT 2000:<I> <WebLogicServer> Loaded License :
D:/weblogic/l
icense/WebLogicLicense.xml
Thu Jun 29 10:24:53 EDT 2000:<I> <WebLogicServer> Server loading from
weblogic.c
lass.path. EJB redeployment enabled.
java.io.FileNotFoundException: ldaprealm.properties (The system cannotfind
the
file specified)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.<init>(FileInputStream.java, Compiled
Code)
at
weblogic.security.internal.RealmProperties.getProperties(RealmPropert
ies.java:37)
at
weblogic.security.internal.RealmProperties.<init>(RealmProperties.jav
a:20)
at
weblogic.security.ldaprealm.LDAPDelegate.configureProps(LDAPDelegate.
java:78)
at
weblogic.security.ldaprealm.LDAPDelegate.<init>(LDAPDelegate.java:198
at weblogic.security.ldaprealm.LDAPRealm.<init>(LDAPRealm.java:35)
at java.lang.Class.newInstance0(Native Method)
at java.lang.Class.newInstance(Class.java:241)
at weblogic.security.acl.Realm.getRealm(Realm.java:79)
at weblogic.security.acl.Realm.getRealm(Realm.java:57)
at weblogic.t3.srvr.T3Srvr.initializeSecurity(T3Srvr.java:1744)
at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java, Compiled Code)
at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:825)
at java.lang.reflect.Method.invoke(Native Method)
at weblogic.Server.startServerDynamically(Server.java:99)
at weblogic.Server.main(Server.java:65)
at weblogic.Server.main(Server.java:55)
at weblogic.NTServiceHelper.run(NTServiceHelper.java:19)
at java.lang.Thread.run(Thread.java:479)
--------------- nested within: ------------------
weblogic.security.ldaprealm.LDAPException: ldaprealm.properties notfound -
with
nested exception:
[java.io.FileNotFoundException: ldaprealm.properties (The system cannot
find> the> file specified)
at
weblogic.security.ldaprealm.LDAPDelegate.configureProps(LDAPDelegate.
java:82)
at
weblogic.security.ldaprealm.LDAPDelegate.<init>(LDAPDelegate.java:198
at weblogic.security.ldaprealm.LDAPRealm.<init>(LDAPRealm.java:35)
at java.lang.Class.newInstance0(Native Method)
at java.lang.Class.newInstance(Class.java:241)
at weblogic.security.acl.Realm.getRealm(Realm.java:79)
at weblogic.security.acl.Realm.getRealm(Realm.java:57)
at weblogic.t3.srvr.T3Srvr.initializeSecurity(T3Srvr.java:1744)
at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java, Compiled Code)
at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:825)
at java.lang.reflect.Method.invoke(Native Method)
at weblogic.Server.startServerDynamically(Server.java:99)
at weblogic.Server.main(Server.java:65)
at weblogic.Server.main(Server.java:55)
at weblogic.NTServiceHelper.run(NTServiceHelper.java:19)
at java.lang.Thread.run(Thread.java:479)
The WebLogic Server did not start up properly.
Exception raised: java.lang.reflect.InvocationTargetException
java.lang.reflect.InvocationTargetException: java.lang.IllegalAccessError:
weblo
gic.security.ldaprealm.LDAPException: ldaprealm.properties not found -with
nest
ed exception:
[java.io.FileNotFoundException: ldaprealm.properties (The system cannot
find> the> file specified)
at weblogic.security.acl.Realm.getRealm(Realm.java:86)
at weblogic.security.acl.Realm.getRealm(Realm.java:57)
at weblogic.t3.srvr.T3Srvr.initializeSecurity(T3Srvr.java:1744)
at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java, Compiled Code)
at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:825)
at java.lang.reflect.Method.invoke(Native Method)
at weblogic.Server.startServerDynamically(Server.java:99)
at weblogic.Server.main(Server.java:65)
at weblogic.Server.main(Server.java:55)
at weblogic.NTServiceHelper.run(NTServiceHelper.java:19)
at java.lang.Thread.run(Thread.java:479)
java.lang.IllegalAccessError: weblogic.security.ldaprealm.LDAPException:
ldaprea
lm.properties not found - with nested exception:
[java.io.FileNotFoundException: ldaprealm.properties (The system cannot
find> the> file specified)
at weblogic.security.acl.Realm.getRealm(Realm.java:86)
at weblogic.security.acl.Realm.getRealm(Realm.java:57)
at weblogic.t3.srvr.T3Srvr.initializeSecurity(T3Srvr.java:1744)
at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java, Compiled Code)
at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:825)
at java.lang.reflect.Method.invoke(Native Method)
at weblogic.Server.startServerDynamically(Server.java:99)
at weblogic.Server.main(Server.java:65)
at weblogic.Server.main(Server.java:55)
at weblogic.NTServiceHelper.run(NTServiceHelper.java:19)
at java.lang.Thread.run(Thread.java:479)
WebLogic Server terminated with an abnormal condition of 1
Hit return to continue...
-
Differences between SunONE, iPlanet and Netscape Directory Server
What are the differences between SunONE, iPlanet and Netscape Directory Server?
When I go to docs.sun.com - Products Categories, I saw that they've documentation regarding with SunONE, iPlanet, Netscape Directory Server listed under Directory Server.
I know that they're all different directory servers, but is one newer than the other? If I'm not wrong, I assumed that Netscape transformed into iPlanet, and then from iPlanet it transformed to SunONE. If that is the case, does that mean that all of their consoles and how they work should be very similar?
Thanks!
That is exactly what I thought.
So when people refer to SunONE Directory Server 5.1, that means iPlanet Directory Server 5.1, right?
Because I'm looking at Solaris 9's specification and it mentioned that it bundled with SunONE Directory Server 5.1.
Thanks for answering my question! :)
-
Getting Server Admin to connect over SSL
According to the help provided with Server Admin:
"By default, Server Admin treats all communications with remote servers as encrypted
using SSL. This uses a self-signed 128-bit certificate installed in /etc/servermgrd/ssl.crt
when you install the server. Communications use HTTPS (port 311). If this option isn’t
possible, HTTP (port 687) is used and clear text is sent between Server Admin and the
remote server."
How do I know that Server Admin is connecting using SSL? I have port 311 open on my router and the server firewall, but when I connect to the server using the localhost name of the server, it saves the password in the keychain as "http://myserver.local".
um... interesting
sudo lsof -i -P
should show you that servermgr is talking, who to, and on which port.
However, on my 10.5.1 server, it does not show as connected. I checked on 10.4 servers and it works as expected.
-
EAP-TLS or PEAP authentication failed during SSL handshake
Hi Pros,
I am a newbie in the ACS 4.2 and EAP-TLS implementation, with that being said, I face an issue during an EAP-TLS implementation. My search shows that this kind of error message is already a certificate issue; however, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and reinstalled the cert chain as well.
When I check my log in the failed attempts, here is what I found:
Date: 06/23/2010
Time: 17:39:51
Message-Type: Authen failed
User-Name: 000e.9b6e.e834
Group-Name: Default Group
Caller-ID: 000e.9b6e.e834
Network Access Profile Name: (Default)
Authen-Failure-Code: EAP-TLS or PEAP authentication failed during SSL handshake
NAS-Port: 1101
NAS-IP-Address: 10.111.22.24
EAP Type: 25
EAP Type Name: MS-PEAP
Access Device: wbr-1121-zozo-test
Network Device Group: Office Network

Date: 06/23/2010
Time: 17:39:50
Message-Type: Authen failed
User-Name: [email protected]
Group-Name: Default Group
Caller-ID: 000e.9b6e.e834
Network Access Profile Name: (Default)
Authen-Failure-Code: EAP-TLS or PEAP authentication failed during SSL handshake
NAS-Port: 1098
NAS-IP-Address: 10.111.22.24
EAP Type: 25
EAP Type Name: MS-PEAP
Access Device: wbr-1121-zozo-test
Network Device Group: Office Network
[email protected] = my windows active directory name
1. Why under EAP-TYPE it shows MS-PEAP not EAP-TLS? I did configure EAP-TLS....
2. Why sometimes it just shows the MAC of the client for username?
3. Why it puts me in DEFAULT-GROUP even though i belongs to a group well definy in the acs?
Secondly, when I check in passed authentications, this is what I saw:
Columns: Date | Time | Message-Type | User-Name | Group-Name | Caller-ID | NAS-Port | NAS-IP-Address | Network Access Profile Name | Shared RAC | Downloadable ACL | System-Posture-Token | Application-Posture-Token | Reason | EAP Type | EAP Type Name | PEAP/EAP-FAST-Clear-Name | Access Device | Network Device Group
Row 1: 06/23/2010 | 17:30:49 | Authen OK | groszozo | NOC Tier 2 | 10.11.10.105 | 1 | 10.111.22.24 | (Default) | wbr-1121-zozo-test | Office Network
Row 2: 06/23/2010 | 17:29:27 | Authen OK | groszozo | NOC Tier 2 | 10.11.10.105 | 1 | 10.111.22.24 | (Default) | wbr-1121-zozo-test | Office Network
In the output below, it says that the user is authenticated and it puts the user in the right group with the right username, but the user never really authenticates. Maybe for the first few seconds when I initiate the connection.
Before I forget, the supplicant is using WIN XP and 802.1x is enabled. I even unchecked the verify-the-server option, and in the ACS under External User Databases I did check ENABLE EAP-TLS machine authentication.
Thanks in advance for your help,
Crazy
---
Any ideas on this, guys?? On my end, I've been reading some docs... Things started to make sense to me, but I still cannot authenticate, still the same errors. One more thing that catches my attention now is the time it takes to open a telnet session to a Cisco device which has the ACS as its auth server.
My AD (Active Directory) and the ACS server are local, on the same subnet (server subnet). A ping to the ACS from my desktop, which is in a different subnet, only takes 1 ms. To confirm that the issue is the ACS server, I decided to use another server in a remote location; the telnet connection is way faster than with the local ACS.
Let's brainstorm together to figure this out, guys.
Thanks in advance,
----Paul -
EAP-TLS or PEAP authentication failed during SSL handshake error
I have 2 Windows 2003 ACS 3.2 servers. I am in the process of upgrading them to ACS 4.0. I am using them for WPA2/PEAP wireless authentication in a WDS environment. I recently upgraded one to ACS 4.0 and ever since that time some (not all) of my Windows XP clients have started to not be authenticated and logging the error "EAP-TLS or PEAP authentication failed during SSL handshake" on the ACS 4.0 server. During the upgrade (which was successful) I did change the Certificate since the current one was going to expire November 2007.
The clients that do not authenticate on the ACS 4.0 server I can point to the ACS 3.2 server and they successfully authenticate there. I am able to resolve the issue by recreating the Windows XP PEAP profile for the wireless network and by getting a new client Cert. But, I have a couple of questions:
Is the "EAP-TLS or PEAP authentication failed during SSL handshake" error due to the upgrade to ACS 4.0 or to the fact that I changed the Certificate, or both?
Can this error ("EAP-TLS or PEAP authentication failed during SSL handshake") be resolved without me touching every Windows XP client (we have over 250+)?
Thanks for the help
My experience suggests that the problem is the certificate.
I'm running ACS 3.3.
I received the same error message when my clients copied the certificate to the wrong location, or otherwise did not correctly follow the provided instructions.
Correctly following the instructions led to a successful connection and no more error message. -
Hi,
I am getting the "Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" error during SSL handshake.
I am implementing SSL authentication in a custom JCA adapter. I have the key pairs in the DEFAULT view in keystorage and the public key of the server in the services_ssl view. I am able to access the certificates by doing a lookup. Below is the implementation:
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
KeystoreManager manager = (KeystoreManager) ctx.lookup("keystore");
// trust store: the keystore view that holds the server's certificate
KeyStore trustKeyStore = manager.getKeystore("service_ssl");
// key store: the keystore view that holds this adapter's own key pair
KeyStore keyStore = manager.getKeystore("DEFAULT");
KeyManagerFactory kmfactory = KeyManagerFactory.getInstance(
KeyManagerFactory.getDefaultAlgorithm());
kmfactory.init(keyStore, null);
KeyManager[] keyManagers = kmfactory.getKeyManagers();
TrustManagerFactory tmfactory = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
tmfactory.init(trustKeyStore);
TrustManager[] trustManagers = tmfactory.getTrustManagers();
SSLContext sslcontext = SSLContext.getInstance("SSL");
// key managers present the adapter's certificate; trust managers validate the server's chain
sslcontext.init(keyManagers, trustManagers, null);
I am able to get the contents of the DEFAULT view and the services_ssl view. When I try to connect to the server using httpClient.executeMethod(), I get the following.
Is this the correct way to initialize the SSL context? Any info on this will be really helpful.
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1584)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:877)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1089)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:618)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:502)
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1973)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:395)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
... 10 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
at sun.security.validator.Validator.validate(Validator.java:203)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
... 27 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
Thanks
You need to re-add the host using the mkhost command; that will rewrite the wallet for you.
Thanks
Rich
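The "PKIX path building failed" error above means the trust manager could not chain the server's certificate to anything in the trust store. The following standalone diagnostic is an added example, not code from the post or its reply: it wraps the default JSSE trust manager so that, when the handshake fails, it prints the subject and issuer of every certificate the server actually sent, which tells you which CA entry the trust store is missing. It assumes a JKS trust store path, its password, a host and a port as command-line arguments (all hypothetical).

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class TrustPathCheck {
    // Delegates every trust decision to the real JSSE trust manager, but records the
    // chain the server presented so it can be printed after a PKIX failure.
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] lastChain;
        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { delegate.checkClientTrusted(chain, authType); }
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            lastChain = chain;                       // keep it before validation may throw
            delegate.checkServerTrusted(chain, authType);
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    static RecordingTrustManager recording(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return new RecordingTrustManager((X509TrustManager) tm);
        }
        throw new IllegalStateException("no X509TrustManager from " + tmf.getAlgorithm());
    }

    // Hypothetical usage: java TrustPathCheck truststore.jks changeit ldaphost 636
    public static void main(String[] args) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) { trustStore.load(in, args[1].toCharArray()); }
        RecordingTrustManager rtm = recording(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { rtm }, null);   // no client key: server trust only
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[2], Integer.parseInt(args[3]))) {
            s.startHandshake();
            System.out.println("handshake OK, protocol " + s.getSession().getProtocol());
        } catch (SSLHandshakeException e) {
            System.out.println("handshake failed: " + e.getMessage());
            if (rtm.lastChain == null) return;       // failed before the server certificate arrived
            for (X509Certificate c : rtm.lastChain)
                System.out.println("  subject: " + c.getSubjectX500Principal() + "\n  issuer:  " + c.getIssuerX500Principal());
            System.out.println("Compare the issuers above with the CA entries in the trust store.");
        }
    }
}
```

The wrapper never changes the trust decision, so a failed run still fails; it only adds the evidence needed to decide which issuer certificate to import into the trust store view.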