OBI LDAP SSL
Hi all,
I'm trying to log in to OBI via LDAP using SSL. We can log in using LDAP; we configured everything in the Administration Tool and it works fine. But when we check the SSL option it doesn't work. The error is: [image].
How can I solve this error? Where can I find documentation to solve it?
Thanks in advance
Hi again,
It's only an error produced when you push the 'Test' button, but then it works fine!
Thanks
Edited by: Julius84 on 17-jun-2010 0:24
Similar Messages
-
EDSPermissionError(-14120) problems with LDAP, SSL and Directory Utility
Hello everyone,
Apologies for the repost but I think I may have made a mistake by posting this originally in the Installation, Setup and Migration forum instead of the Open Directory forum. At least I think that may be why I didn't receive any responses.
Anyway, I've been trying to get my head around Open Directory and SSL as they are implemented in Mac OS X Server 10.5 Leopard, and have been having a few issues. I would like to set up a secure internal infrastructure based around a local Certificate Authority that signs certificates for other internal services like LDAP, email, websites, etc.
I only have one Mac OS X Server and it is kind of a small office so I have gone against best practice and simply made it a CA (through Keychain Utility). I then generated a self-signed SSL certificate through Server Admin, and used the "Generate CSR" option to create a Certificate Signing Request. This went fine, but I did have some problems signing it with the CA, because the server documentation suggested that once I signed it it would pop open a Mail message containing the ASCII version of the signed certificate - it did not, and it took me a loooong time to realize that I could simply export the copy of the signed certificate it put in my local Keychain on the server as a PEM file and paste this back into the "Add Signed or Renewed Certificate from Certificate Authority" dialog box in Server Admin. Hopefully this can be fixed in a forthcoming patch, but I thought I would mention it here in case anyone else is stuck on this issue.
Once I did this I was able to use this certificate in the web server on the same machine, and sure enough I was able to connect to it with clients who had installed the CA certificate in their system Keychains without getting any error messages - very cool.
However, I haven't had quite as much luck getting it going with LDAP/Open Directory. I installed the certificate there as well, but have run into a number of problems. At first I could not get clients (also running 10.5.2) to talk to the server at all over SSL, receiving an error in Directory Utility that the server did not support SSL. I eventually discovered that the problem seemed to lie in the fact that the OpenLDAP implementation on Leopard is not tied in with the system Keychain, necessitating some command-line voodoo to install a copy of the CA cert in a local directory and point /etc/openldap/ldap.conf at it, as documented here: http://www.afp548.com/article.php?story=20071203011158936
This allowed me to do an ldapsearch command over SSL, and seemingly turn SSL on on clients that were previously bound to the directory, and additionally allowed me to run Directory Utility on new clients and put in the server name with the SSL box checked and begin to go through the process of binding. Once this seemed to work, I turned off all plaintext LDAP communication and locked down the service by checking the "Enable authenticated directory binding," "Require authenticated binding," "Disable clear text passwords," and "Encrypt all packets" options in Server Admin. However, I am now running into a new problem, specifically that I cannot successfully bind a local account to a directory account over SSL.
Here's what happens:
1) I run Directory Utility, (or it auto-runs) and add a server, typing in the DNS name and clicking the SSL box.
2) I get asked to authenticate, and type in user credentials, including computer name (incidentally, should this be a FQDN or just a hostname?)
3) Provided I put admin credentials in here and not user-level credentials, I get taken to the "Do you want to set up Mail, VPN, etc.?" box that normally appears when you autodiscover or connect to an Open Directory server.
4) I click through, and am asked for a username and password on the server, as well as the password for my local account.
5) When I put this information in, I get a popup with the dreaded "eDSPermissionError(-14120)" and it fails.
Checking the logs in Server Admin reveals nothing special, and while I have seen a couple other threads on this error and various other binding problems:
http://discussions.apple.com/thread.jspa?messageID=5967023
http://discussions.apple.com/message.jspa?messageID=5982070
these have not solved the problem. In the Open Directory user name field I am putting the short username. I have tried putting [email protected] and the user's longname but this fails by saying the account does not exist. For some reason it does seem to work if I bind it to the initial admin account I created, but no other user accounts.
If I turn all the encryption stuff off I am able to join just fine, so I am suspecting that the error may lie in some other "under the hood" piece of software that doesn't get the CA trust settings from the Keychain or the ldap.conf file, but I'm stymied as to which piece of software this might be. Does anyone have any clues on what I might be able to do here?
Thanks,
Andrew
Hard to tell what is happening without looking at the application source, knowing what OS & hardware you're using etc. You might want to try running with different JVM versions to see if it's actually the VM that is the problem. If you have a support contract with BEA you could ask support to help you diagnose this.
Regards,
/Helena
Ayub Khan wrote:
I have an application running on Weblogic 8.1 (with JRockit as the JVM). This application in turn talks to an iPlanet Directory server via LDAP/SSL. The problem seems to happen on loading the machine: the performance progressively gets worse and after a couple of seconds all the threads stop responding. I checked the heap, CPU and the idle threads in the execute queue and there is nothing there to trigger alarms; there are quite a few idle threads still and the heap and CPU utilization seem OK. On doing a thread dump, I see that all the other threads seem to be in a state where they are waiting for data from LDAP, and it is basically read-only data that they are waiting on.
Does anyone know what is going on and can point me in the right direction?
-Ayub
-
Convergence with LDAP SSL Failure
Hello,
I'm now having a problem securing connections between Convergence and my LDAP server.
Once I set ugldap.enablessl to true in iwcadmin and change the port to 636, the following error occurs and Convergence just can't authenticate.
server.log in Glassfish 2.1.1, enterprise profile using NSS keystore
[#|2010-11-12T20:17:15.208+0000|SEVERE|sun-appserver2.1|com.sun.comms.shared.ldap|_ThreadID=19;_ThreadName=Thread-114;_RequestID=f4814afe-c0b0-4245-b21b-64be2d4a39e3;|LDAPS:Error occured during SSL handshake java.lang.RuntimeException: Could not parse key values|#]
[#|2010-11-12T20:17:15.209+0000|SEVERE|sun-appserver2.1|com.sun.comms.shared.ldap.LDAPSingleHostPool|_ThreadID=19;_ThreadName=Thread-114;_RequestID=f4814afe-c0b0-4245-b21b-64be2d4a39e3;|buildConnection: got LDAPException while connecting to Pool number:0. Host=<ldaphost> :netscape.ldap.LDAPException: Error occured during SSL handshake java.lang.RuntimeException: Could not parse key values (91)|#]
HTTP SSL connections to Webmail server and calendar servers are fine. I tried deploying the same configuration using developer profile with JKS keystore, the SSL authentication goes through then, but I need clustering for high availability.
Does anyone have any ideas?
Thanks so much in advance!
Mathew
-
LDAP SSL requirement and setup
Can someone point me in the direction of setting up LDAP SSL in Apex 2.2?
Is there any documentation available? Thank you.
I have the same request. The only information I could find was here: LDAP Authentication Failed
-
I am putting an RODC on the DMZ in a separate forest from the internal network.
On the DMZ I have a read/write 2012 DC in 2008R2 mode. Then I added an RODC in the same DMZ forest.
I want to open up 636 to the RODC from the public for LDAP SSL.
Is this OK? How would I go about setting up LDAP SSL over the public internet? I guess I will need a public cert.
Hello,
maybe you can describe the reason which requires LDAP over SSL access?
In the meanwhile see
http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
You can also work with self-signed certificates
http://gregtechnobabble.blogspot.de/2012/11/enabling-ldap-ssl-in-windows-2012-part-1.html
It depends on the service/application requirement.
We use for example an external access to our network but work with self-signed certificates for password change if accounts are required to change the password.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights. -
How to configure LDAP SSL using auto login wallet?
Hello,
I need to enable authentication over LDAP SSL.
I've configured an (auto-login) wallet containing the required certificates and set the WALLET_PATH and WALLET_PWD settings accordingly using the apex_instance_admin.set_parameter method.
With this, everything works fine and LDAP over SSL works well. This confirms that the wallet is properly configured, valid and usable.
The wallet was created with the auto-login option, and it works without specifying a password when calling utl_http.
Proof of a properly configured auto-login wallet (without password):
TEST01@DB11G> exec show_html_from_url('https://www.verisign.com/'); -- test without wallet
BEGIN show_html_from_url('https://www.verisign.com/'); END;
ERROR at line 1:
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1527
ORA-29261: bad argument
ORA-06512: at "TEST01.SHOW_HTML_FROM_URL", line 25
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1130
ORA-29024: Certificate validation failure
ORA-06512: at line 1
TEST01@DB11G> exec utl_http.set_wallet('file:/u01/app/oracle/product/11.2.0/dbhome_1/network/admin'); -- set wallet info for use without password (autologin)
PL/SQL procedure successfully completed.
TEST01@DB11G> exec show_html_from_url('https://www.verisign.com/'); -- It works!
PL/SQL procedure successfully completed.
So when I configure WALLET_PATH without WALLET_PWD, it does not seem to work as it should with my auto-login wallet...
What am I missing? Is it APEX not handling auto login wallets correctly?
Apex Version: 4.2.0.00.27
OS: OEL 6.4
DB: 11.2.0.3 x64
Thanks
Bruno Lavoie
-
Hello:
I am trying to connect IDM 6.0 SP1 with Sun Directory Server 5 (LDAP) using the LDAP adapter. If I use the non-secure port (389) it is OK and the connection works fine.
But if I try to use the SSL port (636) I get an error.
Directory Server is configured to work with both ports (389 and 636); it has SSL enabled and has a (self-signed) certificate. Another application (an LDAP browser) can connect to the SSL port without problem.
Is there anything else to do on the machine running IDM (for example, install the LDAP certificate)? How do I do this?
Both machines are Solaris 10 x86 and they are in the same DNS domain.
Thanks
To connect to an SSL resource, you must have a certificate trust chain defined in the Java Virtual Machine in which IDM is running. Not knowing what web server you are running IDM on, I must be general in my reply. You need to include the following system property definition in the Java parameters for your JVM:
-Djavax.net.ssl.trustStore=<fully qualified path to a JKS keystore containing the trust chain for your self signed server cert>
e.g.
-Djavax.net.ssl.trustStore=/myapps/idm/truststore.jks
You can create the truststore using the keytool utility that comes with the Sun Java JDK (<JAVA_HOME>/bin/keytool). Hope this helps.
FYI - your browser queries to LDAP work because you have the trust chain stored in your browser certificate cache. -
LDAP + SSL + tomcat- Please help!
Please help. I searched the whole site; I'm new to JNDI, security and eDirectory, and all I got was confusion and lots of exceptions.
Here's my problem: I'm trying to run a web application on the Tomcat web server. I have a login.html for users to log in to my application. Currently all usernames and passwords are stored in Novell eDirectory. Currently I have the following code:
<%@page import="javax.naming.*"%>
<%@page import="javax.naming.directory.*"%>
<%@page import="java.util.*"%>
<%
String uid = request.getParameter("user");
// Set up the environment for creating the initial context
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://10.1.1.199:636/o=hcfhe");
env.put(Context.SECURITY_PRINCIPAL, "cn=ldapbrowse, ou=it, o=hcfhe");
env.put(Context.SECURITY_CREDENTIALS, "ldapbrowse");
env.put(Context.SECURITY_PROTOCOL, "ssl");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put("java.naming.ldap.factory.socket", "javax.net.ssl.SSLSocketFactory");
env.put("java.naming.ldap.version", "3");
// These properties are JVM-wide: they affect every SSL connection in the Tomcat process.
// cacerts is a trust store, so only javax.net.ssl.trustStore matters for verifying the server;
// keyStore/keyStorePassword are used only when the client presents its own certificate.
System.setProperty("javax.net.ssl.keyStore", "c://j2sdk1.4.0//jre//lib//security//cacerts");
System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
System.setProperty("javax.net.ssl.trustStore", "c://j2sdk1.4.0//jre//lib//security//cacerts");
System.setProperty("javax.net.debug", "all");
// Create the initial context
DirContext ctx = null;
try {
    ctx = new InitialDirContext(env);
    System.out.println("Is it binding..................");
    SearchControls ctls = new SearchControls();
    ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
    // {0} is escaped by JNDI; concatenating uid into the filter string would let
    // filter metacharacters in the submitted user name change the query
    NamingEnumeration results = ctx.search("", "(cn={0})", new Object[] { uid }, ctls);
    String dn = null;
    if (results.hasMore()) {
        SearchResult sr = (SearchResult) results.next();
        dn = sr.getName();
    }
    System.out.println("DN" + dn);
    // NOTE: this only checks that the cn exists; the submitted password is never
    // verified against the directory, so it does not authenticate the user
    if (dn != null) {
        response.sendRedirect("index2.html");
    }
} catch (NamingException e) {
    System.err.println("Problem getting attribute:" + e);
    e.printStackTrace();
} finally {
    if (ctx != null) {
        try { ctx.close(); } catch (NamingException ignore) { }
    }
}
%>
I am trying to authenticate my users over SSL to eDirectory, and HERE'S where I am totally lost (BTW I can connect to my LDAP directory without SSL). My network administrator has given me a certificate from the server called SSLMASTER.DER, which I tried to install in the file called CACERTS in java_home\jre\lib\security using keytool. And it seems like it's there using the keytool -list command.
and edited the server.xml:
<Connector className="org.apache.tomcat.service.PoolTcpConnector">
<Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
<Parameter name="port" value="8443"/>
<Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory"/>
<!--<Parameter name="keystore" value="C:/jakarta-tomcat-3.2.4/conf/.keystore" />-->
<Parameter name="keystore" value="C:/j2sdk1.4.0/jre/lib/security/cacerts" />
<Parameter name="keypass" value="changeit"/>
<Parameter name="clientAuth" value="true"/>
</Connector>
Now I restart Tomcat and type in the following URL:
http://localhost:8080/college_register/uk/ac/havering-college/index122.html, then I enter the username and password; when submitted it goes to the above Java code. Even if I use https://localhost:8443/college_register/uk/ac/havering-college/index122.html, I still get the error below.
javax.naming.CommunicationException: simple bind failed: 10.1.1.199:636. Root exception is javax.net.ssl.SSLHandshakeException: Couldn't find trusted certificate
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(DashoA6275)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:69)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:127)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:385)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:309)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:168)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2516)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:263)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:76)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
at javax.naming.InitialContext.init(InitialContext.java:219)
at javax.naming.InitialContext.<init>(InitialContext.java:195)
at javax.naming.directory.InitialDirContext.<init>
Please tell me what else I need to do.
Get a copy of your LDAP server's public certificate. Use keytool to import (and create) that cert into a truststore. Configure the SSL props to use the new truststore.
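The two replies above (the IDM answer's -Djavax.net.ssl.trustStore advice and the "import the server's certificate into a truststore" advice here) describe the fix but not what correct client code looks like. The following is an added example, not code from this thread or from any of the products discussed. It binds to an LDAPS server through JNDI with a trust store scoped to this connection instead of set JVM-wide with System.setProperty, turns on hostname checking, sets connect and read timeouts so a bind cannot sit until the server gives up, and, unlike the JSP above, verifies the user's password by binding as the user after the lookup. Assumed and not from the thread: the class and method names, the two system properties ldaps.truststore and ldaps.truststorePassword, the placeholder URL and DNs in main, and that cn is unique under the base DN.

```java
import java.io.*;
import java.net.*;
import java.security.*;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.net.*;
import javax.net.ssl.*;

// Added example, not code from this thread. Assumes a JKS/PKCS12 trust store holding only
// the CA or server certificate, a service account allowed to search the base DN, and a
// unique cn per user under that base.
public class LdapsAuth {

    // JNDI names the factory in "java.naming.ldap.factory.socket" and calls its static
    // getDefault(), so the trust store is located through two system properties whose
    // names are chosen for this example (they are not standard JSSE properties).
    public static class TrustStoreSocketFactory extends SocketFactory {
        private static final SSLSocketFactory DELEGATE = build();
        private static SSLSocketFactory build() {
            String path = System.getProperty("ldaps.truststore");   // e.g. /myapps/idm/truststore.jks
            String pass = System.getProperty("ldaps.truststorePassword", "");
            if (path == null) throw new IllegalStateException("-Dldaps.truststore is not set");
            try (InputStream in = new FileInputStream(path)) {
                KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
                ts.load(in, pass.isEmpty() ? null : pass.toCharArray());
                TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                tmf.init(ts);                                   // PKIX validation against this store only, not cacerts
                SSLContext ctx = SSLContext.getInstance("TLS");
                ctx.init(null, tmf.getTrustManagers(), null);   // no client key: a key store is not needed to verify the server
                return ctx.getSocketFactory();
            } catch (IOException | GeneralSecurityException e) {
                throw new IllegalStateException("cannot load LDAPS trust store " + path, e);
            }
        }
        public static SocketFactory getDefault() { return new TrustStoreSocketFactory(); }

        // Hostname checking: a certificate that chains to the CA but names another host is
        // rejected. JDK 8u181+ applies this to LDAPS itself; setting it here covers older runtimes.
        private static Socket verified(Socket s) {
            SSLSocket ssl = (SSLSocket) s;
            SSLParameters p = ssl.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("LDAPS");
            ssl.setSSLParameters(p);
            return ssl;
        }

        // JNDI uses the no-arg form (then connect() with a timeout) when com.sun.jndi.ldap.connect.timeout is set
        @Override public Socket createSocket() throws IOException { return verified(DELEGATE.createSocket()); }
        @Override public Socket createSocket(String h, int p) throws IOException { return verified(DELEGATE.createSocket(h, p)); }
        @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException { return verified(DELEGATE.createSocket(h, p, lh, lp)); }
        @Override public Socket createSocket(InetAddress a, int p) throws IOException { return verified(DELEGATE.createSocket(a, p)); }
        @Override public Socket createSocket(InetAddress a, int p, InetAddress lh, int lp) throws IOException { return verified(DELEGATE.createSocket(a, p, lh, lp)); }
    }

    private static Hashtable<String, Object> env(String url, String principal, String credentials) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);                             // ldaps://host:636
        env.put("java.naming.ldap.factory.socket", TrustStoreSocketFactory.class.getName());
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");           // ms: fail fast instead of hanging on a dead port
        env.put("com.sun.jndi.ldap.read.timeout", "10000");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return env;
    }

    // Looks the user up with the service account, then binds as the user. Finding the cn
    // proves nothing; only the second bind checks the password.
    public static boolean authenticate(String url, String baseDn, String svcDn, String svcPw,
                                       String uid, String password) throws NamingException {
        if (password == null || password.isEmpty()) return false;      // empty password = unauthenticated bind
        String userDn;
        DirContext lookup = new InitialDirContext(env(url, svcDn, svcPw));
        try {
            SearchControls ctls = new SearchControls();
            ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            ctls.setReturningAttributes(new String[0]);                 // DN only
            // {0} is escaped by JNDI, so filter metacharacters in uid cannot change the query
            NamingEnumeration<SearchResult> r = lookup.search(baseDn, "(cn={0})", new Object[] {uid}, ctls);
            if (!r.hasMore()) return false;
            userDn = r.next().getNameInNamespace();
            if (r.hasMore()) return false;                              // ambiguous cn: refuse rather than guess
        } finally {
            lookup.close();
        }
        try {
            new InitialDirContext(env(url, userDn, password)).close();
            return true;
        } catch (AuthenticationException e) {                           // bad password (LDAP result 49)
            return false;
        }
    }

    // java -Dldaps.truststore=/path/truststore.jks LdapsAuth ldaps://ldap.example.internal:636 \
    //      o=example "cn=svc,ou=it,o=example" svcpw jdoe userpw         (all values are placeholders)
    public static void main(String[] args) throws NamingException {
        System.out.println(authenticate(args[0], args[1], args[2], args[3], args[4], args[5]) ? "OK" : "DENIED");
    }
}
```

Build the trust store the way the IDM reply describes (keytool -import of the server or CA certificate into a separate JKS file) and start the JVM with -Dldaps.truststore pointing at it. The JDK's own cacerts and the Tomcat keystore are then not consulted at all, which is what makes "Couldn't find trusted certificate" reproducible: if the handshake fails, the certificate presented by the server does not chain to what is in that one file.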
-
IdM SPE Ldap SSL operations hang
Hi all,
We're having a problem with IdM SPE hanging while doing LDAP operations over SSL. Has anyone encountered this before? We're under a tight deadline and any inputs/suggestions would automatically make the contributor my hero.
Description:
Our application is hanging when we try to use SPE's APIs to add some users to an LDAPS resource. We see these connections being logged in the LDAP logs, however binding never occurs. Instead these LDAP connections from SPE seem to sit until timeout.
Environment:
IdM 6.0 SPE SP1
AIX 5.2
J2RE 1.4.2 IBM AIX SP7
BEA WebLogic 8.1 SP5
SunOne Directory Server 5.2
Evaluation:
After a long period of time we see the following exception in our application logs:
javax.naming.CommunicationException: Request: 1 cancelled
at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java(Inlined Compiled Code))
at com.sun.jndi.ldap.Connection.readReply(Connection.java(Compiled Code))
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:357)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:210)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2657)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:307)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:190)
What we noticed is that LDAP connections (no SSL) seem to be okay. We have verified that connections can be made from our app server box to our LDAP server on the SSL port. We've also created a simple Java servlet that makes LDAPS connections using JNDI and put this in the same container as IdM, and this seems to connect okay as well. This seems to indicate that the hanging is not an SSL issue but an SPE one.
We do notice from examining the LDAP logs that the same connections are being used over and over. This is expected connection pooling behavior, but could this be an issue if we switch our connection from LDAP to LDAPS? Does the pool not get purged when we switch on SSL?
Updated findings:
We were able to duplicate this on a windows sand box environment. Again it breaks when SPE tries to do an LDAPS operation. Here's what we figured out so far.
a.) Definitely not a certificate issue
b.) Almost definitely not a JDK/JCE/JSSE issue
c.) Definitely not an LDAP issue
d.) Not an IdM 6.0 issue (Can provision users from IdM console)
e.) Not a connection pooling issue (Turned off pooling and it still hung)
f.) Not a network issue.
It seems at this stage that the problem stems from SPE. Has anyone ever gotten SPE to work with LDAP over SSL? Any suggestions? -
I am unable to get SSL or Secure LDAP connection to work.
These are my settings for Directory-service:
name: TEST
description: TEST
login-prefix: TEST
type: GenericLdap
last-sync: (no value)
last-sync-error: The server is not operational.
users: (no value)
groups: (no value)
Connection settings
host: ldap.xon-ionx.****.se
port: 636
top-directory: ou=USER_CONTAINER,o=ROOT
binding-type: Secure
synchronization-account: cn=ZAV_User,ou=external,o=ROOT
password: ********
Schema settings
user-filter: (objectClass=inetOrgPerson)
user-class: inetOrgPerson
user-login-name: cn
user-first-name:
user-last-name:
user-full-name: cn
group-filter: (objectClass=groupOfNames)
group-class: groupOfNames
group-name: cn
group-description: description
group-members: member
Message from server is not saying much: Not synchronized (error: The server is not operational.)
Debug log output as follows:
05-07-2013 08:47:09.9960 - Critical - 0x0C5C: Directory service TEST could not be completely synced. Connection settings: host ldap.xon-ionx.****.se, port 636, top ou=USER_CONTAINER,o=ROOT, user cn=ZAV_User,ou=external,o=ROOT, type Secure, ufilter (objectClass=inetOrgPerson), uclass inetOrgPerson, uuname cn, ufname , ulname , uflname cn, gfilter (objectClass=groupOfNames), gclass groupOfNames, gdescription description, gmembership member
The server is not operational.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
at System.DirectoryServices.DirectorySearcher.FindAll()
at Spoon.Server.Common.Data.Library.DirectoryService._SyncNode(LibraryDataContext dc, DirectoryServiceNode dsn, Dictionary`2 dictUsers, Dictionary`2 dictGroups, Dictionary`2 dictUsersToInclude, Dictionary`2 dictGroupsToInclude, Int32& iUsersAdded, Int32& iGroupsAdded)
at Spoon.Server.Common.Data.Library.DirectoryService.Sync()
/Mathias
Do other binding options function as expected (Simple, Anonymous)? I'm also working on setting up a test environment to try and reproduce this. If I find something that can help, I'll update the thread.
The support team could open a proper ticket with Spoon about this, but it requires that you open an SR first. -
App Server 8.0 LDAP SSL Problems
Hello,
I have been able to get the following java code to connect to an LDAP server to work in a servlet (within a j2ee-module) under the Sun J2EE application server 8.0 when I am connecting to a non-ssl LDAP server:
LDAPConnection conn = new LDAPConnection();
conn.connect(ldap_host, Integer.parseInt(ldap_port));
StringBuffer sb = new StringBuffer("uid=");
sb.append(cuid).append(",").append(ldap_base);
String dn = sb.toString();
conn.authenticate(3, dn, password);
I have been having a bear of a time implementing the same thing but with SSL by changing the host and port to an SSL LDAP instance and substituting the following code:
LDAPConnection conn = new LDAPConnection();
JSSESocketFactory jssf = new netscape.ldap.factory.JSSESocketFactory(null);
conn = new LDAPConnection(jssf);
I have used the following command to insert the cert from the LDAP server into the keystore:
keytool -import -trustcacerts -alias <ca-cert-alias> -file <cert>
I have also tried to inject the cert into the cacerts file found under the SUNWappserver/domains/domain1/config/cacerts.jks file directly using keytool.
No matter what I do, when the SSL version of the code is executed I get the following exception:
[#|2004-07-14T13:59:40.372-0400|INFO|sun-appserver-pe8.0.0_01|javax.enterprise.system.stream.out|_ThreadID=12;|
DEBUG Wed Jul 14 13:59:40 EDT 2004: <class removed for security purposes>.doPost:
Uncaptured Exception: JSSESocketFactory.makeSocket <host and port removed for security purposes>, Default SSL context init failed: Cannot recover key|#]
[#|2004-07-14T13:59:40.374-0400|INFO|sun-appserver-pe8.0.0_01|javax.enterprise.system.stream.out|_ThreadID=12;|
DEBUG Wed Jul 14 13:59:40 EDT 2004: <class removed for security purposes>.doPost:
netscape.ldap.LDAPException: JSSESocketFactory.makeSocket <host and port removed for security purposes>, Default SSL context init failed: Cannot recover key (91)
at netscape.ldap.factory.JSSESocketFactory.makeSocket(JSSESocketFactory.java:111)
at netscape.ldap.LDAPConnSetupMgr.connectServer(LDAPConnSetupMgr.java:509)
at netscape.ldap.LDAPConnSetupMgr.openSerial(LDAPConnSetupMgr.java:435)
at netscape.ldap.LDAPConnSetupMgr.connect(LDAPConnSetupMgr.java:274)
at netscape.ldap.LDAPConnSetupMgr.openConnection(LDAPConnSetupMgr.java:199)
at netscape.ldap.LDAPConnThread.connect(LDAPConnThread.java:109)
at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:1067)
at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:938)
at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:781)
at com.qwest.nts.portal.LdapHelper.authenticate(LdapHelper.java:51)
at com.qwest.nts.portal.servlet.PortalServlet.doPost(PortalServlet.java:68)
at com.qwest.nts.portal.servlet.BaseServlet.doGet(BaseServlet.java:50)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:748)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:861)
at sun.reflect.GeneratedMethodAccessor68.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:246)
at java.security.AccessController.doPrivileged(Native Method)
Am I missing something here? What does one need to do to get the Sun application server to enable SSL connections to an LDAP server? I am a bit confused about which keystore to use, since there are numerous copies of cacerts.jks and keystore.jks among both the application server config files and the jdk/jre config files found under SUNWappserver.
I attempted to see debug messages by adding -Djavax.net.debug=all directly to the java command found in the startserv script for this web application. I am not sure if this is the correct way to set system parameters when using the J2EE Sun application server, but it should work, no? When I do this I don't see any additional messages in the server's log file found at /SUNWappserver/domains/domain1/logs/server.log. All I see is the System.out.println's from the Java code and the exception.
Thanks in advance for any help.
- Dan
Harpreet,
Thanks for the reply. Yes, I do just want to authenticate to the LDAP server from some code in my servlet. It is working against a non-SSL server right now. I guess I am not using the LDAPRealm that the appserver provides because I didn't know about it. I just pulled working LDAP code from another project (written for WebLogic). As I said before, all is working fine against the non-SSL server; however, I need to authenticate against an SSL server. As for your other question, why am I using JSSESocketFactory, I don't have a good answer. The application I am using as an example around here uses ldapsdk.jar. Are you saying that these LDAP classes are already built in?
Thanks
- Dan
Hi Dan
A couple of questions that will help me understand this better.
1. It seems you just want to authenticate to the LDAP server from some code in your servlet - is that right? (On a side note: why don't you use the LDAPRealm that the appserver provides? It currently does not perform SSL authentication but that is something we are looking at.) This way you don't end up reinventing the wheel.
2. Any particular reasons for not using the J2SE security factory classes? (Since you use the Netscape JSSESocketFactory, you will have to use Netscape-provided flags to see what is going on over the wire.) That is the reason the javax.net.debug flags are not showing any useful output.
PS: javax.net.debug=ssl should suffice
Some comments and clarifications:
The truststore that you should bother about is the one under domains/domain_name_of_the_domain_u_use/cacerts.jks. Cacerts.jks has your imported (trusted) certs while keystore.jks has your server private keys and certificates.
(more info @ http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security.html#wp142440)
There has been a relevant thread that you may look at:
http://forum.java.sun.com/thread.jsp?forum=136&thread=51519
Hope that helps
- Regards
Harpreet
I have been able to get the following java code to connect to an LDAP server to work in a servlet (within a j2ee-module) under the Sun J2EE application server 8.0 when I am connecting to a non-ssl LDAP server:
LDAPConnection conn = new LDAPConnection();
conn.connect(ldap_host, Integer.parseInt(ldap_port));
StringBuffer sb = new StringBuffer("uid=");
sb.append(cuid).append(",").append(ldap_base);
String dn = sb.toString();
conn.authenticate(3, dn, password);
I have been having a bear of a time implementing the same thing but with SSL by changing the host and port to a SSL LDAP instance and substituting the following code:
LDAPConnection conn = new LDAPConnection();
JSSESocketFactory jssf = new netscape.ldap.factory.JSSESocketFactory(null);
conn = new LDAPConnection(jssf);
I have used the following command to insert the cert from the LDAP server into the keystore:
keytool -import -trustcacerts -alias <ca-cert-alias> -file <cert>
I have also tried to inject the cert into the cacerts file found under the SUNWappserver/domains/domain1/config/cacerts.jks file directly using keytool.
No matter what I do, when the SSL version of the code is executed I get the following exception:
[#|2004-07-14T13:59:40.372-0400|INFO|sun-appserver-pe8.0_01|javax.enterprise.system.stream.out|_ThreadID=12;|
DEBUG Wed Jul 14 13:59:40 EDT 2004: <class removed for security purposes>.doPost:
Uncaptured Exception: JSSESocketFactory.makeSocket <host and port removed for security purposes>, Default SSL context init failed: Cannot recover key|#]
[#|2004-07-14T13:59:40.374-0400|INFO|sun-appserver-pe8.0_01|javax.enterprise.system.stream.out|_ThreadID=12;|
DEBUG Wed Jul 14 13:59:40 EDT 2004: <class removed for security purposes>.doPost:
netscape.ldap.LDAPException: JSSESocketFactory.makeSocket <host and port removed for security purposes>, Default SSL context init failed: Cannot recover key (91)
    at netscape.ldap.factory.JSSESocketFactory.makeSocket(JSSESocketFactory.java:111)
    at netscape.ldap.LDAPConnSetupMgr.connectServer(LDAPConnSetupMgr.java:509)
    at netscape.ldap.LDAPConnSetupMgr.openSerial(LDAPConnSetupMgr.java:435)
    at netscape.ldap.LDAPConnSetupMgr.connect(LDAPConnSetupMgr.java:274)
    at netscape.ldap.LDAPConnSetupMgr.openConnection(LDAPConnSetupMgr.java:199)
    at netscape.ldap.LDAPConnThread.connect(LDAPConnThread.java:109)
    at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:1067)
    at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:938)
    at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:781)
    at com.qwest.nts.portal.LdapHelper.authenticate(LdapHelper.java:51)
    at com.qwest.nts.portal.servlet.PortalServlet.doPost(PortalServlet.java:68)
    at com.qwest.nts.portal.servlet.BaseServlet.doGet(BaseServlet.java:50)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:748)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:861)
    at sun.reflect.GeneratedMethodAccessor68.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:246)
    at java.security.AccessController.doPrivileged(Native Method)
Am I missing something here? What does one need to do to get the Sun application server to enable SSL connections to an LDAP server? I am a bit confused what keystore to use since there are numerous copies of cacerts.jks and keystore.jks among both the application server config files and the jdk/jre config files found under SUNWappserver.
I attempted to see debug messages by adding -Djavax.net.debug=all directly to the java command found in the startserv script for this web application. I am not sure if this is the correct way to set system parameters when using the J2EE Sun application server, but it should work, no? When I do this I don't see any additional messages in the server's log file found at /SUNWappserver/domains/domain1/logs/server.log. All I see is System.out.println's from the java code and the exception.
Thanks in advance for any help.
- Dan -
LDAP SSL - ways to provide trust store/key store details.
In our application we need to talk to LDAP over ssl. We are using the following to create the ldapContext:
System.setProperty("javax.net.ssl.trustStore", tStoreFile.getAbsolutePath());
System.setProperty("javax.net.ssl.keyStore", keyStoreFile.getAbsolutePath());
System.setProperty("javax.net.ssl.keyStorePassword", kspasswd);
System.setProperty("javax.net.ssl.trustStorePassword", tspasswd);
LdapContext ctx = new InitialLdapContext(env, null);
Is there any other way to provide Key/Trust store details?
Thanks
Of course: http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#Customization
-
Weblogic 8.1 and Novell LDAP SSL
Hi Everyone !
I'm having problems enabling SSL between Weblogic 8.1 and Novell LDAP. I have
the non-SSL working. All the BEA documentation I've found indicates that the SSL
Enabled checkbox needs to be checked and that's all. This can't be all because
I get the following errors.
Does anyone know how to solve this ?
Thanks,
Eddie
####<Oct 1, 2003 12:06:42 PM EDT> <Notice> <Security> <6X19DYSZH1ZV> <mytest>
<ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-090169>
<Loading trusted certificates from the jks keystore file C:\bea8.1\WEBLOG~1\server\lib\DemoTrust.jks.>
####<Oct 1, 2003 12:06:42 PM EDT> <Notice> <Security> <6X19DYSZH1ZV> <mytest>
<ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-090169>
<Loading trusted certificates from the jks keystore file C:\bea8.1\JDK141~1\jre\lib\security\cacerts.>
####<Oct 1, 2003 12:06:42 PM EDT> <Warning> <Security> <6X19DYSZH1ZV> <mytest>
<ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-090476>
<Invalid/unknown SSL header was received from peer NASTEA02 - 10.4.5.104 during SSL handshake.>
You need to configure the server SSL to trust the identity certificate it receives from nastea02.bankofny.com. If you want to use the default configuration you could simply import the CA certificate that issued that identity certificate to the DemoTrust.jks keystore.
Also, look at Using Host Name Verification here: http://edocs.bea.com/wls/docs81/secmanage/ssl.html#1187786 because this might be another reason why the certificate is rejected.
Pavel.
"Eddie Baue" <[email protected]> wrote:
Hi Everyone !
Please ignore the exceptions from my previous posting. I'm getting a new exception, which I've listed below.
Thanks,
Eddie
####<Oct 1, 2003 2:47:20 PM EDT> <Warning> <Security> <6X19DYSZH1ZV> <mytest>
<ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-090477>
<Certificate chain received from nastea02.bankofny.com - 10.4.5.104 was not trusted causing SSL handshake failure.>
"Eddie Baue" <[email protected]> wrote:
Hi Everyone !
I'm having problems enabling SSL between Weblogic 8.1 and Novell LDAP. I have
the non-SSL working. All the BEA documentation I've found indicates that the SSL
Enabled checkbox needs to be checked and that's all. This can't be all because
I get the following errors.
Does anyone know how to solve this ?
Thanks,
Eddie
####<Oct 1, 2003 12:06:42 PM EDT> <Notice> <Security> <6X19DYSZH1ZV> <mytest>
<ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-090169>
<Loading trusted certificates from the jks keystore file C:\bea8.1\WEBLOG~1\server\lib\DemoTrust.jks.>
####<Oct 1, 2003 12:06:42 PM EDT> <Notice> <Security> <6X19DYSZH1ZV> <mytest>
<ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-090169>
<Loading trusted certificates from the jks keystore file C:\bea8.1\JDK141~1\jre\lib\security\cacerts.>
####<Oct 1, 2003 12:06:42 PM EDT> <Warning> <Security> <6X19DYSZH1ZV> <mytest>
<ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-090476>
<Invalid/unknown SSL header was received from peer NASTEA02 - 10.4.5.104 during SSL handshake.>
-
IBM Websphere to ActiveDirectory ( Win 2003 ) LDAP SSL.
I am trying to connect to Win 2003 AD LDAP from websphere Application server.
I have installed the Win2k certificates into the local key store.
I used ikeyman of Websphere. Win 2k3 certificates were in .arm format (that's how the Win2k3 admin gave them to me). I successfully installed the certificates in the local keystore and pointed to the keystore when the LDAP connection is happening.
I am getting a MalformedURLException cannot parse url ldaps://xx.xx.x.x:636 Not an LDAP url.
At the same time i also tried with Sun JDK. It shows another error:
default context init failed: java.security.cert.CertificateParsingException: java.io.IOException: subject key, Unknown key spec: Invalid RSA modulus size.
Please help me. I want this program to run from IBM Websphere Env.
Please find my code below.
thanks in advance.
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.ldap.*;
import javax.naming.directory.*;
import java.io.*;
public class Test {
    public static void main(String args[]) {
        //String userName = "CN=Renjith\\, Vasudevan";
        String userName = null;
        String test = ",OU=xx,OU=xx,DC=xx,DC=xxm";
        String newPassword = "xxx";
        String oldPassword = "xx";
        Hashtable env = new Hashtable();
        //Hard coded values - will be moved to properties file.
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        //env.put(Context.PROVIDER_URL, "ldap://X.X.X.X:389");
        env.put(Context.PROVIDER_URL, "ldaps://X.X.X.X:636");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        //env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
        env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
        env.put(Context.SECURITY_CREDENTIALS, "xxxx");
        //env.put(Context.SECURITY_PROTOCOL,"ssl");
        String keystore = "C:\\j2sdk1.4.2_04\\jre\\lib\\security\\cacerts";
        System.setProperty("javax.net.ssl.trustStore", keystore);
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
        try {
            // Create the initial directory context
            LdapContext ctx = new InitialLdapContext(env, null);
            // The following code is only for getting the correct dn - the hardcoded dn had some tabbing/char problem.
            // Renjith - begin
            SearchControls constraints = new SearchControls();
            constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
            String[] strAttributes = { "sAMAccountName", "memberOf" };
            //String FILTER = "(&(objectClass=user))";
            String FILTER = "(&(objectClass=user)(sAMAccountName=prrev))";
            String searchBase = "OU=xx,OU=xx,DC=infores,DC=xx";
            constraints.setReturningAttributes(strAttributes);
            NamingEnumeration results = ctx.search(searchBase, FILTER, constraints);
            System.out.println("results : " + results);
            while (results != null && results.hasMore()) {
                SearchResult sr = (SearchResult) results.next();
                String dn = sr.getName();
                //String dn = ((Context)sr.getObject()).getNameInNamespace();
                if (dn.indexOf("Renjith") != -1) {
                    System.out.println("Distinguished Name : " + dn);
                    //System.out.println("Charg"+dn.toCharArray());
                    userName = dn + test;
                    break;
                }
            }
            // Renjith - end.
            //set password is a ldap modify operation
            ModificationItem[] mods = new ModificationItem[2];
            String oldQuotedPassword = "\"" + oldPassword + "\"";
            byte[] oldUnicodePassword = oldQuotedPassword.getBytes("UTF-16LE");
            String newQuotedPassword = "\"" + newPassword + "\"";
            byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
            mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", oldUnicodePassword));
            mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE,
                new BasicAttribute("unicodePwd", newUnicodePassword));
            System.out.println("Trying to reset Password for: " + userName);
            // Perform the update
            ctx.modifyAttributes(userName, mods);
            System.out.println("Reset Password for: " + userName);
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
            System.out.println("Problem resetting password: " + e);
        } catch (UnsupportedEncodingException e) {
            System.out.println("Problem encoding password: " + e);
        }
    }
}
The first error you described "malformed URL" is possibly due to the fact that your JRE version 1.4 does not support the ldaps URL.
If using 1.4 then you must use the following syntax:
env.put(Context.PROVIDER_URL, "ldap://servername:636");
If using 1.5, then it supports the syntax:
env.put(Context.PROVIDER_URL, "ldaps://servername:636");
I can't comment on the other error message you receive, however I am concerned at two things: one is that in your sample code you are using a "null" user name, and secondly, I have no idea what certificate you have installed. I do not recall seeing a Windows CA cert with the extension of .arm. Normally the Root CA exported trust cert has the extension of .cer
-
JNDI :: LDAP :: SSL :: howto trust all certificates
hi @ all,
currently i'm writing a jndi ldap wrapper java package which is intended to encapsulate all the jndi stuff for the user of it so he only needs to configure its settings through a xml configuration file.
now i'm at the point that i want to enable this package to communicate through a ssl secured connection. therefore i've got two questions.
first:
how can i specify a keystore file other than the default jre keystore file to be used by jndi when connecting to the directory server through ssl?
second:
i do not like the default behaviour of the jsse which forces me and in fact all the future users of the package to have imported the server's certificate to such a keystore. i think this is not nice cause i want to enable my application to connect to the server independent of the certificate it uses. is there any way to get the jndi (i think jsse in fact) to accept every certificate the server uses?
it would be nice if someone could help me with these questions 'cause i did not get it working up to now.
thx in advance
dialsc
morning,
meanwhile i was able to answer the first question by myself.
here's the answer:
create a keystore with the following instruction:
keytool -import -file server_cert.cer -keystore jssecacerts
then tell java to use the individual keystore with the following statement (before creating the DirContext):
System.setProperty("javax.net.ssl.trustStore", "/path/to/the/individual/keystore/file/myKeystoreFile");
that's it. now the ssl connection should work.
but what about my second question. can anyone give an answer for it, please?
regards
dialsc
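The "is there any other way to provide Key/Trust store details" question above and dialsc's first question share one answer that the JSSE customization link points at: hand JNDI a custom SSLSocketFactory through the java.naming.ldap.factory.socket property, so the truststore is scoped to the LDAP connection rather than set JVM-wide with javax.net.ssl.* system properties. The same mechanism is the sound answer to dialsc's second question: instead of accepting every certificate, the factory below trusts only the CA in one explicit truststore, and JNDI's hostname checking is left untouched. This is an added example, not code from any poster in these threads; the class name, truststore path, password and example host are hypothetical.

```java
import java.io.*;
import java.net.*;
import java.security.*;
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.ldap.*;
import javax.net.ssl.*;
/** SSLSocketFactory for JNDI that trusts only the CAs in one explicit truststore (no trust-all). */
public class PinnedTrustSocketFactory extends SSLSocketFactory {
    // Hypothetical path and password: a JKS holding only the directory server's issuing CA.
    static final String TRUSTSTORE = "/path/to/ldap-truststore.jks";
    static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();
    private final SSLSocketFactory delegate;
    private PinnedTrustSocketFactory() throws IOException, GeneralSecurityException {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(TRUSTSTORE)) { ts.load(in, TRUSTSTORE_PASSWORD); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);                                  // trust decisions come from this store alone
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);  // no client key material: simple bind only
        delegate = ctx.getSocketFactory();
    }
    /** JNDI calls this static method when java.naming.ldap.factory.socket names this class. */
    public static SSLSocketFactory getDefault() {
        try { return new PinnedTrustSocketFactory(); }
        catch (IOException | GeneralSecurityException e) { throw new IllegalStateException("cannot load LDAP truststore", e); }
    }
    // Plain delegation to the pinned context's factory.
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean close) throws IOException { return delegate.createSocket(s, h, p, close); }
    @Override public Socket createSocket(String h, int p) throws IOException { return delegate.createSocket(h, p); }
    @Override public Socket createSocket(String h, int p, InetAddress la, int lp) throws IOException { return delegate.createSocket(h, p, la, lp); }
    @Override public Socket createSocket(InetAddress a, int p) throws IOException { return delegate.createSocket(a, p); }
    @Override public Socket createSocket(InetAddress a, int p, InetAddress la, int lp) throws IOException { return delegate.createSocket(a, p, la, lp); }

    /** Simple bind over LDAPS using the pinned truststore instead of JVM-wide javax.net.ssl.* properties. */
    public static LdapContext connect(String url, String bindDn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);            // e.g. "ldaps://ldap.example.test:636" (hypothetical host)
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put("java.naming.ldap.factory.socket", PinnedTrustSocketFactory.class.getName());
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialLdapContext(env, null);
    }
}
```

A server presenting a certificate not chaining to the CA in the truststore fails the handshake with a javax.net.ssl.SSLHandshakeException wrapped in a CommunicationException, which is the outcome a trust-all manager would silently hide.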