Tomcat, LDAP, SSL, Servlet

Hi - I have already written a servlet that binds against an LDAP Server normally. Now I need to implement SSL on it. I would like to know if anyone has any code that simply binds against an LDAP Server using SSL.
I use the servlet on Tomcat to connect to the LDAP Server .. so...
1. Do I need to install JSSE along with Tomcat to use SSL?
2. Since the servlet acts as the client to the LDAP Server - is it enough to simply add SSL parameters to the code (and include a cert store path)?
I would only need to know the simple steps to SSL-enable my existing application ...
Please help!

I had problems getting SSL to work. The only modifications that you should need to make are in the connection.
Here is the URL.
http://forum.java.sun.com/thread.jsp?forum=51&thread=322566
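The connection change the reply refers to, as an added example that is not code from the thread or from the linked forum: a JNDI simple bind over LDAPS whose TLS sockets come from a socket factory built on a dedicated truststore, so the trust decision does not depend on JVM-wide `javax.net.ssl.*` system properties. JSSE has been part of the JDK since 1.4, so nothing extra needs to be installed beside Tomcat. The class names, the command-line argument layout and the truststore path are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not code from the thread: a JNDI simple bind over LDAPS whose
 * TLS sockets trust only the certificates in a dedicated truststore.
 */
public class LdapsBind {

    /**
     * The JNDI LDAP provider loads the class named by "java.naming.ldap.factory.socket"
     * and calls its static getDefault(); every socket it opens then comes from here.
     */
    public static class TrustStoreSocketFactory extends SocketFactory {
        private static volatile SocketFactory configured;   // built once by configure()
        private final SocketFactory tls;

        private TrustStoreSocketFactory(SocketFactory tls) {
            this.tls = tls;
        }

        /** Builds the TLS socket factory from a JKS/PKCS12 truststore (assumed path). */
        public static void configure(String trustStorePath, char[] trustStorePass) throws Exception {
            KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
            try (FileInputStream in = new FileInputStream(trustStorePath)) {
                trust.load(in, trustStorePass);
            }
            TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(trust);                               // trust anchors = this truststore only
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);  // no client key: server auth only
            configured = new TrustStoreSocketFactory(ctx.getSocketFactory());
        }

        public static SocketFactory getDefault() {
            if (configured == null) {
                throw new IllegalStateException("TrustStoreSocketFactory.configure() not called");
            }
            return configured;
        }

        @Override public Socket createSocket() throws IOException {
            return tls.createSocket();                     // used when a connect timeout is set
        }
        @Override public Socket createSocket(String host, int port) throws IOException {
            return tls.createSocket(host, port);
        }
        @Override public Socket createSocket(String host, int port, InetAddress lh, int lp)
                throws IOException {
            return tls.createSocket(host, port, lh, lp);
        }
        @Override public Socket createSocket(InetAddress host, int port) throws IOException {
            return tls.createSocket(host, port);
        }
        @Override public Socket createSocket(InetAddress host, int port, InetAddress lh, int lp)
                throws IOException {
            return tls.createSocket(host, port, lh, lp);
        }
    }

    /** Simple bind over LDAPS; the caller searches with the returned context and closes it. */
    public static DirContext bind(String ldapsUrl, String bindDn, String password)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);           // e.g. ldaps://ldap.example.test:636
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("java.naming.ldap.factory.socket", TrustStoreSocketFactory.class.getName());
        return new InitialDirContext(env);                 // TLS handshake and bind happen here
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: LdapsBind <ldaps-url> <bind-dn> <password> <truststore> <truststore-pass>");
            System.exit(2);
        }
        TrustStoreSocketFactory.configure(args[3], args[4].toCharArray());
        DirContext ctx = bind(args[0], args[1], args[2]);
        try {
            System.out.println("bound as " + ctx.getEnvironment().get(Context.SECURITY_PRINCIPAL));
        } finally {
            ctx.close();
        }
    }
}
```

In a servlet, call `configure()` once (for instance from `init()`) and `bind()` per request. Only the CA that issued the directory server's certificate belongs in this truststore; pointing the trust at a whole copy of `cacerts` trusts every public CA for the bind. With `ldaps://` in the provider URL, `Context.SECURITY_PROTOCOL` is not needed; `ldap://host:636` plus `SECURITY_PROTOCOL=ssl` gives the same result. JDK 8u181 and later also verify that the server certificate matches the host name in the URL, so connect by the DNS name in the certificate rather than by IP address.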

Similar Messages

  • Question regd C++ and Java with Tomcat and SSL

    I have configured Tomcat with SSL and am running a servlet
    which is going to receive input from a C++ application.
    The team which are coding in C++ have a statement in their C++
    code 'HTTP1.1'.
    My Tomcat is v 3.2.4.
    Does this support the HTTP 1.1 or the HTTP 1.0 protocol?

    The latest Tomcat version supports both HTTP specifications, 1.1 and 1.0. If you want to make sure for Tomcat 3.2.4, you can search the web and the Jakarta website for this.
    Regards
    Akhil Nagpal

  • Installation Tomcat with SSL

    I am trying to create a Java server using Tomcat. After configuration, I can access http://localhost:8080 successfully. However, I cannot open the SSL function.
    I have removed the comment from the SSL section in server.xml. In addition, I have generated the corresponding certificates and keys with openssl and keytool in /System/Library/Frameworks/JavaVM.framework/keytool. But I still cannot access https://localhost:8443.
    When I check the network condition with "netstat -an", I discover that port 8080 (used by Tomcat without SSL) is working but 8443 is not.
    The configuration of the SSL part is as follows:
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="server.p12" keystorePass="****" keystoreType="PKCS12"
               truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS"/>
    Can anyone answer my question? Thank You!

    Here is my web.xml file
    thanks
    <?xml version="1.0" encoding="UTF-8" ?>
    <!DOCTYPE web-app
      PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
      "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
    <web-app>
      <display-name>File Transfer Application</display-name>
      <description>This application upload and downloads files.
      </description>
      <servlet>
        <servlet-name>authUser</servlet-name>
        <servlet-class>authenticate</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>authUser</servlet-name>
        <url-pattern>/doAuth</url-pattern>
      </servlet-mapping>
      <servlet>
        <servlet-name>GetResponse</servlet-name>
        <servlet-class>mypkg.serv</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>GetResponse</servlet-name>
        <url-pattern>/doServ</url-pattern>
      </servlet-mapping>
      <servlet>
        <servlet-name>RequestUpload</servlet-name>
        <servlet-class>reqUpload</servlet-class>
        <init-param>
          <param-name>
            uploadDir
          </param-name>
          <param-value>
            /path/to/upload
          </param-value>
        </init-param>
      </servlet>
      <servlet-mapping>
        <servlet-name>RequestUpload</servlet-name>
        <url-pattern>/doUpload</url-pattern>
      </servlet-mapping>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Protected Area</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>webuser</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>BASIC</auth-method>
      </login-config>
    </web-app>

  • EDSPermissionError(-14120) problems with LDAP, SSL and Directory Utility

    Hello everyone,
    Apologies for the repost but I think I may have made a mistake by posting this originally in the Installation, Setup and Migration forum instead of the Open Directory forum. At least I think that may be why I didn't receive any responses.
    Anyway, I've been trying to get my head around Open Directory and SSL as they are implemented in Mac OS X Server 10.5 Leopard, and have been having a few issues. I would like to set up a secure internal infrastructure based around a local Certificate Authority that signs certificates for other internal services like LDAP, email, websites, etc.
    I only have one Mac OS X Server and it is kind of a small office so I have gone against best practice and simply made it a CA (through Keychain Utility). I then generated a self-signed SSL certificate through Server Admin, and used the "Generate CSR" option to create a Certificate Signing Request. This went fine, but I did have some problems signing it with the CA, because the server documentation suggested that once I signed it it would pop open a Mail message containing the ASCII version of the signed certificate - it did not, and it took me a loooong time to realize that I could simply export the copy of the signed certificate it put in my local Keychain on the server as a PEM file and paste this back into the "Add Signed or Renewed Certificate from Certificate Authority" dialog box in Server Admin. Hopefully this can be fixed in a forthcoming patch, but I thought I would mention it here in case anyone else is stuck on this issue.
    Once I did this I was able to use this certificate in the web server on the same machine and sure enough I was able to connect to it with clients who had installed the CA certificate in their system Keychains without getting any error messages - very cool.
    However, I haven't had quite as much luck getting it going with LDAP/Open Directory. I installed the certificate there as well, but have run into a number of problems. At first I could not get clients (also running 10.5.2) to talk to the server at all over SSL, receiving an error in Directory Utility that the server did not support SSL. I eventually discovered that the problem seemed to lie in the fact that the OpenLDAP implementation on Leopard is not tied in with the system Keychain, necessitating some command-line voodoo to install a copy of the CA cert in a local directory and point /etc/openldap/ldap.conf at it, as documented here: http://www.afp548.com/article.php?story=20071203011158936
    This allowed me to do an ldapsearch command over SSL, and seemingly turn SSL on on clients that were previously bound to the directory, and additionally allowed me to run Directory Utility on new clients and put in the server name with the SSL box checked and begin to go through the process of binding. Once this seemed to work, I turned off all plaintext LDAP communication and locked down the service by checking the "Enable authenticated directory binding," "Require authenticated binding," "Disable clear text passwords," and "Encrypt all packets" options in Server Admin. However, I am now running into a new problem, specifically that I cannot successfully bind a local account to a directory account over SSL.
    Here's what happens:
    1) I run Directory Utility, (or it auto-runs) and add a server, typing in the DNS name and clicking the SSL box.
    2) I get asked to authenticate, and type in user credentials, including computer name (incidentally, should this be a FQDN or just a hostname?)
    3) Provided I put admin credentials in here and not user-level credentials, I get taken to the "Do you want to set up Mail, VPN, etc.?" box that normally appears when you autodiscover or connect to an Open Directory server.
    4) I click through, and am asked for a username and password on the server, as well as the password for my local account.
    5) When I put this information in, I get a popup with the dreaded "eDSPermissionError(-14120)" and it fails.
    Checking the logs in Server Admin reveals nothing special, and while I have seen a couple other threads on this error and various other binding problems:
    http://discussions.apple.com/thread.jspa?messageID=5967023
    http://discussions.apple.com/message.jspa?messageID=5982070
    these have not solved the problem. In the Open Directory user name field I am putting the short username. I have tried putting [email protected] and the user's longname but this fails by saying the account does not exist. For some reason it does seem to work if I bind it to the initial admin account I created, but no other user accounts.
    If I turn all the encryption stuff off I am able to join just fine, so I am suspecting that the error may lie in some other "under the hood" piece of software that doesn't get the CA trust settings from the Keychain or the ldap.conf file, but I'm stymied as to which piece of software this might be. Does anyone have any clues on what I might be able to do here?
    Thanks,
    Andrew

    Hard to tell what is happening without looking at the application
    source, knowing what OS & hardware you're using etc. You might want to
    try running with different JVM versions to see if it's actually the VM
    that is the problem. If you have a support contract with BEA you could
    ask support to help you diagnose this.
    Regards,
    /Helena
    Ayub Khan wrote:
    I have an application running on Weblogic 8.1 (with JRockit as the JVM). This
    application in turn talks to an iPlanet Directory server via LDAP/SSL. The problem
    seems to happen on loading the machine... the performance progressively gets worse
    and after a couple of seconds, all the threads stop responding. I checked the
    heap, CPU and the idle threads in the execute queue and there is nothing there
    to trigger alarms... there are quite a few idle threads still and the heap and
    the CPU utilization seem OK. On doing a thread dump, I see that all the other
    threads seem to be in a state where they are waiting for data from LDAP and it
    is basically read-only data that they are waiting on.
    Does anyone know what is going on and help point me in the right direction?
    -Ayub

  • Convergence with LDAP SSL Failure

    Hello,
    I'm now having a problem securing connections between Convergence and my LDAP server.
    Once I set ugldap.enablessl to true in iwcadmin and change the port to 636, the following error occurs and Convergence just couldn't authenticate.
    server.log in Glassfish 2.1.1, enterprise profile using NSS keystore
    [#|2010-11-12T20:17:15.208+0000|SEVERE|sun-appserver2.1|com.sun.comms.shared.ldap|_ThreadID=19;_ThreadName=Thread-114;_RequestID=f4814afe-c0b0-4245-b21b-64be2d4a39e3;|LDAPS:Error occured during SSL handshake java.lang.RuntimeException: Could not parse key values|#]
    [#|2010-11-12T20:17:15.209+0000|SEVERE|sun-appserver2.1|com.sun.comms.shared.ldap.LDAPSingleHostPool|_ThreadID=19;_ThreadName=Thread-114;_RequestID=f4814afe-c0b0-4245-b21b-64be2d4a39e3;|buildConnection: got LDAPException while connecting to Pool number:0. Host=<ldaphost> :netscape.ldap.LDAPException: Error occured during SSL handshake java.lang.RuntimeException: Could not parse key values (91)|#]
    HTTP SSL connections to Webmail server and calendar servers are fine. I tried deploying the same configuration using developer profile with JKS keystore, the SSL authentication goes through then, but I need clustering for high availability.
    Does anyone have any ideas?
    Thanks so much in advance!
    Mathew

  • XFire, Tomcat and SSL

    Hi,
    Until I recreated our complete key set with stores and trusts, everything worked fine (except our certificates weren't valid anymore, that's why I've recreated them).
    As far as I tested, everything looks fine. The truststore recognizes the trusted keys and I can read out certificates by alias from the keystores.
    But now to the problem: I have several web services running on Tomcat, and every service has its own store-trust pair. Tomcat itself is using a store-trust pair too, which trusts every other key instead of itself.
    If I do a simple connection from an application to Tomcat with SSL it works without problems. But as soon as a called service on Tomcat tries to call another service on the same Tomcat I get the following error:
    Caused by: java.security.UnrecoverableKeyException: Password verification failed
    I really have no idea what could be wrong. Following is the code I used to create the keys:
    import java.io.File;
    import java.io.IOException;
    import java.util.ArrayList;
    import java.util.Arrays;
    import java.util.List;

    // Reconstructed from the post: missing braces restored, and keytool is now started
    // through ProcessBuilder with an explicit argument list and waited for, because
    // Runtime.exec(String) splits the command on whitespace (which breaks the quoted
    // -dname) and polling for the output file does not wait for keytool to finish it.
    public class GenKeys {
        // Field values are not shown in the post; these are placeholders.
        private static final String[] services = {"serviceA", "serviceB"};
        private static final String BASEPATH = "C:\\keys";
        private static final String STOREPATH = "\\stores";
        private static final String KEYPATH = "\\certs";
        private static final String TRUSTPATH = "\\trusts";
        private static final String KEYALG = "RSA";
        private static final String SIGALG = "SHA256withRSA";
        private static final String KEYSIZE = "2048";
        private static final String PASS = "changeit";

        /** Runs keytool with the given arguments and fails if it exits non-zero. */
        private static void keytool(String... args) throws IOException, InterruptedException {
            List<String> cmd = new ArrayList<>();
            cmd.add("keytool");
            cmd.addAll(Arrays.asList(args));
            Process p = new ProcessBuilder(cmd).inheritIO().start();
            if (p.waitFor() != 0) {
                throw new IOException("keytool exited with " + p.exitValue() + ": " + cmd);
            }
        }

        public GenKeys() {
            try {
                new File(BASEPATH + STOREPATH).mkdirs();
                new File(BASEPATH + KEYPATH).mkdirs();
                new File(BASEPATH + TRUSTPATH).mkdirs();
                System.out.println("Directories created\n");
                System.out.println("---------------------------------------");
                System.out.println("Creating keystores and certificates");
                System.out.println("---------------------------------------");
                String storeDir = BASEPATH + STOREPATH + File.separator;
                String certDir = BASEPATH + KEYPATH + File.separator;
                for (String service : services) {
                    System.out.print("Processing " + service + "...");
                    String keystore = storeDir + service + ".jks";
                    // One key pair per service, store and key protected by the same password
                    keytool("-genkey", "-keyalg", KEYALG, "-sigalg", SIGALG, "-keysize", KEYSIZE,
                            "-keystore", keystore, "-storepass", PASS,
                            "-alias", service, "-keypass", PASS,
                            "-dname", "CN=localhost, OU=TUWien, O=INSO, L=Vienna, S=Vienna, C=AT");
                    // Export the certificate so the other services can trust it
                    keytool("-export", "-keystore", keystore, "-storepass", PASS,
                            "-alias", service, "-file", certDir + service + ".cer");
                    System.out.println(" DONE");
                }
                System.out.println("\n---------------------------------------");
                System.out.println("Creating keytrusts");
                System.out.println("---------------------------------------");
                String trustDir = BASEPATH + TRUSTPATH + File.separator;
                for (String service : services) {
                    System.out.println("Processing " + service);
                    for (String other : services) {
                        if (other.equals(service)) continue;   // trust every service except itself
                        System.out.println("Adding key of " + other);
                        keytool("-import", "-trustcacerts", "-noprompt",
                                "-keystore", trustDir + service + "Trust.jks", "-storepass", PASS,
                                "-alias", other, "-file", certDir + other + ".cer");
                    }
                    System.out.println(" DONE");
                }
            } catch (IOException exc) {
                System.out.println("FEHLER: " + exc);
            } catch (InterruptedException exc) {
                Thread.currentThread().interrupt();
            }
        }

        public static void main(String[] args) {
            new GenKeys();
        }
    }

    Just for info ... the problem is solved, somehow. The same keytool commands run on Linux produce functional keys. But in the Windows console the keys don't work and I get an incorrect password failure.
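An added diagnostic, not part of the thread, for the UnrecoverableKeyException above: it tells a rejected store password apart from a rejected key password (the JDK keystore implementations report the two differently), and it checks the layout the post describes, where each service's truststore must hold every other service's certificate. File paths, aliases and the argument layout are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not code from the thread: pinpoints which password a JKS/PKCS12
 * file rejects and verifies the "every other service's cert" trust layout.
 */
public class KeyStoreCheck {

    public enum Status { OK, STORE_PASSWORD_REJECTED, KEY_PASSWORD_REJECTED, NO_SUCH_KEY, UNREADABLE }

    static KeyStore load(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);   // integrity check: a wrong store password fails here
        }
        return ks;
    }

    /** Distinguishes a rejected store password from a rejected key password. */
    public static Status checkKeyEntry(String path, String alias, char[] storePass, char[] keyPass) {
        KeyStore ks;
        try {
            ks = load(path, storePass);
        } catch (IOException e) {
            // JKS and PKCS12 wrap the failed integrity check as an IOException whose
            // cause is UnrecoverableKeyException ("Password verification failed")
            return e.getCause() instanceof UnrecoverableKeyException
                    ? Status.STORE_PASSWORD_REJECTED : Status.UNREADABLE;
        } catch (Exception e) {
            return Status.UNREADABLE;
        }
        try {
            if (!ks.isKeyEntry(alias)) return Status.NO_SUCH_KEY;
            ks.getKey(alias, keyPass);            // decrypts the private key with keyPass
            return Status.OK;
        } catch (UnrecoverableKeyException e) {
            return Status.KEY_PASSWORD_REJECTED;  // store opened, key password wrong
        } catch (Exception e) {
            return Status.UNREADABLE;
        }
    }

    /**
     * Returns the services whose certificate is missing from trustStorePath.
     * keystorePaths[i] holds the key pair of services[i] under alias services[i].
     */
    public static List<String> missingFromTrust(String trustStorePath, char[] trustPass,
                                                String[] services, String[] keystorePaths,
                                                char[] storePass) throws Exception {
        KeyStore trust = load(trustStorePath, trustPass);
        List<String> missing = new ArrayList<>();
        for (int i = 0; i < services.length; i++) {
            Certificate cert = load(keystorePaths[i], storePass).getCertificate(services[i]);
            // getCertificateAlias matches on certificate content, not on the alias name
            if (cert == null || trust.getCertificateAlias(cert) == null) {
                missing.add(services[i]);
            }
        }
        return missing;
    }

    public static void main(String[] args) {
        if (args.length != 4) {
            System.err.println("usage: KeyStoreCheck <keystore> <alias> <storepass> <keypass>");
            System.exit(2);
        }
        System.out.println(checkKeyEntry(args[0], args[1],
                args[2].toCharArray(), args[3].toCharArray()));
    }
}
```

Run it against the keystore Tomcat's connector points at, with the password from server.xml. "Password verification failed" as reported in the post is the store-password case; when the store opens but the key does not, the JDK's message is "Cannot recover key" instead, which points at a `-keypass` that differs from `-storepass`.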

  • LDAP SSL requirement and setup

    Can someone point me the direction on setting up LDAP SSL in Apex 2.2?
    Is there any documentation available? Thank you.

    I have the same request. The only information I could find was here: LDAP Authentication Failed

  • Rodc ldap ssl

    I am putting an RODC on the DMZ in a separate forest from the internal network.
    On the DMZ, I have a read/write 2012 DC in 2008R2 mode. Then I added an RODC in the same DMZ forest.
    I want to open up 636 to the RODC from the public for LDAP SSL.
    Is this ok? How would I go about setting up LDAP SSL over the public internet? I guess I will need a public cert.

    Hello,
    Maybe you can describe the reason which requires LDAP over SSL access?
    In the meanwhile see
    http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
    You can also work with self-signed certificates
    http://gregtechnobabble.blogspot.de/2012/11/enabling-ldap-ssl-in-windows-2012-part-1.html
    It depends on the service/application requirement.
    We use for example an external access to our network but work with self-signed certificates for password change if accounts are required to change the password.
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • How to configure LDAP SSL using auto login wallet?

    Hello,
    I need to enable authentication over LDAP SSL.
    I've configured a wallet (auto login) containing required certificates and set accordingly WALLET_PATH and WALLET_PWD settings using apex_instance_admin.set_parameter method.
    With this, everything is working fine and LDAP over SSL is working well. It confirms that the wallet is properly configured, valid and usable.
    So, the wallet was created with auto login option and it seems to work well without specifying password when calling utl_http.
    Proof of properly configured auto login wallet (without password).
    TEST01@DB11G> exec show_html_from_url('https://www.verisign.com/'); -- test without wallet
    BEGIN show_html_from_url('https://www.verisign.com/'); END;
    ERROR at line 1:
    ORA-29273: HTTP request failed
    ORA-06512: at "SYS.UTL_HTTP", line 1527
    ORA-29261: bad argument
    ORA-06512: at "TEST01.SHOW_HTML_FROM_URL", line 25
    ORA-29273: HTTP request failed
    ORA-06512: at "SYS.UTL_HTTP", line 1130
    ORA-29024: Certificate validation failure
    ORA-06512: at line 1
    TEST01@DB11G> exec utl_http.set_wallet('file:/u01/app/oracle/product/11.2.0/dbhome_1/network/admin'); -- set wallet info for use without password (autologin)
    PL/SQL procedure successfully completed.
    TEST01@DB11G> exec show_html_from_url('https://www.verisign.com/'); -- It works!
    PL/SQL procedure successfully completed.
    So, when I configure WALLET_PATH without WALLET_PWD, it does not seem to work as it should with my auto login wallet...
    What am I missing? Is it APEX not handling auto login wallets correctly?
    Apex Version: 4.2.0.00.27
    OS: OEL 6.4
    DB: 11.2.0.3 x64
    Thanks
    Bruno Lavoie

  • How do I get the Tomcat port using Servlet.

    I am running Apache + Tomcat. All requests are going through Apache. How do I get the Tomcat port using a Servlet?

    See:
    ServletRequest.getServerPort()
    This will give the port upon which the request was received . . . which I believe is what you are looking for.

  • LDAP + SSL + tomcat- Please help!

    Please help. I searched the whole site; I'm new to JNDI, security and eDirectory, and all I got was confusion and lots of exceptions.
    Here's my problem: I'm trying to run a web application on the Tomcat web server. I have a login.html for users to log in to my application. Currently all usernames and passwords are stored in Novell eDirectory. Currently I have the following code.
    <%@page import="javax.naming.*"%>
    <%@page import="javax.naming.directory.*"%>
    <%@page import="java.util.*"%>
    <%@page import="java.lang.*"%>
    <%@page import="java.security.*"%>
    <%
    String uid = request.getParameter("user");
    // Set up the environment for creating the initial context
    Hashtable env = new Hashtable();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldap://10.1.1.199:636/o=hcfhe");
    // Service account used to look up the user's DN
    env.put(Context.SECURITY_PRINCIPAL, "cn=ldapbrowse, ou=it, o=hcfhe");
    env.put(Context.SECURITY_CREDENTIALS, "ldapbrowse");
    // Wrap the connection in SSL (636 is the LDAPS port)
    env.put(Context.SECURITY_PROTOCOL, "ssl");
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put("java.naming.ldap.factory.socket", "javax.net.ssl.SSLSocketFactory");
    env.put("java.naming.ldap.version", "3");
    // JVM-wide JSSE settings; the trust store must contain the directory server's certificate
    System.setProperty("javax.net.ssl.keyStore", "c://j2sdk1.4.0//jre//lib//security//cacerts");
    System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
    System.setProperty("javax.net.ssl.trustStore", "c://j2sdk1.4.0//jre//lib//security//cacerts");
    System.setProperty("javax.net.debug", "all");
    // Create the initial context
    try {
        DirContext ctx = new InitialDirContext(env);
        System.out.println("Is it binding..................");
        SearchControls ctls = new SearchControls();
        ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        // Pass the user-supplied value as a filter argument so JNDI escapes it
        // instead of splicing it into the filter string
        NamingEnumeration results = ctx.search("", "(cn={0})", new Object[] { uid }, ctls);
        String dn = null;
        if (results.hasMore()) {
            SearchResult sr = (SearchResult) results.next();
            dn = sr.getName();
        }
        //String mycon = ((SearchResult)answer.next()).getName();
        System.out.println("DN" + dn);
        // ... do something useful with ctx
        if (dn != null) {
            response.sendRedirect("index2.html");
        }
        ctx.close();
    } catch (NamingException e) {
        System.err.println("Problem getting attribute:" + e);
        e.printStackTrace();
    }
    %>
    I am trying to authenticate my users over SSL to eDirectory, and HERE'S where I am totally lost (BTW I can connect to my LDAP directory without SSL). My network administrator has given me a certificate from the server called SSLMASTER.DER, which I tried to install in the file called CACERTS in java_home\jre\lib\security using keytool. And it seems like it's there using the keytool -list command.
    and edited the server.xml:
    <Connector className="org.apache.tomcat.service.PoolTcpConnector">
    <Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
    <Parameter name="port" value="8443"/>
    <Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory"/>
    <!--<Parameter name="keystore" value="C:/jakarta-tomcat-3.2.4/conf/.keystore" />-->
    <Parameter name="keystore" value="C:/j2sdk1.4.0/jre/lib/security/cacerts" />
    <Parameter name="keypass" value="changeit"/>
    <Parameter name="clientAuth" value="true"/>
    </Connector>
    Now I restart tomcat, and type in the following URL
    http://localhost:8080/college_register/uk/ac/havering-college/index122.html, then I enter the username and password; when submitted it goes to the above java code. Even if I do https://localhost:8443/college_register/uk/ac/havering-college/index122.html, I still get the error below.
    javax.naming.CommunicationException: simple bind failed: 10.1.1.199:636. Root exception is javax.net.ssl.SSLHandshakeException: Couldn't find trusted certificate
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(DashoA6275)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:69)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:127)
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:385)
    at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:309)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:168)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2516)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:263)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:76)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
    at javax.naming.InitialContext.init(InitialContext.java:219)
    at javax.naming.InitialContext.<init>(InitialContext.java:195)
    at javax.naming.directory.InitialDirContext.<init>
    please tell me what else i need to do.

    Get a copy of your ldap server's public certificate. Use keytool to import (and create) that cert into a truststore. Configure the ssl props to use the new truststore.
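As an added example (not code from this thread), the bind from the first post rewritten the way the reply describes: the directory's certificate goes into a dedicated truststore, javax.net.ssl.keyStore is left alone because the servlet presents no client certificate, and the name typed by the user is escaped before it is placed in the search filter. The host, base DN, bind account and truststore path are placeholders.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Looks up a user's DN over LDAPS using a truststore that holds only the
 * directory's certificate. All values below are placeholders for this example.
 * The truststore is built once with keytool, e.g.
 *   keytool -import -alias ldapserver -file SSLMASTER.DER -keystore ldap-truststore.jks
 */
public class LdapsLookup {

    static final String LDAP_URL    = "ldaps://ldap.example.invalid:636";      // placeholder
    static final String BASE_DN     = "o=example";                             // placeholder
    static final String BIND_DN     = "cn=ldapbrowse,ou=it,o=example";         // placeholder
    static final String TRUST_STORE = "/etc/myapp/ldap-truststore.jks";        // placeholder

    /** Escape a value for use inside an LDAP search filter (RFC 4515 rules). */
    static String escapeFilter(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Point JSSE at the dedicated truststore. JVM-wide, so do it once at startup. */
    static void configureTrustStore(String trustStorePassword) {
        System.setProperty("javax.net.ssl.trustStore", TRUST_STORE);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
        // No javax.net.ssl.keyStore: that is only needed when the directory
        // requires a client certificate from the servlet.
    }

    static Hashtable<String, String> ldapsEnvironment(String bindPassword) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // The ldaps:// scheme selects TLS; Context.SECURITY_PROTOCOL="ssl" with
        // ldap:// is the equivalent used in the original post.
        env.put(Context.PROVIDER_URL, LDAP_URL + "/" + BASE_DN);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        return env;
    }

    /** Returns the full DN of the entry whose cn equals the given value, or null. */
    static String findUserDn(String bindPassword, String cn) throws NamingException {
        DirContext ctx = new InitialDirContext(ldapsEnvironment(bindPassword));
        try {
            SearchControls ctls = new SearchControls();
            ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            ctls.setReturningAttributes(new String[0]);   // only the DN is wanted
            NamingEnumeration<SearchResult> results =
                ctx.search("", "(cn=" + escapeFilter(cn) + ")", ctls);
            return results.hasMore() ? results.next().getNameInNamespace() : null;
        } finally {
            ctx.close();
        }
    }
}
```

A handshake failure such as "Couldn't find trusted certificate" now means the directory's certificate (or its issuing CA) is missing from ldap-truststore.jks, which keytool -list -keystore ldap-truststore.jks shows directly.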

  • IdM SPE Ldap SSL operations hang

    Hi all,
    We're having a problem with IdM SPE hanging while doing LDAP operations over SSL. Has anyone encountered this before? We're under a tight deadline and any inputs/suggestions would automatically make the contributor my hero.
    Description:
    Our application is hanging when we try to use SPE's APIs to add some users to an LDAPS resource. We see these connections being logged in the LDAP logs, however binding never occurs. Instead these LDAP connections from SPE seem to sit until timeout.
    Environment:
    IdM 6.0 SPE SP1
    AIX 5.2
    J2RE 1.4.2 IBM AIX SP7
    BEA WebLogic 8.1 SP5
    SunOne Directory Server 5.2
    Evaluation:
    After a long period of time we see the following exception in our application logs:
    javax.naming.CommunicationException: Request: 1 cancelled
            at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java(Inlined Compiled Code))
            at com.sun.jndi.ldap.Connection.readReply(Connection.java(Compiled Code))
            at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:357)
            at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:210)
            at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2657)
            at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:307)
            at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:190)
    What we noticed is that LDAP connection (no SSL) seem to be okay. We have verified that connections can be made from our app server box to our LDAP server on the ssl port. We've also created a simple java servlet that makes LDAPS using JNDI and put this in the same container as IdM and this seems to connect okay as well. This seems to indicate that the hanging is not a SSL issue but an SPE one.
    We do notice from examining the LDAP logs that the same connections are being used over and over. This is expected connection pooling behavior, but could this be an issue if we switch our connection from LDAP to LDAPs? Does the pool not get purged when we switch on SSL?

    Updated findings:
    We were able to duplicate this on a windows sand box environment. Again it breaks when SPE tries to do an LDAPS operation. Here's what we figured out so far.
    a.) Definitely not a certificate issue
    b.) Almost definitely not a JDK/JCE/JSSE issue
    c.) Definitely not an LDAP issue
    d.) Not an IdM 6.0 issue (Can provision users from IdM console)
    e.) Not a connection pooling issue (Turned off pooling and it still hung)
    f.) Not a network issue.
    It seems at this stage that the problem stems from SPE, has anyone ever gotten SPE to work with LDAP over ssl? Any suggestions?

  • App Server 8.0 LDAP SSL Problems

    Hello,
    I have been able to get the following java code to connect to an LDAP server to work in a servlet (within a j2ee-module) under the Sun J2EE application server 8.0 when I am connecting to a non-ssl LDAP server:
    LDAPConnection conn = new LDAPConnection();
    conn.connect(ldap_host, Integer.parseInt(ldap_port));
    StringBuffer sb = new StringBuffer("uid=");
    sb.append(cuid).append(",").append(ldap_base);
    String dn = sb.toString();
    conn.authenticate(3, dn, password);
    I have been having a bear of a time implementing the same thing but with SSL by changing the host and port to a SSL LDAP instance and substituting the following code:
    LDAPConnection conn = new LDAPConnection();
    JSSESocketFactory jssf = new netscape.ldap.factory.JSSESocketFactory(null);
    conn = new LDAPConnection(jssf);
    I have used the following command to insert the cert from the LDAP server into the keystore:
    keytool -import -trustcacerts -alias <ca-cert-alias> -file <cert>
    I have also tried to inject the cert into the cacerts file found under the SUNWappserver/domains/domain1/config/cacerts.jks file directly using keytool.
    No matter what I do, when the SSL version of the code is executed I get the following exception:
    [#|2004-07-14T13:59:40.372-0400|INFO|sun-appserver-pe8.0.0_01|javax.enterprise.system.stream.out|_ThreadID=12;|
    DEBUG Wed Jul 14 13:59:40 EDT 2004: <class removed for security purposes>.doPost:
    Uncaptured Exception: JSSESocketFactory.makeSocket <host and port removed for security purposes>, Default SSL context init failed: Cannot recover key|#]
    [#|2004-07-14T13:59:40.374-0400|INFO|sun-appserver-pe8.0.0_01|javax.enterprise.system.stream.out|_ThreadID=12;|
    DEBUG Wed Jul 14 13:59:40 EDT 2004: <class removed for security purposes>.doPost:
    netscape.ldap.LDAPException: JSSESocketFactory.makeSocket <host and port removed for security purposes>, Default SSL context init failed: Cannot recover key (91)
    at netscape.ldap.factory.JSSESocketFactory.makeSocket(JSSESocketFactory.java:111)
    at netscape.ldap.LDAPConnSetupMgr.connectServer(LDAPConnSetupMgr.java:509)
    at netscape.ldap.LDAPConnSetupMgr.openSerial(LDAPConnSetupMgr.java:435)
    at netscape.ldap.LDAPConnSetupMgr.connect(LDAPConnSetupMgr.java:274)
    at netscape.ldap.LDAPConnSetupMgr.openConnection(LDAPConnSetupMgr.java:199)
    at netscape.ldap.LDAPConnThread.connect(LDAPConnThread.java:109)
    at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:1067)
    at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:938)
    at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:781)
    at com.qwest.nts.portal.LdapHelper.authenticate(LdapHelper.java:51)
    at com.qwest.nts.portal.servlet.PortalServlet.doPost(PortalServlet.java:68)
    at com.qwest.nts.portal.servlet.BaseServlet.doGet(BaseServlet.java:50)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:748)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:861)
    at sun.reflect.GeneratedMethodAccessor68.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:246)
    at java.security.AccessController.doPrivileged(Native Method)
    Am I missing something here? What does one need to do to get the Sun application server to enable SSL connections to an LDAP server? I am a bit confused what keystore to use since there are numerous copies of cacerts.jks and keystore.jks among both the application server config files and the jdk/jre config files found under SUNWappserver.
    I attempted to see debug messages by adding -Djavax.net.debug=all directly to the java command found in the startserv script for this web application. I am not sure if this is the correct way to set system parameters when using the J2EE Sun application server, but it should work, no? When I do this I don't see any additional messages in the server's log file found at /SUNWappserver/domains/domain1/logs/server.log. All I see is System.out.println's from the java code and the exception.
    Thanks in advance for any help.
    - Dan

    Harpreet,
    Thanks for the reply. Yes I do just want to authenticate to the LDAP server from some code in my servlet. It is working against a non-ssl server right now. I guess I am not using the LDAPRealm that the appserver provides because I didn't know about it. I just pulled working LDAP code from another project (written for weblogic). As I said before all is working fine against the non-ssl server, however, I need to authenticate against a SSL server. As for your other question, why am I using JSSESocketFactory, I don't have a good answer. The application I am using as an example around here uses ldapsdk.jar. Are you saying that these LDAP classes are already built in?
    Thanks
    - Dan
    Hi Dan
    A couple of questions that will help me understand this better.
    1. It seems you just want to authenticate to the LDAP server from some code in your servlet - is that right?
    (On a side note: why don't you use the LDAPRealm that the appserver provides? It currently does not perform SSL authentication but that is something we are looking at). This way you don't end up reinventing the wheel.
    2. Any particular reasons on not using J2SE Security factory classes? (Since you use netscape JSSESocketFactory - you will have to use Netscape provided flags to see what is going on over the wire). That is the reason javax.net.debug flags are not showing any useful output.
    PS: javax.net.debug=ssl should suffice
    Some comments and clarifications:
    The truststore that you should bother about is the one under domains/domain_name_of_the_domain_u_use/cacerts.jks.
    Cacerts.jks has your imported (trusted) certs while keystore.jks has your server private keys and certificates.
    (more info @ http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security.html#wp142440)
    There has been a relevant thread that you may look at
    http://forum.java.sun.com/thread.jsp?forum=136&thread=51519
    Hope that helps
    - Regards
    Harpreet

  • LDAP/SSL performance degradation with 1.6.29/1.6.30

    Hi,
    we are running an application within a Tomcat 6.0.35 server on RHEL 5.7/i386 that queries our company's Active Directory using LDAP over SSL. One of the queries involves expanding a large distribution list. Since the upgrade from JDK 1.6.27 to 1.6.29 (or 1.6.30) the performance of this LDAP query has degraded dramatically, from about 8 seconds to more than 300 seconds. This only happens when encrypting the LDAP connection.
    We are not sure how to debug this further. Which information would we need to provide to get to the root of this? I was thinking that perhaps the Tomcat output with the javax.net.debug=ssl,handshake property set for 1.6.27 and 1.6.29/30 would be sufficient?
    With Java 1.6.29/30, the basic response/reply between the Tomcat and the AD server looks like:
    TP-Processor11, WRITE: TLSv1 Application Data, length = 32
    TP-Processor11, WRITE: TLSv1 Application Data, length = 160
    Thread-270, READ: TLSv1 Application Data, length = 16368
    Thread-270, READ: TLSv1 Application Data, length = 16368
    Thread-270, READ: TLSv1 Application Data, length = 11920
    TP-Processor11, WRITE: TLSv1 Application Data, length = 32
    TP-Processor11, WRITE: TLSv1 Application Data, length = 160
    Thread-270, READ: TLSv1 Application Data, length = 16368
    Thread-270, READ: TLSv1 Application Data, length = 16368
    Thread-270, READ: TLSv1 Application Data, length = 11920
    When using Java 1.6.27, we see:
    TP-Processor12, WRITE: TLSv1 Application Data, length = 208
    Thread-42, READ: TLSv1 Application Data, length = 16368
    Thread-42, READ: TLSv1 Application Data, length = 16368
    Thread-42, READ: TLSv1 Application Data, length = 5696
    TP-Processor12, WRITE: TLSv1 Application Data, length = 208
    Thread-42, READ: TLSv1 Application Data, length = 16368
    Thread-42, READ: TLSv1 Application Data, length = 16368
    Thread-42, READ: TLSv1 Application Data, length = 5696
    Looking at the 32 bytes long requests (with javax.net.debug=all set), we see:
    Padded plaintext before ENCRYPTION: len = 32
    0000: 30 0C C2 32 83 6E 9F D8 8F 5E E8 47 7A 0B 9A F1 0..2.n...^.Gz...
    0010: 7D 44 78 0B 9E 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A .Dx.............
    TP-Processor1, WRITE: TLSv1 Application Data, length = 32
    Which doesn't make a whole lot of sense to us...
    Any help debugging this further would be most welcome.
    Cheers
    Stefan
    Edited by: user9158206 on Jan 12, 2012 6:06 AM

    Since you've determined that your problem is related to the use of TLS, your posting is likely to get a quicker response on the Java Secure Socket Extension (JSSE) forum. When you do get a resolution, please post a link to it on this thread to close the loop. Thanks.
    Arshad Noor
    StrongAuth, Inc.

  • How can i avoid restarting tomcat server when servlet is modified?

    please advice me that how can i avoid restarting the tomcat server, whenever a servlet file is modified in my application. is their any way ?

    No probs. Here's how I do things...
    1. Install tomcat as normal (e.g. I install to C:\Apps\jakarta-tomcat-5.5.4)
    2. Create a webapps directory in your eclipse project with the following directory structure
    MyEclipseProject
       - src
       - conf
       - webapps
          - MyApplication
             - META-INF
             - WEB-INF
                - classes
                - lib
                - pages
    3. Set the project's output folder (e.g. bin folder) to webapps/MyApplication/WEB-INF/classes
    4. Put all your jar files in the lib directory
    5. Put JSPs / HTML in the pages directory (you may also want to create additional directories for TLDs, config files etc)
    6. Ensure your web.xml is in the WEB-INF directory
    7. Although it isn't essential I create a context.xml file and store it in META-INF, e.g.
    <Context reloadable="true">
        <!-- Default set of monitored resources -->
        <WatchedResource>WEB-INF/web.xml</WatchedResource>
        <WatchedResource>WEB-INF/conf/struts/struts-config.xml</WatchedResource>
        <WatchedResource>WEB-INF/conf/struts/tiles-defs.xml</WatchedResource>
        <WatchedResource>WEB-INF/conf/struts/validation.xml</WatchedResource>
    </Context>
    I use this to set monitored resources that will trigger an automatic application reload and to configure JAAS (not shown). See the Tomcat documentation for additional information.
    8. In the 'conf' directory I create a server.xml file used to configure Tomcat (you can copy the one from your <TOMCAT_HOME>/conf/server.xml).
    After copying the file change appBase attribute in the host element to be the full path to the webapps directory. You can also change the HTTP and HTTPS ports if you wish
    9. Download and install the Tomcat Launcher plugin from Sysdeo.
    10. In Eclipse's Preferences menu you will see a new entry for Tomcat. Click this then
    a. Set your Tomcat Version
    b. Set your Tomcat Home
    c. Set "Context declaration mode" to server.xml
    d. Set the configuration file to the full path to your server.xml file created in step 8
    On the "Advanced " sub page select all relevant projects to add to the Tomcat classpath
    On the "JVM Settings" page add all the jars in your WEB-INF lib directory to the class path
    On the "Source Path" page select all relevant projects
    Now if you start Tomcat using the Tomcat icon, you will be able to remote debug your application. If you change web.xml (or any other file in your context.xml watched resources) it will automatically reload. Any changes to JSPs will automatically be picked up (providing you tell your browser not to use the page in cache - e.g. CTRL+F5 in IE)
    There are some limitations that I'm still working on however. Primarily that I haven't included the Tomcat Manager application in my webapps directory, so Sysdeo cannot perform a reload. This means that if I change a source file, and eclipse automatically rebuilds, Tomcat doesn't pick up the change unless I either change a watched resource file (e.g. web.xml) or stop and restart Tomcat.
    There's no reason why this can't be fixed, I just haven't got round to it yet.
    I'm sure there are lots of other (probably better) ways of achieving the same thing. This was the first method I tried and it worked, so I stuck with it. I'm not a Tomcat config guru and I'm sure other forum users could provide some improvements should they wish.
    Post if you get into trouble, however I won't be able to respond until next week.
    Cheers,
    Steve
