David B Hinz wrote:
> We are still encountering the problem detailed below that was described by
> Steve over a year ago.
>
> Is there anyone that can provide some insight on how we can solve this
> problem?
>
> What happens is that some of our applications must run 24x7 yet the user
> certificates are changed every 90 days (or sooner based on other criteria).
> When the certificates are changed while the applications are running we get
> the INVALID_CREDENTIALS error.
>
> We were able to solve this problem on C++ using the "ldap_unbind_s();
> ldapssl_shutdown();" API calls (ldapssl_shutdown() was provided with the
> LDAP C SDK 6.x).
>
> As Steve points out there doesn't seem to be a way to do this with the Java
> LDAP SDK.
>
> After looking at the code the problem seems to be with a singleton that is
> used as the JSS or libjss.so layer that is keeping the credentials from
> being re-read. But a modification to the code would be difficult because
> the entire design of JSS is based on this singleton.
>
> How do other applications that run 24x7 deal with the problem with
> certificates changing while they are running?

I don't know. The JSS and NSS developers are usually found on
mozilla.dev.tech.crypto - try posting there.

> We are using the latest versions of the Java LDAP SDK and JSS.
>
> Is there any active development being done on the Java LDAP SDK that is
> currently at version 4.17 and has been for several years?
>
> Is there any active development being done on JSS and libjss.so?
>
> We need to use the JSSSocketFactory() provided by JSS because we need to use
> the same type of certificates between the Java and C++ code.
> JSSESocketFactory() provided by Java used PKCS12 or JKS keys.
>
> We have looked at the Java version of OpenLDAP but it appears to be a
> wrapper around the JSSESocketFactory.
>
> Thanks for any info you can provide.
>
> david.
>
>
>> This is sort of a follow-on to Mike's message of last Sept. 12.
>> It, and Bug 352673 discussion, led us to be able to have our
>> applications handle new certificates being created while the apps are
>> running. We detect the INVALID_CREDENTIALS error and call:
>>   ldap_unbind_s()
>>   ldapssl_shutdown() (which calls SSL_ClearSessionCache() and
>>   NSS_Shutdown())
>> ...and re-initialize, and everybody's happy - in our C++ world.
>> ____________________
>>
>> Now we need to accomplish the same thing in our Java apps, but
>> ...can't seem to make them let go of and re-fetch certificates.
>> We connect with:
>>   jsf = new JSSSocketFactory(certDir)
>>   conn = new LDAPConnection(jsf)
>>   conn.connect()
>>   conn.authenticate(), using EXTERNAL mechanism
>
>> After re-creating certificates while running, on the
>> INVALID_CREDENTIALS error, we call:
>>   connection.disconnect()
>>   (which calls LDAPConnThread::deregister() and thus
>>   sendUnbindRequest() )
>>   SSLServerSocket.clearSessionCache()
>> ...and re-initialize as in the beginning.
>> But, we continue to get INVALID_CREDENTIALS errors.
>> I'm guessing we're not cleaning up enough before re-initializing,
>> but don't know what else to try (e.g. can't find a Java handle to an
>> NSS_Shutdown() call, as in C)
>
>> Thanks for any help.
>
>> Steve
>
>
> =====================
> David Hinz
> 720-858-4334
> S75 / A1715H

_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap