I guess you need to add your CA to Java (the global one).

On Wed, May 8, 2013 at 2:39 PM, Vieri <rentor...@yahoo.com> wrote:

> Hi,
>
> From the same machine where OM is installed I can run the following
> command:
>
> # ldapsearch -x -D "adu...@domain.org" -b "cn=Users,dc=domain,dc=org" -H
> ldaps://ldapserver.domain.org -W sAMAccountName=aduser
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> -----------------
>
> However, if I set up OM to authenticate users via LDAP/SSL I'm getting the
> error reported at the end of this e-mail (LDAP without SSL works fine).
>
> My om_ldap.cfg is as follows:
>
> ldap_server_type=OpenLDAP
> ldap_conn_url=ldaps://ldapserver.domain.org:636
> ldap_admin_dn=CN:aduser,CN:Users,DC:domain,DC:org
> ldap_passwd=secret
> ldap_search_base=CN:Users,DC:domain,DC:org
> field_user_principal=sAMAccountName
> ldap_auth_type=SIMPLE
> ldap_sync_password_to_om=no
> ldap_user_attr_lastname=sn
> ldap_user_attr_firstname=givenName
> ldap_user_attr_mail=mail
> ldap_user_attr_street=streetAddress
> ldap_user_attr_additionalname=description
> ldap_user_attr_fax=facsimileTelephoneNumber
> ldap_user_attr_zip=postalCode
> ldap_user_attr_country=co
> ldap_user_attr_town=l
> ldap_user_attr_phone=telephoneNumber
> ldap_user_picture_uri=wWWHomePage
> ldap_use_lower_case=false
> ldap_user_groups=memberOf
>
> Before running OM I export:
> OPENMEETINGS_JAVA_KEYSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/keystore
>
> OPENMEETINGS_JAVA_TRUSTSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/truststore
> JAVA_OPTS="-Djavax.net.ssl.keyStore=${OPENMEETINGS_JAVA_KEYSTORE}
> -Djavax.net.ssl.keyStorePassword=${OPENMEETINGS_JAVA_STORE_PASS}
> -Djavax.net.ssl.trustStore=${OPENMEETINGS_JAVA_TRUSTSTORE}
> -Djavax.net.ssl.trustStorePassword=${OPENMEETINGS_JAVA_STORE_PASS}"
>
> I'm using a self-signed certificate in my LDAP server (Active Directory).
> Here's how I generated it:
>   selfssl.exe /N:CN=LDAPSERVER.DOMAIN.ORG /K:1024 /V:1825
>   run mmc and open the LOCAL COMPUTER Personal certificate store. The cert
> should already be there.
>   Copy it within mmc to the "Trusted root authorities"
>   Export the certificate from the trusted root store within mmc as pfx
> file and name it ldapserver.pfx (${OPENMEETINGS_LDAP_SERVER_CERTIFICATE})
>
> Finally, on the OM machine I configured the truststore this way:
>
> OM_J_TRUSTSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/truststore
> rm -f $OM_J_TRUSTSTORE
> keytool -validity 7300 -keysize 2048 -genkey -alias
> ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keyalg RSA -keystore
> ${OM_J_TRUSTSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD}
> -keypass ${OPENMEETINGS_JAVA_KEY_PASSWORD} -dname "${OPENMEETINGS_JAVA_DN}"
> openssl pkcs12 -passin pass:"" -passout pass:"" -in
> ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE} -out
> ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}.pem -nodes
> openssl x509 -in ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}.pem -inform pem
> -out ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}-x509.der -outform der
> keytool -import -alias root -keystore ${OM_J_TRUSTSTORE} -storepass
> ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -trustcacerts -file
> ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}-x509.der
>
> and the keystore (used for https):
>
> OM_J_KEYSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/keystore
> rm -f ${OM_J_KEYSTORE}
> keytool -validity 7300 -keysize 2048 -genkey -alias
> ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keyalg RSA -keystore ${OM_J_KEYSTORE}
> -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -keypass
> ${OPENMEETINGS_JAVA_KEY_PASSWORD} -dname "${OPENMEETINGS_JAVA_DN}"
> keytool -certreq -keyalg RSA -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}
> -file ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.csr -keystore
> ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD}
> # > Now submit ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.csr to
> custom CA and self-sign the certificate:
> # - the signed certificate is copied to
> ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.crt
> # - the CA root certificate is copied to ${OM_TMP_DIR}/root.crt
> keytool -import -alias root -keystore ${OM_J_KEYSTORE} -storepass
> ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -trustcacerts -file
> ${OM_TMP_DIR}/root.crt
> keytool -import -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keystore
> ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD}
> -trustcacerts -file ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.crt
> cp ${OM_J_KEYSTORE} ${OM_J_KEYSTORE}.screen
>
> If I list the keystores:
>
> # keytool -list -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keystore
> ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v
>
> Alias name: ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}
> Creation date: Feb 21, 2013
> Entry type: PrivateKeyEntry
> Certificate chain length: 2
> Certificate[1]:
> Owner: CN=openmeetings.domain.org, OU=IT, O=domain, L=City, ST=State,
> C=COUNTRY
> Issuer: EMAILADDRESS=i...@domain.org, CN=MYORG1 Signing Authority,
> OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
> Serial number: 1
> Valid from: Thu Feb 21 09:57:44 CET 2013 until: Tue Feb 20 09:57:44 CET
> 2018
> Certificate fingerprints:
>          MD5:  49:08:9E:CC:AD:19:C8:49:8F:67:5C:3E:64:1C:34:AF
>          SHA1: FD:DD:A9:A9:76:16:77:4A:67:96:34:0B:CE:10:93:68:F7:1D:DC:56
>          Signature algorithm name: SHA1withRSA
>          Version: 3
>
> Extensions:
>
> #1: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: E5 C3 EE 6C 85 80 D7 C1   49 7F 98 D2 2F C4 88 1D  ...l....I.../...
> 0010: 1F 45 73 78
> ]
> ]
>
> #2: ObjectId: 2.5.29.19 Criticality=false
> BasicConstraints:[
>   CA:false
>   PathLen: undefined
> ]
>
> #3: ObjectId: 2.5.29.35 Criticality=false
> AuthorityKeyIdentifier [
> KeyIdentifier [
> 0000: 9B 1E 67 7D 0E CE FB 0B   02 5D AE A9 E2 33 AE 70  ..g......]...3.p
> 0010: 56 EF AB 51                                        V..Q
> ]
>
> ]
>
> #4: ObjectId: 2.5.29.18 Criticality=false
> IssuerAlternativeName [
>   RFC822Name: i...@domain.org
> ]
>
> #5: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
>
> #6: ObjectId: 2.5.29.17 Criticality=false
> SubjectAlternativeName [
>   DNSName: openmeetings
>   DNSName: openmeetings.domain.org
> ]
>
> Certificate[2]:
> Owner: EMAILADDRESS=i...@domain.org, CN=MYORG1 Signing Authority,
> OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
> Issuer: EMAILADDRESS=i...@domain.org, CN=MYORG1 Signing Authority,
> OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
> Serial number: 0
> Valid from: Thu Feb 21 09:48:02 CET 2013 until: Thu Feb 13 09:48:02 CET
> 2048
> Certificate fingerprints:
>          MD5:  95:60:3A:CA:B0:4E:EE:18:59:3A:EB:DB:17:9C:D8:0F
>          SHA1: 4B:A9:E0:50:EA:D5:E1:8F:4E:01:AC:11:B9:85:A5:E3:D7:3E:25:85
>          Signature algorithm name: SHA1withRSA
>          Version: 3
>
> Extensions:
>
> #1: ObjectId: 2.5.29.15 Criticality=false
> KeyUsage [
>   Key_CertSign
>   Crl_Sign
> ]
>
> #2: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: 9B 1E 67 7D 0E CE FB 0B   02 5D AE A9 E2 33 AE 70  ..g......]...3.p
> 0010: 56 EF AB 51                                        V..Q
> ]
> ]
>
> #3: ObjectId: 2.5.29.31 Criticality=false
> CRLDistributionPoints [
>   [DistributionPoint:
>      [URIName: http://domain.org/cert/crl.crl]
> ]]
>
> #4: ObjectId: 2.5.29.19 Criticality=false
> BasicConstraints:[
>   CA:true
>   PathLen:2147483647
> ]
>
> #5: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
> NetscapeCertType [
>    SSL CA
>    S/MIME CA
> ]
>
> #6: ObjectId: 2.5.29.35 Criticality=false
> AuthorityKeyIdentifier [
> KeyIdentifier [
> 0000: 9B 1E 67 7D 0E CE FB 0B   02 5D AE A9 E2 33 AE 70  ..g......]...3.p
> 0010: 56 EF AB 51                                        V..Q
> ]
>
> [EMAILADDRESS=i...@domain.org, CN=MYORG1 Signing Authority, OU=ORG IT,
> O=MYORG, ST=State, C=COUNTRY]
> SerialNumber: [    00]
> ]
>
> #7: ObjectId: 2.5.29.18 Criticality=false
> IssuerAlternativeName [
>   RFC822Name: i...@domain.org
> ]
>
> #8: ObjectId: 2.5.29.17 Criticality=false
> SubjectAlternativeName [
>   RFC822Name: i...@domain.org
> ]
>
>
> # keytool -list -alias root -keystore ${OM_J_KEYSTORE} -storepass
> ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD}
>
> root, Feb 21, 2013, trustedCertEntry,
> Certificate fingerprint (MD5):
> 95:60:3A:CA:B0:4E:EE:18:59:3A:EB:DB:17:9C:D8:0F
>
>
>
> And now for the trust store:
>
> # keytool -list -alias root -keystore ${OM_J_TRUSTSTORE} -storepass
> ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v
> Alias name: root
> Creation date: May 7, 2013
> Entry type: trustedCertEntry
>
> Owner: CN=LDAPSERVER.DOMAIN.ORG
> Issuer: CN=LDAPSERVER.DOMAIN.ORG
> Serial number: -76629fd860703546b57165ba54276ec2
> Valid from: Tue May 15 19:07:45 CEST 2012 until: Sun May 14 19:07:45 CEST
> 2017
> Certificate fingerprints:
>          MD5:  ED:D1:BA:21:27:67:9F:33:26:E7:9E:DC:FB:B8:5B:EE
>          SHA1: 08:6F:5F:A6:D1:81:E0:43:1A:82:9C:F4:CD:42:A6:88:6E:4E:81:29
>          Signature algorithm name: SHA1withRSA
>          Version: 3
>
> Extensions:
>
> #1: ObjectId: 2.5.29.15 Criticality=false
> KeyUsage [
>   DigitalSignature
>   Key_Encipherment
>   Data_Encipherment
> ]
>
> #2: ObjectId: 2.5.29.37 Criticality=false
> ExtendedKeyUsages [
>   serverAuth
> ]
>
> # keytool -list -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keystore
> ${OM_J_TRUSTSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v
>
> Alias name: ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}
> Creation date: May 7, 2013
> Entry type: PrivateKeyEntry
> Certificate chain length: 1
> Certificate[1]:
> Owner: CN=openmeetings.domain.org, OU=IT, O=MyCompanyOrg, L=City,
> ST=State, C=COUNTRY
> Issuer: CN=openmeetings.domain.org, OU=IT, O=MyCompanyOrg, L=City,
> ST=State, C=COUNTRY
> Serial number: 5188f626
> Valid from: Tue May 07 14:40:06 CEST 2013 until: Mon May 02 14:40:06 CEST
> 2033
> Certificate fingerprints:
>          MD5:  C1:DD:BD:F5:1E:99:C5:89:25:0F:42:E5:0D:E4:09:5F
>          SHA1: D9:4D:AF:2D:C2:1E:99:52:A2:AD:CA:4A:D6:05:24:0E:C8:91:70:DC
>          Signature algorithm name: SHA1withRSA
>          Version: 3
>
>
> When an LDAP user tries to log into OM, the log show the following
> messages:
>
> DEBUG 05-08 09:58:06.944 LdapAuthBase.java 68748242 117
> org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] -
>
> Authentification to LDAP - Server start
> DEBUG 05-08 09:58:06.946 LdapAuthBase.java 68748244 151
> org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] -
> loginToLdapServer
> ERROR 05-08 09:58:11.980 LdapAuthBase.java 68753278 123
> org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] -
>
> Authentification on LDAP Server failed : simple bind failed:
> ldapserver.domain.org:636
> ERROR 05-08 09:58:11.996 LdapAuthBase.java 68753294 124
> org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] -
> [Authentification on LDAP Server failed]
> javax.naming.CommunicationException: simple bind failed:
> ldapserver.domain.org:636
>         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215)
> ~[na:1.6.0_24]
>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685)
> ~[na:1.6.0_24]
>         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
> ~[na:1.6.0_24]
>         at
> com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
> ~[na:1.6.0_24]
>         at
> com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
> ~[na:1.6.0_24]
>         at
> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
> ~[na:1.6.0_24]
>         at
> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
> ~[na:1.6.0_24]
>         at
> javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
> ~[na:1.6.0_24]
>         at
> javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
> ~[na:1.6.0_24]
>         at javax.naming.InitialContext.init(InitialContext.java:240)
> ~[na:1.6.0_24]
>         at javax.naming.InitialContext.<init>(InitialContext.java:214)
> ~[na:1.6.0_24]
>         at
> javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
> ~[na:1.6.0_24]
>         at
> org.apache.openmeetings.ldap.LdapAuthBase.loginToLdapServer(LdapAuthBase.java:161)
> ~[openmeetings-2.1.1-SNAPSHOT.jar:na]
>         at
> org.apache.openmeetings.ldap.LdapAuthBase.authenticateUser(LdapAuthBase.java:119)
> ~[openmeetings-2.1.1-SNAPSHOT.jar:na]
>         at
> org.apache.openmeetings.ldap.LdapLoginManagement.doLdapLogin(LdapLoginManagement.java:422)
> [openmeetings-2.1.1-SNAPSHOT.jar:na]
>         at
> org.apache.openmeetings.remote.MainService.loginUser(MainService.java:333)
> [openmeetings-2.1.1-SNAPSHOT.jar:na]
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> ~[na:1.6.0_24]
>         at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> ~[na:1.6.0_24]
>         at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> ~[na:1.6.0_24]
>         at java.lang.reflect.Method.invoke(Method.java:616) ~[na:1.6.0_24]
>         at
> org.red5.server.service.ServiceInvoker.invoke(ServiceInvoker.java:196)
> [red5.jar:na]
>         at
> org.red5.server.service.ServiceInvoker.invoke(ServiceInvoker.java:115)
> [red5.jar:na]
>         at
> org.red5.server.net.rtmp.RTMPHandler.invokeCall(RTMPHandler.java:157)
> [red5.jar:na]
>         at
> org.red5.server.net.rtmp.RTMPHandler.onInvoke(RTMPHandler.java:399)
> [red5.jar:na]
>         at
> org.red5.server.net.rtmp.BaseRTMPHandler.messageReceived(BaseRTMPHandler.java:130)
> [red5.jar:na]
>         at
> org.red5.server.net.rtmp.RTMPMinaIoHandler.messageReceived(RTMPMinaIoHandler.java:164)
> [red5.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:716)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:427)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:245)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
> [mina-core-2.0.4.jar:na]
>         at
> org.red5.server.net.rtmpe.RTMPEIoFilter.messageReceived(RTMPEIoFilter.java:124)
> [red5.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.filter.ssl.SslHandler.flushScheduledEvents(SslHandler.java:320)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:506)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:715)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:668)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:657)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:68)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1141)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
> [mina-core-2.0.4.jar:na]
>         at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
> [na:1.6.0_24]
>         at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
> [na:1.6.0_24]
>         at java.lang.Thread.run(Thread.java:679) [na:1.6.0_24]
> Caused by: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> ~[na:1.6.0_24]
>         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1697)
> ~[na:1.6.0_24]
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:257)
> ~[na:1.6.0_24]
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:251)
> ~[na:1.6.0_24]
>         at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1165)
> ~[na:1.6.0_24]
>         at
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:154)
> ~[na:1.6.0_24]
>         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:609)
> ~[na:1.6.0_24]
>         at sun.security.ssl.Handshaker.process_record(Handshaker.java:545)
> ~[na:1.6.0_24]
>         at
> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:945)
> ~[na:1.6.0_24]
>         at
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190)
> ~[na:1.6.0_24]
>         at
> sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:657)
> ~[na:1.6.0_24]
>         at
> sun.security.ssl.AppOutputStream.write(AppOutputStream.java:108)
> ~[na:1.6.0_24]
>         at
> java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
> ~[na:1.6.0_24]
>         at
> java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
> ~[na:1.6.0_24]
>         at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:409)
> ~[na:1.6.0_24]
>         at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:352)
> ~[na:1.6.0_24]
>         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:210)
> ~[na:1.6.0_24]
>         ... 55 common frames omitted
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target
>         at
> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:324)
> ~[na:1.6.0_24]
>         at
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:224)
> ~[na:1.6.0_24]
>         at sun.security.validator.Validator.validate(Validator.java:235)
> ~[na:1.6.0_24]
>         at
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147)
> ~[na:1.6.0_24]
>         at
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:230)
> ~[na:1.6.0_24]
>         at
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:270)
> ~[na:1.6.0_24]
>         at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1144)
> ~[na:1.6.0_24]
>         ... 67 common frames omitted
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
>         at
> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:197)
> ~[na:1.6.0_24]
>         at
> java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255)
> ~[na:1.6.0_24]
>         at
> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:319)
> ~[na:1.6.0_24]
>         ... 73 common frames omitted
>
> How can I solve the "unable to find valid certification path" issue? What
> does it refer to exactly?
>
> I can correctly connect to https://openmeetings.domain.org/openmeetings/ but
> the LDAPS authentication/login is failing.
>
> My ldapsearch example at the beginning succeeded probably because I have
> 'TLS_REQCERT never' in ldap.conf. Is there a way to "loosen up" OM/java as
> far as self-signed certs are concerned?
>
> Thanks,
>
> Vieri
>
>


-- 
WBR
Maxim aka solomax

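The checks below are an added example for this thread; they are not code from the original post and not part of OpenMeetings or red5. "PKIX path building failed: unable to find valid certification path to requested target" means the certificate the LDAPS listener presented did not chain to any anchor in the truststore the JVM was actually using. The post shows the LDAPSERVER cert sitting in red5/conf/truststore, so the two things the trace leaves open are whether the red5 JVM received the -Djavax.net.ssl.trustStore setting that was exported before startup, and whether the leaf the listener presents is the one that was imported. The helpers reproduce the chain check with openssl, report which truststore a JVM command line names, and import an anchor into a keytool store (the JDK-wide cacerts, as the reply suggests, or a dedicated file). Host names, paths, the alias and the stock cacerts password "changeit" are assumptions; the demo input is a self-signed certificate generated on the spot.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenMeetings/red5.
# Reproduces the JVM's PKIX chain check with openssl and shows how to find
# and fix a truststore that does not contain the LDAPS listener's anchor.
# Host names, paths, aliases and the "changeit" password are assumptions.
set -u

# verify_chain LEAF_PEM ANCHORS_PEM: succeeds only if LEAF chains to an anchor
# in ANCHORS. This is the openssl equivalent of sun.security.validator.PKIXValidator.
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# sha1_fingerprint PEM: colon-separated SHA1, the same form keytool -list -v
# prints, so it can be compared with the "Certificate fingerprints:" lines.
sha1_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^[^=]*=//'
}

# fetch_server_cert HOST PORT OUT_PEM: capture the leaf the LDAPS listener really
# presents; it can differ from the cert exported from the server's own store.
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# truststore_from_args "JVM command line": prints the -Djavax.net.ssl.trustStore
# value, or a marker when the JVM fell back to its built-in cacerts. Feed it
# "$(tr '\0' ' ' < /proc/PID/cmdline)" for the running red5 process to confirm
# that JAVA_OPTS exported before startup actually reached the JVM.
truststore_from_args() {
    ts=$(printf '%s\n' "$1" | tr ' ' '\n' \
        | sed -n 's/^-Djavax\.net\.ssl\.trustStore=//p' | head -n 1)
    if [ -n "$ts" ]; then printf '%s\n' "$ts"; else printf '%s\n' "(JVM default cacerts)"; fi
}

# import_anchor PEM ALIAS STORE STOREPASS: idempotent trusted-cert import.
# For the JDK-wide store use STORE=$JAVA_HOME/jre/lib/security/cacerts (Java 8
# and earlier; lib/security/cacerts on Java 9+) and STOREPASS=changeit.
import_anchor() {
    if keytool -list -keystore "$3" -storepass "$4" -alias "$2" >/dev/null 2>&1; then
        keytool -delete -keystore "$3" -storepass "$4" -alias "$2"
    fi
    keytool -importcert -noprompt -trustcacerts -keystore "$3" -storepass "$4" \
        -alias "$2" -file "$1"
}

# Offline demonstration on constructed input: a fresh self-signed cert passes
# against itself and fails against a store holding only an unrelated cert,
# which is exactly the situation the PKIX error describes.
demo() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ldapserver.domain.org" \
        -keyout "$dir/key.pem" -out "$dir/server.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=unrelated-ca" \
        -keyout "$dir/other-key.pem" -out "$dir/other.pem" >/dev/null 2>&1
    printf 'server fingerprint: %s\n' "$(sha1_fingerprint "$dir/server.pem")"
    if verify_chain "$dir/server.pem" "$dir/server.pem"; then echo "own anchor: OK"; fi
    if ! verify_chain "$dir/server.pem" "$dir/other.pem"; then echo "wrong anchor: fails like PKIX"; fi
    truststore_from_args "java -Djavax.net.ssl.trustStore=$dir/truststore -jar red5.jar"
    truststore_from_args "java -jar red5.jar"
    if command -v keytool >/dev/null 2>&1; then
        import_anchor "$dir/server.pem" ldapserver "$dir/truststore" changeit
        keytool -list -keystore "$dir/truststore" -storepass changeit
    fi
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run with `sh check-ldaps-trust.sh demo` for the offline walkthrough, or call `fetch_server_cert ldapserver.domain.org 636 live.pem` and compare `sha1_fingerprint live.pem` with the SHA1 of the "root" entry in the truststore; a mismatch means the listener is serving a different certificate than the one that was imported. On "loosening up" Java the way `TLS_REQCERT never` loosens ldapsearch: the Java equivalent is a custom TrustManager that accepts any certificate, which removes the only protection the bind DN's password and every user's password have on that connection. Importing the real anchor is the fix; disabling validation is not.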