[ https://issues.apache.org/jira/browse/QPID-7160?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Rudyy resolved QPID-7160.
------------------------------
    Resolution: Fixed

Changes look reasonable to me

> No X509TrustManager implementation available when using truststore captured by SiteSpecificTrustStore
> -----------------------------------------------------------------------------------------------------
>
>                 Key: QPID-7160
>                 URL: https://issues.apache.org/jira/browse/QPID-7160
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Broker
>    Affects Versions: qpid-java-6.0, qpid-java-6.0.1
>            Reporter: Keith Wall
>            Assignee: Alex Rudyy
>             Fix For: qpid-java-6.1
>
>
> I am testing the Java Broker with ApacheDS as an authentication provider. I find secure connections to the Directory secured with a self-signed certificate fail if the truststore was captured using {{SiteSpecificTrustStore}}. If I upload the truststore as a PEM, the exception does not occur.
> Keystore for ApacheDS was generated like so:
> {{keytool -genkey -keyalg RSA -alias selfsigned -keystore apacheds.jks -storepass password -validity 360 -keysize 2048}}
> Truststore captured by pointing SiteSpecificTrustStore at https://localhost:10636
> Alternative approach (that works), export the PEM from the ApacheDS UI, then import into Java Broker as NonJavaTrustStore.
> {noformat}
> 2016-03-23 22:49:14,464 WARN  [HttpManagement-myhttps-150] (o.a.q.s.s.a.m.SimpleLDAPAuthenticationManagerImpl) - SASL Authentication Exception
> javax.naming.CommunicationException: simple bind failed: Oslo.local:10636
>       at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219) ~[na:1.8.0_45]
>       at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788) ~[na:1.8.0_45]
>       at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) ~[na:1.8.0_45]
>       at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) ~[na:1.8.0_45]
>       at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) ~[na:1.8.0_45]
>       at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) ~[na:1.8.0_45]
>       at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) ~[na:1.8.0_45]
>       at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[na:1.8.0_45]
>       at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[na:1.8.0_45]
>       at javax.naming.InitialContext.init(InitialContext.java:244) ~[na:1.8.0_45]
>       at javax.naming.InitialContext.<init>(InitialContext.java:216) ~[na:1.8.0_45]
>       at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101) ~[na:1.8.0_45]
>       at org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManagerImpl.createInitialDirContext(SimpleLDAPAuthenticationManagerImpl.java:344) ~[classes/:na]
>       at org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManagerImpl.getNameFromId(SimpleLDAPAuthenticationManagerImpl.java:491) ~[classes/:na]
>       at org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManagerImpl.access$100(SimpleLDAPAuthenticationManagerImpl.java:72) ~[classes/:na]
>       at org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManagerImpl$SimpleLDAPPlainCallbackHandler.handle(SimpleLDAPAuthenticationManagerImpl.java:448) ~[classes/:na]
>       at org.apache.qpid.server.security.auth.sasl.plain.PlainSaslServer.evaluateResponse(PlainSaslServer.java:83) [classes/:na]
>       at org.apache.qpid.server.management.plugin.servlet.rest.SaslServlet.evaluateSaslResponse(SaslServlet.java:217) [classes/:na]
>       at org.apache.qpid.server.management.plugin.servlet.rest.SaslServlet.doPostWithSubjectAndActor(SaslServlet.java:135) [classes/:na]
>       at org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet$2.run(AbstractServlet.java:118) [classes/:na]
>       at org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet$2.run(AbstractServlet.java:114) [classes/:na]
>       at java.security.AccessController.doPrivileged(Native Method) [na:1.8.0_45]
>       at javax.security.auth.Subject.doAs(Subject.java:422) [na:1.8.0_45]
>       at org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet.doWithSubjectAndActor(AbstractServlet.java:215) [classes/:na]
>       at org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet.doPost(AbstractServlet.java:112) [classes/:na]
>       at javax.servlet.http.HttpServlet.service(HttpServlet.java:595) [geronimo-servlet_3.0_spec-1.0.jar:1.0]
>       at javax.servlet.http.HttpServlet.service(HttpServlet.java:668) [geronimo-servlet_3.0_spec-1.0.jar:1.0]
>       at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
>       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1496) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
>       at org.apache.qpid.server.management.plugin.filter.ForbiddingAuthorisationFilter.doFilter(ForbiddingAuthorisationFilter.java:90) [classes/:na]
>       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
>       at org.apache.qpid.server.management.plugin.filter.ForbiddingTraceFilter.doFilter(ForbiddingTraceFilter.java:65) [classes/:na]
>       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
>       at org.apache.qpid.server.management.plugin.filter.LoggingFilter.doFilter(LoggingFilter.java:70) [classes/:na]
>       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
>       at org.apache.qpid.server.management.plugin.filter.ExceptionHandlingFilter.doFilter(ExceptionHandlingFilter.java:56) [classes/:na]
>       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
>       at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:501) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
>       at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:229) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
>       at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
>       at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:429) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
>       at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
>       at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
>       at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
>       at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
>       at org.eclipse.jetty.server.Server.handle(Server.java:370) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
>       at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
>       at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:982) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
>       at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1043) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
>       at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865) [jetty-http-8.1.17.v20150415.jar:8.1.17.v20150415]
>       at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240) [jetty-http-8.1.17.v20150415.jar:8.1.17.v20150415]
>       at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
>       at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196) [jetty-io-8.1.17.v20150415.jar:8.1.17.v20150415]
>       at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696) [jetty-io-8.1.17.v20150415.jar:8.1.17.v20150415]
>       at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53) [jetty-io-8.1.17.v20150415.jar:8.1.17.v20150415]
>       at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608) [jetty-util-8.1.17.v20150415.jar:8.1.17.v20150415]
>       at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543) [jetty-util-8.1.17.v20150415.jar:8.1.17.v20150415]
>       at java.lang.Thread.run(Thread.java:745) [na:1.8.0_45]
> Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No X509TrustManager implementation available
>       at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_45]
>       at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937) ~[na:1.8.0_45]
>       at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[na:1.8.0_45]
>       at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[na:1.8.0_45]
>       at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478) ~[na:1.8.0_45]
>       at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212) ~[na:1.8.0_45]
>       at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[na:1.8.0_45]
>       at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[na:1.8.0_45]
>       at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050) ~[na:1.8.0_45]
>       at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) ~[na:1.8.0_45]
>       at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:916) ~[na:1.8.0_45]
>       at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) ~[na:1.8.0_45]
>       at java.io.BufferedInputStream.fill(BufferedInputStream.java:246) ~[na:1.8.0_45]
>       at java.io.BufferedInputStream.read1(BufferedInputStream.java:286) ~[na:1.8.0_45]
>       at java.io.BufferedInputStream.read(BufferedInputStream.java:345) ~[na:1.8.0_45]
>       at com.sun.jndi.ldap.Connection.run(Connection.java:851) ~[na:1.8.0_45]
>       ... 1 common frames omitted
> Caused by: java.security.cert.CertificateException: No X509TrustManager implementation available
>       at sun.security.ssl.DummyX509TrustManager.checkServerTrusted(SSLContextImpl.java:1119) ~[na:1.8.0_45]
>       at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460) ~[na:1.8.0_45]
>       ... 12 common frames omitted
> {noformat}
> config.json snippet:
> {noformat}
>  "authenticationproviders" : [ {
>     "id" : "fba490fc-3329-4a2d-90db-4add4e050ba3",
>     "name" : "myldap",
>     "type" : "SimpleLDAP",
>     "bindWithoutSearch" : false,
>     "providerAuthUrl" : "ldaps://Oslo.local:10636",
>     "providerUrl" : "ldaps://Oslo.local:10636",
>     "searchContext" : "ou=people,o=sevenSeas",
>     "searchFilter" : "(uid={0})",
>     "searchPassword" : "secret",
>     "searchUsername" : "uid=admin,ou=system ",
>     "trustStore" : "apacheds_sniff",
>     "lastUpdatedBy" : "admin",
>     "lastUpdatedTime" : 1458773319290,
>     "createdBy" : null,
>     "createdTime" : 0
>   }
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
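
Added example (not part of the original message, and not Qpid's code or the QPID-7160 fix): the `DummyX509TrustManager` frame in the trace is what SunJSSE falls back to when the array passed to `SSLContext.init()` is non-null but contains no `X509TrustManager`, so the misconfiguration only surfaces at handshake time. The Java below rejects such an array at configuration time instead; the names `TrustManagerPreflight`, `requireX509` and `contextFor` are hypothetical, and both inputs are constructed.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustManagerPreflight {
    // Hypothetical helper: return the first X509TrustManager, or fail at
    // configuration time rather than at the first TLS handshake.
    static X509TrustManager requireX509(TrustManager[] tms) {
        if (tms != null) {
            for (TrustManager tm : tms) {
                if (tm instanceof X509TrustManager) {
                    return (X509TrustManager) tm;
                }
            }
        }
        throw new IllegalStateException("trust store produced no X509TrustManager");
    }

    // Build a client SSLContext only from a validated trust manager array.
    static SSLContext contextFor(TrustManager[] tms) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { requireX509(tms) }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input 1: a non-null array with no X509TrustManager in it.
        // SSLContext.init() accepts such an array without complaint; SunJSSE then
        // uses its dummy manager, which rejects every peer certificate.
        TrustManager[] broken = { new TrustManager() { } };
        try {
            contextFor(broken);
        } catch (IllegalStateException e) {
            System.out.println("rejected at configuration time: " + e.getMessage());
        }

        // Constructed input 2: managers from the platform TrustManagerFactory over
        // an in-memory key store (empty here; a real one holds the peer certificate).
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        System.out.println("context ready: " + contextFor(tmf.getTrustManagers()).getProtocol());
    }
}
```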
