Re: JNDIRealm using LDAP with SSL
Did you solve your problem? I don't get the whole thing to run. Are you really able to use *ldaps* in the connectionURL? On my system I get the following error:

    LifecycleException: Exception opening directory server connection: javax.naming.NamingException: Cannot parse url: ldaps://localhost:636 [Root exception is java.net.MalformedURLException: Not an LDAP URL: ldaps://localhost:636]

If I just use ldap://localhost:636 I get this:

    LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: Request: 1 cancelled

Neither really helps to keep network sniffers from stealing user data.

Hayo Schmidt

Chris Egolf wrote:
> Does anyone have any experience getting ldaps working w/ the JNDIRealms in Tomcat 4.1.24? Regular LDAP is working fine, but when I change the connection URL to ldaps://ldap-host:636 I get the following error:
>
>     2003-07-28 09:40:49 JNDIRealm[Standalone]: Connecting to URL ldaps://10.1.1.50:636
>     2003-07-28 09:40:50 JNDIRealm[Standalone]: Exception performing authentication
>     javax.naming.CommunicationException: simple bind failed: 10.1.1.50:636 [Root exception is javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found]
>
> My Realm element in server.xml:
>
>     <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>            resourceName="UserDatabase"
>            connectionURL="ldaps://10.1.1.50:636"
>            connectionName="cn=TOMCAT,ou=WebAppUser,ou=MyOU,o=MyCompany"
>            connectionPassword="password"
>            userBase="o=MyCompany"
>            userSearch="(&amp;(cn={0})(objectClass=inetOrgPerson))"
>            userSubtree="true"
>            roleBase="ou=WebAppGrp,ou=MyOU,o=MyCompany"
>            roleSearch="(uniqueMember={0})"
>            roleName="cn" />
>
> Like I said, this works if connectionURL="ldap://10.1.1.50:389". I can connect to the LDAP server (Novell eDirectory) via SSL using a Java browser if I accept the certificate, so I wonder if that might have something to do with it.
>
> I've also successfully followed the Config-SSL-HOWTO, accepted the certificate from the server and set up the keystore for the connector as described, but I get the feeling that this is strictly for enabling SSL over HTTP.
>
> Thanks in advance.
>
> Chris

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
JNDIRealm using LDAP with SSL
Does anyone have any experience getting ldaps working w/ the JNDIRealms in Tomcat 4.1.24? Regular LDAP is working fine, but when I change the connection URL to ldaps://ldap-host:636 I get the following error:

    2003-07-28 09:40:49 JNDIRealm[Standalone]: Connecting to URL ldaps://10.1.1.50:636
    2003-07-28 09:40:50 JNDIRealm[Standalone]: Exception performing authentication
    javax.naming.CommunicationException: simple bind failed: 10.1.1.50:636 [Root exception is javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found]

My Realm element in server.xml:

    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
           resourceName="UserDatabase"
           connectionURL="ldaps://10.1.1.50:636"
           connectionName="cn=TOMCAT,ou=WebAppUser,ou=MyOU,o=MyCompany"
           connectionPassword="password"
           userBase="o=MyCompany"
           userSearch="(&amp;(cn={0})(objectClass=inetOrgPerson))"
           userSubtree="true"
           roleBase="ou=WebAppGrp,ou=MyOU,o=MyCompany"
           roleSearch="(uniqueMember={0})"
           roleName="cn" />

Like I said, this works if connectionURL="ldap://10.1.1.50:389". I can connect to the LDAP server (Novell eDirectory) via SSL using a Java browser if I accept the certificate, so I wonder if that might have something to do with it.

I've also successfully followed the Config-SSL-HOWTO, accepted the certificate from the server and set up the keystore for the connector as described, but I get the feeling that this is strictly for enabling SSL over HTTP.

Thanks in advance.

Chris
Re: JNDIRealm using LDAP with SSL
We've done exactly that. What you need to do is import the root certificate into a .keystore file. I'm not sure if Tomcat will pick up the default cacerts file, or if you always have to specify it like we did (-Djavax.net.ssl.trustStore=sys:/adminsrv/conf/.keystore etc.). My guess is that you can set that in the java.security file in java\lib\security instead of specifying it on the command line.

If you are doing this on a NetWare server, here is something similar to what we use to import the certificate:

    keytool -import -v -noprompt -trustcacerts -file sys:/public/RootCert.der -keystore sys:/adminsrv/conf/.keystore -storepass changeit

If you are running eDirectory on something besides the server, I'm not exactly sure how to get the RootCert.der file; I'm guessing it can be done as an export from ConsoleOne.

Oh, I just read the bottom of your message where you said you have done some work with the keystore. It looks like the documentation is a little different for just setting up the SSL connector. Try doing the import of the root certificate and see if it works any better.

Good luck,

Jeff Tulley ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

[EMAIL PROTECTED] 7/28/03 9:49:56 AM
> Does anyone have any experience getting ldaps working w/ the JNDIRealms in Tomcat 4.1.24? Regular LDAP is working fine, but when I change the connection URL to ldaps://ldap-host:636 I get the following error:
>
>     2003-07-28 09:40:49 JNDIRealm[Standalone]: Connecting to URL ldaps://10.1.1.50:636
>     2003-07-28 09:40:50 JNDIRealm[Standalone]: Exception performing authentication
>     javax.naming.CommunicationException: simple bind failed: 10.1.1.50:636 [Root exception is javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found]
>
> My Realm element in server.xml:
>
>     <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>            resourceName="UserDatabase"
>            connectionURL="ldaps://10.1.1.50:636"
>            connectionName="cn=TOMCAT,ou=WebAppUser,ou=MyOU,o=MyCompany"
>            connectionPassword="password"
>            userBase="o=MyCompany"
>            userSearch="(&amp;(cn={0})(objectClass=inetOrgPerson))"
>            userSubtree="true"
>            roleBase="ou=WebAppGrp,ou=MyOU,o=MyCompany"
>            roleSearch="(uniqueMember={0})"
>            roleName="cn" />
>
> Like I said, this works if connectionURL="ldap://10.1.1.50:389". I can connect to the LDAP server (Novell eDirectory) via SSL using a Java browser if I accept the certificate, so I wonder if that might have something to do with it.
>
> I've also successfully followed the Config-SSL-HOWTO, accepted the certificate from the server and set up the keystore for the connector as described, but I get the feeling that this is strictly for enabling SSL over HTTP.
>
> Thanks in advance.
>
> Chris
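The trust-store fix Jeff describes can be checked outside Tomcat before server.xml is touched. This is an added example, not code from either poster or from Tomcat: it points javax.net.ssl.trustStore at the keystore the root certificate was imported into, then performs the same bind and user search the JNDIRealm above would. The host, DNs, test user and keystore path are placeholders standing in for the values in Chris's Realm element.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** JNDIRealm connect, bind and user search done outside Tomcat, to test the truststore first. */
public class LdapsTrustCheck {
    public static void main(String[] args) throws NamingException {
        // Same truststore Tomcat is started with (-Djavax.net.ssl.trustStore=...).
        // Placeholder path: the keystore the root certificate was imported into.
        System.setProperty("javax.net.ssl.trustStore", "/path/to/.keystore");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ldap-host:636"); // connectionURL (placeholder host)
        // If the provider rejects the ldaps scheme ("Not an LDAP URL"), the
        // equivalent is ldap://ldap-host:636 with Context.SECURITY_PROTOCOL set to "ssl".
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=TOMCAT,ou=WebAppUser,ou=MyOU,o=MyCompany"); // connectionName
        env.put(Context.SECURITY_CREDENTIALS, "password"); // connectionPassword
        String user = args.length > 0 ? args[0] : "jdoe"; // placeholder login name to look up
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // TLS handshake and simple bind happen here
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE); // userSubtree="true"
            // Same filter as userSearch; the provider fills in and escapes {0}
            NamingEnumeration<SearchResult> results = ctx.search(
                "o=MyCompany", "(&(cn={0})(objectClass=inetOrgPerson))",
                new Object[] { user }, sc);
            while (results.hasMore()) {
                System.out.println("found " + results.next().getNameInNamespace());
            }
        } catch (NamingException e) {
            // CommunicationException hides the SSL failure in its root cause; print
            // the whole chain so "No trusted certificate found" is visible.
            for (Throwable t = e; t != null; t = t.getCause()) {
                System.err.println(t.getClass().getName() + ": " + t.getMessage());
            }
            throw e;
        } finally {
            if (ctx != null) ctx.close();
        }
    }
}
```

Run it with the same -Djavax.net.ssl.trustStore value you intend to give Tomcat; if the search prints the user's DN, the realm's bind will succeed with that keystore too.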
Re: JNDIRealm using LDAP with SSL
Jeff Tulley wrote:
> We've done exactly that. What you need to do is import the root certificate into a .keystore file. I'm not sure if Tomcat will pick up the default cacerts file, or if you always have to specify it like we did (-Djavax.net.ssl.trustStore=sys:/adminsrv/conf/.keystore etc.). My guess is that you can set that in the java.security file in java\lib\security instead of specifying it on the command line.

Thanks Jeff! I used the command line trick and that worked. I'm not sure about the java.security file since I'm not sure what that is. We are using another filename for the keystore and explicitly specifying it for the https configuration, so I'll bet this would work if the keystore file was the default ~/.keystore.

Thanks again.

Chris