Re: JNDIRealm using LDAP with SSL

2003-10-24 Thread Hayo Schmidt
Did you solve your problem? I don't get the whole thing to run.

Are you really able to use *ldaps* in the connectionURL? On my system I 
get the following error:
LifecycleException:  Exception opening directory server connection:  
javax.naming.NamingException: Cannot parse url: ldaps://localhost:636 [Root exception is 
java.net.MalformedURLException: Not an LDAP URL: ldaps://localhost:636]

If I just use ldap://localhost:636 I get this:
LifecycleException:  Exception opening directory server connection:  
javax.naming.CommunicationException: Request: 1 cancelled

Neither really helps defend against network sniffers stealing user 
data.

Hayo Schmidt

Chris Egolf schrieb:

Does anyone have any experience getting ldaps working w/ the 
JNDIRealm in Tomcat 4.1.24?  Regular LDAP is working fine, but when I 
change the connection URL to ldaps://ldap-host:636 I get the 
following error:

2003-07-28 09:40:49 JNDIRealm[Standalone]: Connecting to URL 
ldaps://10.1.1.50:636
2003-07-28 09:40:50 JNDIRealm[Standalone]: Exception performing 
authentication
javax.naming.CommunicationException: simple bind failed: 10.1.1.50:636 
[Root exception is javax.net.ssl.SSLException: Connection has been 
shutdown: javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: No trusted certificate found]

My Realm element in server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       resourceName="UserDatabase"
       connectionURL="ldaps://10.1.1.50:636"
       connectionName="cn=TOMCAT,ou=WebAppUser,ou=MyOU,o=MyCompany"
       connectionPassword="password"
       userBase="o=MyCompany"
       userSearch="(&amp;(cn={0})(objectClass=inetOrgPerson))"
       userSubtree="true"
       roleBase="ou=WebAppGrp,ou=MyOU,o=MyCompany"
       roleSearch="(uniqueMember={0})"
       roleName="cn" />

Like I said, this works if connectionURL="ldap://10.1.1.50:389".  I 
can connect to the LDAP server (Novell eDirectory) via SSL using a 
Java browser if I accept the certificate, so I wonder if that might 
have something to do with it.

I've also successfully followed the Config-SSL-HOWTO, accepted the 
certificate from the server and set up the keystore for the connector 
as described, but I get the feeling that this is strictly for enabling 
SSL over HTTP.

Thanks in advance.

Chris

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





JNDIRealm using LDAP with SSL

2003-07-28 Thread Chris Egolf
Does anyone have any experience getting ldaps working w/ the JNDIRealm in 
Tomcat 4.1.24?  Regular LDAP is working fine, but when I change the connection 
URL to ldaps://ldap-host:636 I get the following error:

2003-07-28 09:40:49 JNDIRealm[Standalone]: Connecting to URL ldaps://10.1.1.50:636
2003-07-28 09:40:50 JNDIRealm[Standalone]: Exception performing authentication
javax.naming.CommunicationException: simple bind failed: 10.1.1.50:636 [Root 
exception is javax.net.ssl.SSLException: Connection has been shutdown: 
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: 
No trusted certificate found]

My Realm element in server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       resourceName="UserDatabase"
       connectionURL="ldaps://10.1.1.50:636"
       connectionName="cn=TOMCAT,ou=WebAppUser,ou=MyOU,o=MyCompany"
       connectionPassword="password"
       userBase="o=MyCompany"
       userSearch="(&amp;(cn={0})(objectClass=inetOrgPerson))"
       userSubtree="true"
       roleBase="ou=WebAppGrp,ou=MyOU,o=MyCompany"
       roleSearch="(uniqueMember={0})"
       roleName="cn" />

Like I said, this works if connectionURL="ldap://10.1.1.50:389".  I can connect 
to the LDAP server (Novell eDirectory) via SSL using a Java browser if I accept 
the certificate, so I wonder if that might have something to do with it.

I've also successfully followed the Config-SSL-HOWTO, accepted the certificate 
from the server and set up the keystore for the connector as described, but I get 
the feeling that this is strictly for enabling SSL over HTTP.

Thanks in advance.

Chris



Re: JNDIRealm using LDAP with SSL

2003-07-28 Thread Jeff Tulley
We've done exactly that.  What you need to do is import the root
certificate into a .keystore file.  I'm not sure if Tomcat will pick up
the default cacerts file, or if you always have to specify it like we
did (-Djavax.net.ssl.trustStore=sys:/adminsrv/conf/.keystore etc)  My
guess is that you can set that in the java.security file in
java\lib\security instead of specifying it on the command line.

If you are doing this on a NetWare server, here is something similar to
what we use to import the certificate:

keytool -import -v -noprompt -trustcacerts -file sys:/public/RootCert.der -keystore sys:/adminsrv/conf/.keystore -storepass changeit

If you are running eDirectory on something besides the server, I'm not
exactly sure how to get the RootCert.der file, I'm guessing it can be
done as an export from ConsoleOne.  

Oh, I just read the bottom of your message where you said you have done
some work with the keystore.  It looks like the documentation is a
little different for just setting up the SSL connector.  Try doing the
import of the root certificate and see if it works any better.  

Good luck,

Jeff Tulley  ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

 [EMAIL PROTECTED] 7/28/03 9:49:56 AM 
Does anyone have any experience getting ldaps working w/ the JNDIRealm
in Tomcat 4.1.24?  Regular LDAP is working fine, but when I change the
connection URL to ldaps://ldap-host:636 I get the following error:

2003-07-28 09:40:49 JNDIRealm[Standalone]: Connecting to URL
ldaps://10.1.1.50:636
2003-07-28 09:40:50 JNDIRealm[Standalone]: Exception performing
authentication
javax.naming.CommunicationException: simple bind failed: 10.1.1.50:636
[Root exception is javax.net.ssl.SSLException: Connection has been shutdown:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate found]


My Realm element in server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       resourceName="UserDatabase"
       connectionURL="ldaps://10.1.1.50:636"
       connectionName="cn=TOMCAT,ou=WebAppUser,ou=MyOU,o=MyCompany"
       connectionPassword="password"
       userBase="o=MyCompany"
       userSearch="(&amp;(cn={0})(objectClass=inetOrgPerson))"
       userSubtree="true"
       roleBase="ou=WebAppGrp,ou=MyOU,o=MyCompany"
       roleSearch="(uniqueMember={0})"
       roleName="cn" />


Like I said, this works if connectionURL="ldap://10.1.1.50:389".  I can
connect to the LDAP server (Novell eDirectory) via SSL using a Java browser
if I accept the certificate, so I wonder if that might have something to do
with it.

I've also successfully followed the Config-SSL-HOWTO, accepted the
certificate from the server and set up the keystore for the connector as
described, but I get the feeling that this is strictly for enabling SSL
over HTTP.

Thanks in advance.

Chris







Re: JNDIRealm using LDAP with SSL

2003-07-28 Thread Chris Egolf
Jeff Tulley wrote:
We've done exactly that.  What you need to do is import the root
certificate into a .keystore file.  I'm not sure if Tomcat will pick up
the default cacerts file, or if you always have to specify it like we
did (-Djavax.net.ssl.trustStore=sys:/adminsrv/conf/.keystore etc)  My
guess is that you can set that in the java.security file in
java\lib\security instead of specifying it on the command line.

Thanks Jeff!  I used the command line trick and that worked.  I'm not sure about 
the java.security file since I'm not sure what that is.  We are using another 
filename for the keystore and explicitly specifying it for the https 
configuration, so I'll bet this would work if the keystore file was the default 
~/.keystore.

Thanks again.

Chris

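Jeff's fix, trusting the directory's root certificate, can also be applied per connection instead of JVM-wide. What follows is an added example, not from this thread and not Tomcat's own code. It assumes placeholder values (the CA file path, the host name ldap-host, the bind DN and search filter copied from Chris's realm config, and the class names LdapsTrustCheck and PinnedCaSocketFactory) and a JDK whose JNDI LDAP provider honours the java.naming.ldap.factory.socket property, which the Sun/Oracle/OpenJDK provider does. It opens an ldaps:// context that trusts only the given CA, turns on hostname checking against the server certificate, and runs the same user search the realm would:

```java
// Added example (not from the thread or from Tomcat): ldaps:// JNDI context that
// trusts only one CA certificate file, without touching the JVM-wide trust store.
// Placeholders: CA file path, ldap-host, bind DN, and the class names used here.
import java.io.*;                 // FileInputStream, InputStream, IOException
import java.net.*;                // InetAddress, Socket
import java.security.KeyStore;
import java.security.cert.*;      // CertificateFactory, X509Certificate
import java.util.Hashtable;
import javax.naming.*;            // Context, NamingEnumeration
import javax.naming.directory.*;  // DirContext, InitialDirContext, SearchControls, SearchResult
import javax.net.SocketFactory;
import javax.net.ssl.*;           // SSLContext, SSLParameters, SSLSocket, SSLSocketFactory, TrustManagerFactory

public class LdapsTrustCheck {

    /**
     * Handed to the JNDI LDAP provider via java.naming.ldap.factory.socket. The
     * provider instantiates it by calling the static getDefault(), so the
     * SSLContext has to be parked in a static field beforehand.
     */
    public static class PinnedCaSocketFactory extends SSLSocketFactory {
        private static volatile SSLSocketFactory delegate;

        static void install(SSLContext ctx) { delegate = ctx.getSocketFactory(); }

        public static SocketFactory getDefault() {
            if (delegate == null) throw new IllegalStateException("install() not called");
            return new PinnedCaSocketFactory();
        }

        /** RFC 2818-style hostname check: a valid cert issued for some other host is rejected. */
        private static Socket verifyHost(Socket s) {
            SSLSocket ssl = (SSLSocket) s;
            SSLParameters p = ssl.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            ssl.setSSLParameters(p);
            return ssl;
        }

        @Override public Socket createSocket(String h, int p) throws IOException { return verifyHost(delegate.createSocket(h, p)); }
        @Override public Socket createSocket(String h, int p, InetAddress l, int lp) throws IOException { return verifyHost(delegate.createSocket(h, p, l, lp)); }
        @Override public Socket createSocket(InetAddress h, int p) throws IOException { return verifyHost(delegate.createSocket(h, p)); }
        @Override public Socket createSocket(InetAddress h, int p, InetAddress l, int lp) throws IOException { return verifyHost(delegate.createSocket(h, p, l, lp)); }
        @Override public Socket createSocket(Socket s, String h, int p, boolean close) throws IOException { return verifyHost(delegate.createSocket(s, h, p, close)); }
        @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
        @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    }

    /** SSLContext whose only trust anchor is the CA certificate in caFile (DER or PEM). */
    static SSLContext contextTrustingOnly(String caFile) throws Exception {
        X509Certificate ca;
        try (InputStream in = new FileInputStream(caFile)) {
            ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);                           // empty, in-memory trust store
        ts.setCertificateEntry("ldap-root-ca", ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: LdapsTrustCheck <root-ca.der> <bind-password> <username>");
            System.exit(2);
        }
        PinnedCaSocketFactory.install(contextTrustingOnly(args[0]));

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ldap-host:636");  // placeholder; must match the cert's name
        env.put("java.naming.ldap.factory.socket", PinnedCaSocketFactory.class.getName());
        env.put("com.sun.jndi.ldap.read.timeout", "5000");       // fail fast instead of hanging
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=TOMCAT,ou=WebAppUser,ou=MyOU,o=MyCompany");
        env.put(Context.SECURITY_CREDENTIALS, args[1]);

        DirContext dir = new InitialDirContext(env);  // TLS handshake and simple bind happen here
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"cn"});
            // Same filter as the realm's userSearch. {0} is bound as a filter argument, so the
            // JNDI LDAP provider escapes ( ) * \ in the username instead of splicing it into the filter.
            NamingEnumeration<SearchResult> hits = dir.search("o=MyCompany",
                    "(&(cn={0})(objectClass=inetOrgPerson))", new Object[] {args[2]}, sc);
            while (hits.hasMore()) {
                System.out.println("found " + hits.next().getNameInNamespace());
            }
        } finally {
            dir.close();
        }
    }
}
```

Compile with javac and run as `java LdapsTrustCheck RootCert.der <bind-password> <username>`. Connect by the name that appears in the server certificate: the thread's ldaps://10.1.1.50:636 only passes hostname checking if the certificate carries that IP address as a subject alternative name. Note also that the scheme, not the port, selects TLS; ldap://host:636 sends cleartext LDAP to a listener that is waiting for a TLS handshake. For Tomcat 4.1's JNDIRealm itself, the JVM-wide -Djavax.net.ssl.trustStore setting that Chris confirmed remains the mechanism; this program is a way to check, before editing server.xml, that the exported root certificate really validates the directory's chain and that the bind DN and filter work.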