LDAPS truststore configuration is separate from truststore for client certs [1].

" 3. Trusting the LDAP Server’s public key - if the LDAP Server’s identity
certificate is issued by a well known and trusted certificate authority and
is already represented in the JRE’s cacerts truststore then you don’t need
to do anything for trusting the LDAP server’s cert. If, however, the cert
is selfsigned or issued by an untrusted authority you will need to either
add it to the cacerts keystore or to another truststore that you may direct
Knox to utilize through a system property."

I believe the mentioned truststore system property would be the standard
"javax.net.ssl.trustStore".

HTH.

1.
https://knox.apache.org/books/knox-0-14-0/user-guide.html#LDAP+over+SSL+(LDAPS)+Configuration


On Sat, Jan 6, 2018 at 7:30 PM, Sandeep More <[email protected]> wrote:

> Hello Andrey,
>
> Sorry, missed your email somehow.
> Using the gateway.truststore.path property should have worked, also I have
> had success with -Djavax.net.ssl.trustStore (note, truststore).
>
> I think there is something funny going on, gateway.truststore.path should
> work, check gateway.log with DEBUG enabled, I believe it should log the
> keystore/truststore location used by Knox.
> Can you try with -Djavax.net.ssl.trustStore=my_truststore_path when you
> start gateway (updating gateway.sh) and share the logs? That should help
> troubleshooting.
>
> Best,
> Sandeep
>
>
> On Fri, Jan 5, 2018 at 12:41 PM, Markovich <[email protected]> wrote:
>
>> Any ideas?
>>
>> Regards,
>> Andrey
>>
>> 2017-12-30 2:37 GMT+03:00 Андрей Ривкин <[email protected]>:
>>
>>> Hello Knox users!
>>>
>>>
>>>
>>> I’d like to use Knox with LDAPS, but with corporate certificate.
>>>
>>> I don’t want to add this cert to Java trustStore. I have another one.
>>>
>>> How to tell Knox (shiro) to use my truststore?
>>>
>>>
>>>
>>> All my experiments failed with:
>>>
>>>
>>>
>>> *Root exception is javax.net.ssl.SSLHandshakeException:
>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>> valid certification path to requested target*
>>>
>>>
>>>
>>> Then I’ve enabled *-Djavax.net.debug=all* and was able to see this:
>>>
>>>
>>>
>>> SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
>>>
>>> handling exception: javax.net.ssl.SSLHandshakeException:
>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>> find valid certification path to requested target
>>>
>>>
>>>
>>> And finally this:
>>>
>>>
>>>
>>> trustStore is: /usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts
>>>
>>> trustStore type is : jks
>>>
>>> trustStore provider is :
>>>
>>> init truststore
>>>
>>>
>>>
>>> Also I’ve tried to *add -Djavax.net.ssl.keyStore=my_truststore_path
>>> -Djavax.net.ssl.keyStorePassword=my_truststore_password* after
>>> *-Djavax.net.debug=all*.
>>>
>>> Result - trustStore is: /usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts
>>>
>>>
>>>
>>> I’ve also told knox to use my truststore using this:
>>>
>>>
>>>
>>> gateway.truststore.path
>>>
>>> Fully qualified path to the trust store to use. Default is the
>>> gateway.jks.
>>>
>>>
>>>
>>> And this
>>>
>>> knoxcli.sh create-alias gateway-truststore-password --value {pwd}
>>>
>>>
>>>
>>> Result - trustStore is: /usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts
>>>
>>>
>>>
>>>
>>>
>>> So now I’m out of ideas…
>>>
>>> I’ve also wanted to tell right shiro where my trustStore is, but got
>>> this:
>>>
>>>
>>>
>>> 2017-12-29 18:21:33,091 ERROR env.EnvironmentLoader
>>> (EnvironmentLoader.java:initEnvironment(146)) - Shiro environment
>>> initialization failed
>>>
>>> org.apache.shiro.config.ConfigurationException: Property 'trustStore'
>>> does not exist for object of type
>>> org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm.
>>>
>>>
>>>
>>>
>>>
>>> So, how to tell Shiro to use my truststore?
>>>
>>>
>>>
>>> Best regards,
>>>
>>> Andrey
>>>
>>
>>
>
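The thread above turns on which store JSSE actually consults for the LDAPS handshake: javax.net.ssl.trustStore, not javax.net.ssl.keyStore. The following is an added diagnostic (not from the thread or from the Knox project) that rebuilds the default trust manager exactly as JNDI's LDAPS connection does and replays the PKIX check on a saved server chain, so it can be run with the same -D flags as gateway.sh to confirm they take effect. The class name LdapsTrustCheck and the server-chain.pem argument are assumptions; the PEM can be captured with `openssl s_client -connect ldap-host:636 -showcerts`, keeping only the BEGIN/END CERTIFICATE blocks.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Replays the JSSE server-trust decision for an LDAPS certificate chain using the JVM's
// default trust material: the store named by -Djavax.net.ssl.trustStore, or the JRE cacerts
// when that property is unset. -Djavax.net.ssl.keyStore plays no part in this decision.
// Usage: java -Djavax.net.ssl.trustStore=/path/my.jks -Djavax.net.ssl.trustStorePassword=secret \
//        LdapsTrustCheck server-chain.pem   (PEM chain, leaf certificate first; assumed file name)
public class LdapsTrustCheck {
    // Same initialisation JNDI's default LDAPS socket factory relies on: no explicit KeyStore.
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);  // null => honour javax.net.ssl.trustStore, else jre/lib/security/cacerts
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Parses one or more PEM certificates into the chain JSSE would receive from the server.
    static X509Certificate[] readChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(pemPath)) {
            return cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
    }

    public static void main(String[] args) throws Exception {
        X509TrustManager tm = defaultTrustManager();
        X509Certificate[] chain = readChain(args[0]);
        System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore", "<unset, JRE cacerts>"));
        System.out.println("trusted issuers loaded: " + tm.getAcceptedIssuers().length);
        // authType only selects the key-usage check; path building itself does not depend on it.
        String authType = "EC".equals(chain[0].getPublicKey().getAlgorithm()) ? "ECDHE_ECDSA" : "ECDHE_RSA";
        try {
            tm.checkServerTrusted(chain, authType);
            System.out.println("OK: " + chain[0].getSubjectX500Principal() + " chains to a trusted issuer");
        } catch (CertificateException e) {
            System.out.println("FAIL, the gateway would see the same PKIX error: " + e.getMessage());
        }
    }
}
```

If the run prints the JRE cacerts path even though -Djavax.net.ssl.trustStore was given on the command line, the flag is not reaching the JVM, which is the first thing to check in gateway.sh before looking at Knox or Shiro configuration.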
