Hi all

apache-tomcat-8.0.36

java version "1.8.0_281"
Java(TM) SE Runtime Environment (build 1.8.0_281-b09)
Java HotSpot(TM) 64-Bit Server VM (build 25.281-b09, mixed mode)

We are having a problem with our Single sign On config.
When using ldap - all works well.

When switching to ldaps, the user loses the connection altogether (Server
not reachable).



server.xml

Good:
            <Realm className="org.apache.catalina.realm.JNDIRealm"
                   connectionURL="ldap://xxxxx.xxxx.com:3268"
                   userBase="DC=XXXINTRA,DC=CH"
                   userSubtree="true"
                   userSearch="(sAMAccountName={0})"
                   userRoleName="memberOf"
                   roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
                   roleName="CN"
                   roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
                   roleSubtree="true"
                   roleNested="true" />

bad:

            <Realm className="org.apache.catalina.realm.JNDIRealm"
                   connectionURL="ldaps://xxxxx.xxxx.com:3269"
                   userBase="DC=XXXINTRA,DC=CH"
                   userSubtree="true"
                   userSearch="(sAMAccountName={0})"
                   userRoleName="memberOf"
                   roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
                   roleName="CN"
                   roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
                   roleSubtree="true"
                   roleNested="true" />


Connectivity to the DC is fine (ldapsearch with ldaps works), the SSL connection
itself seems to be fine, the certificates are fine, and we are sending the truststore as
well. Everything is in the relevant cacerts too.
We have an HTTPS server in front and a proxy setting to the Tomcat.

/usr/java/latest/bin/java \
  -Djava.util.logging.config.file=/opt/tomcat/tomcat8_appway1/conf/logging.properties \
  -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
  -Djavax.net.ssl.trustStore=/etc/pki/tls/certs/xxxxxxxxxxRootCore.jks \
  -Djavax.net.ssl.trustStorePassword=xxxxxx \
  -Djdk.tls.ephemeralDHKeySize=2048 \
  -Xmx12G -XX:+UseThreadPriorities \
  -Dnm.data.home=/opt/tomcat/data \
  -Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf \
  -Djava.security.krb5.conf=/opt/tomcat/tomcat8_appway1/conf/krb5.conf \
  -Djavax.security.auth.useSubjectCredsOnly=false \
  -Dsun.security.krb5.debug=false \
  -Duser.timezone=Europe/Berlin \
  -Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed \
  -classpath /opt/tomcat/apache-tomcat-8.0.36/bin/bootstrap.jar:/opt/tomcat/apache-tomcat-8.0.36/bin/tomcat-juli.jar \
  -Dcatalina.base=/opt/tomcat/tomcat8_appway1 \
  -Dcatalina.home=/opt/tomcat/apache-tomcat-8.0.36 \
  -Djava.io.tmpdir=/opt/tomcat/tomcat8_appway1/temp \
  org.apache.catalina.startup.Bootstrap start


We do not see a direct error in catalina.out.

The domain controller seems to close the connection. The errors are "The parameter is
incorrect" and "The system cannot find the path specified."

What are we missing?

Do I need to configure some SSL Realm in the server.xml as well?

Thank you


Susan Wood
____________________________________________________________________________
System Engineering
Telefon +41-58-223 70 83
Mobile   +41-79-375 34 58
susan.w...@swisscom.com
____________________________________________________________________________
Swisscom (Schweiz) AG
Business Customers
Solution Center Banking
Ey 10
3063 Ittigen
www.swisscom.com
Postadresse:
Postfach
3050 Bern
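Added example (not part of the post above and not Tomcat's own code): JNDIRealm does not need a separate "SSL Realm"; with an ldaps:// connectionURL it simply opens a JNDI LDAP context and lets JSSE negotiate TLS using the JVM's javax.net.ssl.trustStore. The quickest way to see why that handshake is failing is to open the same kind of context from a small standalone program started with the same truststore properties as the Tomcat JVM, so the JSSE root cause (which JNDI wraps in a CommunicationException and which Tomcat does not log directly) becomes visible. The class name LdapsProbe is an assumption; the URL and truststore paths are the ones from the post.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/**
 * Standalone LDAPS probe (added example, not Tomcat code).
 *
 * Compile and run with the same truststore settings the Tomcat JVM uses, plus
 * JSSE debugging so the certificate chain and the trust decision are printed:
 *
 *   javac LdapsProbe.java
 *   java -Djavax.net.ssl.trustStore=/etc/pki/tls/certs/xxxxxxxxxxRootCore.jks \
 *        -Djavax.net.ssl.trustStorePassword=xxxxxx \
 *        -Djavax.net.debug=ssl,handshake \
 *        LdapsProbe ldaps://xxxxx.xxxx.com:3269
 */
public class LdapsProbe {

    /**
     * Opens an LDAP context exactly the way JNDIRealm does for an ldaps:// URL
     * (TLS is selected by the URL scheme, no extra realm setting is involved)
     * and reads the rootDSE, which Active Directory serves to an anonymous
     * connection. Returns the rootDSE attributes on success.
     */
    static String probe(String url) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "none"); // anonymous, no credentials needed

        LdapContext ctx = new InitialLdapContext(env, null); // TLS handshake happens here
        try {
            Attributes rootDse = ctx.getAttributes("",
                    new String[] { "defaultNamingContext", "dnsHostName" });
            return rootDse.toString();
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) {
        if (args.length != 1) {
            System.err.println("usage: java LdapsProbe ldap[s]://host:port");
            System.exit(2);
        }
        try {
            System.out.println("rootDSE: " + probe(args[0]));
        } catch (NamingException e) {
            // JNDI reports TLS problems as CommunicationException; the cause chain
            // below carries the real JSSE error (untrusted chain, hostname mismatch,
            // connection reset by the server, ...), which is what to act on.
            System.err.println("JNDI failure: " + e);
            Throwable cause = e.getRootCause();
            while (cause != null) {
                System.err.println("  caused by: " + cause);
                cause = cause.getCause();
            }
            System.exit(1);
        }
    }
}
```

Two things worth confirming while reading the output. First, the issuing CA of the domain controller's certificate must actually be present in the JKS named in -Djavax.net.ssl.trustStore (`keytool -list -v -keystore /etc/pki/tls/certs/xxxxxxxxxxRootCore.jks` lists what is in it); a successful ldapsearch proves the OpenLDAP client's CA store is right, not the JVM's. Second, since JDK 8u181 the JNDI LDAP provider performs endpoint identification on LDAPS connections, so the hostname in the connectionURL has to match the certificate's subject alternative names; on 1.8.0_281 that check is active, and the handshake trace above shows whether it is the point of failure. The switch -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true exists to turn it off, but only as a diagnostic, since it removes the protection against a spoofed directory server.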