[Building Sakai] Sakai 2.8.1 LDAPS problem
İrfan SÜRAL
irfansural at gmail.com
Tue Mar 26 14:41:24 PDT 2013
Hi All,
I have configured LDAP in Sakai 2.8.1 with no problem. I decided to switch to
SSL + LDAP (LDAPS) to be more secure.
I have a cert.pfx file which is used and valid. First of all I imported the
cert.pfx certificate into a keystore with the following command line:
keytool -importkeystore -deststorepass xxxxxx -destkeystore /opt/tomcat/bin/tomcat.keystore -srckeystore /root/cert.pfx -srcstoretype PKCS12 -srcstorepass xxxxxx
After this step I imported it into the certpath with this command line:
keytool -importkeystore -srckeystore tomcat.keystore -destkeystore $JAVA_HOME/jre/lib/security/cacerts
To test the LDAPS connection I used: openssl s_client -connect ldapserver:636
-CAfile /opt/tomcat/bin/tomcat.keystore. The result is OK; I can see a
certificate which starts with -----BEGIN CERTIFICATE-----
After that I configured the Sakai 2.8.1 LDAP provider
(sakai/providers/component/src/webapp/WEB-INF/jldap-beans.xml).
I configured the following lines in addition to the previous LDAP configuration
(I have success with LDAP but not with LDAPS).
<property name="ldapPort">
    <value>636</value>
</property>
<property name="keystoreLocation">
    <value>/opt/tomcat/bin/tomcat.keystore</value>
</property>
<property name="keystorePassword">
    <value>xxxxx</value>
</property>
<property name="secureConnection">
    <value>true</value>
</property>
<property name="secureSocketFactory">
    <bean class="com.novell.ldap.LDAPJSSESecureSocketFactory" />
</property>
I get the following error when an LDAP user tries to connect.
2013-03-26 22:01:17,288 ERROR http-443-Processor21 edu.amc.sakai.user.JLDAPDirectoryProvider - getUser() failed [eid: 11100008028]
LDAPException: I/O Exception on host ldapserver, port 636 (91) Connect Error
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.novell.ldap.Connection.writeMessage(Unknown Source)
    at com.novell.ldap.Connection.writeMessage(Unknown Source)
    at com.novell.ldap.Message.sendMessage(Unknown Source)
    at com.novell.ldap.MessageAgent.sendMessage(Unknown Source)
To find out what is happening I used a few commands.
Here is what I got.
Command: java -Djavax.net.ssl.trustStore=/usr/java/jdk1.6.0_20/jre/lib/security/cacerts SSLPoke ldapserver 636
Output:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1053)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:128)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:529)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:465)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:73)
    at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
    ... 15 more
openssl s_client -connect ldapserver:636 -CAfile /opt/tomcat/bin/tomcat.keystore
CONNECTED(00000003)
depth=0 CN = STUDENTDC1.xxxxxxxx.local
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = STUDENTDC1.xxxxxxxx.local
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = STUDENTDC1.xxxxxxxx.local
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=xxxxxxxxxxxxxxxxx
i:/DC=local/DC=xxxxxxxxx/CN=xxxxxxxxxxx-STUDENTDC1-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFkzCCBPygAwIBAgIKYQ
Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
SSL handshake has read 2992 bytes and written 658 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
What is the problem? Is it an LDAP server or a Sakai LDAPS configuration problem?
Any help is really appreciated.
Thanks
Irfan SURAL
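An added diagnostic for the failure described in this post (my own code, not Sakai's or JLDAP's): it captures the chain the LDAPS server presents in a handshake and then validates it with the same PKIX trust manager JSSE uses, against the JKS file named in keystoreLocation, so the "unable to find valid certification path" error can be compared with the trust anchors actually in that file. The host, port and keystore path are taken from the post; the default password and the class name are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;
public class LdapsTrustCheck {
    // Captures the chain the server presents in one TLS handshake; nothing is sent after it.
    static X509Certificate[] fetchChain(String host, int port) throws Exception {
        final X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager capture = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] c, String a) { seen[0] = c; }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try { s.startHandshake(); } finally { s.close(); }
        if (seen[0] == null) throw new IllegalStateException("server sent no certificate chain");
        return seen[0];
    }
    // Validates the chain as JSSE (and so JLDAP's JSSE socket factory) does: PKIX against the JKS file from keystoreLocation.
    static String validate(X509Certificate[] chain, String storePath, char[] storePass) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(storePath);
        try { ts.load(in, storePass); } finally { in.close(); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ts);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            tm.checkServerTrusted(chain, "RSA");
            return "OK: chain validates against " + storePath;
        } catch (CertificateException e) {
            // The same failure JLDAP logged; list the anchors so a missing issuer stands out.
            StringBuilder sb = new StringBuilder("FAIL: " + e.getMessage() + "\nTrust anchors in " + storePath + ":");
            for (X509Certificate a : tm.getAcceptedIssuers()) sb.append("\n  ").append(a.getSubjectX500Principal());
            return sb.toString();
        }
    }
    public static void main(String[] args) throws Exception {
        // Defaults are the host and path from the post; the password is a placeholder (assumption).
        String host = args.length > 0 ? args[0] : "ldapserver";
        String store = args.length > 1 ? args[1] : "/opt/tomcat/bin/tomcat.keystore";
        char[] pass = (args.length > 2 ? args[2] : "changeit").toCharArray();
        X509Certificate[] chain = fetchChain(host, 636);
        for (X509Certificate c : chain)
            System.out.println("presented: subject=" + c.getSubjectX500Principal() + " issuer=" + c.getIssuerX500Principal());
        System.out.println(validate(chain, store, pass));
    }
}
```

Note that openssl's -CAfile option expects PEM-encoded certificates, so pointing it at a JKS keystore says nothing about what Java trusts, whereas this check reads the file JLDAP reads. If the server sends only its depth=0 certificate and its issuer (the ...-STUDENTDC1-CA entry in the post's output) is not among the listed anchors, that issuing CA's certificate is what the truststore needs.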