[Building Sakai] Sakai 2.8.1 LDAPS problem

Steve Swinsburg steve.swinsburg at gmail.com
Tue Mar 26 17:37:40 PDT 2013


If you do a search in your favourite search engine, you'll find heaps of
articles about it. It should be straightforward to resolve.


On Wed, Mar 27, 2013 at 9:45 AM, İrfan SÜRAL <irfansural at gmail.com> wrote:

> Hi Steve,
>
> Thank you for the reply. Can you give me some suggestions on how to solve this
> problem?
>
> Thanks,
>
> Irfan
>
> *From:* Steve Swinsburg [mailto:steve.swinsburg at gmail.com]
> *Sent:* Wednesday, March 27, 2013 12:24 AM
> *To:* İrfan SÜRAL
> *Cc:* sakai-dev
> *Subject:* Re: [Building Sakai] Sakai 2.8.1 LDAPS problem
>
> Hi,
>
> You've got a problem with your certificate chain:
>
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
>
> cheers,
>
> Steve
>
> On Wed, Mar 27, 2013 at 8:41 AM, İrfan SÜRAL <irfansural at gmail.com> wrote:
>
> Hi All,
>
> I have configured LDAP in Sakai 2.8.1 with no problem. I decided to switch
> to SSL + LDAP (LDAPS) to be more secure.
>
> I have a cert.pfx file which is used and valid. First of all I imported the
> cert.pfx certificate into a keystore with the following command line:
>
> keytool -importkeystore -deststorepass xxxxxx -destkeystore
> /opt/tomcat/bin/tomcat.keystore -srckeystore /root/cert.pfx -srcstoretype
> PKCS12 -srcstorepass xxxxxx
>
> After this step I imported it into the certpath with this command line:
>
> keytool -importkeystore -srckeystore tomcat.keystore -destkeystore
> $JAVA_HOME/jre/lib/security/cacerts
>
> To test the LDAPS connection I used: openssl s_client -connect ldapserver:636
> -CAfile /opt/tomcat/bin/tomcat.keystore. The result is OK; I can see the
> certificate, which starts with -----BEGIN CERTIFICATE-----
>
> After that I configured the Sakai 2.8.1 LDAP provider
> (sakai/providers/component/src/webapp/WEB-INF/jldap-beans.xml).
>
> I configured the following lines in addition to the previous LDAP configuration
> (I have success in LDAP but not in LDAPS).
>
> <property name="ldapPort">
>     <value>636</value>
> </property>
>
> <property name="keystoreLocation">
>     <value>/opt/tomcat/bin/tomcat.keystore</value>
> </property>
>
> <property name="keystorePassword">
>     <value>xxxxx</value>
> </property>
>
> <property name="secureConnection">
>     <value>true</value>
> </property>
>
> <property name="secureSocketFactory">
>     <bean class="com.novell.ldap.LDAPJSSESecureSocketFactory" />
> </property>
>
> I get the following error when an LDAP user tries to connect.
>
> 2013-03-26 22:01:17,288 ERROR http-443-Processor21
> edu.amc.sakai.user.JLDAPDirectoryProvider - getUser() failed [eid:
> 11100008028]
> LDAPException: I/O Exception on host ldapserver, port 636 (91) Connect
> Error
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>         at com.novell.ldap.Connection.writeMessage(Unknown Source)
>         at com.novell.ldap.Connection.writeMessage(Unknown Source)
>         at com.novell.ldap.Message.sendMessage(Unknown Source)
>         at com.novell.ldap.MessageAgent.sendMessage(Unknown Source)
>
> To find out what is happening I used a few commands.
>
> Here is what I got.
>
> Command: java
> -Djavax.net.ssl.trustStore=/usr/java/jdk1.6.0_20/jre/lib/security/cacerts
> SSLPoke ldapserver 636
>
> Output:
>
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
>         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
>         at sun.security.validator.Validator.validate(Validator.java:218)
>         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
>         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
>         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
>         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1053)
>         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:128)
>         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:529)
>         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:465)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
>         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
>         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:73)
>         at SSLPoke.main(SSLPoke.java:31)
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
>         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
>         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
>         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
>         ... 15 more
>
> openssl s_client -connect ldapserver:636 -CAfile
> /opt/tomcat/bin/tomcat.keystore
>
> CONNECTED(00000003)
> depth=0 CN = STUDENTDC1.xxxxxxxx.local
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = STUDENTDC1.xxxxxxxx.local
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 CN = STUDENTDC1.xxxxxxxx.local
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=xxxxxxxxxxxxxxxxx
>    i:/DC=local/DC=xxxxxxxxx/CN=xxxxxxxxxxx-STUDENTDC1-CA
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIFkzCCBPygAwIBAgIKYQ
> Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
> SSL handshake has read 2992 bytes and written 658 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES128-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
> Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
> What is the problem? Is it an LDAP server or a Sakai LDAPS configuration problem?
>
> Any help is really appreciated.
>
> Thanks,
>
> Irfan SURAL