[Building Sakai] Sakai 2.8.1 LDAPS problem

İrfan SÜRAL irfansural at gmail.com
Tue Mar 26 18:32:50 PDT 2013


Nope. I have found many articles and forum posts that describe this. I am good at searching, but if you look at my post, I have imported the keystore (most articles describe this).

 

That is why I have sent this problem here; there is something I missed, but what?

I am not good in certificates and need more research I think.

 

Anyway thanks

 

Irfan

 

From: Steve Swinsburg [mailto:steve.swinsburg at gmail.com] 
Sent: Wednesday, March 27, 2013 2:38 AM
To: İrfan SÜRAL
Cc: sakai-dev
Subject: Re: [Building Sakai] Sakai 2.8.1 LDAPS problem

 

If you do a search in your favourite search engine, you'll find heaps of articles about it. It should be straightforward to resolve.

 

On Wed, Mar 27, 2013 at 9:45 AM, İrfan SÜRAL <irfansural at gmail.com> wrote:

Hi Steve 

 

Thank you for reply. Can you give me some suggestions how to solve this problem?

 

Thanks 

 

Irfan

 

From: Steve Swinsburg [mailto:steve.swinsburg at gmail.com] 
Sent: Wednesday, March 27, 2013 12:24 AM
To: İrfan SÜRAL
Cc: sakai-dev
Subject: Re: [Building Sakai] Sakai 2.8.1 LDAPS problem

 

Hi,

 

You've got a problem with your certificate chain

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 

 

cheers,

Steve

 

On Wed, Mar 27, 2013 at 8:41 AM, İrfan SÜRAL <irfansural at gmail.com> wrote:

Hi All,

 

I have configured LDAP in Sakai 2.8.1 with no problem. I decided to switch to SSL + LDAP (LDAPS) to be more secure.

 

I have a cert.pfx file which is in use and valid. First of all, I imported the cert.pfx certificate into the keystore with the following command line:

 

keytool -importkeystore -deststorepass xxxxxx -destkeystore /opt/tomcat/bin/tomcat.keystore -srckeystore /root/cert.pfx -srcstoretype PKCS12 -srcstorepass xxxxxx

 

After this step I imported it into the certpath with this command line:

 

keytool -importkeystore -srckeystore tomcat.keystore -destkeystore $JAVA_HOME/jre/lib/security/cacerts

 

To test the LDAPS connection I used: openssl s_client -connect ldapserver:636 -CAfile /opt/tomcat/bin/tomcat.keystore. The result is OK; I can see the certificate, which starts with -----BEGIN CERTIFICATE-----

 

After that I configured the Sakai 2.8.1 LDAP provider (sakai/providers/component/src/webapp/WEB-INF/jldap-beans.xml).

 

I configured the following lines in addition to the previous LDAP configuration (I have success with LDAP but not with LDAPS).

 

<property name="ldapPort">
    <value>636</value>
</property>

<property name="keystoreLocation">
    <value>/opt/tomcat/bin/tomcat.keystore</value>
</property>

<property name="keystorePassword">
    <value>xxxxx</value>
</property>

<property name="secureConnection">
    <value>true</value>
</property>

<property name="secureSocketFactory">
    <bean class="com.novell.ldap.LDAPJSSESecureSocketFactory" />
</property>

 

I get the following error when an LDAP user tries to connect.

 

2013-03-26 22:01:17,288 ERROR http-443-Processor21 edu.amc.sakai.user.JLDAPDirectoryProvider - getUser() failed [eid: 11100008028]
LDAPException: I/O Exception on host ldapserver, port 636 (91) Connect Error
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.novell.ldap.Connection.writeMessage(Unknown Source)
        at com.novell.ldap.Connection.writeMessage(Unknown Source)
        at com.novell.ldap.Message.sendMessage(Unknown Source)
        at com.novell.ldap.MessageAgent.sendMessage(Unknown Source)

To find out what is happening I used a few commands.

Here is what I got.

 

Command:  java -Djavax.net.ssl.trustStore=/usr/java/jdk1.6.0_20/jre/lib/security/cacerts SSLPoke ldapserver 636 

 

Output:

 

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
        at sun.security.validator.Validator.validate(Validator.java:218)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1053)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:128)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:529)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:465)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:73)
        at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
        ... 15 more

 

 

openssl s_client -connect ldapserver:636 -CAfile /opt/tomcat/bin/tomcat.keystore

CONNECTED(00000003)
depth=0 CN = STUDENTDC1.xxxxxxxx.local
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = STUDENTDC1.xxxxxxxx.local
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = STUDENTDC1.xxxxxxxx.local
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=xxxxxxxxxxxxxxxxx
   i:/DC=local/DC=xxxxxxxxx/CN=xxxxxxxxxxx-STUDENTDC1-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFkzCCBPygAwIBAgIKYQ
Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

SSL handshake has read 2992 bytes and written 658 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

 

 

What is the problem? Is it an LDAP server or Sakai LDAPS configuration problem?

Any help is really appreciated.

 

Thanks

Irfan SURAL
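The openssl transcript in the post already carries the diagnosis: the server presents a single certificate (depth 0) issued by an internal AD CA, and every verify line is an error, so the client never found a trust anchor for that issuer. Below is an added example, written for this thread and not taken from the post or from the Sakai project, that parses `openssl s_client` verify output and maps the error codes to the trust-store action a defender needs. The two transcripts are constructed to mirror the posted output with the masked domain replaced by the placeholder "example"; `diagnose`, `alias_from_dn` and `trust_import_command` are names chosen here.

```python
"""Classify a TLS trust failure from `openssl s_client` verify output.

Added example for the thread above, not Sakai project code. The transcripts
are constructed to mirror the posted output with the domain masked as "example".
"""
import re
from dataclasses import dataclass, field

# OpenSSL X509_V_ERR_* codes as printed in "verify error:num=NN" lines.
ERR_EXPIRED, ERR_SELF_SIGNED_LEAF, ERR_SELF_SIGNED_CHAIN = 10, 18, 19
ERR_NO_LOCAL_ISSUER, ERR_UNVERIFIED_LEAF, ERR_UNTRUSTED = 20, 21, 27

# Constructed: what the post shows. Only the leaf (depth 0) is sent and its
# issuer is an internal AD CA that the client's CA file does not contain.
SAMPLE_MISSING_ISSUER = """\
CONNECTED(00000003)
depth=0 CN = STUDENTDC1.example.local
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = STUDENTDC1.example.local
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = STUDENTDC1.example.local
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=STUDENTDC1.example.local
   i:/DC=local/DC=example/CN=example-STUDENTDC1-CA
---
"""

# Constructed: the healthy case, full chain sent and no verify errors.
SAMPLE_OK = """\
CONNECTED(00000003)
depth=1 DC = local, DC = example, CN = example-STUDENTDC1-CA
verify return:1
depth=0 CN = STUDENTDC1.example.local
verify return:1
---
Certificate chain
 0 s:/CN=STUDENTDC1.example.local
   i:/DC=local/DC=example/CN=example-STUDENTDC1-CA
 1 s:/DC=local/DC=example/CN=example-STUDENTDC1-CA
   i:/DC=local/DC=example/CN=example-STUDENTDC1-CA
---
"""

_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER = re.compile(r"^\s*i:(.*)$")
_VERIFY_ERR = re.compile(r"^verify error:num=(\d+):")


@dataclass
class Diagnosis:
    chain: list = field(default_factory=list)   # [(depth, subject, issuer), ...]
    error_codes: list = field(default_factory=list)
    problem: str = "ok"
    detail: str = ""

    @property
    def top_issuer(self):
        return self.chain[-1][2] if self.chain else None


def parse_s_client(output: str) -> Diagnosis:
    """Pull the verify error codes and the 'Certificate chain' entries out."""
    d, pending = Diagnosis(), None
    for line in output.splitlines():
        if m := _VERIFY_ERR.match(line):
            d.error_codes.append(int(m.group(1)))
        elif m := _SUBJECT.match(line):
            pending = (int(m.group(1)), m.group(2).strip())
        elif (m := _ISSUER.match(line)) and pending:
            d.chain.append((*pending, m.group(1).strip()))
            pending = None
    return d


def diagnose(output: str) -> Diagnosis:
    """Map the verify errors to the trust-store action a defender must take."""
    d = parse_s_client(output)
    codes = set(d.error_codes)
    if not codes:
        d.detail = "chain verified against the supplied CA file"
    elif ERR_EXPIRED in codes:
        d.problem, d.detail = "expired", "a certificate in the chain has expired"
    elif codes & {ERR_SELF_SIGNED_LEAF, ERR_SELF_SIGNED_CHAIN}:
        d.problem = "untrusted_root"
        d.detail = f"self-signed {d.top_issuer!r} is not a trust anchor on the client"
    elif codes & {ERR_NO_LOCAL_ISSUER, ERR_UNVERIFIED_LEAF, ERR_UNTRUSTED}:
        d.problem = "missing_issuer"
        d.detail = (f"server sent {len(d.chain)} certificate(s); issuer {d.top_issuer!r} "
                    "is not in the client's trust store, so no path can be built "
                    "(Java reports this as SunCertPathBuilderException)")
    else:
        d.problem, d.detail = "other", f"unhandled verify errors {sorted(codes)}"
    return d


def alias_from_dn(dn: str) -> str:
    """Derive a keystore alias from the CN of an issuer DN."""
    m = re.search(r"CN=([^/,]+)", dn)
    return (m.group(1) if m else dn).strip().lower().replace(" ", "-")


def trust_import_command(issuer_pem: str, keystore: str, alias: str) -> list:
    """keytool call that adds the issuer CA certificate as a trustedCertEntry.
    -importkeystore, as used in the post, copies the PFX's own entries; it does
    not make the LDAP server's issuer a trust anchor."""
    return ["keytool", "-importcert", "-trustcacerts", "-alias", alias,
            "-file", issuer_pem, "-keystore", keystore]
```

Two caveats worth knowing when reading the posted transcript. First, `openssl s_client -CAfile` expects a PEM bundle of CA certificates; a Java JKS keystore is not PEM, so that test ran with no usable CA at all, and the three `verify error` lines, not the printed `-----BEGIN CERTIFICATE-----` block, are its real result. Second, the certificate to add is the one named on the `i:` line (the issuing CA, obtained from the CA itself), imported as a trusted entry into the keystore that `keystoreLocation` points to, which is what `trust_import_command` builds. Running `diagnose(SAMPLE_MISSING_ISSUER)` reports `missing_issuer` with the AD CA's DN; `diagnose(SAMPLE_OK)` reports `ok`.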


_______________________________________________
sakai-dev mailing list
sakai-dev at collab.sakaiproject.org
http://collab.sakaiproject.org/mailman/listinfo/sakai-dev

TO UNSUBSCRIBE: send email to sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
