[Building Sakai] Sakai 2.8.1 LDAPS problem
İrfan SÜRAL
irfansural at gmail.com
Tue Mar 26 18:32:50 PDT 2013
Nope. I have found many articles and forum posts that describe this. I am good at searching, but if you look at my post, I have imported the keystore (most articles describe this).
That's why I have sent this problem here; there is something I missed, but what?
I am not good with certificates and need more research, I think.
Anyway thanks
Irfan
From: Steve Swinsburg [mailto:steve.swinsburg at gmail.com]
Sent: Wednesday, March 27, 2013 2:38 AM
To: İrfan SÜRAL
Cc: sakai-dev
Subject: Re: [Building Sakai] Sakai 2.8.1 LDAPS problem
If you do a search in your favourite search engine, you'll find heaps of articles about it. It should be straightforward to resolve
On Wed, Mar 27, 2013 at 9:45 AM, İrfan SÜRAL <irfansural at gmail.com> wrote:
Hi Steve
Thank you for reply. Can you give me some suggestions how to solve this problem?
Thanks
Irfan
From: Steve Swinsburg [mailto:steve.swinsburg at gmail.com]
Sent: Wednesday, March 27, 2013 12:24 AM
To: İrfan SÜRAL
Cc: sakai-dev
Subject: Re: [Building Sakai] Sakai 2.8.1 LDAPS problem
Hi,
You've got a problem with your certificate chain
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
cheers,
Steve
On Wed, Mar 27, 2013 at 8:41 AM, İrfan SÜRAL <irfansural at gmail.com> wrote:
Hi All,
I have configured LDAP in Sakai 2.8.1 with no problem. I decided to switch to SSL + LDAP (LDAPS) to be more secure.
I have a cert.pfx file which is used and valid. First of all, I imported the cert.pfx certificate into the keystore with the following command line:
keytool -importkeystore -deststorepass xxxxxx -destkeystore /opt/tomcat/bin/tomcat.keystore -srckeystore /root/cert.pfx -srcstoretype PKCS12 -srcstorepass xxxxxx
After this step I imported it into the certpath with this command line:
keytool -importkeystore -srckeystore tomcat.keystore -destkeystore $JAVA_HOME/jre/lib/security/cacerts
To test the LDAPS connection I used: openssl s_client -connect ldapserver:636 -CAfile /opt/tomcat/bin/tomcat.keystore. The result is OK; I can see the certificate, which starts with -----BEGIN CERTIFICATE-----
After that I have configured Sakai 2.8.1 LDAP provider (sakai/providers/component/src/webapp/WEB-INF/jldap-beans.xml)
I configured the following lines in addition to the previous LDAP configuration (I have success with LDAP but not with LDAPS).
<property name="ldapPort">
    <value>636</value>
</property>
<property name="keystoreLocation">
    <value>/opt/tomcat/bin/tomcat.keystore</value>
</property>
<property name="keystorePassword">
    <value>xxxxx</value>
</property>
<property name="secureConnection">
    <value>true</value>
</property>
<property name="secureSocketFactory">
    <bean class="com.novell.ldap.LDAPJSSESecureSocketFactory" />
</property>
I get the following error when an LDAP user tries to connect.
2013-03-26 22:01:17,288 ERROR http-443-Processor21 edu.amc.sakai.user.JLDAPDirectoryProvider - getUser() failed [eid: 11100008028]
LDAPException: I/O Exception on host ldapserver, port 636 (91) Connect Error
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.novell.ldap.Connection.writeMessage(Unknown Source)
at com.novell.ldap.Connection.writeMessage(Unknown Source)
at com.novell.ldap.Message.sendMessage(Unknown Source)
at com.novell.ldap.MessageAgent.sendMessage(Unknown Source)
To find out what is happening I used a few commands.
Here is what I got.
Command: java -Djavax.net.ssl.trustStore=/usr/java/jdk1.6.0_20/jre/lib/security/cacerts SSLPoke ldapserver 636
Output:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1053)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:128)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:465)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:73)
at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
... 15 more
openssl s_client -connect ldapserver:636 -CAfile /opt/tomcat/bin/tomcat.keystore
CONNECTED(00000003)
depth=0 CN = STUDENTDC1.xxxxxxxx.local
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = STUDENTDC1.xxxxxxxx.local
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = STUDENTDC1.xxxxxxxx.local
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=xxxxxxxxxxxxxxxxx
i:/DC=local/DC=xxxxxxxxx/CN=xxxxxxxxxxx-STUDENTDC1-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFkzCCBPygAwIBAgIKYQ
Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
SSL handshake has read 2992 bytes and written 658 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
What is the problem? Is it an LDAP server problem or a Sakai LDAPS configuration problem?
Any help is really appreciated.
Thanks
Irfan SURAL
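The "unable to find valid certification path to requested target" error in the trace above is raised by the JDK's PKIX path builder when no trusted-certificate entry in the truststore can be reached from the server's certificate. The program below is an added diagnostic, not code from the thread or from Sakai: it loads a JKS truststore and a PEM server certificate (both file names are placeholders you pass on the command line; the PEM can be the "Server certificate" block printed by openssl s_client), lists which entries are trusted-certificate entries versus private-key entries, and then runs the same CertPathBuilder that JSSE uses so the failure can be reproduced and explained outside Tomcat.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Reproduces JSSE's trust decision for one server certificate.
 * Usage: java LdapsTrustCheck <truststore.jks> <storepass> <server-cert.pem>
 * All three arguments are assumed inputs supplied by the operator; the
 * truststore is whatever keystore Sakai's keystoreLocation points at or the
 * JRE's cacerts file.
 */
public class LdapsTrustCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: LdapsTrustCheck <truststore.jks> <storepass> <server-cert.pem>");
            System.exit(2);
        }

        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            trust.load(in, args[1].toCharArray());
        }

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate server;
        try (InputStream in = new FileInputStream(args[2])) {
            server = (X509Certificate) cf.generateCertificate(in);
        }

        System.out.println("server subject : " + server.getSubjectX500Principal());
        System.out.println("server issuer  : " + server.getIssuerX500Principal());

        // keytool -importkeystore from a PKCS12 produces a private-key entry for the
        // server itself. PKIX only treats trusted-certificate entries as anchors, so a
        // truststore holding nothing but that key entry cannot build any path.
        boolean issuerPresent = false;
        System.out.println("truststore entries:");
        for (Enumeration<String> e = trust.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (trust.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) trust.getCertificate(alias);
                System.out.println("  trusted cert " + alias + " -> " + c.getSubjectX500Principal());
                if (c.getSubjectX500Principal().equals(server.getIssuerX500Principal())) {
                    issuerPresent = true;
                }
            } else if (trust.isKeyEntry(alias)) {
                System.out.println("  key entry    " + alias + " (not a trust anchor)");
            }
        }

        // Run the same PKIX builder JSSE's X509TrustManagerImpl delegates to.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(server);
        try {
            PKIXBuilderParameters params = new PKIXBuilderParameters(trust, target);
            params.setRevocationEnabled(false); // isolate chain building from CRL/OCSP lookups
            PKIXCertPathBuilderResult res =
                (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("path built OK, anchor: "
                + res.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (GeneralSecurityException ex) {
            // Two distinct failures land here: no trusted entries at all
            // ("the trustAnchors parameter must be non-empty") and a builder
            // that cannot reach an anchor (the SunCertPathBuilderException in the thread).
            System.out.println("path building FAILED: " + ex.getMessage());
            if (!issuerPresent) {
                System.out.println("-> no trusted-certificate entry has subject "
                    + server.getIssuerX500Principal());
                System.out.println("   the issuing CA certificate is what must be imported as a"
                    + " trusted entry; the server's own .pfx does not satisfy this");
            }
        }
    }
}
```

Run it once against the tomcat.keystore named in jldap-beans.xml and once against the JRE cacerts file, since JLDAPDirectoryProvider's keystoreLocation and the JVM default truststore are separate places and a chain only has to be missing from the one actually consulted. If the server's issuer DN (the DC=local/... CA shown in the openssl chain output) never appears among the trusted-cert entries, the truststore holds the server's key pair rather than its CA, which is exactly the state the stack trace describes.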
_______________________________________________
sakai-dev mailing list
sakai-dev at collab.sakaiproject.org
http://collab.sakaiproject.org/mailman/listinfo/sakai-dev