directory-api mailing list archives

From <Michael.Schm...@t-systems.com>
Subject LdapNetworkConnection using SSL
Date Wed, 27 Feb 2013 12:38:48 GMT
Hello,

I am currently working with version M12 of the Apache LDAP API (this was the latest version
when I began to develop). The connection to the LDAP server is established without SSL, and
it works fine.

For security reasons we want to change the connection to SSL. So I created a keystore file
.keystore which includes the same certificate that I am using with the Apache Directory Studio
client to connect to the LDAP server via SSL. In the Apache Directory Studio client, the certificate
works without problems. Trying to connect with the LDAP API results in an InvalidConnectionException
at the connection.bind statement.

org.apache.directory.ldap.client.api.exception.InvalidConnectionException: SSL handshake failed.
at org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:3808)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1170)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1075)
at org.apache.directory.ldap.client.api.AbstractLdapConnection.bind(AbstractLdapConnection.java:120)
at org.apache.directory.ldap.client.api.AbstractLdapConnection.bind(AbstractLdapConnection.java:105)
at TestSSL.main(TestSSL.java:50)

Here is the code to connect to the LDAP server with the LDAP API:

  import java.io.FileInputStream;
  import java.io.InputStream;
  import java.security.KeyStore;
  import javax.net.ssl.KeyManager;
  import javax.net.ssl.KeyManagerFactory;
  import org.apache.directory.ldap.client.api.LdapConnectionConfig;
  import org.apache.directory.ldap.client.api.LdapNetworkConnection;

  boolean useSSL = true;
  LdapNetworkConnection connection = null;
  LdapConnectionConfig ldapConnectionConfig = null;
  if (useSSL) {
      ldapConnectionConfig = new LdapConnectionConfig();
      ldapConnectionConfig.setUseSsl(true);
      ldapConnectionConfig.setLdapHost(<host>);
      ldapConnectionConfig.setLdapPort(<port>);
      // protocol name handed to SSLContext.getInstance()
      ldapConnectionConfig.setSslProtocol("SSLv3");
      // load the keystore; a load failure now propagates instead of leaving ks uninitialised
      char[] pw = "<password>".toCharArray();
      KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
      try (InputStream fis = new FileInputStream(".keystore")) {
          ks.load(fis, pw);
      }
      // the keystore is only installed as client key material (KeyManagers)
      KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
      keyManagerFactory.init(ks, pw);
      KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
      ldapConnectionConfig.setKeyManagers(keyManagers);
      connection = new LdapNetworkConnection(ldapConnectionConfig);
  }
  else {
      connection = new LdapNetworkConnection(<host>, <port>);
  }
  try {
      connection.bind(<bind string>, <password>);
            ...
With useSSL=false the program works correctly.

Does anyone have an idea what is missing? Could you provide me an example which is working?

Thank you very much.

Regards
Michael Schmitz

T-Systems International GmbH
Systems Integration
GDC Big Data & BI SC BI & CRM
Michael Schmitz
Senior Consultant
Street address: Fasanenweg 5, 70771 Leinfelden-Echterdingen
Postal address: Postfach 100258, 70746 Leinfelden
New: Phone: +49 (711) 999 - 7717
Mobile: +49 (170) 863 1918
E-mail: Michael.Schmitz@T-Systems.com
Internet: http://www.t-systems.com
T-Systems International GmbH <https://systemsnet.telekom.de/tool/de_systemswiki/index.php/Enterprise_Services>
Supervisory Board <https://systemsnet.telekom.de/tool/de_systemswiki/index.php/Aufsichtsrat>:
René Obermann (Chairman)
Management: Reinhard Clemens (Chairman), Dr. Ferri Abolhassan, Dr. Markus Müller,
Georg Pepping, Hagen Rickmann, Klaus Werner
Commercial register: Amtsgericht Frankfurt am Main HRB 55933
Registered office: Frankfurt am Main
WEEE Reg. No. DE50335567

Notice: This transmittal and/or attachments may be privileged or confidential. If you are
not the intended recipient, you are hereby notified that you have received this transmittal
in error; any review, dissemination, or copying is strictly prohibited. If you received this
transmittal in error, please notify us immediately by reply and immediately delete this message
and all its attachments. Thank you.
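
The following is an added, complete example, not code from the post above or from the Apache Directory project. It shows the piece the posted code leaves out: the certificate in the keystore has to be installed as a trust anchor for the server through TrustManagers, whereas setKeyManagers only supplies a client certificate for mutual TLS and does nothing for verifying the server. It assumes the 1.0.0-milestone API (LdapConnectionConfig.setTrustManagers(TrustManager...), LdapNetworkConnection.connect(), isAuthenticated()), Java 7 or later for TLSv1.2 and try-with-resources, and uses placeholder file names (truststore.jks, client.p12) and command-line arguments in place of the host, port, bind DN and passwords.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

public class LdapsExample {

    /** Load a JKS/PKCS12 file (KeyStore.getDefaultType() is JKS up to Java 8, PKCS12 from Java 9). */
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);   // throws instead of silently leaving ks uninitialised
        }
        return ks;
    }

    /** Trust managers that accept only the server / CA certificates found in trustStore. */
    static TrustManager[] trustManagersFrom(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); // "PKIX"
        tmf.init(trustStore);
        return tmf.getTrustManagers();
    }

    /** Key managers presenting a client certificate; only needed if the server demands client auth. */
    static KeyManager[] keyManagersFrom(KeyStore keyStore, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); // "SunX509"
        kmf.init(keyStore, keyPassword);
        return kmf.getKeyManagers();
    }

    /** Check what the store really contains: a trust store needs trustedCert entries, not key entries. */
    static void printEntries(KeyStore ks) throws Exception {
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            String kind = ks.isKeyEntry(alias) ? "key"
                        : ks.isCertificateEntry(alias) ? "trustedCert" : "other";
            String subject = "";
            if (ks.getCertificate(alias) instanceof X509Certificate) {
                subject = ((X509Certificate) ks.getCertificate(alias))
                              .getSubjectX500Principal().getName();
            }
            System.out.println(alias + " [" + kind + "] " + subject);
        }
    }

    public static void main(String[] args) throws Exception {
        // placeholders supplied on the command line: host port bindDn bindPassword storePassword
        String host = args[0];
        int port = Integer.parseInt(args[1]);          // 636 for LDAPS
        String bindDn = args[2];
        String bindPassword = args[3];
        char[] storePassword = args[4].toCharArray();

        KeyStore trustStore = loadKeyStore("truststore.jks", storePassword); // placeholder file name
        printEntries(trustStore);

        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setLdapHost(host);
        config.setLdapPort(port);
        config.setUseSsl(true);
        config.setSslProtocol("TLSv1.2");              // SSLContext protocol name; not "SSLv3"
        config.setTrustManagers(trustManagersFrom(trustStore)); // server certificate verification
        // Only when the server requires a client certificate (mutual TLS):
        // config.setKeyManagers(keyManagersFrom(loadKeyStore("client.p12", storePassword), storePassword));

        LdapNetworkConnection connection = new LdapNetworkConnection(config);
        try {
            connection.connect();  // opens the socket and starts TLS; handshake errors surface here or on the first request
            connection.bind(bindDn, bindPassword);
            System.out.println("bound as " + bindDn + ", authenticated=" + connection.isAuthenticated());
        } finally {
            connection.close();
        }
    }
}
```

If the handshake still fails, the lines printed by printEntries() tell you whether the store actually holds the server's certificate (or its issuing CA) as a trustedCert entry; a store that only contains a key entry is client identity material and does not make the server trusted. Keep the trust store limited to the certificates you expect the server to present rather than falling back to a trust manager that accepts everything.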