From: Michael Schmitz <Michael.Schmitz@t-systems.com>
To: api@directory.apache.org
Date: Wed, 27 Feb 2013 14:39:28 +0100
Subject: Re: LdapNetworkConnection using SSL

Hello Emmanuel,

thank you very much for your answer. The key advice is to use a TrustManager instead of a KeyManager. After replacing the KeyManager with a TrustManager my program works. So my problem is solved.

Regards
Michael Schmitz

-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com]
Sent: Wednesday, 27 February 2013 14:05
To: api@directory.apache.org
Subject: Re: LdapNetworkConnection using SSL

You should not use SSL, but startTLS.

Using SSL in LDAP has been deprecated. Not that it does not work, but it's not the way to secure your connection to the server, as it requires a second port.

Doing something like:

    LdapConnectionConfig tlsConfig = new LdapConnectionConfig();
    tlsConfig.setLdapHost( ... );
    tlsConfig.setLdapPort( ... );
    tlsConfig.setTrustManagers( ... );
    connection = new LdapNetworkConnection( tlsConfig );
    connection.connect();
    connection.startTls();
    connection.bind( ... );

is the correct way to connect to an LDAP server.

On 2/27/13 1:38 PM, Michael.Schmitz@t-systems.com wrote:
> Hello,
>
> I am currently working with version M12 of the Apache LDAP API (this was the latest version when I began to develop). The connection to the LDAP server is established without SSL, and it works fine.
>
> Due to security reasons we want to change the connection to SSL. So I created a keystore file .keystore which includes the same certificate which I am using with the Apache Directory Studio Client to connect to the LDAP server via SSL. In the Apache Directory Studio Client, the certificate works without problems. Trying to connect with the LDAP API results in InvalidConnectionException at the connection.bind statement.
>
> org.apache.directory.ldap.client.api.exception.InvalidConnectionException: SSL handshake failed.
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:3808)
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1170)
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1075)
>     at org.apache.directory.ldap.client.api.AbstractLdapConnection.bind(AbstractLdapConnection.java:120)
>     at org.apache.directory.ldap.client.api.AbstractLdapConnection.bind(AbstractLdapConnection.java:105)
>     at TestSSL.main(TestSSL.java:50)
>
> Here is the code to connect to the LDAP server with the LDAP API:
>
>     boolean useSSL = true;
>     LdapNetworkConnection connection = null;
>     LdapConnectionConfig ldapConnectionConfig = null;
>     if (useSSL) {
>         ldapConnectionConfig = new LdapConnectionConfig();
>         ldapConnectionConfig.setUseSsl(true);
>         ldapConnectionConfig.setLdapHost();
>         ldapConnectionConfig.setLdapPort();
>         ldapConnectionConfig.setSslProtocol("SSLv3");
>         char[] pw = null;
>         KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
>         try {
>             FileInputStream fis = new FileInputStream(".keystore");
>             pw = new String("").toCharArray();
>             ks.load(fis, pw);
>         }
>         catch (Exception e) {
>             e.printStackTrace();
>         }
>         KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
>         keyManagerFactory.init(ks, pw);
>         KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
>         ldapConnectionConfig.setKeyManagers(keyManagers);
>         connection = new LdapNetworkConnection(ldapConnectionConfig);
>     }
>     else {
>         connection = new LdapNetworkConnection(, );
>     }
>     try {
>         connection.bind(, );
>         ...
>
> With useSSL=false the program works right.
>
> Does anyone have an idea what is missing? Could you provide me an example which is working?
>
> Thank you very much.
>
> Regards
> Michael Schmitz
>
> T-Systems International GmbH
> Systems Integration
> GDC Big Data & BI SC BI & CRM
> Michael Schmitz
> Senior Consultant
> Street address: Fasanenweg 5, 70771 Leinfelden-Echterdingen
> Postal address: Postfach 100258, 70746 Leinfelden
> New: Phone: +49 (711) 999 - 7717
> Mobile: +49 (170) 863 1918
> E-Mail: Michael.Schmitz@T-Systems.com
> Internet:
>
> T-Systems International GmbH
> Supervisory Board: René Obermann (Chairman)
> Management Board: Reinhard Clemens (Chairman), Dr. Ferri Abolhassan, Dr. Markus Müller, Georg Pepping, Hagen Rickmann, Klaus Werner
> Commercial register: Amtsgericht Frankfurt am Main HRB 55933
> Registered office: Frankfurt am Main
> WEEE-Reg.-Nr. DE50335567

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
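The fix the thread converges on, written out as a complete, added example (this is not code from the thread or from the Apache Directory project): the server's CA certificate is loaded from a truststore into a TrustManager, which tells the client which server certificates to accept, and the connection is upgraded with StartTLS on the standard port instead of opening a second, SSL-only port. A KeyManager, which the original code used, serves the opposite purpose: it presents the client's own certificate for client authentication and does nothing to validate the server. Hostname, port, truststore path, password and bind DN are placeholders; the `TLSv1.2` protocol string and the package names are assumptions taken from the 1.0.x releases of the API rather than the M12 snapshot mentioned above.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

/**
 * Added example: server-authenticated LDAP connection via StartTLS.
 * The truststore holds only the CA certificate that issued the LDAP
 * server's certificate; no client key material is needed for this.
 */
public class StartTlsExample {

    /**
     * Builds TrustManagers from a JKS/PKCS12 truststore on disk.
     * Path and password are placeholders supplied by the caller.
     */
    static TrustManager[] loadTrustManagers(String truststorePath, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore truststore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(truststorePath)) {
            truststore.load(in, password);
        }
        // The default algorithm (PKIX on Oracle/OpenJDK) performs full
        // chain validation against the certificates in the truststore.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        return tmf.getTrustManagers();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values; replace with your own environment's settings.
        String host = "ldap.example.com";
        int port = 389;                       // plain LDAP port; StartTLS upgrades it
        String truststorePath = "truststore.jks";
        char[] truststorePassword = "changeit".toCharArray();
        String bindDn = "cn=reader,ou=people,dc=example,dc=com";
        String bindPassword = "reader-password";

        TrustManager[] trustManagers = loadTrustManagers(truststorePath, truststorePassword);

        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setLdapHost(host);
        config.setLdapPort(port);
        // No setUseSsl(true): that would expect an SSL-only listener (ldaps).
        // A TrustManager, not a KeyManager, is what validates the server.
        config.setTrustManagers(trustManagers);
        // Assumed setting: pin the handshake to TLS 1.2 rather than SSLv3.
        config.setSslProtocol("TLSv1.2");

        LdapNetworkConnection connection = new LdapNetworkConnection(config);
        try {
            connection.connect();
            // Upgrade the existing plaintext session to TLS before any
            // credentials are sent. A server certificate that does not
            // chain to the truststore fails here, not at bind().
            connection.startTls();
            connection.bind(bindDn, bindPassword);
            System.out.println("authenticated: " + connection.isAuthenticated());
        } finally {
            connection.close();
        }
    }
}
```

Two points worth keeping in mind when adapting this: the truststore should contain only the CA (or the server's own certificate), never the client's private key, so a file with an empty password is acceptable only if it holds public material; and the library's convenience NoVerificationTrustManager, which accepts any server certificate, removes the server authentication that was the reason for enabling TLS in the first place, so it belongs in throwaway test code at most.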