From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: LdapNetworkConnection - SSL handshake failed
Date Tue, 18 Mar 2014 17:21:07 GMT
On Tue, Mar 18, 2014 at 10:44 PM, Flavio Mattos <flaviomattos86@gmail.com> wrote:

> Hi Kiran.. thank you for replying to my message...
>
> I tried to do what you suggested and it did not work. I have attached the
> stack trace.. it keeps giving me LdapNetworkConnection - SSL handshake
> failed.
>
Please post the stack trace as well.

>
> public static void initConnection() throws LdapException, IOException {
>     if (conn == null) {
>         LdapConnectionConfig connectionConfig = new LdapConnectionConfig();
>         connectionConfig.setLdapHost("myhost");
>         connectionConfig.setLdapPort(636);
>         connectionConfig.setName("cn=Manager,dc=example,dc=com");
>         connectionConfig.setCredentials("mypass");
>         connectionConfig.setUseSsl(true);
>         connectionConfig.setSslProtocol("SSLv3");
>         conn = new LdapNetworkConnection(connectionConfig);
>
>         conn.connect();
>         conn.bind();
>     }
> }
>
> I also tried the following code using TLS and trust managers but this time
> it gives me a Protocol error
>
> org.apache.directory.api.ldap.model.exception.LdapOperationException:
> PROTOCOL_ERROR: The server will disconnect!
> at org.apache.directory.ldap.client.api.LdapNetworkConnection.startTls(LdapNetworkConnection.java:3678)
>
> public static void initConnection() throws LdapException, IOException {
>     if (conn == null) {
>         LdapConnectionConfig connectionConfig = new LdapConnectionConfig();
>
>         try {
>             FileInputStream fis = new FileInputStream("server.jks");
>             TrustManagerFactory tmf =
>                     TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
>             KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
>             char[] password = "myCertPass".toCharArray();
>
>             keyStore.load(fis, password);
>             tmf.init(keyStore);
>             connectionConfig.setTrustManagers(tmf.getTrustManagers());
>         } catch (NoSuchAlgorithmException ex) {
>             ex.printStackTrace(System.out);
>         } catch (KeyStoreException ex) {
>             ex.printStackTrace(System.out);
>         } catch (CertificateException ex) {
>             ex.printStackTrace(System.out);
>         }
>
>         connectionConfig.setLdapHost("myhost");
>         connectionConfig.setLdapPort(636);
>         connectionConfig.setName("cn=Manager,dc=example,dc=com");
>         connectionConfig.setCredentials("mypass");
>         connectionConfig.setSslProtocol("SSLv3");
>         connectionConfig.setUseTls(true);
>         conn = new LdapNetworkConnection(connectionConfig);
>         conn.connect();
>         conn.startTls();
>     }
> }
>
>
> Thanks in advance
>
> Flavio
>
>
> On Mon, Mar 17, 2014 at 7:33 PM, Kiran Ayyagari <kayyagari@apache.org> wrote:
>
>> On Tue, Mar 18, 2014 at 6:36 AM, Flavio Mattos <flaviomattos86@gmail.com> wrote:
>>
>> > Hi guys..
>> >
>> > I have been trying to connect to an OpenLDAP server using SSL/LDAPS.
>> > I can connect to that server using Apache Studio (via LDAPS) and I would
>> > like to connect to the same server using the Apache API.
>> >
>> > This is the code... One detail is that I generated the key in the server
>> > using openssl
>> >
>> >
>> > Then I have done some research and some people say that I need to
>> > generate a key in the Java pattern.. so then I generated a PKCS #12 key
>> > store using something like
>> >
>> you don't need to do this unless you want your client to be verified
>> with the server
>>
>> > openssl pkcs12 -export -in cert.pem -inkey key.pem > server.p12
>> > and then
>> > keytool -importkeystore -srckeystore server.p12 -destkeystore server.jks -srcstoretype pkcs12
>> >
>> >
>> > I have attached the stacktrace..
>> > The exception happens in the bind method
>> >
>> > public static void initConnection() throws LdapException, IOException {
>> >
>> > LdapConnection conn ...
>> >
>> >     if (conn == null) {
>> >         LdapConnectionConfig connectionConfig = new LdapConnectionConfig();
>> >         KeyManagerFactory keyManagerFactory = null;
>> >         try {
>> >             FileInputStream fis = new FileInputStream("server.jks");
>> >
>> >             keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
>> >             KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
>> >             char[] password = "mykeyPass".toCharArray();
>> >
>> >             keyStore.load(fis, password);
>> >             keyManagerFactory.init(keyStore, password);
>> >             connectionConfig.setKeyManagers(keyManagerFactory.getKeyManagers());
>> >         } catch (NoSuchAlgorithmException ex) {
>> >             ex.printStackTrace(System.out);
>> >         } catch (KeyStoreException ex) {
>> >             ex.printStackTrace(System.out);
>> >         } catch (UnrecoverableKeyException ex) {
>> >             ex.printStackTrace(System.out);
>> >         } catch (CertificateException ex) {
>> >             ex.printStackTrace(System.out);
>> >         }
>> >
>> >
>> just drop all the above KeyManager code and the client will work.
>>
>> >         connectionConfig.setLdapHost("myhost");
>> >         connectionConfig.setLdapPort(636);
>> >         connectionConfig.setName("cn=Manager,dc=example,dc=com");
>> >         connectionConfig.setCredentials("mypass");
>> >         connectionConfig.setUseSsl(true);
>> >         connectionConfig.setSslProtocol("SSLv3");
>> >         conn = new LdapNetworkConnection(connectionConfig);
>> >
>> >         conn.connect();
>> >         conn.bind();
>> >     }
>> > }
>> >
>> note that by default the client will trust any X509 certificate used by
>> the server, if you want to restrict it then a custom trust manager must
>> be provided and set using connectionConfig.setTrustManagers()
>>
>> > Thanks
>> > Flavio
>> >
>>
>>
>>
>> --
>> Kiran Ayyagari
>> http://keydap.com
>>
>
>


-- 
Kiran Ayyagari
http://keydap.com
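The following is an added illustration of the connection the thread is trying to establish; it is not code from either poster or from the Apache Directory project. It uses the same API calls that appear in the thread (LdapConnectionConfig, setUseSsl, setSslProtocol, setTrustManagers, LdapNetworkConnection, connect, bind) but pins trust to a truststore holding the server's CA certificate instead of the default trust-any-certificate behaviour Kiran describes, selects a TLS protocol version instead of SSLv3, reads secrets from the environment rather than string literals, and connects directly on the LDAPS port without calling startTls(), which issues the StartTLS extended operation over a still-plaintext connection and belongs on the standard LDAP port, not on 636. The class name, host name, truststore path and environment variable names are assumed placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

/** Example LDAPS client with explicit server trust (assumed names, not project code). */
public class LdapsClientExample {

    // Placeholder values: replace with your own server, bind DN and truststore.
    private static final String LDAP_HOST = "ldap.example.com";
    private static final int LDAPS_PORT = 636;
    private static final String BIND_DN = "cn=Manager,dc=example,dc=com";
    private static final String TRUSTSTORE_PATH = "truststore.jks";

    /**
     * Builds trust managers that accept only server certificates chaining to a CA
     * in the given truststore. The stream is closed even if loading fails.
     */
    static TrustManager[] loadTrustManagers(String path, char[] storePassword)
            throws IOException, GeneralSecurityException {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, storePassword);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf.getTrustManagers();
    }

    /** LDAPS configuration: TLS from the first byte, restricted trust, modern protocol. */
    static LdapConnectionConfig buildConfig(TrustManager[] trustManagers, String bindPassword) {
        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setLdapHost(LDAP_HOST);
        config.setLdapPort(LDAPS_PORT);
        config.setUseSsl(true);                  // LDAPS: handshake happens in connect(), no startTls()
        config.setSslProtocol("TLSv1.2");        // JSSE protocol name; SSLv3 is obsolete and widely disabled
        config.setTrustManagers(trustManagers);  // replaces the default trust-everything manager
        config.setName(BIND_DN);
        config.setCredentials(bindPassword);
        return config;
    }

    private static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("environment variable " + name + " is not set");
        }
        return value;
    }

    public static void main(String[] args) throws Exception {
        // Secrets come from the environment (assumed variable names) rather than source literals.
        String storePassword = requireEnv("TRUSTSTORE_PASSWORD");
        String bindPassword = requireEnv("LDAP_BIND_PASSWORD");

        TrustManager[] trustManagers = loadTrustManagers(TRUSTSTORE_PATH, storePassword.toCharArray());
        LdapConnectionConfig config = buildConfig(trustManagers, bindPassword);

        LdapNetworkConnection conn = new LdapNetworkConnection(config);
        try {
            conn.connect();  // TLS handshake: an untrusted server certificate fails here, before any bind
            conn.bind();     // simple bind with BIND_DN/credentials, only over the authenticated channel
            System.out.println("bound as " + BIND_DN + ", authenticated=" + conn.isAuthenticated());
        } finally {
            conn.close();
        }
    }
}
```

Run it with TRUSTSTORE_PASSWORD and LDAP_BIND_PASSWORD set and a truststore that contains the CA that issued the server certificate (for a self-signed OpenSSL certificate as in the thread, the certificate itself). Two points worth checking against your own deployment: a truststore-backed TrustManager validates the certificate chain, but whether the host name is also checked against the certificate depends on the API version and its endpoint-identification settings, so confirm that separately; and a handshake that fails with a restricted trust manager is the expected outcome for a server whose certificate is not in the truststore, which is exactly the check the default trust-all manager skips.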
