directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Zoerner <>
Subject Re: Using Ldaps With Apacheds 1.5.5
Date Wed, 17 Dec 2008 19:30:16 GMT
Hi William,

William Wilkins wrote:
> I am attempting to enabled ldaps using the apacheds 1.5.5 revision 
> 725332. I am unsure of where to specify the external keystore file I 
> would like to use for secure authentication. The 1.0 branch used spring 
> with the MutableServerConfuration bean but I cannot find where that 
> should be set in the 1.5 branch. The apacheds server seems to have a 
> TlsKeyGenerator now but it does not seem to be configurable outside of 
> the source code.

In 1.5, ApacheDS creates a Key Pair when it starts the first time, and 
stores it in the DIT.

To be more concrete the keys are stored in the entry uid=admin,ou=system

It is possible to change the values, but unfortunatly, there is no 
tooling to support you here.

> Does apacheds only support its own keypair sets now? If no where do I 
> specify my own keystore files? If yes do I have to edit the source to 
> adjust the key generator parameters or is there an xbean adjustment for 
> them?

Currently, I assume yes. Does anybody know it better on the list?

> Assuming the server generates the keypair the wrapper.log shows that the 
> ldaps service is started but then I receive the following error.
> WARN [] - 
> [/] Unexpected exception forcing session to close: 
> sending disconnect notice to client.
> SSL handshake failed. at 
> org.apache.mina.filter.SSLFilter.messageReceived(
> at ...
> The SSL message exception leads me to think the server doesn't generate 
> certificates needed for encryption which brings up the question of why 
> should the ldaps service start if it is unable to be utilized?

I assume the error occures because the client does not trust the 
certificate, the server creates.

At least I am able to connect to my 1.5.4 server with SSL, if I use a 
client which does not trust the certificate, I get the same error.

View raw message