incubator-jspwiki-user mailing list archives

From Jim Willeke <...@willeke.com>
Subject Re: Web Container Authentication Via LDAP
Date Thu, 15 Oct 2009 08:52:08 GMT
Do you have the connector using the correct parameters for the keystore?
The entries should/could be something like:

    <!-- Define an SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false"
               disableUploadTimeout="true"
               debug="99"
               acceptCount="100"
               scheme="https"
               secure="true"
               keystoreFile="<keystore_filename>"
               keystorePass="changeit"
               truststoreFile="<trustcacerts-filename>"
               truststorePass="changeit"
               clientAuth="false"
               sslProtocol="TLS" />

-jim
Jim Willeke


On Wed, Oct 14, 2009 at 5:19 PM, Andrew Jaquith
<andrew.r.jaquith@gmail.com> wrote:

> I don't know what to tell you, exactly. You can try troubleshooting
> Tomcat's SSL connection by adding this to your CATALINA_OPTS
> environment variable:
>
> -Djavax.net.debug=all
>
> You'll see a LOT of diagnostic information as a result. You can also
> fine-tune SSL debugging so you just see trust-store issues, for
> example. See the docs here:
>
> http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/ReadDebug.html
>
> If that doesn't work, then you likely have deeper LDAP connectivity
> problems than just SSL certificates. You should figure out what those
> are before proceeding further with the Java certificate store
> troubleshooting.
>
> What you should do in that case is use a different LDAP client (for
> example, the Unix 'ldapsearch' command line tool) to verify that you
> can connect to LDAP outside of Tomcat. Once you know the exact base
> DN, search string, SSL setting, etc to use, you'll know how to
> configure it in Tomcat.
>
> I can't give you much more guidance than that. Please don't ask for
> detailed HOWTOs on either of these points -- Google is your friend,
> and will be friendlier to you than I am willing to be at this point.
> Frankly, this is not really a JSPWiki issue -- it's a Tomcat issue.
> You might also want to try the tomcat-user mailing list.
>
> Andrew
>
> On Mon, Oct 12, 2009 at 4:54 AM, anilkumarkatta
> <anilkumarkatta@gmail.com> wrote:
> >
> > yes, i did.
> >
> > I have multiple installations on my machine with different versions of the
> > JVM. I installed the new certificates using the InstallCert.java program as
> > suggested and cross-checked those installed certs in the cacerts file using
> > the keytool list command.
> >
> > Still the same issue. Does the application war require any .jks or
> > .cer files?
> >
> > Please advise
> >
> >
> > Jim Willeke wrote:
> >>
> >> Did you look in the jre?
> >>
> >> If you are using a JDK then the file would be:
> >> \jdk1.6.0_14\jre\lib\security\cacerts
> >>
> >>
> >> -jim
> >> Jim Willeke
> >>
> >>
> >> On Fri, Oct 9, 2009 at 5:51 AM, anilkumarkatta
> >> <anilkumarkatta@gmail.com> wrote:
> >>
> >>>
> >>>
> >>> Hi All
> >>>
> >>> Thanks for your replies.
> >>>
> >>> I have tried installing the SSL for the URL, but same issue.
> >>>
> >>> I took some time to check how the existing URL's SSL is done in the
> >>> keystore, but found nothing in java_home/lib/security.
> >>>
> >>> How can there be no SSL certificates in the keystore?
> >>>
> >>> If the keystore exists at app level, where is it saved in the
> >>> application?
> >>>
> >>> Thanks again for the replies.
> >>>
> >>> -Anil
> >>>
> >>>
> >>> Andrew Jaquith-4 wrote:
> >>> >
> >>> > You are pretty new to this whole Java thing aren't you?
> >>> >
> >>> > It appears that 1) your LDAP server requires SSL (a good thing!) and
> >>> > that 2) your LDAP's SSL certificate is self-signed and therefore not
> >>> > trusted.
> >>> >
> >>> > Java keeps an internal list of SSL certs it trusts. Your self-signed
> >>> > CA is not one of them. You need to add the SSL certificate CA (that
> >>> > is, the self-signed root) to your local JSSE trusted certificate
> >>> > store. This is at $JAVA_HOME/lib/security/cacerts.
> >>> >
> >>> > The Java command line tool "keytool" can do this. You can also use my
> >>> > SSLHelper class, part of my freshcookies-security.jar that ships with
> >>> > JSPWiki. Indeed, I wrote it for just this situation. See the docs at
> >>> > freshcookies.org for details.
> >>> >
> >>> > With either approach, you will need appropriate admin rights to modify
> >>> > the truststore.
> >>> >
> >>> > Andrew
> >>> >
> >>> > On Oct 6, 2009, at 8:29, anilkumarkatta <anilkumarkatta@gmail.com>
> >>> > wrote:
> >>> >
> >>> >>
> >>> >>
> >>> >> ....contd.
> >>> >> Caused by: javax.net.ssl.SSLHandshakeException:
> >>> >> sun.security.validator.ValidatorException: PKIX path building failed:
> >>> >> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> >>> >> valid certification path to requested target
> >>> >>
> >>> >>
> >>> >> anilkumarkatta wrote:
> >>> >>>
> >>> >>> Hi All
> >>> >>>
> >>> >>> I have tried to authenticate via LDAP server with all the configuration
> >>> >>> procedure explained in the URL
> >>> >>> http://www.jspwiki.org/wiki/WebContainerAuthenticationViaLDAP
> >>> >>> with user-provided LDAP settings. I got the firewall team to get the
> >>> >>> secure port opened from where the application is talking to the LDAP.
> >>> >>>
> >>> >>> I am getting this exception at the start of the application
> >>> >>>
> >>> >>>
> >>> >>> 2009-10-06 22:14:04,581 [Thread-2] INFO org.apache.catalina.tribes.membership.McastService - Done sleeping, membership established, start level:4
> >>> >>> 2009-10-06 22:14:04,581 [Thread-2] INFO org.apache.catalina.tribes.membership.McastService - Sleeping for 1000 milliseconds to establish cluster membership, start level:8
> >>> >>> 2009-10-06 22:14:05,581 [Thread-2] INFO org.apache.catalina.tribes.membership.McastService - Done sleeping, membership established, start level:8
> >>> >>> 2009-10-06 22:14:06,144 [Thread-2] WARN org.apache.catalina.core.ContainerBase.[Catalina] - Exception performing authentication
> >>> >>> javax.naming.CommunicationException: simple bind failed: ARTE001.MYDOMAIN.AK.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
> >>> >>>    at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
> >>> >>>    at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
> >>> >>>    at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
> >>> >>>
> >>> >>>
> >>> >>> whereas when I place other details of the LDAP it's working fine.
> >>> >>> Does this require any certification files like .jks files.. if so,
> >>> >>> where shall I place them?
> >>> >>>
> >>> >>> your replies are most welcome
> >>> >>>
> >>> >>> Regards,
> >>> >>> -Anil Katta
> >>> >>>
> >>> >>
> >>> >> --
> >>> >> View this message in context:
> >>> >> http://www.nabble.com/Web-Container-Authentication-Via-LDAP-tp25767713p25767801.html
> >>> >> Sent from the JspWiki - User mailing list archive at Nabble.com.
> >>> >>
> >>> >
> >>> >
> >>>
> >>>
> >>>
> >>
> >>
> >
> >
> >
>
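Added example, not from the thread and not JSPWiki's or Tomcat's own code: a small Java program that performs the same JNDI simple bind over LDAPS that Tomcat's realm does, and tells the truststore failure seen above apart from a connectivity or credential failure. The hostname, bind DN, password and truststore path are placeholders.

```java
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.net.ssl.SSLHandshakeException;

// Added example, not from the thread: the JNDI bind Tomcat's JNDIRealm performs, with the
// failure classified so a missing CA in the truststore is not mistaken for a credential
// or connectivity problem. Host, bind DN, password and truststore path are placeholders.
public class LdapsTrustCheck {
    enum Result { OK, UNTRUSTED_CERT, UNREACHABLE, BIND_REJECTED }
    static Result bind(String url, String bindDn, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);                       // ldaps:// defaults to port 636
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialDirContext(env).close();
            return Result.OK;
        } catch (CommunicationException ce) {
            // The thread's "simple bind failed ... [Root exception is SSLHandshakeException:
            // ... PKIX path building failed ...]" arrives here with the SSL error as root cause.
            return ce.getRootCause() instanceof SSLHandshakeException
                    ? Result.UNTRUSTED_CERT : Result.UNREACHABLE;
        } catch (NamingException ne) {
            return Result.BIND_REJECTED;   // TLS was fine; the server refused the DN/password
        }
    }
    public static void main(String[] args) {
        // Point the JVM at the truststore that holds the LDAP server's (self-signed) CA;
        // without this property it falls back to the JRE's lib/security/cacerts.
        System.setProperty("javax.net.ssl.trustStore", "/path/to/truststore.jks"); // placeholder
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
        Result r = bind("ldaps://ldap.example.com:636",
                        "cn=wiki,ou=services,dc=example,dc=com", "secret");
        switch (r) {
            case UNTRUSTED_CERT:
                System.out.println("Import the LDAP CA into that truststore (keytool -importcert)");
                break;
            case UNREACHABLE:
                System.out.println("Check host, port and firewall first (e.g. with ldapsearch)");
                break;
            default:
                System.out.println("Result: " + r);
        }
    }
}
```

Running it with the truststore Tomcat actually uses reproduces the realm's outcome without restarting the container, so an UNTRUSTED_CERT result means the CA import went into the wrong file or the wrong JRE.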
