jspwiki-user mailing list archives

From Andrew Jaquith <andrew.r.jaqu...@gmail.com>
Subject Re: Web Container Authentication Via LDAP
Date Wed, 14 Oct 2009 21:19:34 GMT

I don't know what to tell you, exactly. You can try troubleshooting
Tomcat's SSL connection by adding this to your CATALINA_OPTS
environment variable:

-Djavax.net.debug=all

You'll see a LOT of diagnostic information as a result. You can also
fine-tune SSL debugging so you just see trust-store issues, for
example. See the docs here:

http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/ReadDebug.html

If that doesn't work, then you likely have deeper LDAP connectivity
problems than just SSL certificates. You should figure out what those
are before proceeding further with the Java certificate store
troubleshooting.

What you should do in that case is use a different LDAP client (for
example, the Unix 'ldapsearch' command line tool) to verify that you
can connect to LDAP outside of Tomcat. Once you know the exact base
DN, search string, SSL setting, etc to use, you'll know how to
configure it in Tomcat.

I can't give you much more guidance than that. Please don't ask for
detailed HOWTOs on either of these points -- Google is your friend,
and will be friendlier to you than I am willing to be at this point.
Frankly, this is not really a JSPWiki issue -- it's a Tomcat issue.
You might also want to try the tomcat-user mailing list.

Andrew

On Mon, Oct 12, 2009 at 4:54 AM, anilkumarkatta
<anilkumarkatta@gmail.com> wrote:
>
> Yes, I did.
>
> I have multiple installations on my machine with different versions of the
> JVM. I installed the new certificates using the InstallCert.java program as
> suggested and cross-checked those installed certs in the cacerts file using
> the keytool list command.
>
> Still the same issue. Does the application war require any .jks files or
> .cer file?
>
> Please advise
>
>
> Jim Willeke wrote:
>>
>> Did you look in the jre?
>>
>> If you are using a JDK then the file would be:
>> \jdk1.6.0_14\jre\lib\security\cacerts
>>
>>
>> -jim
>> Jim Willeke
>>
>>
>> On Fri, Oct 9, 2009 at 5:51 AM, anilkumarkatta
>> <anilkumarkatta@gmail.com> wrote:
>>
>>>
>>>
>>> Hi All
>>>
>>> Thanks for your replies.
>>>
>>> I have tried installing the SSL for the URL, but same issue.
>>>
>>> I took some time to check how the existing URL's SSL is done in the
>>> keystore,
>>> but found nothing in java_home/lib/security.
>>>
>>> How can there be no SSL certificates in the keystore?
>>>
>>> If the keystore exists at app level, where is it saved in the
>>> application?
>>>
>>> Thanks again for the replies.
>>>
>>> -Anil
>>>
>>>
>>> Andrew Jaquith-4 wrote:
>>> >
>>> > You are pretty new to this whole Java thing aren't you?
>>> >
>>> > It appears that 1) your LDAP server requires SSL (a good thing!) and
>>> > that 2) your LDAP's SSL certificate is self-signed and therefore not
>>> > trusted.
>>> >
>>> > Java keeps an internal list of SSL certs it trusts. Your self-signed
>>> > CA is not one of them. You need to add the SSL certificate CA (that
>>> > is, the self-signed root) to your local JSSE trusted certificate
>>> > store. This is at $JAVA_HOME/lib/security/cacerts.
>>> >
>>> > The Java command line tool "keytool" can do this. You can also use my
>>> > SSLHelper class, part of my freshcookies-security.jar that ships with
>>> > JSPWiki. Indeed, I wrote it for just this situation. See the docs at
>>> > freshcookies.org for details.
>>> >
>>> > With either approach, you will need appropriate admin rights to modify
>>> > the truststore.
>>> >
>>> > Andrew
>>> >
>>> > On Oct 6, 2009, at 8:29, anilkumarkatta <anilkumarkatta@gmail.com>
>>> > wrote:
>>> >
>>> >>
>>> >>
>>> >> ....contd.
>>> >> Caused by: javax.net.ssl.SSLHandshakeException:
>>> >> sun.security.validator.ValidatorException: PKIX path building failed:
>>> >> sun.security.provider.certpath.SunCertPathBuilderException: unable
>>> >> to find
>>> >> valid certification path to requested target
>>> >>
>>> >>
>>> >> anilkumarkatta wrote:
>>> >>>
>>> >>> Hi All
>>> >>>
>>> >>> I have tried to authenticate via LDAP server with all the
>>> >>> configuration
>>> >>> procedure explained in the URL
>>> >>> http://www.jspwiki.org/wiki/WebContainerAuthenticationViaLDAP
>>> >>> with a user provided LDAP settings, I got firewall team to get the
>>> >>> secure
>>> >>> port open from where application is talking to the LDAP.
>>> >>>
>>> >>> I am getting this exception at the start of the application
>>> >>>
>>> >>>
>>> >>> 2009-10-06 22:14:04,581 [Thread-2] INFO
>>> >>> org.apache.catalina.tribes.membership.McastService - Done sleeping,
>>> >>> membership established, start level:4
>>> >>> 2009-10-06 22:14:04,581 [Thread-2] INFO
>>> >>> org.apache.catalina.tribes.membership.McastService - Sleeping for
>>> >>> 1000
>>> >>> milliseconds to establish cluster membership, start level:8
>>> >>> 2009-10-06 22:14:05,581 [Thread-2] INFO
>>> >>> org.apache.catalina.tribes.membership.McastService - Done sleeping,
>>> >>> membership established, start level:8
>>> >>> 2009-10-06 22:14:06,144 [Thread-2] WARN
>>> >>> org.apache.catalina.core.ContainerBase.[Catalina] - Exception
>>> >>> performing
>>> >>> authentication
>>> >>> javax.naming.CommunicationException: simple bind failed:
>>> >>> ARTE001.MYDOMAIN.AK.com:636 [Root exception is
>>> >>> javax.net.ssl.SSLHandshakeException:
>>> >>> sun.security.validator.ValidatorException: PKIX path building failed:
>>> >>> sun.security.provider.certpath.SunCertPathBuilderException: unable
>>> >>> to find
>>> >>> valid certification path to requested target]
>>> >>>    at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
>>> >>>    at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
>>> >>>    at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
>>> >>>
>>> >>>
>>> >>> Whereas when I place other details of the LDAP, it's working fine.
>>> >>> Does this require any certification files like .jks files? If so,
>>> >>> where
>>> >>> shall I place them?
>>> >>>
>>> >>> Your replies are most welcome
>>> >>>
>>> >>> Regards,
>>> >>> -Anil Katta
>>> >>>
>>> >>
>>> >>
>>> >
>>> >
>>>
>>>
>>>
>>
>>
>
>
>
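
An added example (not part of the original thread, JSPWiki or Tomcat): with several JVMs on one machine, as described above, a certificate imported into one JVM's trust store is invisible to a Tomcat running on another. This script reports, for each JVM home given, which default trust store JSSE reads and whether a given alias is in it; the function names, the alias and the store password are the reader's own values, and the JVM homes to pass are whatever JAVA_HOME or JRE_HOME Tomcat is started with plus any others installed.

```shell
#!/bin/sh
# Added example: check which trust store each installed JVM reads by default
# and whether the LDAP server's CA certificate was imported into it.

# Print the trust store a JVM rooted at $1 uses when javax.net.ssl.trustStore
# is not set: JSSE prefers lib/security/jssecacerts and falls back to cacerts.
# A JDK of that era keeps its runtime under jre/, so that layout is tried first.
find_truststore() {
    for home in "$1/jre" "$1"; do
        for name in jssecacerts cacerts; do
            if [ -f "$home/lib/security/$name" ]; then
                printf '%s\n' "$home/lib/security/$name"
                return 0
            fi
        done
    done
    return 1
}

# Return 0 if alias $2 exists in key store $1 (store password $3).
has_alias() {
    keytool -list -keystore "$1" -storepass "$3" -alias "$2" >/dev/null 2>&1
}

# Usage: sh script.sh ALIAS STOREPASS JAVA_HOME [JAVA_HOME...]
if [ "$#" -ge 3 ]; then
    alias_name=$1; storepass=$2; shift 2
    for jvm in "$@"; do
        if ! store=$(find_truststore "$jvm"); then
            echo "$jvm: no trust store found"
        elif has_alias "$store" "$alias_name" "$storepass"; then
            echo "$jvm: $store contains '$alias_name'"
        else
            echo "$jvm: $store is MISSING '$alias_name'"
        fi
    done
fi
```

A JVM reported as MISSING the alias will keep failing with the PKIX path building error until the CA certificate is imported into the store named on that line.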
