tomcat-users mailing list archives

From "Jeff Tulley" <JTUL...@novell.com>
Subject Re: JNDIRealm using LDAP with SSL
Date Mon, 28 Jul 2003 17:16:50 GMT
We've done exactly that.  What you need to do is import the root
certificate into a .keystore file.  I'm not sure if Tomcat will pick up
the default cacerts file, or if you always have to specify it like we
did (-Djavax.net.ssl.trustStore=sys:/adminsrv/conf/.keystore etc.).  My
guess is that you can set that in the java.security file in
java\lib\security instead of specifying it on the command line.

If you are doing this on a NetWare server, here is something similar to
what we use to import the certificate:

keytool -import -v -noprompt -trustcacerts -file sys:/public/RootCert.der -keystore sys:/adminsrv/conf/.keystore -storepass changeit

If you are running eDirectory on something besides the server, I'm not
exactly sure how to get the RootCert.der file, I'm guessing it can be
done as an export from ConsoleOne.  

Oh, I just read the bottom of your message where you said you have done
some work with the keystore.  It looks like the documentation is a
little different for just setting up the SSL connector.  Try doing the
import of the root certificate and see if it works any better.  

Good luck,

Jeff Tulley  (jtulley@novell.com)
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com
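As an added example (not from Jeff's or Chris's message, and not Tomcat's own code): a small stand-alone JNDI client that performs the same simple bind JNDIRealm performs, against a truststore named on the command line. Running it with the .keystore produced by the keytool import above tells you whether the trust problem is fixed before Tomcat is restarted, and its walk of the cause chain separates the "No trusted certificate found" case from a wrong bind DN or password. The class name LdapsBindCheck, the argument order and the default truststore password "changeit" are assumptions; the URL, DN and keystore path in the usage comment are the ones from this thread.

```java
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.ssl.SSLException;

/**
 * Added diagnostic, not part of Tomcat: reproduces the simple bind that
 * org.apache.catalina.realm.JNDIRealm performs, using a truststore that holds
 * the directory's root certificate (the .keystore produced by keytool -import).
 *
 * Usage (URL, DN and keystore path from the thread; password "changeit" assumed):
 *   java LdapsBindCheck ldaps://10.1.1.50:636 \
 *        "cn=TOMCAT,ou=WebAppUser,ou=MyOU,o=MyCompany" password \
 *        sys:/adminsrv/conf/.keystore changeit
 */
public class LdapsBindCheck {

    public static void main(String[] args) throws NamingException {
        if (args.length < 4) {
            System.err.println("usage: LdapsBindCheck <url> <bindDN> <password> <trustStore> [trustStorePassword]");
            System.exit(2);
        }
        String url = args[0];
        String bindDn = args[1];
        String password = args[2];
        String trustStore = args[3];
        String trustStorePassword = args.length > 4 ? args[4] : "changeit"; // keytool's default

        // Same effect as -Djavax.net.ssl.trustStore=... on the Tomcat command line.
        // This is the JSSE *trust* store (the CAs we believe), not the connector's
        // keystore from the Config-SSL-HOWTO, which holds Tomcat's own HTTPS certificate.
        System.setProperty("javax.net.ssl.trustStore", trustStore);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        if (url.startsWith("ldaps://")) {
            env.put(Context.SECURITY_PROTOCOL, "ssl"); // TLS from the first byte, as for any ldaps URL
        }

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);   // the bind happens here
            System.out.println("OK: simple bind succeeded as " + bindDn + " via " + url);
        } catch (CommunicationException e) {
            // This is the exception class JNDIRealm logged. Walk the cause chain so a
            // trust failure is reported as such rather than as a generic bind error.
            for (Throwable t = e.getRootCause(); t != null; t = t.getCause()) {
                if (t instanceof SSLException) {
                    System.err.println("TLS failure: " + t.getMessage());
                    System.err.println("If this is a handshake/validator error, the server certificate's "
                            + "issuer is not in " + trustStore
                            + "; import the directory's root CA with keytool -import -trustcacerts.");
                    System.exit(1);
                }
            }
            System.err.println("Could not reach " + url + ": " + e.getMessage());
            System.exit(1);
        } catch (NamingException e) {
            // The TLS handshake worked; the directory rejected the DN or password.
            System.err.println("Bind refused after a successful TLS handshake: " + e.getMessage());
            System.exit(1);
        } finally {
            if (ctx != null) {
                ctx.close();
            }
        }
    }
}
```

If this program binds successfully with the imported root certificate but Tomcat still logs "No trusted certificate found", the JVM running Tomcat is not being started with the same -Djavax.net.ssl.trustStore setting (or is a different JVM with its own cacerts), which narrows the problem to the startup script rather than the keystore or the Realm element.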

>>> cegolf@ugholf.net 7/28/03 9:49:56 AM >>>
Does anyone have any experience getting ldaps working w/ the JNDIRealms in
Tomcat 4.1.24?  Regular LDAP is working fine, but when I change the
connection URL to ldaps://<ldap-host>:636 I get the following error:

2003-07-28 09:40:49 JNDIRealm[Standalone]: Connecting to URL ldaps://10.1.1.50:636
2003-07-28 09:40:50 JNDIRealm[Standalone]: Exception performing authentication
javax.naming.CommunicationException: simple bind failed: 10.1.1.50:636 [Root exception is javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found]


My Realm element in server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       resourceName="UserDatabase"
       connectionURL="ldaps://10.1.1.50:636"
       connectionName="cn=TOMCAT,ou=WebAppUser,ou=MyOU,o=MyCompany"
       connectionPassword="password"
       userBase="o=MyCompany"
       userSearch="(&amp;(cn={0})(objectClass=inetOrgPerson))"
       userSubtree="true"
       roleBase="ou=WebAppGrp,ou=MyOU,o=MyCompany"
       roleSearch="(uniqueMember={0})"
       roleName="cn" />


Like I said, this works if connectionURL="ldap://10.1.1.50:389".  I can
connect to the LDAP server (Novell eDirectory) via SSL using a Java browser
if I accept the certificate, so I wonder if that might have something to do
with it.

I've also successfully followed the Config-SSL-HOWTO, accepted the
certificate from the server and set up the keystore for the connector as
described, but I get the feeling that this is strictly for enabling SSL
over HTTP.

Thanks in advance.

Chris


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org 
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org 

