tomcat-users mailing list archives

From "Jeff Tulley" <>
Subject Re: JNDIRealm using LDAP with SSL
Date Mon, 28 Jul 2003 17:16:50 GMT
We've done exactly that.  What you need to do is import the root
certificate into a .keystore file.  I'm not sure if Tomcat will pick up
the default cacerts file, or if you always have to specify it like we
did ( etc).  My
guess is that you can set that in the file in
java\lib\security instead of specifying it on the command line.

If you are doing this on a NetWare server, here is something similar to
what we use to import the certificate:

keytool -import -v -noprompt -trustcacerts -file
sys:/public/RootCert.der -keystore sys:/adminsrv/conf/.keystore
-storepass changeit

If you are running eDirectory on something besides the server, I'm not
exactly sure how to get the RootCert.der file, I'm guessing it can be
done as an export from ConsoleOne.  

Oh, I just read the bottom of your message where you said you have done
some work with the keystore.  It looks like the documentation is a
little different for just setting up the SSL connector.  Try doing the
import of the root certificate and see if it works any better.  

Good luck,

Jeff Tulley  (
Novell, Inc., The Leading Provider of Net Business Solutions

>>> 7/28/03 9:49:56 AM >>>
Does anyone have any experience getting ldaps working w/ the JNDIRealm
Tomcat 4.1.24?  Regular LDAP is working fine, but when I change the
URL to ldaps://<ldap-host>:636 I get the following error:

2003-07-28 09:40:49 JNDIRealm[Standalone]: Connecting to URL
2003-07-28 09:40:50 JNDIRealm[Standalone]: Exception performing
javax.naming.CommunicationException: simple bind failed:
exception is Connection has been shutdown: 
No trusted certificate found]

My Realm element in server.xml:

<Realm  className="org.apache.catalina.realm.JNDIRealm" debug="99"

Like I said, this works if connectionURL="ldap://".  I can
to the LDAP server (Novell eDirectory) via SSL using a Java browser if
I accept 
the certificate, so I wonder if that might have something to do with

I've also successfully followed the Config-SSL-HOWTO, accepted the
from the server and setup the keystore for the connector as described,
but I get 
the feeling that this is strictly for enabling SSL over HTTP.

Thanks in advance.
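As an added illustration of the check Jeff describes (this is example code written for this archive page, not code from either poster, from Novell, or from Tomcat itself), the following standalone Java program does two things: it opens the keystore and lists the trusted-certificate entries so you can confirm the eDirectory root actually landed there after the keytool import, and it then performs the same simple bind over SSL that JNDIRealm performs, with the truststore pointed at that file through the javax.net.ssl.trustStore system property (the same setting Jeff's command line passes with -D). The keystore path, the ldaps:// URL, and the bind DN and password are placeholders you must replace; a current JDK is assumed. The point it makes concrete is that the Connector's keystore holds the server's own identity, while the Realm needs the CA that issued the LDAP server's certificate in the truststore the JVM uses as a client; if the listing shows no certificate entries, the import has not happened and the bind will still fail with "No trusted certificate found".

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Hashtable;

import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LdapsTrustCheck {

    // Placeholders (assumptions for this example): adjust to your environment.
    static final String TRUST_STORE = "/opt/tomcat/conf/.keystore";     // where keytool -import wrote the root
    static final String TRUST_STORE_PASS = "changeit";                   // keytool -storepass value
    static final String LDAPS_URL = "ldaps://ldap.example.internal:636"; // placeholder LDAP host
    static final String BIND_DN = "cn=tomcat,o=example";                 // placeholder bind DN
    static final String BIND_PW = "secret";                              // placeholder bind password

    /** Lists trusted-certificate entries (not private-key entries) in the keystore and returns how many there are. */
    static int listTrustedCerts(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        int count = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            // A key entry is the Connector's own server identity; only certificate entries act as trust anchors.
            if (!ks.isCertificateEntry(alias)) {
                continue;
            }
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                System.out.println(alias + ": " + x.getSubjectX500Principal()
                        + " (expires " + x.getNotAfter() + ")");
                count++;
            }
        }
        return count;
    }

    /** Performs the same simple bind over SSL that JNDIRealm does when connectionURL starts with ldaps://. */
    static void bindOverSsl() throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAPS_URL);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PW);
        DirContext ctx = new InitialDirContext(env); // the TLS handshake and bind happen here
        ctx.close();
    }

    public static void main(String[] args) throws Exception {
        // Same effect as -Djavax.net.ssl.trustStore=... on the Tomcat command line.
        System.setProperty("javax.net.ssl.trustStore", TRUST_STORE);
        System.setProperty("javax.net.ssl.trustStorePassword", TRUST_STORE_PASS);

        int trusted = listTrustedCerts(TRUST_STORE, TRUST_STORE_PASS.toCharArray());
        if (trusted == 0) {
            System.err.println("No trusted certificate entries in " + TRUST_STORE
                    + "; import the root certificate with keytool -import -trustcacerts first.");
            return;
        }
        try {
            bindOverSsl();
            System.out.println("ldaps bind succeeded: the server certificate chains to a trusted root.");
        } catch (CommunicationException e) {
            // This is the exception JNDIRealm logs ("simple bind failed ... No trusted certificate found").
            System.err.println("ldaps bind failed: " + e.getMessage());
            System.err.println("Check that the CA that issued the LDAP server's certificate is in " + TRUST_STORE);
        }
    }
}
```

Run it with the same JVM that runs Tomcat, so it sees the same default truststore; if you leave the two System.setProperty lines out, the check falls back to the JRE's own cacerts file, which is the other place the root certificate can be imported.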


To unsubscribe, e-mail: 
For additional commands, e-mail: 
