From: Martin Gainty
To: Tomcat Users List
Subject: RE: Cert
Date: Fri, 2 Aug 2013 10:05:16 -0400

Kyle

The LDAP server requires the LDAP attributes contained within the p7b:

dn: cn=username,o=organization,c=country
objectclass: inetorgperson
objectclass: organizationalPerson
cn: username
sn: surname

Your LDAP admin has 2 options:
1) enter each one manually from the attributes enumerated from the cert
2) import your DER formatted certificate into LDAP (and let the import utility auto-populate the LDAP attributes), for example
2a) Cisco LDAP Server
http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x_chapter_0111.html
2b) IBM LDAP Server
http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.itamfbi.doc_5.1%2FADM51mst160.htm

It looks like we will need to engage the LDAP admin to take this any further. Can you cc him?

Martin
______________________________________________
Disclaimer and confidentiality note
This message is confidential. If you are not the intended recipient, we kindly ask you to notify us. Any unauthorised forwarding or copying is not permitted. This message serves only the exchange of information and has no legally binding effect. Because e-mails can easily be manipulated, we cannot accept liability for their content.
This message is confidential and may be privileged. If you are not the intended recipient, we kindly ask you to inform the sender. Any unauthorised distribution or copying of it is prohibited. This message is for information only and will have no legally binding effect. Since e-mails can easily be subject to manipulation, we cannot accept any responsibility for the content provided.

From: kyles@montcalm.edu
To: users@tomcat.apache.org
Subject: RE: Cert
Date: Fri, 2 Aug 2013 13:23:12 +0000

My server (CAS) is using SSL and the LDAP (DC) server uses SSL. So when I try to authenticate through my CAS server to DC over LDAPS it does not work. When I look at the logs of the "Applications and Services Logs" --> "Directory Service" it says:

Information ActiveDirectory_DomainService 1535 LDAP Interface: Internal event: The LDAP server returned an error.

Additional Data
Error value: 00000003: LdapErr: DSID-0C060463, comment: Error decrypting ldap message, data 0, v1db1

Tomcat version: apache-tomcat-7.0.42

-----Original Message-----
From: Daniel Mikusa [mailto:dmikusa@gopivotal.com]
Sent: Friday, August 02, 2013 8:59 AM
To: Tomcat Users List
Subject: Re: Cert

On Aug 2, 2013, at 7:33 AM, Kyle Shattuck wrote:

> Hello,
> I am using Tomcat 7 on a Windows Server 2012 build for this: https://wiki.jasig.org/display/CASUM/Best+Practice+-+Setting+Up+CAS+Locally+using+the+Maven2+WAR+Overlay+Method
>
> I don't think SSL is not working correctly because every time I try to authenticate over LDAPS it does not work.

What part of this doesn't work? Connecting via SSL or authentication via LDAP? They are two different things.

Can you connect to your server via HTTPS and access a static resource like an HTML page or image file? If not, what happens when you try to connect?

>
> I created a .csr and a .jks using the Java keytool. I got a cert using my .csr file from DigiCert by downloading it to a .p7b file. I imported the .p7b file to my %java_home%\bin\mykeystore.jks. I then downloaded from DigiCert the same cert but in a .pem file and imported the file to my %java_home%\jre\lib\security\cacerts.
>
> Did I miss something here, do you need any other info?

- What is the specific version of Tomcat that you are using?
- Do you see any errors in the log?
- Include your server.xml, minus comments and minus any sensitive info like passwords

Dan

>
> Thank you,
> Kyle
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
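Martin's option 1, entering the inetOrgPerson attributes that the certificate subject enumerates, can be scripted rather than typed by hand. The following is an added example, not code from the thread or from any of the participants: it parses an RFC 4514 subject DN string (assumed to come from `keytool -printcert` or `openssl x509 -noout -subject`) and emits the LDIF entry Martin lists, base64-encoding any value LDIF cannot carry in plain ASCII. The sample DN is constructed.

```python
import base64

def _unescape(raw: str) -> str:
    """Decode RFC 4514 escapes: '\\X' for a special char, '\\XX' for one UTF-8 byte."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out += bytes.fromhex(pair); i += 3          # e.g. Ren\C3\A9 -> René
            else:
                out += raw[i + 1].encode("utf-8"); i += 2   # e.g. \, -> a literal comma
        else:
            out += raw[i].encode("utf-8"); i += 1
    return out.decode("utf-8")

def parse_dn(dn: str) -> list:
    """Split a subject DN into (attribute, value) pairs; an escaped comma does not split."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + "\\" + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf); buf = ""
        else:
            buf += ch
    rdns.append(buf); pairs = []
    for rdn in rdns:
        if "=" not in rdn: raise ValueError(f"malformed RDN {rdn!r}")
        attr, val = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), _unescape(val.strip())))
    return pairs

def _ldif_line(attr: str, value: str) -> str:
    """LDIF needs base64 ('attr:: ...') for non-ASCII values or ones starting with ':' or '<'."""
    if value.isascii() and value == value.strip() and not value.startswith((":", "<")):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def ldif_from_subject(dn: str) -> str:
    """Emit the inetOrgPerson entry from the thread, populated from the certificate subject."""
    attrs = dict(parse_dn(dn))                # assumes one value per attribute type
    if "cn" not in attrs: raise ValueError("subject has no CN, so the entry cannot be named")
    sn = attrs.get("sn") or attrs["cn"].split()[-1]   # sn is mandatory; fall back to last word of CN
    lines = [_ldif_line("dn", dn), "objectclass: inetOrgPerson", "objectclass: organizationalPerson",
             _ldif_line("cn", attrs["cn"]), _ldif_line("sn", sn)]
    lines += [_ldif_line(a, attrs[a]) for a in ("o", "ou", "mail") if a in attrs]
    return "\n".join(lines) + "\n"

SAMPLE_DN = r"CN=Jane Doe,OU=IT\, Security,O=Example Org,C=US"   # constructed sample subject
```

Run `print(ldif_from_subject(SAMPLE_DN))` to see the entry; feed the output to `ldapadd` only after the LDAP admin has confirmed the base DN and object classes match the directory's schema.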