[Date Prev] [Date Next] [Prev in Thread] [Next in Thread] [Date Index] [Thread Index]

Re: SSL for LDAP



If you are using a Java Keystore, they are very explicit about what the key chain is and where the certificates are stored. 

Generally you import the Root and Intermediate certs into the common Java Keystore (cacerts) that the system is referencing, then you add the Server certificate to your custom Keystore - however if you have multiple versions of Java installed you need to identify the system default Java and Keystore (which may end up in trial and error). 

Windows is more "forgiving" on certificates than Java is and only has one store (with multiple sections), where Java can have multiple stores which will be based on what Java runtime your actual application is using e.g. could be a JVM or a JDK (and you may have multiple versions of each installed).


For the Certificate:


I would recommend that you have an Administrator for the Active Directory Server export the certificate using Cert Manager and for them to include all certificates in the Chain (checkbox option in export) to a "*.p7b" file (certificate zip file containing all certs in the chain i.e. Root, Intermediate and Server certificates). 



Open the Certificate file (Server Certificate) and export to p7b by selecting Details > Copy to File.. > Cryptographic Message .. (.P7B) - Check "Include all certificates in the certification path if possible" > Filename


You will end up with a "*.p7b" file that when opened look like a file structure inside which includes all 3 certificates (Root, Intermediate and Server).


For the import to your custom Keystore:


Then import this "chained certificate" p7b file into your custom Keystore.


That way you end up with all 3 required certificates in the keystore - these will be "linked" as you have exported them in a "chain" and not individually.


When you reference this Keystore, you will not need to worry about any other "system" based Java cacerts stores as all certificates are in the one place an available.




Kind Regards,


Carl Wilson



From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Fawver, Dustin
Sent: 10 November 2016 00:19
To: arslist@ARSLIST.ORG
Subject: SSL for LDAP





I have been trying to get AREA to use LDAP over SSL now.  I followed the instructions over at https://docs.bmc.com/docs/display/public/brid91/Enabling+LDAP+plug-ins+for+SSL+connections+post-installation.  The systems administrator instructed me some time ago to go to one of our servers and export the security certificate from within Firefox.  I did that and used keytool to create the store.  I am getting the error message below.


<PLUGINSVR> <TNAME: pool-4-thread-3          > <ERROR> <ARPluginContext                                   > <                              ARPluginContext.java:176       > /* Wed Nov 09 2016 07:12:12.805 */  <AREA.LDAP>Ldap Authentication failed!javax.naming.CommunicationException: simple bind failed: jcdc1.etsu.edu:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]


Looking at the certificate chain, I saw that there was a GeoTrust CA cert and a GeoTrust SHA cert.  I exported those from the same server and added those to the trust store.  While searching for a solution, I found some people would add the certs to the primary Java cacerts store located in /jre/lib/security/.  I did that as well and specified the path for the primary cacerts store in the AREA LDAP configuration screen.  I am still receiving the error message.


Is there something else that I'm missing?  If I need to ask something else from the systems administrator, please let me know what to ask for.


Thanks in advance for your help!


--Dustin Fawver


HelpDesk Technician

East Tennessee State University

_ARSlist: "Where the Answers Are" and have been for 20 years_

_ARSlist: "Where the Answers Are" and have been for 20 years_