users@glassfish.java.net

LDAP Realm using TLS/SSL fails (but the JRE has CA cert imported)

From: Alex Sherwin <alex.sherwin_at_acadiasoft.com>
Date: Fri, 5 Sep 2008 10:08:44 -0400

Hello,

My glassfish v2ur2 is using jre 1.5.0_15, and I've imported the cacert.der
file generated for my OpenLDAP server into both the jssecacerts and cacerts
keystores.

If I use straight Java SE code to connect to the LDAP server over SSL, it
works fine (the OpenLDAP server is ONLY accepting TLS/SSL connections), i.e.:

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

public class LdapsBindTest {
  // LOG was not declared in the posted snippet; a commons-logging logger is assumed here
  private static final Log LOG = LogFactory.getLog(LdapsBindTest.class);

  public static void main(String[] args) {
    Hashtable<String, String> env = new Hashtable<String, String>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldaps://192.168.2.129:636");
    env.put(Context.SECURITY_PRINCIPAL, "cn=Manager,dc=acadiasoft,dc=com");
    env.put(Context.SECURITY_CREDENTIALS, "mypass");
    DirContext context = null;
    try {
      // Simple bind over LDAPS; the TLS handshake validates the server cert against
      // the JVM's default trust store (jssecacerts/cacerts unless overridden)
      context = new InitialDirContext(env);
      final Attributes attrs = context.getAttributes("cn=Manager,dc=acadiasoft,dc=com");
      for (final NamingEnumeration<? extends Attribute> i = attrs.getAll(); i.hasMore();) {
        final Attribute attr = i.next();
        if (LOG.isDebugEnabled()) {
          LOG.debug("Attribute [" + attr + "]");
        }
      }
    } catch (NamingException e) {
      LOG.error("Caught NamingException [" + e.getMessage() + "], Resolved Name ["
          + e.getResolvedName() + "], Remaining Name [" + e.getRemainingName() + "]", e);
    } finally {
      // Always release the LDAP connection, even after a failed bind
      if (context != null) {
        try { context.close(); } catch (NamingException ignored) { }
      }
    }
  }
}

Works fine (if I delete the CA cert from my keystores, the above code fails
as expected; importing it back in, the above code works).

However, the glassfish server (which is using the exact same jre) fails
with the following error in the logs:

[#|2008-09-05T10:02:04.781-0400|INFO|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=16;_ThreadName=httpSSLWorkerThread-6081-2;alexid;|SEC5046: Audit: Authentication refused for [alexid].|#]

[#|2008-09-05T10:02:04.781-0400|WARNING|sun-appserver9.1|javax.enterprise.system.container.web|_ThreadID=16;_ThreadName=httpSSLWorkerThread-6081-2;_RequestID=9edc1829-50fe-4cef-8444-a7c53b41bbc5;|Web login failed: Login failed: javax.security.auth.login.LoginException: javax.naming.CommunicationException: simple bind failed: 192.168.2.129:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]|#]

The configuration of the LDAP Realm is in the form ldaps://the.ip:636, and
the appropriate props for the binding dn and dn password are set.

For thoroughness, I set up OpenLDAP to listen for non-SSL connections, and the
LDAP Realm can connect fine and authenticate through the OpenLDAP server
over a non-TLS/SSL connection.

Any ideas?

Alex Sherwin
alex.sherwin_at_acadiasoft.com
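The post shows the same JRE succeeding from plain Java SE and failing inside GlassFish with "PKIX path building failed", which points at the two processes consulting different trust stores rather than at the CA import itself. GlassFish v2 domains set -Djavax.net.ssl.trustStore in domain.xml to the domain's own config/cacerts.jks, so a CA imported only into the JRE's jssecacerts/cacerts is invisible to the server JVM. The diagnostic below is an added example, not code from the post or from GlassFish: it resolves the trust store JSSE will actually use (following JSSE's documented lookup order), lists the trusted subjects in it so the OpenLDAP CA can be confirmed present or absent, and attempts a TLS handshake to the LDAPS port trusting only that store. Host and port default to the post's 192.168.2.129:636; the class and method names are mine. Run it once with no JVM options (what the Java SE test saw) and once with the domain's -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword options (what GlassFish sees) and compare.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Trust-store diagnostic (added example, not from the original post).
 * Example invocation mirroring a GlassFish v2 domain's JVM options:
 *   java -Djavax.net.ssl.trustStore=DOMAIN_DIR/config/cacerts.jks \
 *        -Djavax.net.ssl.trustStorePassword=changeit TrustStoreCheck 192.168.2.129 636
 */
public class TrustStoreCheck {

    /** Resolve the trust store JSSE will use: explicit property, else jssecacerts, else cacerts. */
    static File effectiveTrustStore() {
        String explicit = System.getProperty("javax.net.ssl.trustStore");
        if (explicit != null) {
            return new File(explicit);
        }
        File securityDir = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        File jssecacerts = new File(securityDir, "jssecacerts");
        return jssecacerts.exists() ? jssecacerts : new File(securityDir, "cacerts");
    }

    /** Load the trust store; a null password still loads a JKS file (integrity check skipped). */
    static KeyStore load(File path, char[] password) throws GeneralSecurityException, IOException {
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /** Alias and subject DN of every trusted certificate, so the imported OpenLDAP CA can be spotted. */
    static List<String> trustedSubjects(KeyStore ks) throws GeneralSecurityException {
        List<String> subjects = new ArrayList<String>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                subjects.add(alias + " -> " + c.getSubjectX500Principal().getName());
            }
        }
        Collections.sort(subjects);
        return subjects;
    }

    /** TLS handshake trusting only the given store; null on success, otherwise the failure text. */
    static String handshakeFailure(KeyStore trust, String host, int port)
            throws GeneralSecurityException, IOException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            socket.startHandshake();
            return null;
        } catch (IOException e) {
            // Same failure GlassFish logs, e.g. SSLHandshakeException: PKIX path building failed
            return e.toString();
        } finally {
            socket.close();
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "192.168.2.129";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 636;
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        File store = effectiveTrustStore();
        System.out.println("Effective trust store: " + store);
        KeyStore ks = load(store, pw == null ? null : pw.toCharArray());
        for (String s : trustedSubjects(ks)) {
            System.out.println("  trusted: " + s);
        }
        String failure = handshakeFailure(ks, host, port);
        System.out.println(failure == null ? "Handshake OK against " + host + ":" + port
                                           : "Handshake FAILED: " + failure);
    }
}
```

If the run with the domain's options reports a different store path and the OpenLDAP CA is missing from its subject list, importing cacert.der into that store (keytool -import against the domain's cacerts.jks) rather than into the JRE's keystores is the change to make. Note that a raw SSLSocket does not perform hostname verification, so a clean handshake here confirms only that the chain validates against the chosen store.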