users@glassfish.java.net

RE: LDAP Realm using TLS/SSL fails (but the JRE has CA cert imported)

From: Alex Sherwin <alex.sherwin_at_acadiasoft.com>
Date: Fri, 5 Sep 2008 10:24:14 -0400

Sorry, I've just stumbled across the problem.

I just saw the following JVM flags set by default for glassfish domains:

-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks

So, I just imported the same cacert.der file into that cacerts.jks keystore,
and all is well.


Alex Sherwin
alex.sherwin_at_acadiasoft.com


-----Original Message-----
From: Alex Sherwin [mailto:alex.sherwin_at_acadiasoft.com]
Sent: Friday, September 05, 2008 10:09 AM
To: Glassfish Users
Subject: LDAP Realm using TLS/SSL fails (but the JRE has CA cert imported)

Hello,

My glassfish v2ur2 is using jre 1.5.0_15, and I've imported the cacert.der
file generated for my OpenLDAP server into both the jssecacerts and cacerts
keystores.

If I use straight Java SE code to connect to the LDAP server over SSL, it
works fine (the OpenLDAP server is ONLY accepting TLS/SSL connections), i.e:

import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

// Class wrapper, imports and the LOG field were not in the post; commons-logging
// is assumed because it matches the isDebugEnabled()/debug()/error(msg, t) calls.
public class LdapSslTest {
  private static final Log LOG = LogFactory.getLog(LdapSslTest.class);

  public static void main(String[] args) {
    Hashtable<String, String> env = new Hashtable<String, String>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    // ldaps:// makes JNDI open an SSL socket, so the server's certificate must
    // chain to a CA present in the trust store this particular JVM is using.
    env.put(Context.PROVIDER_URL, "ldaps://192.168.2.129:636");
    env.put(Context.SECURITY_PRINCIPAL, "cn=Manager,dc=acadiasoft,dc=com");
    env.put(Context.SECURITY_CREDENTIALS, "mypass");
    try {
      final DirContext context = new InitialDirContext(env);
      final Attributes attrs =
          context.getAttributes("cn=Manager,dc=acadiasoft,dc=com");
      for (final NamingEnumeration<? extends Attribute> i = attrs.getAll(); i.hasMore();) {
        final Attribute attr = i.next();
        if (LOG.isDebugEnabled()) {
          LOG.debug("Attribute [" + attr + "]");
        }
      }
      context.close();
    } catch (NamingException e) {
      // A failed TLS handshake surfaces here as a CommunicationException whose
      // root cause is an SSLHandshakeException (PKIX path building failed).
      LOG.error("Caught NamingException [" + e.getMessage() + "], Resolved Name ["
          + e.getResolvedName() + "], Remaining Name [" + e.getRemainingName() + "]", e);
    }
  }
}

Works fine (if I delete the CA cert from my keystores, the above code fails
as expected; importing it back in, the above code works).

However, the glassfish server (which is using the exact same jre) fails
with the following error in the logs:

[#|2008-09-05T10:02:04.781-0400|INFO|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=16;_ThreadName=httpSSLWorkerThread-6081-2;alexid;|SEC5046: Audit: Authentication refused for [alexid].|#]

[#|2008-09-05T10:02:04.781-0400|WARNING|sun-appserver9.1|javax.enterprise.system.container.web|_ThreadID=16;_ThreadName=httpSSLWorkerThread-6081-2;_RequestID=9edc1829-50fe-4cef-8444-a7c53b41bbc5;|Web login failed: Login failed: javax.security.auth.login.LoginException: javax.naming.CommunicationException: simple bind failed: 192.168.2.129:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]|#]

The configuration of the LDAP Realm is in the form ldaps://the.ip:636, and
the appropriate props for the binding dn and dn password are set.

For thoroughness, I set up OpenLDAP to listen on non-ssl connections, and the
LDAP Realm can connect fine and authenticate through the OpenLDAP server
over a non TLS/SSL connection.

Any ideas?

Alex Sherwin
alex.sherwin_at_acadiasoft.com
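Added example, not code from either message above: a small Java check that resolves the trust store the same way JSSE does (the javax.net.ssl.trustStore property that the domain's JVM flag sets, otherwise the JRE's jssecacerts or cacerts) and reports whether a DER CA certificate such as cacert.der is actually present in it, which is the question the PKIX error in the log is really asking. The class and method names (TrustStoreCheck, resolveTrustStorePath, findCertAlias) are mine, it needs Java 7 or later for try-with-resources, and the "changeit" default password is assumed for the domain's cacerts.jks.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Enumeration;

public class TrustStoreCheck {
  // Same lookup order JSSE uses: javax.net.ssl.trustStore if set (the Glassfish
  // domain sets it to config/cacerts.jks), else the JRE's jssecacerts, else cacerts.
  static String resolveTrustStorePath() {
    String prop = System.getProperty("javax.net.ssl.trustStore");
    if (prop != null) return prop;
    String sec = System.getProperty("java.home") + File.separator + "lib" + File.separator + "security" + File.separator;
    File jsse = new File(sec + "jssecacerts");
    return jsse.exists() ? jsse.getPath() : sec + "cacerts";
  }

  // Returns the alias under which the DER cert at derPath is stored, or null if
  // it is absent. Comparison is on the encoded certificate, not on alias names.
  static String findCertAlias(String storePath, char[] storePass, String derPath) throws Exception {
    KeyStore ks = KeyStore.getInstance("JKS"); // cacerts and cacerts.jks are JKS files
    try (InputStream in = new FileInputStream(storePath)) { ks.load(in, storePass); }
    Certificate wanted;
    try (InputStream der = new FileInputStream(derPath)) {
      wanted = CertificateFactory.getInstance("X.509").generateCertificate(der);
    }
    for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
      String alias = e.nextElement();
      if (wanted.equals(ks.getCertificate(alias))) return alias;
    }
    return null;
  }

  public static void main(String[] args) throws Exception {
    String store = resolveTrustStorePath();
    // "changeit" is the stock cacerts password; assumed for cacerts.jks as well.
    String pass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
    String alias = findCertAlias(store, pass.toCharArray(), args[0]);
    System.out.println("trust store in use: " + store);
    System.out.println(alias == null
        ? "CA cert NOT trusted by this store -> PKIX path building will fail"
        : "CA cert trusted under alias '" + alias + "'");
  }
}
```

Run it once plainly and once with the domain's -Djavax.net.ssl.trustStore=.../config/cacerts.jks flag: the two runs report the two different stores that the standalone test and the server were consulting, which is why importing into the JRE's keystores alone was not enough.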




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
For additional commands, e-mail: users-help_at_glassfish.dev.java.net