SSL – Configure JBoss AS 5 and LDAP


Basically I have an application that sits on JBoss which needs to connect to an LDAP server. (OS is Windows XP Pro.)
I started JBoss with run.bat -c all -b 192.168.1.1.

I have no problem connecting to the LDAP server without SSL. The problem only surfaces when the LDAP server is set up with SSL; then I have trouble connecting to the LDAP server. The following is the error message.

javax.naming.CommunicationException: simple bind failed: 192.168.1.100:636 [Root exception is javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty]

I have googled about configuring JBoss and LDAP and stumbled upon http://docs.jboss.org/jbportal/v2.6.2/referenceGuide/html/ldap.html . Do I really need a JBoss Portal to set up with LDAP??

Could anyone out there help me out with this?? Am I missing out any configuration on JBoss??

Any advice would be greatly appreciated. Many thanks in advance.

Kevin

Best Answer

I think you need to import the trusted root certificate (possibly any intermediary certs as well) into the Java keystore that JBoss is using. (On Linux, the only place I have run JBoss, it uses Tomcat to run JBoss in it.)

I am not sure where the default Java key store would be for Tomcat. You can use keytool from any Java JDK install, and import the trusted root that way. The keystore password should be 'default' since there is nothing secret about trusted root public keys.

Sample keytool syntax might be (the store password is usually default or changeit):

keytool -importcert -keystore Path/to/store -storepass Password -alias Something -file FileWithPublicKey

To get the trusted root, an easy way is if the same cert is used for an HTTP interface. But I think IE will let you try ldaps://serverIP/, and then in the icon with a lock you can see the certificate details.

There is a tab for the certification chain. The top item is the CA who signed this cert (aka the Root that we need to Trust, to make it a Trusted Root).

If all this is too much, then here is a funny trick! Get the 600K Java-based LDAP browser called LBE, delete the local file lbecacert, then run the LDAP Browser, make a config for your LDAP server with SSL enabled, and when you first connect it will get the Trusted Root and prompt you to trust it once, always, or never. Select Always, and exit.

The newly created lbecacert file now has just the one trusted root in it. Cute eh? I use this when I am lazy and it works fine.

Now where should the Tomcat cacerts be? Well, it might be sufficient, in your JVM install under lib/security, to either add the trusted root to the cacerts there, or else replace that file with this one (which is not the best option, since you might want some of those default trusted roots).
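The error in the question ("the trustAnchors parameter must be non-empty") is raised when the JVM opens a truststore that contains no trusted-certificate entries at all, which is why importing the CA as the answer describes fixes it. The following is an added diagnostic, written for this page and not taken from Kevin's application or from the JBoss project: it counts the trusted roots in a JKS truststore and then attempts the same JNDI simple bind over SSL that the application performs, printing the root cause on failure. The truststore path defaults to the running JVM's lib/security/cacerts with the stock JDK password changeit; the bind DN and bind password are placeholders to replace, and the host and port are the ones from the question. It is written against Java 6 APIs so it matches the JDKs JBoss AS 5 runs on.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Checks that a truststore holds at least one trusted root, then binds to LDAPS with it. */
public class LdapsTrustCheck {

    /**
     * Counts the trusted-certificate entries in a JKS truststore and prints each subject.
     * A result of 0 is exactly the condition behind "the trustAnchors parameter must be
     * non-empty": the JVM found a keystore, but it holds no trusted roots.
     */
    public static int countTrustedRoots(String trustStorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(trustStorePath);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        int trusted = 0;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (ks.isCertificateEntry(alias)) {
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                System.out.println("trusted root [" + alias + "]: " + cert.getSubjectX500Principal());
                trusted++;
            }
        }
        return trusted;
    }

    /**
     * Opens a JNDI LDAP context over SSL. The truststore is chosen through the
     * javax.net.ssl.trustStore system properties; under JBoss the same two -D options
     * can be passed via JAVA_OPTS to run.bat instead of being set in code.
     */
    public static DirContext bindOverSsl(String ldapsUrl, String bindDn, String bindPassword,
                                         String trustStorePath, String trustStorePassword) throws Exception {
        System.setProperty("javax.net.ssl.trustStore", trustStorePath);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);             // ldaps://host:636
        env.put(Context.SECURITY_PROTOCOL, "ssl");            // TLS on the connection
        env.put(Context.SECURITY_AUTHENTICATION, "simple");   // the "simple bind" from the error
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        return new InitialDirContext(env);
    }

    public static void main(String[] args) throws Exception {
        // Assumed truststore: the running JVM's cacerts with the stock JDK password.
        String trustStore = System.getProperty("java.home") + "/lib/security/cacerts";
        String trustPassword = "changeit";

        int roots = countTrustedRoots(trustStore, trustPassword.toCharArray());
        if (roots == 0) {
            System.err.println(trustStore + " has no trusted roots; import the CA with keytool first.");
            return;
        }

        // Placeholder bind DN and password; the host and port are the ones from the question.
        DirContext ctx = null;
        try {
            ctx = bindOverSsl("ldaps://192.168.1.100:636",
                              "cn=REPLACE_ME,dc=example,dc=com", "REPLACE_ME",
                              trustStore, trustPassword);
            System.out.println("LDAPS bind succeeded using a truststore with " + roots + " trusted root(s)");
        } catch (CommunicationException e) {
            // Same exception type the question shows; the innermost cause says whether it is trust-related.
            Throwable root = e;
            while (root.getCause() != null) {
                root = root.getCause();
            }
            System.err.println("LDAPS bind failed: " + e.getMessage());
            System.err.println("root cause: " + root);
        } finally {
            if (ctx != null) {
                ctx.close();
            }
        }
    }
}
```

If countTrustedRoots reports zero entries for the path JBoss is actually using, the keytool import from the answer is the fix; if it reports a non-zero count but the bind still fails with a certificate error, the root cause printed here will point to a missing intermediate or a hostname mismatch rather than an empty store.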
