Posted to dev@qpid.apache.org by "Keith Wall (JIRA)" <ji...@apache.org> on 2016/04/03 18:41:25 UTC

[jira] [Updated] (QPID-7160) No X509TrustManager implementation available when using truststore captured by SiteSpecificTrustStore

     [ https://issues.apache.org/jira/browse/QPID-7160?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Keith Wall updated QPID-7160:
-----------------------------
    Status: Reviewable  (was: In Progress)

> No X509TrustManager implementation available when using truststore captured by SiteSpecificTrustStore
> -----------------------------------------------------------------------------------------------------
>
>                 Key: QPID-7160
>                 URL: https://issues.apache.org/jira/browse/QPID-7160
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Broker
>    Affects Versions: qpid-java-6.0, qpid-java-6.0.1
>            Reporter: Keith Wall
>            Assignee: Keith Wall
>            Priority: Minor
>             Fix For: qpid-java-6.1
>
>
> I am testing the Java Broker with ApacheDS as an authentication provider. I find secure connections to the Directory secured with a self-signed certificate fail if the truststore was captured using {{SiteSpecificTrustStore}}.  If I upload the truststore as a PEM, the exception does not occur.
> Keystore for ApacheDS was generated like so:
> {{keytool -genkey -keyalg RSA -alias selfsigned -keystore apacheds.jks -storepass password -validity 360 -keysize 2048}}
> Truststore captured by pointing SiteSpecificTrustStore at https://localhost:10636.
> Alternative approach (that works): export the PEM from the ApacheDS UI, then import it into the Java Broker as a NonJavaTrustStore.
> {noformat}
> 2016-03-23 22:49:14,464 WARN  [HttpManagement-myhttps-150] (o.a.q.s.s.a.m.SimpleLDAPAuthenticationManagerImpl) - SASL Authentication Exception
> javax.naming.CommunicationException: simple bind failed: Oslo.local:10636
> 	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219) ~[na:1.8.0_45]
> 	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788) ~[na:1.8.0_45]
> 	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) ~[na:1.8.0_45]
> 	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) ~[na:1.8.0_45]
> 	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) ~[na:1.8.0_45]
> 	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) ~[na:1.8.0_45]
> 	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) ~[na:1.8.0_45]
> 	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[na:1.8.0_45]
> 	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[na:1.8.0_45]
> 	at javax.naming.InitialContext.init(InitialContext.java:244) ~[na:1.8.0_45]
> 	at javax.naming.InitialContext.<init>(InitialContext.java:216) ~[na:1.8.0_45]
> 	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101) ~[na:1.8.0_45]
> 	at org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManagerImpl.createInitialDirContext(SimpleLDAPAuthenticationManagerImpl.java:344) ~[classes/:na]
> 	at org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManagerImpl.getNameFromId(SimpleLDAPAuthenticationManagerImpl.java:491) ~[classes/:na]
> 	at org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManagerImpl.access$100(SimpleLDAPAuthenticationManagerImpl.java:72) ~[classes/:na]
> 	at org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManagerImpl$SimpleLDAPPlainCallbackHandler.handle(SimpleLDAPAuthenticationManagerImpl.java:448) ~[classes/:na]
> 	at org.apache.qpid.server.security.auth.sasl.plain.PlainSaslServer.evaluateResponse(PlainSaslServer.java:83) [classes/:na]
> 	at org.apache.qpid.server.management.plugin.servlet.rest.SaslServlet.evaluateSaslResponse(SaslServlet.java:217) [classes/:na]
> 	at org.apache.qpid.server.management.plugin.servlet.rest.SaslServlet.doPostWithSubjectAndActor(SaslServlet.java:135) [classes/:na]
> 	at org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet$2.run(AbstractServlet.java:118) [classes/:na]
> 	at org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet$2.run(AbstractServlet.java:114) [classes/:na]
> 	at java.security.AccessController.doPrivileged(Native Method) [na:1.8.0_45]
> 	at javax.security.auth.Subject.doAs(Subject.java:422) [na:1.8.0_45]
> 	at org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet.doWithSubjectAndActor(AbstractServlet.java:215) [classes/:na]
> 	at org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet.doPost(AbstractServlet.java:112) [classes/:na]
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:595) [geronimo-servlet_3.0_spec-1.0.jar:1.0]
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:668) [geronimo-servlet_3.0_spec-1.0.jar:1.0]
> 	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1496) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.apache.qpid.server.management.plugin.filter.ForbiddingAuthorisationFilter.doFilter(ForbiddingAuthorisationFilter.java:90) [classes/:na]
> 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.apache.qpid.server.management.plugin.filter.ForbiddingTraceFilter.doFilter(ForbiddingTraceFilter.java:65) [classes/:na]
> 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.apache.qpid.server.management.plugin.filter.LoggingFilter.doFilter(LoggingFilter.java:70) [classes/:na]
> 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.apache.qpid.server.management.plugin.filter.ExceptionHandlingFilter.doFilter(ExceptionHandlingFilter.java:56) [classes/:na]
> 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:501) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:229) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:429) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.server.Server.handle(Server.java:370) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:982) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1043) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865) [jetty-http-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240) [jetty-http-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196) [jetty-io-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696) [jetty-io-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53) [jetty-io-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608) [jetty-util-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543) [jetty-util-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at java.lang.Thread.run(Thread.java:745) [na:1.8.0_45]
> Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No X509TrustManager implementation available
> 	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_45]
> 	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937) ~[na:1.8.0_45]
> 	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[na:1.8.0_45]
> 	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[na:1.8.0_45]
> 	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478) ~[na:1.8.0_45]
> 	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212) ~[na:1.8.0_45]
> 	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[na:1.8.0_45]
> 	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[na:1.8.0_45]
> 	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050) ~[na:1.8.0_45]
> 	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) ~[na:1.8.0_45]
> 	at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:916) ~[na:1.8.0_45]
> 	at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) ~[na:1.8.0_45]
> 	at java.io.BufferedInputStream.fill(BufferedInputStream.java:246) ~[na:1.8.0_45]
> 	at java.io.BufferedInputStream.read1(BufferedInputStream.java:286) ~[na:1.8.0_45]
> 	at java.io.BufferedInputStream.read(BufferedInputStream.java:345) ~[na:1.8.0_45]
> 	at com.sun.jndi.ldap.Connection.run(Connection.java:851) ~[na:1.8.0_45]
> 	... 1 common frames omitted
> Caused by: java.security.cert.CertificateException: No X509TrustManager implementation available
> 	at sun.security.ssl.DummyX509TrustManager.checkServerTrusted(SSLContextImpl.java:1119) ~[na:1.8.0_45]
> 	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460) ~[na:1.8.0_45]
> 	... 12 common frames omitted
> {noformat}
> config.json snippet:
> {noformat}
>  "authenticationproviders" : [ {
>     "id" : "fba490fc-3329-4a2d-90db-4add4e050ba3",
>     "name" : "myldap",
>     "type" : "SimpleLDAP",
>     "bindWithoutSearch" : false,
>     "providerAuthUrl" : "ldaps://Oslo.local:10636",
>     "providerUrl" : "ldaps://Oslo.local:10636",
>     "searchContext" : "ou=people,o=sevenSeas",
>     "searchFilter" : "(uid={0})",
>     "searchPassword" : "secret",
>     "searchUsername" : "uid=admin,ou=system ",
>     "trustStore" : "apacheds_sniff",
>     "lastUpdatedBy" : "admin",
>     "lastUpdatedTime" : 1458773319290,
>     "createdBy" : null,
>     "createdTime" : 0
>   }
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
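The root cause named in the trace above, "No X509TrustManager implementation available", is not raised by a trust store that merely lacks the right certificate. JSSE throws it from its internal DummyX509TrustManager, which SSLContext.init substitutes whenever the TrustManager[] it is handed contains no X509TrustManager at all (an empty array, for instance), so the message means the LDAP provider's SSLContext was built without any usable trust manager rather than with the wrong anchors. The program below is an added example written for this page; it is not code from the Qpid project or from the issue reporter. It reproduces the failure on a loopback TLS server instead of ApacheDS and puts the three outcomes side by side: an empty TrustManager[] (the message in the trace), a null TrustManager[] (JDK default cacerts, a PKIX path error), and a TrustManagerFactory over a trust store holding the captured self-signed certificate (handshake succeeds). It assumes the apacheds.jks file, alias and password from the keytool command in the issue; the class name, the in-memory trust store alias "captured" and the anchorCount pre-flight check are this example's own inventions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.InetAddress;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not Qpid code): reproduces the handshake failure from the issue
 * without ApacheDS or the broker. A loopback TLS server presents the self-signed
 * key pair from apacheds.jks and three client SSLContexts are tried against it.
 */
public class TrustManagerCheck {

    // Assumed: the keystore produced by the issue's keytool command, same alias and password.
    static final String KEYSTORE = "apacheds.jks";
    static final String ALIAS = "selfsigned";
    static final char[] PASSWORD = "password".toCharArray();

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(KEYSTORE)) {
            ks.load(in, PASSWORD);
        }

        // Server side: presents the self-signed certificate, as the directory does on 10636.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASSWORD);
        SSLContext serverCtx = SSLContext.getInstance("TLS");
        serverCtx.init(kmf.getKeyManagers(), null, null);
        SSLServerSocket server = (SSLServerSocket) serverCtx.getServerSocketFactory()
                .createServerSocket(0, 1, InetAddress.getLoopbackAddress());
        Thread acceptor = new Thread(() -> serve(server));
        acceptor.setDaemon(true);
        acceptor.start();
        int port = server.getLocalPort();

        // What a site-specific capture should yield: a trust store whose only entry is the
        // server's certificate stored as a trustedCertEntry (built in memory here, alias assumed).
        KeyStore captured = KeyStore.getInstance(KeyStore.getDefaultType());
        captured.load(null, null);
        captured.setCertificateEntry("captured", ks.getCertificate(ALIAS));
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(captured);

        // 1. No X509TrustManager in the array: JSSE substitutes DummyX509TrustManager, which
        //    rejects every chain with "No X509TrustManager implementation available".
        attempt("empty TrustManager[]", port, new TrustManager[0]);
        // 2. null: JSSE falls back to the JDK default trust store (cacerts), which lacks the
        //    self-signed certificate, so the failure is a PKIX path-building error instead.
        attempt("null (JDK default trust store)", port, null);
        // 3. Trust managers built from the captured certificate: handshake succeeds.
        attempt("TrustManagerFactory over captured cert", port, tmf.getTrustManagers());

        server.close();
    }

    /** Pre-flight check: anchors held by the first X509TrustManager, or -1 if there is none. */
    static int anchorCount(TrustManager[] tms) {
        for (TrustManager tm : tms) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return -1; // exactly the case SSLContext.init papers over with DummyX509TrustManager
    }

    /** Runs one client handshake against the loopback server and reports the outcome. */
    static String attempt(String label, int port, TrustManager[] tms) {
        System.out.println(label + (tms == null ? "" : ": anchors=" + anchorCount(tms)));
        try {
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tms, null);
            try (SSLSocket s = (SSLSocket) ctx.getSocketFactory()
                    .createSocket(InetAddress.getLoopbackAddress(), port)) {
                s.startHandshake();
                X509Certificate peer = (X509Certificate) s.getSession().getPeerCertificates()[0];
                System.out.println("  handshake OK, peer " + peer.getSubjectX500Principal());
                return "OK";
            }
        } catch (Exception e) {
            System.out.println("  handshake failed: " + e);
            return e.toString();
        }
    }

    /** Accepts until the server socket is closed; handshake failures are reported client-side. */
    static void serve(SSLServerSocket server) {
        while (!server.isClosed()) {
            try (SSLSocket s = (SSLSocket) server.accept()) {
                s.startHandshake();
            } catch (Exception ignored) {
                // a rejected certificate shows up here as a fatal alert from the client
            }
        }
    }
}
```

Run it with `javac TrustManagerCheck.java && java TrustManagerCheck` in the directory holding apacheds.jks. The first attempt prints `anchors=-1` and the same exception text as the trace in the issue, the second fails with a different, PKIX message, and the third prints `anchors=1` and the subject of the self-signed certificate. The `anchorCount` check is the one worth wiring into any code that wraps a trust store: if it returns -1 for the array you are about to pass to SSLContext.init, the resulting context will fail closed against every server, and the error it produces will look like a certificate problem rather than a missing trust manager.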