Posted to users@tomcat.apache.org by Kyle Shattuck <ky...@montcalm.edu> on 2013/08/02 13:33:17 UTC

Cert

Hello,
I am using Tomcat 7 on a Windows Server 2012 build for this: https://wiki.jasig.org/display/CASUM/Best+Practice+-+Setting+Up+CAS+Locally+using+the+Maven2+WAR+Overlay+Method

I don't think SSL is working correctly, because every time I try to authenticate over LDAPS it does not work.

I created a .csr and a .jks using the Java keytool. I got a cert using my .csr file from DigiCert by downloading it as a .p7b file. I imported the .p7b file into my %java_home%\bin\mykeystore.jks. I then downloaded the same cert from DigiCert as a .pem file and imported it into my %java_home%\jre\lib\security\cacerts.

Did I miss something here? Do you need any other info?

Thank you,
Kyle
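
As an added example (not code from the thread, nor from the CAS or Tomcat projects), here is the keystore sequence Kyle describes done with keytool from PowerShell on the Tomcat host, followed by two separate checks that answer Dan's question further down the thread: whether the TLS connection to the domain controller works at all, and whether the LDAP bind over it works. The hostnames (cas.example.edu, dc.example.edu), the paths under C:\tomcat\conf, the aliases and the store password are placeholders, and the script assumes the CAS host is domain-joined so that the CA which issued the DC's LDAPS certificate is already in the Windows machine certificate store.

```powershell
# Added example, not from the thread. Placeholders: hostnames, paths, aliases, passwords.
# Run in an elevated PowerShell on the CAS/Tomcat host (Windows Server 2012, PowerShell 3).
$ErrorActionPreference = 'Stop'

# Use the JRE/JDK that the Tomcat service actually starts with (tomcat7w.exe, "Java" tab).
# Editing cacerts under a different JAVA_HOME changes nothing for Tomcat.
$keytool    = Join-Path $env:JAVA_HOME 'bin\keytool.exe'
$keystore   = 'C:\tomcat\conf\cas-keystore.jks'    # CAS private key + DigiCert chain (inbound HTTPS)
$truststore = 'C:\tomcat\conf\dc-truststore.jks'   # CA that issued the DC's LDAPS cert (outbound LDAPS)
$storepass  = 'changeit'                           # placeholder; use a real secret
$casHost    = 'cas.example.edu'
$dcHost     = 'dc.example.edu'

# --- Inbound HTTPS: key pair, CSR and CA reply all under ONE alias -------------------------
& $keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 730 `
    -dname "CN=$casHost, O=Example University, C=US" `
    -keystore $keystore -storepass $storepass -keypass $storepass
& $keytool -certreq -alias tomcat -file "$env:TEMP\cas.csr" -keystore $keystore -storepass $storepass
# Send cas.csr to the CA, then import the PKCS#7 reply (.p7b) under the SAME alias as the key.
# Under a new alias it becomes a trustedCertEntry with no private key, which Tomcat cannot serve.
& $keytool -importcert -trustcacerts -alias tomcat -file "$env:USERPROFILE\Downloads\$casHost.p7b" `
    -keystore $keystore -storepass $storepass -noprompt
& $keytool -list -v -keystore $keystore -storepass $storepass | Select-String 'Entry type|Owner|Issuer'

# --- Outbound LDAPS, check 1: is it a TLS problem? Look at what the DC presents on 636 -------
function Get-LdapsServerCertificate {
    param([string]$HostName, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The validation callback accepts anything: we want to SEE the chain, not trust it yet.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}
$dcCert = Get-LdapsServerCertificate -HostName $dcHost
"DC presents: $($dcCert.Subject) issued by $($dcCert.Issuer), expires $($dcCert.NotAfter)"

# The JVM trusts only what is in ITS truststore, so the DC's issuer (typically an internal AD CS
# CA, not DigiCert) must be imported there. Assumption: the host is domain-joined and the issuer
# is already in the Windows machine store; export it from there and import it with keytool.
$caCert = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -eq $dcCert.Issuer } | Select-Object -First 1
if (-not $caCert) { throw "Issuer '$($dcCert.Issuer)' not in the machine store; get its .cer from the CA admin." }
[System.IO.File]::WriteAllBytes("$env:TEMP\dc-issuer.cer", $caCert.Export('Cert'))
& $keytool -importcert -alias dc-issuer -file "$env:TEMP\dc-issuer.cer" `
    -keystore $truststore -storepass $storepass -noprompt
# Show the chain as the JVM's own TLS stack sees it (display only; this does not check trust).
& $keytool -printcert -sslserver "${dcHost}:636"

# Point Tomcat's JVM at the truststore and log the handshake while debugging. For the Windows
# service these go in the "Java Options" box of tomcat7w.exe; for catalina.bat, into bin\setenv.bat.
$javaOpts = @(
    "-Djavax.net.ssl.trustStore=$truststore"
    "-Djavax.net.ssl.trustStorePassword=$storepass"
    "-Djavax.net.debug=ssl:handshake"      # noisy; remove once the LDAPS bind works
) -join ' '
"Add to Java Options: $javaOpts"

# --- Outbound LDAPS, check 2: is it an LDAP (bind) problem? Use the DN/password CAS uses -----
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ident = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dcHost, 636)
$ldap  = New-Object System.DirectoryServices.Protocols.LdapConnection($ident)
$ldap.SessionOptions.SecureSocketLayer = $true
$ldap.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$ldap.Credential = (Get-Credential -Message 'Bind DN and password that CAS uses').GetNetworkCredential()
$ldap.Bind()   # throws LdapException carrying the DC's result code if the bind itself is rejected
'LDAPS bind succeeded: TLS and credentials are both fine from this host.'
```

Two points are worth watching here. The CA reply has to land under the same alias that holds the private key, otherwise the keystore contains a certificate Tomcat cannot serve. And the truststore that matters for the outbound LDAPS connection is the one the Tomcat JVM is started with, and it must contain the issuer of the DC's certificate rather than the CAS server's own DigiCert certificate. If the Windows-side `Bind()` succeeds from this host while the JVM still fails, the remaining difference lies in the JVM's truststore or the CAS LDAP configuration, not on the DC.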


Re: Cert

Posted by Daniel Mikusa <dm...@gopivotal.com>.
On Aug 2, 2013, at 9:23 AM, Kyle Shattuck <ky...@montcalm.edu> wrote:

> My server (CAS) is using SSL and the LDAP (DC) server uses SSL. So when I try to authenticate through my CAS server to the DC over LDAPS it does not work.  When I look at the logs under "Applications and Services Logs" --> "Directory Service" it says:
> Information    ActiveDirectory_DomainService	1535	LDAP Interface:
> Internal event: The LDAP server returned an error. 
> 
> Additional Data 
> Error value:
> 00000003: LdapErr: DSID-0C060463, comment: Error decrypting ldap message, data 0, v1db1

Sorry for being slow here.  I'm just not quite sure how this is related to Tomcat.  It seems like an application or JVM configuration issue.  

A couple more questions for you.

  - What log are you pulling this from?  Is this from your LDAP server, an application log or a Tomcat log?  

  - How are you configuring your application to connect to your LDAP server?  Is this with a <Resource /> tag in Tomcat?  or is this done in application configuration?  Can you include this config for us, minus passwords?

  - Does your LDAP server have a certificate from a trusted certificate authority?  Is this what you were talking about when you mentioned creating a keystore with a certificate from digicert in your original email?  Or is the LDAP Server's certificate self signed?

Dan



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Cert

Posted by Kyle Shattuck <ky...@montcalm.edu>.
We don't necessarily have an LDAP admin, so I need more details on how to execute this. I read the IBM site you provided and am not sure how to start.

Our OSes are Windows; they are talking about a "Tivoli Access Manager LDAP server".

Thank you for all the information! 



RE: Cert

Posted by Martin Gainty <mg...@hotmail.com>.
Kyle
 
The LDAP server requires the LDAP attributes contained within the p7b:

dn: cn=username,o=organization,c=country
objectclass: inetorgperson
objectclass: organizationalPerson
cn: username
sn: surname

Your LDAP admin has 2 options:

1) enter each one manually from the attributes enumerated from the cert
2) import your DER formatted certificate into LDAP (and let the import utility auto-populate the LDAP attributes), for example:
2a) Cisco LDAP Server
http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x_chapter_0111.html
2b) IBM LDAP Server
http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.itamfbi.doc_5.1%2FADM51mst160.htm

It looks like we will need to engage the LDAP admin to take this any further... can you cc him?

Martin 
______________________________________________
Disclaimer and confidentiality notice

This message is confidential and may be privileged. If you are not the intended recipient, we kindly ask you to notify the sender. Any unauthorized forwarding or copying of it is prohibited. This message serves only to exchange information and has no legally binding effect. Because e-mail can easily be manipulated, we accept no liability for its content.

 

RE: Cert

Posted by Kyle Shattuck <ky...@montcalm.edu>.
My server (CAS) is using SSL and the LDAP (DC) server uses SSL. So when I try to authenticate through my CAS server to the DC over LDAPS it does not work. When I look at the logs under "Applications and Services Logs" --> "Directory Service" it says:
Information    ActiveDirectory_DomainService	1535	LDAP Interface:
Internal event: The LDAP server returned an error. 
 
Additional Data 
Error value:
00000003: LdapErr: DSID-0C060463, comment: Error decrypting ldap message, data 0, v1db1

Tomcat version:apache-tomcat-7.0.42




RE: Cert

Posted by Martin Gainty <mg...@hotmail.com>.
Daniel
 
...he hasn't imported his DER-typed certificate into the LDAP server yet...

Martin 

 

Re: Cert

Posted by Daniel Mikusa <dm...@gopivotal.com>.
On Aug 2, 2013, at 7:33 AM, Kyle Shattuck <ky...@montcalm.edu> wrote:

> Hello,
> I am using Tomcat 7 on a Windows Server 2012 build for this: https://wiki.jasig.org/display/CASUM/Best+Practice+-+Setting+Up+CAS+Locally+using+the+Maven2+WAR+Overlay+Method
> 
> I don't think SSL is working correctly, because every time I try to authenticate over LDAPS it does not work.

What part of this doesn't work?  Connecting via SSL or authentication via LDAP?  They are two different things.

Can you connect to your server via HTTPS and access a static resource like an HTML page or image file?  If not, what happens when you try to connect?

> 
> I created a .csr and a .jks using the Java keytool. I got a cert using my .csr file from DigiCert by downloading it as a .p7b file. I imported the .p7b file into my %java_home%\bin\mykeystore.jks. I then downloaded the same cert from DigiCert as a .pem file and imported it into my %java_home%\jre\lib\security\cacerts.
> 
> Did I miss something here? Do you need any other info?

 - What is the specific version of Tomcat that you are using?
 - Do you see any errors in the log?
 - Include your server.xml, minus comments and minus any sensitive info like passwords

Dan

> 
> Thank you,
> Kyle
> 

