Posted to api@directory.apache.org by Karim Hosny <ka...@its.ws> on 2015/03/24 11:21:09 UTC

Problem using TLS or SSL to establish a secure binding

Hi,

I have a problem trying to create a TLS negotiation or an SSL binding with my Active Directory server running on Windows 2008. It works fine with the JNDI API, but the Apache Directory is more feasible for my case since it will include Kerberos authentication.

I use the certificate for the account I use to log in with as a PKCS12 certificate, and I have the CA from the server added to the cacerts file, but I get a "failed to initialize SSL context" exception; the exception is at the end of the email.

My code:

LdapConnectionConfig config = new LdapConnectionConfig();
config.setLdapHost(SERVER);
config.setLdapPort(389);
KeyStore keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream("C:\\bea\\jrockit_160_05\\jre\\lib\\security\\certificate.jks"), "P@ssw0rd".toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(keystore);
config.setTrustManagers(tmf.getTrustManagers());
config.setName("CN=testUser,CN=Users,DC=bmrk,DC=com");
config.setCredentials("P@ssw0rd");
LdapNetworkConnection ldapNetworkConnection = new LdapNetworkConnection(config);
ldapNetworkConnection.startTls(); // the exception is thrown here
ldapNetworkConnection.bind();

Exception:
Exception in thread "Main Thread" org.apache.directory.api.ldap.model.exception.LdapException: Failed to initialize the SSL context
      at org.apache.directory.ldap.client.api.LdapNetworkConnection.addSslFilter(LdapNetworkConnection.java:3839)
      at org.apache.directory.ldap.client.api.LdapNetworkConnection.startTls(LdapNetworkConnection.java:3788)
      at LDAPConTest.testLoginToLDAPDOMAIN(LDAPConTest.java:102)
      at LDAPConTest.main(LDAPConTest.java:57)
Caused by: org.apache.mina.core.filterchain.IoFilterLifeCycleException: onPreAdd(): sslFilter:SslFilter in (0x00000001: nio socket, client, /10.90.92.20:39519 => BMRKDC02.bmrk.com/10.90.92.3:389)
      at org.apache.mina.core.filterchain.DefaultIoFilterChain.register(DefaultIoFilterChain.java:383)
      at org.apache.mina.core.filterchain.DefaultIoFilterChain.addFirst(DefaultIoFilterChain.java:184)
      at org.apache.directory.ldap.client.api.LdapNetworkConnection.addSslFilter(LdapNetworkConnection.java:3832)
      ... 3 more
Caused by: java.lang.IllegalArgumentException: TLSv1.1
      at com.sun.net.ssl.internal.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:133)
      at com.sun.net.ssl.internal.ssl.ProtocolList.<init>(ProtocolList.java:38)
      at com.sun.net.ssl.internal.ssl.SSLEngineImpl.setEnabledProtocols(SSLEngineImpl.java:1736)
      at org.apache.mina.filter.ssl.SslHandler.init(SslHandler.java:176)
      at org.apache.mina.filter.ssl.SslFilter.onPreAdd(SslFilter.java:426)
      at org.apache.mina.core.filterchain.DefaultIoFilterChain.register(DefaultIoFilterChain.java:381)
      ... 5 more


Any ideas where the issue may come from?

Thanks,

Karim

Re: Problem using TLS or SSL to establish a secure binding

Posted by Kiran Ayyagari <ka...@apache.org>.
On Tue, Mar 24, 2015 at 6:21 PM, Karim Hosny <ka...@its.ws> wrote:

> Hi,
>
> I have a problem trying to create a TLS negotiation or an SSL binding with
> my Active Directory server running on Windows 2008. It works fine with the
> JNDI API, but the Apache Directory is more feasible for my case since
> it will include Kerberos authentication.
>
> I use the certificate for the account I use to log in with as a PKCS12
> certificate, and I have the CA from the server added to the cacerts file,
> but I get a "failed to initialize SSL context" exception; the exception is
> at the end of the email.
>
> My code:
>
> LdapConnectionConfig config = new LdapConnectionConfig();
> config.setLdapHost(SERVER);
> config.setLdapPort(389);
> KeyStore keystore = KeyStore.getInstance("JKS");
> keystore.load(new FileInputStream("C:\\bea\\jrockit_160_05\\jre\\lib\\security\\certificate.jks"), "P@ssw0rd".toCharArray());
> TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
> tmf.init(keystore);
> config.setTrustManagers(tmf.getTrustManagers());
> config.setName("CN=testUser,CN=Users,DC=bmrk,DC=com");
> config.setCredentials("P@ssw0rd");
> LdapNetworkConnection ldapNetworkConnection = new LdapNetworkConnection(config);
> ldapNetworkConnection.startTls(); // the exception is thrown here
> ldapNetworkConnection.bind();
>
> Exception:
> Exception in thread "Main Thread" org.apache.directory.api.ldap.model.exception.LdapException: Failed to initialize the SSL context
>       at org.apache.directory.ldap.client.api.LdapNetworkConnection.addSslFilter(LdapNetworkConnection.java:3839)
>       at org.apache.directory.ldap.client.api.LdapNetworkConnection.startTls(LdapNetworkConnection.java:3788)
>       at LDAPConTest.testLoginToLDAPDOMAIN(LDAPConTest.java:102)
>       at LDAPConTest.main(LDAPConTest.java:57)
> Caused by: org.apache.mina.core.filterchain.IoFilterLifeCycleException: onPreAdd(): sslFilter:SslFilter in (0x00000001: nio socket, client, /10.90.92.20:39519 => BMRKDC02.bmrk.com/10.90.92.3:389)
>       at org.apache.mina.core.filterchain.DefaultIoFilterChain.register(DefaultIoFilterChain.java:383)
>       at org.apache.mina.core.filterchain.DefaultIoFilterChain.addFirst(DefaultIoFilterChain.java:184)
>       at org.apache.directory.ldap.client.api.LdapNetworkConnection.addSslFilter(LdapNetworkConnection.java:3832)
>       ... 3 more
> Caused by: java.lang.IllegalArgumentException: TLSv1.1
>
You must be using Java version <= 1.6; TLSv1.1 is available from version
1.7 and higher, so use Java version >= 1.7.

>       at com.sun.net.ssl.internal.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:133)
>       at com.sun.net.ssl.internal.ssl.ProtocolList.<init>(ProtocolList.java:38)
>       at com.sun.net.ssl.internal.ssl.SSLEngineImpl.setEnabledProtocols(SSLEngineImpl.java:1736)
>       at org.apache.mina.filter.ssl.SslHandler.init(SslHandler.java:176)
>       at org.apache.mina.filter.ssl.SslFilter.onPreAdd(SslFilter.java:426)
>       at org.apache.mina.core.filterchain.DefaultIoFilterChain.register(DefaultIoFilterChain.java:381)
>       ... 5 more
>
>
> Any ideas where the issue may come from?
>
> Thanks,
>
> Karim
>



-- 
Kiran Ayyagari
http://keydap.com
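
The root cause in the trace above is SSLEngine.setEnabledProtocols() rejecting a protocol name the running JVM does not know (TLSv1.1 there). The following is an added example, not code from the thread or from the Apache Directory API: it uses only standard JSSE calls to list what the JVM supports and to enable only the supported subset of a wish list. The class name TlsProtocolCheck, the helper usable() and the WANTED list are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class TlsProtocolCheck {
    // Protocols the client would like to enable, strongest first (constructed list).
    static final String[] WANTED = {"TLSv1.3", "TLSv1.2"};

    /** Returns the entries of wanted that this JVM's SSLEngine reports as supported. */
    static String[] usable(SSLEngine engine, String[] wanted) {
        Set<String> supported =
                new LinkedHashSet<String>(Arrays.asList(engine.getSupportedProtocols()));
        List<String> ok = new ArrayList<String>();
        for (String protocol : wanted) {
            if (supported.contains(protocol)) {
                ok.add(protocol);
            }
        }
        return ok.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // JVM default key and trust managers
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);

        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("supported    = " + Arrays.toString(engine.getSupportedProtocols()));

        String[] enable = usable(engine, WANTED);
        if (enable.length == 0) {
            // Fail with a clear message instead of silently falling back to older protocols.
            throw new IllegalStateException(
                    "This JVM supports none of " + Arrays.toString(WANTED));
        }
        // Passing a name the JVM does not support here raises
        // IllegalArgumentException, as in the stack trace in the thread.
        engine.setEnabledProtocols(enable);
        System.out.println("enabled      = " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

Running this on the same JVM as the LDAP client shows whether the protocol named in the exception appears in the supported list before startTls() is attempted.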