Posted to users@tomcat.apache.org by pr...@BIRLASOFT.COM on 2008/02/22 18:15:38 UTC

FW: Certification Issue in production Tomcat server...


Hello Folks,



I am getting a security certificate problem in a J2EE based
application which is running on our production Tomcat server. The web
application's main functionality is to update users' details in the
Authentication Directory and reset users' passwords, and we are getting
an error while resetting passwords. The application uses SSL communication
while resetting the password in AD; the rest of the things are done
through non-SSL communication.



NOTE: Our application is based on Struts framework



JVM: j2re1.4.1_06

Tomcat: Tomcat 4.1

Windows: Windows 2000 SP4



Following is the error summary which I got after resetting a user's portal
password. Please have a look at this.



20 Feb 2008 17:34:27,130 DEBUG :    java.naming.factory.initial = com.sun.jndi.ldap.LdapCtxFactory [com.sunchemical.ldapapi.LDAPConnection]
20 Feb 2008 17:34:27,130 DEBUG :    com.sunchemical.ldap.ads.port = 636 [com.sunchemical.ldapapi.LDAPConnection]
20 Feb 2008 17:34:27,130 DEBUG :    com.sunchemical.ldap.ads.security.principal = SelfRegAdmin@sunchem.com [com.sunchemical.ldapapi.LDAPConnection]
20 Feb 2008 17:34:27,130 DEBUG :    java.naming.security.principal = SelfRegAdmin@sunchem.com [com.sunchemical.ldapapi.LDAPConnection]
20 Feb 2008 17:34:27,130 DEBUG :    com.sunchemical.ldap.ads.security.credentials = **** [com.sunchemical.ldapapi.LDAPConnection]
20 Feb 2008 17:34:27,130 DEBUG :    java.naming.provider.url = ldap://10.156.34.140:636/dc=sunchem,dc=com [com.sunchemical.ldapapi.LDAPConnection]
20 Feb 2008 17:34:27,130 DEBUG :    com.sunchemical.ldap.ads.security.authentication = simple [com.sunchemical.ldapapi.LDAPConnection]
20 Feb 2008 17:34:27,130 DEBUG :    com.sunchemical.ldap.ads.host = 10.156.34.140 [com.sunchemical.ldapapi.LDAPConnection]
20 Feb 2008 17:34:27,130 DEBUG :    com.sunchemical.ldap.ads.base.dn = dc=sunchem,dc=com [com.sunchemical.ldapapi.LDAPConnection]
20 Feb 2008 17:34:27,130 DEBUG :    java.naming.security.protocol = ssl [com.sunchemical.ldapapi.LDAPConnection]
20 Feb 2008 17:34:27,130 DEBUG :    com.sunchemical.ldap.ads.security.protocol = ssl [com.sunchemical.ldapapi.LDAPConnection]
20 Feb 2008 17:34:27,130 DEBUG :    java.naming.security.credentials = **** [com.sunchemical.ldapapi.LDAPConnection]
20 Feb 2008 17:34:27,146 ERROR : Error in invoker.execute() [com.sunchemical.ldapapi.LDAPActionInvoker]
javax.naming.CommunicationException: simple bind failed: 10.156.34.140:636.  Root exception is
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Could not find trusted certificate
            at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
            at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
            at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
            at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
            at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
            at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:69)
            at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:127)
            at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:390)
            at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:334)
            at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:193)
            at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2597)
            at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:275)
            at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:173)
            at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:191)
            at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
            at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
            at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
            at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
            at javax.naming.InitialContext.init(InitialContext.java:219)
            at javax.naming.InitialContext.<init>(InitialContext.java:195)
            at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:80)
            at com.sunchemical.ldapapi.LDAPConnection.createContext(Unknown Source)
            at com.sunchemical.ldapapi.LDAPActionInvoker.execute(Unknown Source)
            at com.sunchemical.admanagement.struts.controller.user.ResetUserPasswordAction.execute(ResetUserPasswordAction.java:61)
            at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
            at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
            at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
            at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:525)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:256)
            at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
            at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
            at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
            at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
            at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
            at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
            at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2415)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
            at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
            at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
            at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
            at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
            at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
            at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
            at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
            at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
            at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
            at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
            at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:594)
            at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:392)
            at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:565)
            at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
            at java.lang.Thread.run(Thread.java:536)
Caused by: java.security.cert.CertificateException: Could not find trusted certificate
            at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
            at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(DashoA6275)
            at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA6275)
            ... 61 more
20 Feb 2008 17:34:27,161 ERROR : Error while resetting the user's password.



Is this some kind of JVM error? Some time back we got the same
error, and it was fixed after installing the certificate on the same
server. But after around 15 days it happened again.



Please provide some valuable ideas to get rid of this error, and let me know
if you need any more details with regard to this.



Thanks & Regards,

Pranab Das
Software Engineer | Birlasoft Ltd. | +91 (0) 9810509123 |
pranab.das@BIRLASOFT.COM | www.birlasoft.com <http://www.birlasoft.com>






Re: FW: Certification Issue in production Tomcat server...

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Pranab,

pranab.das@BIRLASOFT.COM wrote:
| I am getting the security certification problem in a J2EE based
| application which is running on our production Tomcat server [while
| attempting to contact LDAP server over SSL].

[snip]

| Caused by: java.security.cert.CertificateException: Could not find
| trusted certificate
|
| at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)

It may be that the internal checking code for Java has changed since I
last encountered it, or you may be using JCE or something like that, but
you used to be able to run code similar to the following to disable cert
checking. I have this in a CVS repository that sometimes has to connect
to servers with self-signed SSL certs:

"
This code was written and tested on JDK 1.4.2_09.

You need to execute this code before you attempt to make an SSL connection.

    import java.security.KeyManagementException;
    import java.security.NoSuchAlgorithmException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;
    import javax.net.ssl.HttpsURLConnection;

    public static void disableSSLCertificateChecking()
    {
        // A trust manager that accepts every certificate chain without checking it.
        TrustManager[] trustAllCerts = new TrustManager[] {
            new X509TrustManager() {
                public X509Certificate[] getAcceptedIssuers() {
                    return null;
                }
                public void checkClientTrusted(X509Certificate[] certs,
                                               String authType) {
                }
                public void checkServerTrusted(X509Certificate[] certs,
                                               String authType) {
                }
            }
        };

        try
        {
            SSLContext sc = SSLContext.getInstance("SSL");

            sc.init(null, trustAllCerts, new java.security.SecureRandom());

            // Installs the trust-all context as the default for every HttpsURLConnection in the JVM.
            HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
        }
        catch (KeyManagementException kme)
        {
            kme.printStackTrace();
        }
        catch (NoSuchAlgorithmException nsae)
        {
            nsae.printStackTrace();
        }
    }

If you have access to the individual HttpURLConnection objects that will
be used to make SSL connections, you can disable them on a per-instance
basis by using HttpURLConnection.setSocketFactory(sc.getSocketFactory())
instead of using HttpURLConnection.setDefaultSSLSocketFactory and
changing the socket factory globally.
"

I hope that helps,
- -chris
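As an added example (not from this thread, Chris's repository or the poster's application), the alternative a defender would pick over the trust-all code above: hand the JNDI LDAP provider an SSLSocketFactory backed by a truststore that holds only the AD issuing CA, selected through the `java.naming.ldap.factory.socket` environment property, while keeping the same JNDI settings the poster's log shows. The truststore path and password, the class name and the URL are placeholders, and the code targets a current JDK rather than the 1.4.1 JVM in the thread.

```java
import java.io.*; import java.net.*; import java.security.KeyStore; import java.util.Hashtable;
import javax.naming.*; import javax.naming.directory.*; import javax.net.SocketFactory; import javax.net.ssl.*;

/** Added example: SSLSocketFactory that trusts only the CA(s) in a dedicated truststore. */
public class AdTrustStoreSocketFactory extends SSLSocketFactory {
    // Placeholders (not from the thread): a JKS file holding the AD issuing-CA certificate.
    static final String TRUSTSTORE = "/etc/app/ad-ca.jks";
    static final char[] PASSWORD = "changeit".toCharArray();
    private final SSLSocketFactory delegate;

    private AdTrustStoreSocketFactory() throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(TRUSTSTORE)) { ks.load(in, PASSWORD); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                                   // PKIX path validation against OUR CA only
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no client certs; real trust managers, not trust-all
        delegate = ctx.getSocketFactory();
    }

    /** JNDI calls this static method by name when java.naming.ldap.factory.socket is set. */
    public static SocketFactory getDefault() {
        try { return new AdTrustStoreSocketFactory(); }
        catch (Exception e) { throw new IllegalStateException("cannot load truststore " + TRUSTSTORE, e); }
    }

    // Pure delegation; the security decision lives in the trust managers above.
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean auto) throws IOException { return delegate.createSocket(s, h, p, auto); }
    @Override public Socket createSocket(String h, int p) throws IOException { return delegate.createSocket(h, p); }
    @Override public Socket createSocket(String h, int p, InetAddress l, int lp) throws IOException { return delegate.createSocket(h, p, l, lp); }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException { return delegate.createSocket(h, p); }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress l, int lp) throws IOException { return delegate.createSocket(h, p, l, lp); }

    /** Same JNDI settings as the thread's log (simple bind, security.protocol=ssl), but with the pinned factory. */
    public static DirContext connect(String url, String principal, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);             // placeholder, e.g. ldaps://dc01.example.com:636/dc=example,dc=com
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("java.naming.ldap.factory.socket", AdTrustStoreSocketFactory.class.getName());
        return new InitialDirContext(env);
    }
}
```

Because the truststore contains the issuing CA rather than one server certificate, a domain controller renewing its certificate (the kind of event that would make a leaf-only trust entry stop working after a few weeks) does not break the bind. JDK 8u181 and later also verify the certificate's hostname for LDAPS URLs, so connect by the DC's DNS name instead of the raw IP address seen in the log.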

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org