Posted to users@tomcat.apache.org by rakesh meka <ra...@gmail.com> on 2022/09/18 03:02:36 UTC

HOW TO ENABLE LDAPS ON TOMCAT 8.5

Hi All ,

Greetings for the day! Hope you are doing Great .

Currently the application deployed on Tomcat 8.5 uses the LDAP
protocol for AD authentication of SAP users. I need to change LDAP to
LDAPS, so I installed the domain certificate using keytool. But when I change
the port number to 636 I see an error saying LDAP Connection has been
closed.

I need your help on how to enable/change to LDAPS.
Do I need to import the LDAP certificate into the Tomcat truststore and then
import the certificate into the keystore?


Thanks in Advance,

Meka Rakesh.

AW: HOW TO ENABLE LDAPS ON TOMCAT 8.5

Posted by "Thomas Hoffmann (Speed4Trade GmbH)" <Th...@speed4trade.com.INVALID>.
Short correction:
The URL is of course ldaps (not https)

> -----Original Message-----
> From: Thomas Hoffmann (Speed4Trade GmbH)
> <Th...@speed4trade.com.INVALID>
> Sent: Monday, 19 September 2022 08:38
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: AW: HOW TO ENABLE LDAPS ON TOMCAT 8.5

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: HOW TO ENABLE LDAPS ON TOMCAT 8.5

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Rakesh,

On 9/20/22 17:56, rakesh meka wrote:
> I will just ask my AD team to provide the CA certificate which is
> already installed on the AD domain controller and then place it in the client
> (Tomcat web server) truststore if it is not official.

If you post your configuration, we may be able to help point you in the 
right direction.

> Apart from this, I have done so much R&D on this but found mixed
> answers. But if you have an idea, can you please share any insights?
> 
> While generating the keystore/CSR for SSL/TLS using keytool, I used RSA and my
> CA team wants me to use 4096 as the key size. And when I configured it, I receive
> "certificate is invalid" in the browser.

The browser is telling you that the certificate is *untrusted*, not invalid.

> Then the first question raised is: does keytool RSA support 4096 or
> only 2048 key size encryption? Java 1.8
Java supports arbitrary key sizes up to 16384 for RSA keys. Oddly 
enough, keytool for Java 8 will tell you that's the maximum. Later 
versions (I used 16.something) will just say "invalid key size" for 
those larger than 16k.

-chris



Re: HOW TO ENABLE LDAPS ON TOMCAT 8.5

Posted by rakesh meka <ra...@gmail.com>.
Hi Thomas,

Really, thank you so much for the response.

I will just ask my AD team to provide the CA certificate which is
already installed on the AD domain controller and then place it in the client
(Tomcat web server) truststore if it is not official.

Apart from this, I have done so much R&D on this but found mixed
answers. But if you have an idea, can you please share any insights?

While generating the keystore/CSR for SSL/TLS using keytool, I used RSA and my
CA team wants me to use 4096 as the key size. And when I configured it, I receive
"certificate is invalid" in the browser. Then the first question raised is: does
keytool RSA support 4096 or only 2048 key size encryption?
Java 1.8

I really appreciate your help and thanks very much once again.


Regards
Meka Rakesh.


AW: HOW TO ENABLE LDAPS ON TOMCAT 8.5

Posted by "Thomas Hoffmann (Speed4Trade GmbH)" <Th...@speed4trade.com.INVALID>.
Hello,

> -----Original Message-----
> From: rakesh meka <ra...@gmail.com>
> Sent: Sunday, 18 September 2022 22:57
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: HOW TO ENABLE LDAPS ON TOMCAT 8.5
> 
> Hi Thomas,
> 
> Thank you so much for the quick response and help.
> 
> Having read all the responses clearly once again, I'm not sure if I'm being foolish.
> 
> First question:
> 
> So here in general, I would like to just summarize that the client will be the
> application server where I have Tomcat installed & the application is deployed.
> The server will be the domain controller server (LDAPS certificate to be installed as
> per the below Microsoft article).
> 
> Please confirm whether my understanding is correct.

Yes, the private key (e.g. pfx) is installed on the server side, the AD domain controller; let's call it AD.

> Second Question:
> 
> The LDAPS certificate is to be installed on the domain controller, so that all the other
> apps on different app servers can query by having a connection to the domain
> controller (in other terms the LDAPS server).
> 

The server needs the pfx-file (private key) and also the certificates (end-certificate and intermediates if not already present).
The private key is stored secretly and the certificate + intermediates are sent to the client during initial handshake.

> 
> Third Question:
> 
> The domain controller does already have the required certificates installed for
> LDAP authentication, because previously when I tried with port
> no. 389 I could see a successful LDAP connection established & the user could
> log in successfully.
> 
> So now, in order to change from LDAP to LDAPS, can you please let me know
> how I could proceed further?
> 
> IF the LDAPS certificate is to be installed on the APPLICATION SERVER:
> ---------------------------------
> 1. Generate the certificate request using keytool, following the same process
>    as per the article.
> 2. CSR.
> 3. Get it signed by the CA.
> 4. Keep the CA's certificate in the Java truststore.
> 5. Then make the port changes & host (domain/LDAP server name).
> 6. Restart Tomcat so that the webapp is deployed automatically.

The client only needs the CA certificate. Certificate requests are not needed; this is only done once for the server part.
If an official CA was used (e.g. Verisign), then the Java client normally already has the CA certificate in the truststore.
If not, you have to import the CA's certificate. The URL has to change to https and the LDAPS port 636.

The client needs to be able to validate the certificate. For this validation, the certificates which are sent by the server are used (end-certificate, intermediates)
and last but not least the CA certificate is used. This builds up a validation chain from the root CA and intermediates up to the end-certificate.
As the client trusts the root CA, it can also trust the server's certificate (end-certificate).

> Thanks & Regards,
> Meka Rakesh.
> 
> 
> 
> On Sun, Sep 18, 2022, 4:46 PM Thomas Hoffmann (Speed4Trade GmbH)
> <Th...@speed4trade.com.invalid> wrote:
> 
> > Hello,
> >
> > > -----Original Message-----
> > > From: rakesh meka <ra...@gmail.com>
> > > Sent: Sunday, 18 September 2022 11:53
> > > To: Tomcat Users List <us...@tomcat.apache.org>
> > > Subject: Re: HOW TO ENABLE LDAPS ON TOMCAT 8.5
> > >
> > > Hi Thomas,
> > >
> > > Good day
> > >
> > > Thanks for the response.
> > >
> > > I'm not using a self-signed certificate. I have given the CSR file to
> > > our organization's certificate admin team. And they got it signed by
> > > some third-party vendor and gave me the root & intermediate & domain
> > > certificates, which I already installed using keytool on the server
> > > side. However, I didn't keep
> > > those in the Java truststore.
> > >
> > > So I confirm that the domain certificate is not self-signed.
> > >
> > > I got to know from one of my colleagues that for LDAPS we also need
> > > to generate a certificate similarly to the domain certificate. Is it
> > > true? If yes, can you
> > > let me know how to generate the certificate for LDAPS.
> > >
> > > Application: used for internal purposes. Server: Windows
> > > server (actually the LDAP authentication certificate is already
> > > configured with the Windows truststore, it seems).
> > >
> > >
> > >
> > > Thanks and Regards
> > > Meka Rakesh.
> >
> > All the certificates based on public/private keys work the same.
> > The server needs the private key and the client needs the public key(s).
> > The only difference is the meta-data attached to the public key which
> > then gets signed by a CA together with the public key.
> > The required meta-data (OID etc.) is described here:
> > https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority
> >
> > So for using a Java client, you only need to ensure that the public
> > key/certificate of the signing CA (and intermediate certificates) are
> > available in the Java truststore.
> > If correctly configured, the intermediate certificates are provided by
> > the server, thus only the CA certificate is required on the client side.
> > Usually the CA's certificate and the intermediates are sent back
> > together with the signed key (e.g. by Verisign, Thawte ...). You can also
> > open your LDAPS certificate on Windows and take a look at the
> > certification tree. From there you can also double-click on the needed
> > certificate and export it if needed.
> > Which certificates (intermediates) are provided by the server can be
> > checked via openssl.
> >
> > Greetings, Thomas
> >
> > > On Sun, Sep 18, 2022, 12:31 PM Thomas Hoffmann (Speed4Trade GmbH)
> > > <Th...@speed4trade.com.invalid> wrote:
> > >
> > > > Hello,
> > > >
> > > > > -----Ursprüngliche Nachricht-----
> > > > > Von: rakesh meka <ra...@gmail.com>
> > > > > Gesendet: Sonntag, 18. September 2022 05:03
> > > > > An: Tomcat Users List <us...@tomcat.apache.org>
> > > > > Betreff: HOW TO ENABLE LDAPS ON TOMCAT 8.5
> > > > >
> > > > > Hi All ,
> > > > >
> > > > > Greetings for the day! Hope you are doing Great .
> > > > >
> > > > > Currently of the application is deplye Don the tomcat 8.5 uses
> > > > > LDAP
> > > > protocol
> > > > > for AD authentication of sap users. I need to change the LDAP to
> > LDAPS.
> > > > So I
> > > > > installed domain certificate using keytool. But when i change
> > > > > the port number to 636 I see an error saying LDAP Connection has
> > > > > been
> > > closed.
> > > > >
> > > > > I need your help to how to enable the process for
> > > > > enabling/Changing
> > > > LDAPS.
> > > > > Do I need to import the LDAP certificate to the tomcat
> > > > > truststore and
> > > > then
> > > > > import certificate to keystore ?
> > > > >
> > > > >
> > > > > Thanks in Advance,
> > > > >
> > > > > Meka Rakesh.
> > > >
> > > > If you are using a self signed certificate on server-side, then
> > > > you need to import the corresponding certificate (signed public
> > > > key) to the java truststore.
> > > > Keystore is used for private keys and not relevant in this case.
> > > >
> > > > Greetings, Thomas
> > > >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >

Re: HOW TO ENABLE LDAPS ON TOMCAT 8.5

Posted by rakesh meka <ra...@gmail.com>.
Hi Thomas,

Thank you so much for the quick response and help.

Having read all the responses clearly once again, I'm not sure if I'm being
foolish.

First question:

So here in general, I would like to just summarize that the client will be the
application server where I have Tomcat installed & the application is deployed.
The server will be the domain controller server (LDAPS certificate to be installed
as per the below Microsoft article).

Please correct me if my understanding is not correct.

Second Question:

The LDAPS certificate is to be installed on the domain controller, so that all the
other apps on different app servers can query it by having a connection to the
domain controller (in other terms, the LDAPS server).


Third Question:

The domain controller does already have the required certificates installed for
LDAP authentication, because previously when I tried with port no. 389 I could
see a successful LDAP connection established & the user could log in
successfully.

So now, in order to change from LDAP to LDAPS, can you please let me know how
I could proceed further?

IF THE LDAPS CERTIFICATE IS TO BE INSTALLED ON THE APPLICATION SERVER:
---------------------------------
1. Generate the certificate request using keytool, following the same
process as per the article.
2. CSR
3. Get it signed by a CA.
4. Keep the CA's certificate in the Java truststore.
5. Then make the port changes & host (domain/LDAP server name).
6. Restart Tomcat so that the webapp is deployed automatically.

Thanks & Regards,
Meka Rakesh.



On Sun, Sep 18, 2022, 4:46 PM Thomas Hoffmann (Speed4Trade GmbH)
<Th...@speed4trade.com.invalid> wrote:

> Hello,
>
> All certificates based on public/private keys work the same.
> The server needs the private key and the client needs the public key(s).
> The only difference is the meta-data attached to the public key, which then
> gets signed by a CA together with the public key.
> The required meta-data (OID etc.) is described here:
> https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority
>
> So for using a Java client, you only need to ensure that the public
> key/certificate of the signing CA (and the intermediate certificates) are
> available in the Java truststore.
> If correctly configured, the intermediate certificates are provided by the
> server, thus only the CA certificate is required on the client side.
> Usually the CA's certificate and the intermediates are sent back together
> with the signed key (e.g. by Verisign, Thawte ...).
> You can also open your LDAPS certificate on Windows and take a look at the
> certification tree. From there you can also double-click on the needed
> certificate and export it if needed.
> Which certificates (intermediates) are provided by the server can be
> checked via openssl.
>
> Greetings, Thomas
>
>

AW: HOW TO ENABLE LDAPS ON TOMCAT 8.5

Posted by "Thomas Hoffmann (Speed4Trade GmbH)" <Th...@speed4trade.com.INVALID>.
Hello,

> -----Original Message-----
> From: rakesh meka <ra...@gmail.com>
> Sent: Sunday, 18 September 2022 11:53
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: HOW TO ENABLE LDAPS ON TOMCAT 8.5
> 
> Hi Thomas,
> 
> Good day
> 
> Thanks for the Response.
> 
> I'm not using a self-signed certificate. I have given the CSR file to our
> organization's certificate admin team. And they got it signed by some
> third-party vendor and gave me the root, intermediate & domain certificates,
> which I have already installed using keytool on the server side. However,
> I didn't keep those in the Java truststore.
> 
> So I confirm that the domain certificate is not self-signed.
> 
> I got to know from one of my colleagues that for LDAPS also we need to
> generate a certificate similarly to the domain certificate. Is it true? If yes,
> can you let me know how to generate the certificate for LDAPS.
> 
> Application: used for internal purposes
> Server: Windows server (actually the LDAP authentication certificate is already
> configured with the Windows truststore, it seems).
> 
> 
> 
> Thanks and Regards
> Meka Rakesh.
 
All certificates based on public/private keys work the same.
The server needs the private key and the client needs the public key(s).
The only difference is the meta-data attached to the public key, which then gets signed by a CA together with the public key.
The required meta-data (OID etc.) is described here: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority

So for using a Java client, you only need to ensure that the public key/certificate of the signing CA (and the intermediate certificates) are available in the Java truststore.
If correctly configured, the intermediate certificates are provided by the server, thus only the CA certificate is required on the client side.
Usually the CA's certificate and the intermediates are sent back together with the signed key (e.g. by Verisign, Thawte ...).
You can also open your LDAPS certificate on Windows and take a look at the certification tree. From there you can also double-click on the needed certificate and export it if needed.
Which certificates (intermediates) are provided by the server can be checked via openssl.

Greetings, Thomas
 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
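Thomas's point that the chain the domain controller actually sends can be checked via openssl, and the "keep the CA's certificate in the Java truststore" step in Rakesh's list above, as an added Python example that is not code from this thread: it reads the subject/issuer lines that `openssl s_client -showcerts` prints above each PEM block, checks that each certificate is issued by the next one sent, and names the CA the truststore on the Tomcat side has to contain. The sample output, host names and CA names are constructed for the example, not taken from the thread.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the output of `openssl s_client -connect <dc>:636 -showcerts`.
# Host names, CA names and PEM bodies are made up; the check only reads the "s:" (subject)
# and "i:" (issuer) lines openssl prints above each PEM block, not the certificates.
SAMPLE_SHOWCERTS = """\
 0 s:CN = dc01.example.test
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgTEVBRiBDRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgSU5URVJNRURJQVRFIENFUlQ=
-----END CERTIFICATE-----
"""

@dataclass
class ChainEntry:
    subject: str
    issuer: str
    pem: str  # PEM block as sent; saved to a file, this is what keytool -importcert reads

ENTRY_RE = re.compile(
    r"^ *\d+ s:(?P<s>[^\n]*)\n *i:(?P<i>[^\n]*)\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----)",
    re.M | re.S)

def parse_showcerts(text):
    """Return the certificates the server presented, in the order it sent them."""
    return [ChainEntry(m["s"].strip(), m["i"].strip(), m["pem"])
            for m in ENTRY_RE.finditer(text)]

def check_chain(entries):
    """Walk leaf -> issuer and report what the Java truststore on the Tomcat side must hold."""
    if not entries:
        return {"sent": [], "ordered": False, "root_sent": False, "trust_anchor": None}
    ordered = all(a.issuer == b.subject for a, b in zip(entries, entries[1:]))  # each cert issued by the next
    last = entries[-1]
    root_sent = last.subject == last.issuer  # self-signed: the root itself was sent
    return {
        "sent": [e.subject for e in entries],
        "ordered": ordered,
        "root_sent": root_sent,
        # Name the client must trust directly: the root CA when the chain is complete; an
        # intermediate here means the server is not sending its intermediates.
        "trust_anchor": last.subject if root_sent else last.issuer,
    }

def keytool_import_cmd(pem_path, alias, truststore):
    """keytool command that adds a CA certificate to the truststore the Tomcat JVM uses."""
    return f"keytool -importcert -trustcacerts -file {pem_path} -alias {alias} -keystore {truststore}"
```

Run the real `openssl s_client` command, feed its output to `parse_showcerts`, and import the certificate named by `trust_anchor` with the printed keytool command (pointing `-keystore` at the truststore the Tomcat JVM actually reads).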


Re: HOW TO ENABLE LDAPS ON TOMCAT 8.5

Posted by rakesh meka <ra...@gmail.com>.
Hi Thomas,

Good day

Thanks for the Response.

I'm not using a self-signed certificate. I have given the CSR file to our
organization's certificate admin team. And they got it signed by some
third-party vendor and gave me the root, intermediate & domain certificates,
which I have already installed using keytool on the server side. However,
I didn't keep those in the Java truststore.

So I confirm that the domain certificate is not self-signed.

I got to know from one of my colleagues that for LDAPS also we need to
generate a certificate similarly to the domain certificate. Is it true? If yes,
can you let me know how to generate the certificate for LDAPS.

Application: used for internal purposes
Server: Windows server (actually the LDAP authentication certificate is already
configured with the Windows truststore, it seems).



Thanks and Regards
Meka Rakesh.



On Sun, Sep 18, 2022, 12:31 PM Thomas Hoffmann (Speed4Trade GmbH)
<Th...@speed4trade.com.invalid> wrote:

> Hello,
>
> If you are using a self-signed certificate on the server side, then you need
> to import the corresponding certificate (signed public key) into the Java
> truststore.
> The keystore is used for private keys and is not relevant in this case.
>
> Greetings, Thomas
>

AW: HOW TO ENABLE LDAPS ON TOMCAT 8.5

Posted by "Thomas Hoffmann (Speed4Trade GmbH)" <Th...@speed4trade.com.INVALID>.
Hello,

> -----Original Message-----
> From: rakesh meka <ra...@gmail.com>
> Sent: Sunday, 18 September 2022 05:03
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: HOW TO ENABLE LDAPS ON TOMCAT 8.5
> 
> Hi All ,
> 
> Greetings for the day! Hope you are doing Great .
> 
> Currently the application deployed on Tomcat 8.5 uses the LDAP protocol
> for AD authentication of SAP users. I need to change the LDAP to LDAPS. So I
> installed the domain certificate using keytool. But when I change the port
> number to 636 I see an error saying LDAP Connection has been closed.
> 
> I need your help with the process for enabling/changing to LDAPS.
> Do I need to import the LDAP certificate into the Tomcat truststore and then
> import the certificate into the keystore?
> 
> 
> Thanks in Advance,
> 
> Meka Rakesh.

If you are using a self-signed certificate on the server side, then you need to import
the corresponding certificate (signed public key) into the Java truststore.
The keystore is used for private keys and is not relevant in this case.

Greetings, Thomas

Re: HOW TO ENABLE LDAPS ON TOMCAT 8.5

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Rakesh,

On 9/17/22 23:02, rakesh meka wrote:
> Currently the application deployed on Tomcat 8.5 uses the LDAP
> protocol for AD authentication of SAP users. I need to change the LDAP to
> LDAPS. So I installed the domain certificate using keytool. But when I change
> the port number to 636 I see an error saying LDAP Connection has been
> closed.
> 
> I need your help with the process for enabling/changing to LDAPS.
> Do I need to import the LDAP certificate into the Tomcat truststore and then
> import the certificate into the keystore?

Can you please post your WORKING non-secure LDAP configuration back to 
the list? When asking about how to configure things, please always 
include the configuration you already have.

Please remember to remove any secrets that may be in your configuration 
before posting.

-chris
