Posted to users@tomcat.apache.org by Nathan Fiedler <nf...@bluemarsh.com> on 2007/03/15 08:39:59 UTC
JNDIRealm over SSL to OpenLDAP
While I can configure OpenLDAP and Tomcat 6 to connect over port 389,
without SSL, I cannot get it to work with a secure connection. All I
have done is set OpenLDAP to require SSL/TLS, which I know is working
fine, and modified the realm configuration to use port 636 and the ldaps
protocol. Given the lack of documentation in this area, I don't know
what else to try.
Here is my realm definition:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionURL="ldaps://localhost:636"
userPattern="uid={0},ou=people,dc=bluemarsh,dc=com"
roleBase="ou=groups,dc=bluemarsh,dc=com"
roleName="cn"
roleSearch="(uniqueMember={0})"/>
The exception in the catalina.out file is pasted below (sorry about the
length, but I'm afraid of trimming off any useful detail).
My questions are:
1) Does LDAP over SSL work in Tomcat 6?
2) If so, how do I get it to work?
Thanks
n
P.S. I searched the lists, FAQ, and bug database. It seems the only
thing I can find are some outdated emails without any solution.
WARNING: Exception performing authentication
javax.naming.CommunicationException: anonymous bind failed:
localhost:636 [Root exception is javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:176)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2658)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:287)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.InitialContext.<init>(InitialContext.java:197)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:1575)
at org.apache.catalina.realm.JNDIRealm.start(JNDIRealm.java:1664)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1007)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
at org.apache.catalina.core.StandardService.start(StandardService.java:448)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:552)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1520)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:182)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:511)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:449)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:817)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1029)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:621)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:393)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:334)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:170)
... 24 more
Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
... 36 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
... 42 more
Re: JNDIRealm over SSL to OpenLDAP
Posted by Nicholas Sushkin <ns...@openfinance.com>.
Nathan,
Judging from the exception, perhaps the problem is that the SSL certificate
used by OpenLDAP could not be validated by Java. It could be that you're
using a self-signed certificate and Java does not trust it. If you are
using a certificate signed by a third party, check that the root
certificate in your certificate chain is recognized by Java.
See http://mindprod.com/jgloss/certificate.html#VIEWING
On Thursday 15 March 2007 03:39, Nathan Fiedler wrote:
> P.S. I searched the lists, FAQ, and bug database. It seems the only
> thing I can find are some outdated emails without any solution.
>
>
> WARNING: Exception performing authentication
> javax.naming.CommunicationException: anonymous bind failed:
> localhost:636 [Root exception is javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target]
> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:176)
> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2658)
> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:287)
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
> ...
--
Nicholas Sushkin, Senior Software Engineer
Open Finance, Chelsea Piers Pier 62 Suite 316, New York NY 10011
Tel +1 646 723 2790 Fax +1 646 723 2789 nsushkin@openfinance.com
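The innermost frames of the trace (PKIXValidator.doBuild calling CertPathBuilder.build) are the JDK trying to build a certification path from the server's certificate to a trust anchor in the JVM trust store, and failing. The following standalone program, added here as an illustration and not part of either message or of Tomcat, runs that same PKIX path build offline against a certificate file, so you can see whether the trust store Tomcat uses would accept the OpenLDAP certificate before touching the realm again. It assumes a PEM or DER file holding the server certificate (optionally followed by its intermediates), a JKS trust store (defaulting to the JVM's own cacerts under java.home, password "changeit") and Java 7 or later syntax; the class and method names are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Offline check (hypothetical helper, not Tomcat code): would this trust store
 * accept the certificate chain the LDAP server presents? Reproduces the PKIX
 * path-building step that fails in the stack trace, without a live ldaps://
 * connection.
 *
 * Usage: java LdapsTrustCheck <server-chain.pem> [truststore.jks [password]]
 */
public class LdapsTrustCheck {

    /** Loads one or more PEM/DER X.509 certificates from a file, leaf first. */
    static List<X509Certificate> loadChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            List<X509Certificate> chain = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
            return chain;
        }
    }

    /** Loads the trust store; a null path means the JVM's default cacerts file. */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        String file = (path != null) ? path
                : System.getProperty("java.home") + "/lib/security/cacerts";
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Builds a certification path from the leaf to a trust anchor in the trust
     * store, as the SSL client does during the handshake. Returns the anchor's
     * subject DN on success, or null when no path exists (the "unable to find
     * valid certification path to requested target" condition).
     */
    static String findTrustAnchor(List<X509Certificate> chain, KeyStore trustStore)
            throws Exception {
        X509CertSelector leaf = new X509CertSelector();
        leaf.setCertificate(chain.get(0));

        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, leaf);
        // Make any intermediates the server sends available to the builder.
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(chain)));
        // CRL/OCSP checks need network access; keep this diagnostic offline.
        params.setRevocationEnabled(false);

        try {
            PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult)
                    CertPathBuilder.getInstance("PKIX").build(params);
            return result.getTrustAnchor().getTrustedCert()
                    .getSubjectX500Principal().getName();
        } catch (CertPathBuilderException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: LdapsTrustCheck <chain.pem> [truststore.jks [password]]");
            System.exit(2);
        }
        List<X509Certificate> chain = loadChain(args[0]);
        char[] pw = (args.length > 2 ? args[2] : "changeit").toCharArray();
        KeyStore ts = loadTrustStore(args.length > 1 ? args[1] : null, pw);

        System.out.println("Server certificate: " + chain.get(0).getSubjectX500Principal());
        System.out.println("Issued by:          " + chain.get(0).getIssuerX500Principal());
        String anchor = findTrustAnchor(chain, ts);
        if (anchor == null) {
            System.out.println("NOT TRUSTED: no path to a trust anchor. Import the issuing CA"
                    + " (or the self-signed server certificate itself) into the trust store.");
            System.exit(1);
        }
        System.out.println("Trusted via anchor: " + anchor);
    }
}
```

If the program reports NOT TRUSTED, the fix is to import the CA certificate (for a self-signed server certificate, that certificate itself) into the trust store rather than to disable validation, for example with keytool -importcert -trustcacerts -alias openldap-ca -file ca.pem -keystore truststore.jks, and then point Tomcat at that store with -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword in CATALINA_OPTS, or import into the JVM's cacerts directly. Note that the chain must lead to a trust anchor in the store Tomcat's JVM actually reads, which is why the check takes the store path as an argument; newer JDKs additionally require the certificate's name to match the host in connectionURL (here localhost), so a certificate issued for another hostname will fail even once it is trusted.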