topic Re: Open LDAP with SSL/TLS and Alfresco 4.0.c in Alfresco Archive

Open LDAP with SSL/TLS and Alfresco 4.0.c

ashwini — Fri, 13 Jul 2012 15:11:53 GMT

Hi , I tried configuring Open LDAP with SSL/TLS with Alfresco 4.0.c and getting exception :My Configurations are as below :I have added below line in alfresco-global.properties fileauthentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap‍Created folder structure as below and copied files from subs

Re: Open LDAP with SSL/TLS and Alfresco 4.0.c

iblanco — Sat, 14 Jul 2012 18:27:53 GMT

Does the keystore exist ? It looks like a problem not with Alfresco but with Java. You must make sure that the Java running tomcat does validate the certificate send by your LDAP server or configure JVM to ignore invalid Certificates. But it seems your problem is previous.

I know is not the direct solution for your problem but hope it points you to the right direction to check.

Bye.

Re: Open LDAP with SSL/TLS and Alfresco 4.0.c

ashwini — Tue, 17 Jul 2012 13:48:39 GMT

Hello ,

I think you are right, when I checked connection using certificate its successful as shown below

alfadmin@alfresc-VM:~$ java -Djavax.net.ssl.trustStore=/etc/java/keystore SSLPoke email.datamatics.eu 636
Successfully connected
alfadmin@alfresc-VM:~$ 
‍‍‍‍

Could you please tell me how can I check, weather certificates get validated by tomcat or not ?

Regards,
Ashwini

Re: Open LDAP with SSL/TLS and Alfresco 4.0.c

iblanco — Tue, 17 Jul 2012 14:46:53 GMT

Does Alfresco work properly without LDAP configuration ? I'm not 100% sure your problem is LDAP related.

Have you tried specifying your keystore in JAVA_OPTS environment variable ??? If you have a vanilla tomcat installed probably editing catalina.sh (or catalina.bat in windows) and adding "-Djavax.net.ssl.trustStore=/etc/java/keystore" and/or "-Djavax.net.ssl.keyStore=/etc/java/keystore" options to JAVA_OPTS should point tomcat to the right keystore.

Re: Open LDAP with SSL/TLS and Alfresco 4.0.c

ashwini — Tue, 17 Jul 2012 15:22:06 GMT

Yes,Alfresco works perfectly without LDAP configuration.
And ya I have edited catalina.sh and specified keystore in JAVA_OPTS environment variable as below :

JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/etc/java/keystore"‍

but nothing changed .. same exceptions .

Re: Open LDAP with SSL/TLS and Alfresco 4.0.c

ashwini — Thu, 19 Jul 2012 08:41:51 GMT

Alfresco runs on https (tomcat has been configured for SSL),When I disabled my https , then I was able connect to Open ldaps with the same configuration. But when I enable https again I gets exception as below :

SEVERE: Failed to load keystore type pkcs12 with path /etc/java/keystorePkcs12 due to DerInputStream.getLength(): lengthTag=109, too big.
java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.‍‍

same exception I found when I tried to convert keystore manually from jks to pkcs12 type

I have generated keystore as below :

sudo keytool -import -alias domain -keystore /etc/java/keystore -file /home/alfadmin/Desktop/xyz.der‍

Checked type for generated keystore

keytool -list -keystore /etc/java/keystore‍

which showed me keystore type as jks.
keystore.type=jks set in java.security .

I have configured server.xml for https as below:

<Connector port="333" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"  
                keystoreType="pkcs12" keystoreFile="/etc/keystore/sss.p12"
   keystorePass= "htgkilnsg" /> 
‍‍‍‍‍‍

Here I noticed keystoreType="pkcs12".

Is this the reason why java tries to convert the keystore type from jks to pkcs12.
has anybody configured Open Ldap with ssl on alfresco running on https ?

Re: Open LDAP with SSL/TLS and Alfresco 4.0.c

ashwini — Wed, 01 Aug 2012 08:09:10 GMT

Finally I have figured out the problem.

After importing both certificates (one for tomcat SSL and another for ldaps ) together in single keystore file , problem is resolved.

Now ldap over SSL is integrated with alfresco ( tomcat with https ).