LDAP + SSL

binerf
Champ in-the-making
Hello,

I'm trying to configure Alfresco's (4.0b) authentication against an openldap service.
This openldap listens on port 636 with SSL.
So, I've configured the ldap-authentication.properties by adding:

ldap.authentication.java.naming.provider.url=ldaps://ldap_server:636

I've added the ldap SSL certificate in keystore file:
/opt/alfresco-4.0.b/java/bin/keytool -import -alias ldap_server -keystore /etc/java/keystore -file certificate.crt
Then I'm prompted for a password.
I typed "changeit".

Then I've modified /opt/alfresco-4.0.b/tomcat/scripts/ctl.sh:

     export JAVA_OPTS="-XX:MaxPermSize=512m -Xms128m -Xmx768m -Dalfresco.home=/opt/alfresco-4.0.b -Dcom.sun.management.jmxremote -Dsun.security.ssl.allowUnsafeRenegotiation=true -Djavax.net.ssl.trustStore=/etc/java/keystore"
but I still get an error when I try to login Alfresco web interface.

On ldap server site, we got this error:
closed (TLS negotiation failure)

So, I assume that my Alfresco is able to contact the ldap server but gets an error when it tries to open a TLS connection.

What am I doing wrong, please?

Thank you in advance for your help.

binerf
Champ in-the-making
Hi all,

Do you think that anything is missing in the command line:
$ ps -ef|grep java
root      3934     1  2 Feb19 ?        00:57:12 /opt/alfresco-4.0.b/java/bin/java -Djava.util.logging.config.file=/opt/alfresco-4.0.b/tomcat/conf/logging.properties -XX:MaxPermSize=512m -Xms128m -Xmx768m -Dalfresco.home=/opt/alfresco-4.0.b -Dcom.sun.management.jmxremote -Dsun.security.ssl.allowUnsafeRenegotiation=true -Djavax.net.ssl.trustStore=/etc/java/keystore -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dcom.sun.management.jmxremote.port=6789 -Dcom.sun.management.jmxremote.host=127.0.0.1 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.access.file=/opt/alfresco-4.0.b/tomcat/conf/jmxremote.access -Dcom.sun.management.jmxremote.password.file=/opt/alfresco-4.0.b/tomcat/conf/jmxremote.passwd -Djava.endorsed.dirs=/opt/alfresco-4.0.b/tomcat/endorsed -classpath /opt/alfresco-4.0.b/tomcat/bin/bootstrap.jar -Dcatalina.base=/opt/alfresco-4.0.b/tomcat -Dcatalina.home=/opt/alfresco-4.0.b/tomcat -Djava.io.tmpdir=/opt/alfresco-4.0.b/tomcat/temp org.apache.catalina.startup.Bootstrap start

How can I debug my error, please? On the Alfresco server side?

Many thanks for your help.

binerf
Champ in-the-making
Hi All,

To update my issue, I found a Java class to debug it (http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services#ConnectingtoSSLservices-Debu...).

Then I tried without mentioning the keystore:

[user@client]$ java SSLPoke ldap_service.domain.com 636
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
        at sun.security.validator.Validator.validate(Validator.java:218)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:73)
        at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
        … 15 more
[user@client]$

Then I executed this command with my keystore:

[user@client]$ java -Djavax.net.ssl.trustStore=/etc/java/keystore SSLPoke ldap_service.domain.com 636
Successfully connected
[user@client]$

Maybe Alfresco's Java doesn't care about the keystore file /etc/java/keystore… but I've added the -Djavax.net.ssl.trustStore option in the /opt/alfresco-4.0.b/tomcat/scripts/ctl.sh script and ps gives:

root     24814     1  9 11:18 pts/0    00:02:50 /opt/alfresco-4.0.b/java/bin/java -Djava.util.logging.config.file=/opt/alfresco-4.0.b/tomcat/conf/logging.properties -XX:MaxPermSize=512m -Xms128m -Xmx768m -Dalfresco.home=/opt/alfresco-4.0.b -Dcom.sun.management.jmxremote -Dsun.security.ssl.allowUnsafeRenegotiation=true -Djavax.net.ssl.trustStore=/etc/java/keystore -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dcom.sun.management.jmxremote.port=6789 -Dcom.sun.management.jmxremote.host=127.0.0.1 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.access.file=/opt/alfresco-4.0.b/tomcat/conf/jmxremote.access -Dcom.sun.management.jmxremote.password.file=/opt/alfresco-4.0.b/tomcat/conf/jmxremote.passwd -Djava.endorsed.dirs=/opt/alfresco-4.0.b/tomcat/endorsed -classpath /opt/alfresco-4.0.b/tomcat/bin/bootstrap.jar -Dcatalina.base=/opt/alfresco-4.0.b/tomcat -Dcatalina.home=/opt/alfresco-4.0.b/tomcat -Djava.io.tmpdir=/opt/alfresco-4.0.b/tomcat/temp org.apache.catalina.startup.Bootstrap start

No idea?

binerf
Champ in-the-making
Okay all, I figured it out.

Stupid guy am I.

In the ldap-authentication.properties file, I've just changed
ldap.authentication.java.naming.security.authentication=digest-md5
to
ldap.authentication.java.naming.security.authentication=simple
and it works!!!

Sorry for bothering you, but the error on the ldap server is not very helpful (closed (TLS negotiation failure)).

ashwini
Champ in-the-making
Hello,
Could you please share your configuration details with me? I am trying it but getting an exception in the log file as below:

16 Jul, 2012 4:54:58 PM org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore
SEVERE: Failed to load keystore type pkcs12 with path /etc/java/keystore due to DerInputStream.getLength(): lengthTag=109, too big.
java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
   at sun.security.util.DerInputStream.getLength(DerInputStream.java:544)
   at sun.security.util.DerValue.init(DerValue.java:347)
   at sun.security.util.DerValue.<init>(DerValue.java:303)
   at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1200)
   at java.security.KeyStore.load(KeyStore.java:1185)
   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:350)
   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESocketFactory.java:320)
   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustManagers(JSSESocketFactory.java:513)
   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:419)
   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)
   at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
   at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176)
   at org.apache.catalina.connector.Connector.initialize(Connector.java:1014)
   at org.apache.catalina.core.StandardService.initialize(StandardService.java:680)
   at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
   at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
   at org.apache.catalina.startup.Catalina.load(Catalina.java:548)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
16 Jul, 2012 4:54:58 PM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
   at sun.security.util.DerInputStream.getLength(DerInputStream.java:544)
   at sun.security.util.DerValue.init(DerValue.java:347)
   at sun.security.util.DerValue.<init>(DerValue.java:303)
   at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1200)
   at java.security.KeyStore.load(KeyStore.java:1185)
   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:350)
   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESocketFactory.java:320)
   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustManagers(JSSESocketFactory.java:513)
   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:419)
   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)
   at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
   at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176)
   at org.apache.catalina.connector.Connector.initialize(Connector.java:1014)
   at org.apache.catalina.core.StandardService.initialize(StandardService.java:680)
   at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
   at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
   at org.apache.catalina.startup.Catalina.load(Catalina.java:548)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
16 Jul, 2012 4:54:58 PM org.apache.catalina.startup.Catalina load
SEVERE: Catalina.start
LifecycleException:  Protocol handler initialization failed: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
   at org.apache.catalina.connector.Connector.initialize(Connector.java:1016)
   at org.apache.catalina.core.StandardService.initialize(StandardService.java:680)
   at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
   at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
   at org.apache.catalina.startup.Catalina.load(Catalina.java:548)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
16 Jul, 2012 4:54:58 PM org.apache.catalina.startup.Catalina load

Thank you so much !!!

Ashwini
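The "DerInputStream.getLength(): lengthTag=109, too big." message in the post above is a format mismatch that can be checked before Tomcat is even restarted: the JDK's PKCS#12 loader reads the first byte as a DER tag and the second as a DER length byte, and a JKS file begins with the magic bytes FE ED FE ED, so the second byte 0xED masks to 0x6D = 109 length-of-length octets, which the JDK rejects as "too big". The script below is an added example, not code from the thread or from Alfresco or Tomcat; it assumes the keystore was produced by keytool with its default store type (JKS on the JDK of that era, as in the keytool command earlier in the thread) while the connector was configured with a pkcs12 store type, as the log line "Failed to load keystore type pkcs12" indicates. The sample file headers are constructed, and the function names are the example's own.

```python
"""Sniff a Java keystore/certificate file's on-disk format and predict what the
JDK's PKCS#12 loader will report for it (added example, constructed inputs)."""

import sys

# Constructed sample headers (first bytes only); JKS = magic, version 2, one entry.
SAMPLE_JKS_HEADER = bytes.fromhex("feedfeed 00000002 00000001")
SAMPLE_JCEKS_HEADER = bytes.fromhex("cececece 00000002 00000001")
SAMPLE_PKCS12_HEADER = bytes.fromhex("30820a10 020103")  # SEQUENCE, 2576 bytes, INTEGER 3
SAMPLE_PEM_HEADER = b"-----BEGIN CERTIFICATE-----\n"


def der_length(data: bytes, offset: int) -> tuple:
    """Decode a DER length field at data[offset], mirroring the JDK's
    DerInputStream.getLength(): returns (length, bytes_consumed), or raises
    ValueError carrying the JDK-style message for over-long length-of-length."""
    lenbyte = data[offset]
    if lenbyte & 0x80 == 0:          # short form: the byte is the length
        return lenbyte, 1
    n = lenbyte & 0x7F               # long form: n following octets hold the length
    if n == 0:
        return -1, 1                 # indefinite length (BER only; JDK returns -1)
    if n > 4:                        # JDK refuses more than 4 length octets
        raise ValueError(f"DerInputStream.getLength(): lengthTag={n}, too big.")
    value = 0
    for b in data[offset + 1:offset + 1 + n]:
        value = (value << 8) | b
    return value, 1 + n


def sniff_keystore(data: bytes) -> str:
    """Classify a store/certificate file by its leading bytes."""
    if data[:4] == b"\xfe\xed\xfe\xed":
        return "JKS"
    if data[:4] == b"\xce\xce\xce\xce":
        return "JCEKS"
    if data.startswith(b"-----BEGIN"):
        return "PEM"
    if data[:1] == b"\x30":          # DER SEQUENCE: PKCS#12 PFX or a DER certificate
        return "DER"
    return "unknown"


def explain_pkcs12_load(data: bytes) -> str:
    """What the first DerValue read inside PKCS12KeyStore.engineLoad would
    report for this file: the JDK error text, a tag complaint, or a plausible PFX."""
    try:
        tag = data[0]
        length, _ = der_length(data, 1)
    except ValueError as err:
        return str(err)
    if tag != 0x30:
        return f"DER tag 0x{tag:02x} is not SEQUENCE (0x30); not a PKCS#12 file"
    return f"SEQUENCE of {length} bytes: plausible PKCS#12 PFX"


def diagnose(data: bytes, configured_type: str) -> str:
    """Compare the sniffed format with the store type the server is configured
    for, so the mismatch is caught before the connector fails at startup."""
    actual = sniff_keystore(data)
    wanted = configured_type.upper()
    if wanted == "PKCS12" and actual != "DER":
        return (f"mismatch: file looks like {actual} but connector expects PKCS12; "
                f"loader would say: {explain_pkcs12_load(data)}")
    if wanted == "JKS" and actual != "JKS":
        return f"mismatch: file looks like {actual} but connector expects JKS"
    return f"ok: file looks like {actual}, matches configured type {wanted}"


if __name__ == "__main__":
    # Usage: python sniff_keystore.py /etc/java/keystore pkcs12
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            print(diagnose(fh.read(16), sys.argv[2]))
    else:
        print(diagnose(SAMPLE_JKS_HEADER, "pkcs12"))
```

Run against the real file with the configured type as the second argument; a JKS store presented as pkcs12 reproduces the exact lengthTag=109 message from the log, a JCEKS store gives lengthTag=78 by the same arithmetic, and the fix is either to set the connector's store type to match the file or to rebuild the store in the expected format.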