Issue with LDAP Cert, can't log in to fix it


Max DiOrio

Jun 16, 2017, 3:52:59 PM6/16/17
to pwm-general
Hi,

We are having a problem with our LDAPS certificate, so nobody can authenticate.  I tried changing configIsEditable to true in the PwmConfiguration.xml file and restarting Tomcat, but I still can't get in with the pwm user.  It still tries to auth via LDAP.

Directory unavailable. If this error occurs repeatedly please contact your help desk. { 5017 ERROR_DIRECTORY_UNAVAILABLE (all ldap profiles are unreachable; errors: ["error connecting as proxy user: unable to create connection: unable to connect to any configured ldap url, last error: unable to bind to ldaps://10.85.128.5:636 as CN=SVC_LDAP_RW,OU=General,OU=Service,OU=Accounts,DC=internal,DC=ieeeglobalspec,DC=com reason: CommunicationException (10.85.128.5:636; java.security.cert.CertificateException: server certificate {subject=} does not match a certificate in the configuration trust store.)"]) }

Any ideas?

Thanks!

Max

Jason Rivard

Jun 16, 2017, 11:05:16 PM6/16/17
to pwm-general
If configIsEditable is true you don't need to log in to get to /pwm/config.

Max DiOrio

Jun 20, 2017, 9:41:56 AM6/20/17
to pwm-general
On RedHat, my PwmConfiguration.xml file is in /var/pwm-data/PwmConfiguration.xml

Is there another location that I'm not seeing?  None of the documentation says it should be here, but the file isn't in the location specified in any documentation either.

I have definitely set it to true, and even rebooted the server.  Still not accessible.  I get ERR_CONNECTION_RESET.

Thanks.

Max DiOrio

Jun 20, 2017, 10:45:40 AM6/20/17
to pwm-general
So after I realized that I can't access that page via the reverse proxy, I accessed it directly via http://172.23.5.9:8080/pwm/config and got:

PWM 5084

This functionality is not available until the application configuration is restricted. { 5084 ERROR_APPLICATION_NOT_RUNNING }

Max DiOrio

Jun 20, 2017, 10:47:04 AM6/20/17
to pwm-general
And I'm an idiot.  I got it!  Sorry about that.

Mark

Jun 6, 2018, 7:14:23 PM6/6/18
to pwm-general
I have changed configIsEditable to false and when I go to the /config url I see a page with a link called "configuration manager" that flashes really fast and gets forwarded to the login page. It happens so fast that I can never click on the link. Any ideas please?

Is there any other way to import the LDAP certificate?

Mark

Jun 6, 2018, 7:18:07 PM6/6/18
to pwm-general
On Wednesday, June 6, 2018 at 4:14:23 PM UTC-7, Mark wrote:
> I have changed configIsEditable to false and when I go to the /config url I see a page with a link called "configuration manager" that flashes really fast and gets forwarded to the login page. It happens so fast that I can never click on the link. Any ideas please?
>
> Is there any other way to import the LDAP certificate?

To be more accurate, it says "Loading Configuration Manager" and then forwards to the login page.

Alberto Viana

Jun 7, 2018, 8:35:49 AM6/7/18
to pwm-g...@googlegroups.com
Hi Mark,

Once you're using the LDAPS protocol, you need to import your certificate into Tomcat's keystore database (the certificate used to integrate your Tomcat with your LDAP server). Here I'm using Tomcat 8, so basically what I did was:

1.
Edit /etc/tomcat8/server.xml 

Add this config to it:
<!-- HTTPS connector for Tomcat 8 using the NIO2 implementation.
     keystoreFile is the keystore that receives the p12 imported in step 2;
     keystorePass "changeit" is the Java default for that keystore. -->
<Connector
    protocol="org.apache.coyote.http11.Http11Nio2Protocol"
    port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="/etc/ssl/certs/java/cacerts" keystorePass="changeit"
    clientAuth="false" ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"
    SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
/>

Important things about that:
- There are a lot of different ways to do that; here I used nginx to listen on ports 80 and 443 and redirect any connection to port 8443 (internally)

- Comment out any other connectors that are using port 8443

- Here I used http11.Http11Nio2Protocol, but again, there are a lot of different ways to do that; check this doc (if you're using Tomcat 8):

- /etc/ssl/certs/java/cacerts is the default path for the Java keystore database on Ubuntu.

2.
Add your certificate (and private key) and CA root into the keystore:
a. So copy your certificate and CA root certificate to your pwm machine
b. Generate a p12 file:
~# openssl pkcs12 -export -in pwm_machine.crt -inkey machine_pwm.key \
     -CAfile CA_ROOT.crt -caname CA-ROOT -name pwm-p12 -out pwm.p12

important things:
- It will ask you for a password for this p12 file, REMEMBER IT
- This command will generate a pwm.p12 file that you will use to import in the next step
- REMEMBER the "name" used in the -name parameter, you will need it in the next step

c. Import the p12 file into your keystore database: 
keytool -importkeystore -srckeystore your_file_pwm.p12 -srcstoretype PKCS12 \
    -srcstorepass your_p12_file_password -alias the_name_used_for_export_p12_file \
    -destkeystore /etc/ssl/certs/java/cacerts \
    -deststorepass your_java_keystore_password -destkeypass your_java_keystore_password

Important things:
- The -alias parameter MUST match the name you used in the -name parameter when exporting the p12 file

- You can check the friendly name using the command:
openssl pkcs12 -in pwm.p12 -info



Hope that helps you.

Cheers,

Alberto Viana




Mark

Jun 7, 2018, 10:03:28 AM6/7/18
to pwm-general
Hi Alberto,

Thank you for your response. What you are describing is installing a certificate for accessing the URL of PWM. That part is working fine on my system.

LDAP connection uses a different certificate which is issued by the domain controller. That certificate was installed through the PWM Configuration Manager. What happened was that the certificate expired a few days ago and now no one can be authenticated including me (the admin). In order to import the new certificate into PWM, I need to access the Configuration Manager. As I described previously, I do not get the Configuration Manager portal when I change configIsEditable to false. "Loading Configuration Manager" flashes for a quick moment then goes into the logon page.

I was hoping there was another way of importing the LDAP certificate for authenticating users into PWM.
Thanks,
Mark
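Max's "does not match a certificate in the configuration trust store" error and Mark's expired domain-controller certificate look identical from PWM's side. The following is an added example, not code from this thread or from PWM: it fetches the certificate the LDAPS server currently presents and says whether it is expired or simply not the one in the trust store. It assumes you recorded the SHA-256 fingerprint of the certificate imported through the configuration manager; all function names are mine.

```python
# Added example, not code from the thread or from PWM: tell an expired LDAPS server
# certificate apart from one that is valid but absent from PWM's trust store, stdlib only.
import hashlib, socket, ssl
from datetime import datetime, timezone

def _tlv(buf, pos):                      # one DER tag/length/value -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _der(tag, body):                     # encode one short-form DER TLV (enough for the sample below)
    return bytes([tag, len(body)]) + body

def cert_validity(der):                  # (notBefore, notAfter) as UTC datetimes from a DER X.509 cert
    _, tbs, _ = _tlv(_tlv(der, 0)[1], 0) # Certificate ::= SEQUENCE { tbsCertificate ::= SEQUENCE { ... } }
    pos = _tlv(tbs, 0)[2] if tbs[0] == 0xA0 else 0     # skip the optional [0] version field
    for _ in range(3):                   # serialNumber, signature AlgorithmIdentifier, issuer Name
        _, _, pos = _tlv(tbs, pos)
    _, validity, _ = _tlv(tbs, pos)      # Validity ::= SEQUENCE { notBefore Time, notAfter Time }
    times, p = [], 0
    for _ in range(2):                   # Time is 0x17 UTCTime (YYMMDD...) or 0x18 GeneralizedTime (YYYYMMDD...)
        tag, val, p = _tlv(validity, p)
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
        times.append(datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc))
    return times[0], times[1]

def fingerprint(der):                    # SHA-256 of the DER; assumed recorded when the cert was imported into PWM
    return hashlib.sha256(der).hexdigest()

def diagnose(der, trusted_sha256, now=None):   # now: naive ISO-8601 UTC string; default is the current time
    now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc) if now else datetime.now(timezone.utc)
    not_before, not_after = cert_validity(der)
    if not not_before <= now <= not_after:
        return "expired"                 # (or not yet valid) Mark's case: the DC issued a new cert, re-import it
    return "ok" if fingerprint(der) in trusted_sha256 else "untrusted"   # Max's case: presented cert is not the trusted one

def fetch_server_cert(host, port=636):   # leaf cert the LDAPS server presents; no validation, diagnostic use only
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
        return tls.getpeercert(binary_form=True)

def sample_cert(not_before, not_after):  # constructed, structure-only certificate (no key or signature)
    utc = lambda s: _der(0x17, s.encode())          # UTCTime strings such as "180601000000Z"
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + _der(0x30, b"")
           + _der(0x30, utc(not_before) + utc(not_after)))
    return _der(0x30, _der(0x30, tbs))
```

Against a live server the call is `diagnose(fetch_server_cert("10.85.128.5"), {"<recorded sha256 hex>"})`; "expired" means the domain controller must issue a new certificate, "untrusted" means the one it presents simply has to be re-imported in the configuration manager.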


sha...@belldex.com

Jun 7, 2018, 11:34:15 AM6/7/18
to pwm-general
Max, I changed configIsEditable to true. I am getting this exact message "pwm 5084" no matter if I use http://<IP_Address>/pwm/config or the url. Is there anything else you did to get it working?

Mark

Jun 7, 2018, 4:04:48 PM6/7/18
to pwm-general
It's all sorted out. In my case it was the path, which should be: /pwm/private/config/manager.