
Trying to use SSL with Netscape LDAP SDK 3.0 for java


Dinyar Sarkari
Jul 17, 1998
I want to connect to the Netscape Directory Server from a java
application using the Netscape LDAP SDK 3.0 for java from a
java application. According to the online documentation the
LDAPSSLSocketFactory and the LDAPSSLSocketWrapFactory
classes rely on a separate class that implements SSL sockets.
The online doc doesn't provide any details about these classes
or any sample code.

Can someone tell me where I can find these class libraries
or how I can use the netscape.net.SSLSocket class from my
application?

Also how can I export a CA certificate from the netscape browser
database to a file, so that I can use it from some other
application?

Mark Wilcox
Jul 20, 1998
Hi,
See Chapter 12 in the SDK documentation.
According to the docs you will need the netscape.net.SSLSocket class if
you don't implement your own.
This class is in the java40.jar file included in Netscape 4.05 (and 4.5
PR1) but not before. You will need to include java40.jar in your
classpath for your application.

I don't know how to export a certificate from the db. You might check
the SSLeay mailing list.

I haven't tried SSL yet, let us know how it works out.

Mark

--
--------------------------------------------
Mark Wilcox
mewi...@unt.edu
Web Administrator
University of North Texas
(940)565-2568
http://www.unt.edu/
"The only difference between a common computer user and a guru is
in the number of people who know when you make a mistake." MEW

Dinyar Sarkari
Jul 21, 1998
Hi Mark,

Thanks for your reply.

I should have mentioned in my earlier message that I had tried
to use the default class, i.e. the netscape.net.SSLSocket class.

It returns the following error:
"DSA is unavailable, unable to establish connection"

Although the directory server log shows that a connection
was made to the ssl port and then closed with errno=5.

Running java in verbose mode indicates the following:
[Loaded netscape/net/SSLSocket.class from jar\java40.jar]
[Loaded java/net/Socket.class from c:\jdk1.1.6\lib\classes.zip]
[Loaded java/lang/reflect/Constructor.class from
c:\jdk1.1.6\lib\classes.zip]
[Loaded java/net/InetAddress.class from c:\jdk1.1.6\lib\classes.zip]
[Loaded java/net/UnknownHostException.class from
c:\jdk1.1.6\lib\classes.zip]
[Loaded java/lang/Void.class from c:\jdk1.1.6\lib\classes.zip]
[Loaded java/lang/Byte.class from c:\jdk1.1.6\lib\classes.zip]
[Loaded java/lang/Short.class from c:\jdk1.1.6\lib\classes.zip]
[Loaded java/lang/Long.class from c:\jdk1.1.6\lib\classes.zip]
[Loaded java/net/InetAddressImpl.class from c:\jdk1.1.6\lib\classes.zip]
[Loaded java/net/PlainSocketImpl.class from c:\jdk1.1.6\lib\classes.zip]
[Loaded java/net/SocketImpl.class from c:\jdk1.1.6\lib\classes.zip]
[Loaded java/net/SocketOptions.class from c:\jdk1.1.6\lib\classes.zip]
[Loaded netscape/net/SSLSocketImpl.class from jar\java40.jar]
[Loaded java/lang/SecurityManager.class from c:\jdk1.1.6\lib\classes.zip]
[Loaded java/lang/NoSuchMethodError.class from c:\jdk1.1.6\lib\classes.zip]

[Loaded java/lang/IncompatibleClassChangeError.class from
c:\jdk1.1.6\lib\classes.zip]
[Loaded java/lang/reflect/InvocationTargetException.class from
c:\jdk1.1.6\lib\classes.zip]

Any ideas what method it's looking for in the SecurityManager?

I am also not sure how netscape.net.SSLSocket gets access to the trusted
CA certificate from the netscape certificate database. I've put the
cert7.db in the current directory.

Thanks again
Dinyar

Mark Wilcox
Jul 21, 1998
I'll bet that the SSL classes either extend or implement some of the
SecurityManager classes or interfaces. I'm not that familiar with the Security
API, so I can't really answer.

I'll try and look into this some more.

I looked up error code 5. It says LDAP Compare False.
Are you trying to do client authentication? Or just establish an SSL connection?

Mark

Dinyar Sarkari
Jul 22, 1998
In this case I'm just trying to establish an SSL connection without
client authentication to get some search results. Based on that I'll
reconnect using client authentication. But the initial connection is
failing.

As far as I can see in the java docs, if the SecurityManager
has already been established, which is normally the case, you
cannot replace it with your own subclassed SecurityManager.

I think that the netscape.net.SSLSocket class will probably work
in Communicator only, because it may be trying to call a
SecurityManager method defined in Communicator's JVM only.

I have compared the public class in the SecurityManager in
jdk 1.1.6 classes.zip and java40.jar.

java40.jar seems to have the following additional methods:
----------
public boolean checkMatchPrincipalAlways(int);
public static boolean checkScopePermission(int);
public static boolean checksMatchPrincipalAlways(int);
public static boolean isPrivilegeEnabled(java.lang.String);
public static void enablePrivilege(java.lang.String);
public static void resetScopePermission();
public static void revertPrivilege();
public static void setScopePermission();
public static void setSecurityManager();
public void checkAccess(java.lang.Thread, java.lang.Throwable);
public void checkCreateSecurityManagerAccess();
public void checkResourceAccess(java.lang.String);
public void checkURLConnect(java.net.URL);
public void checkURLConnect(java.net.URL, java.net.URL);
----------

Also I think that the error codes in the server log are errno, the
C runtime errors in /usr/include/sys/errno.h.

Dinyar
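The comparison above (public members of one class as shipped in two different jars) is a quick way to find out which method a NoSuchMethodError or IncompatibleClassChangeError is complaining about. The tool below automates it by running javap against each copy and diffing the signature lines; it is an added example, not code posted in this thread, and it assumes a JDK's javap is on the PATH and that the two jars (or, for a java.* class such as SecurityManager, which javap resolves from the JDK itself when given a jar on the classpath, the two .class files extracted from the jars) are passed as arguments.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/**
 * Diff the public member signatures of one class between two jars
 * (or two extracted .class files) using javap. Added example; assumes
 * javap is on the PATH.
 */
public class PublicApiDiff {

    /**
     * Run "javap -public" against one target and collect the member lines.
     * A target ending in ".jar" is searched for className via -classpath;
     * any other target is treated as a .class file and passed to javap
     * directly (needed for java.* classes, which javap otherwise takes
     * from the running JDK rather than from the jar).
     */
    static Set<String> publicMembers(String target, String className)
            throws IOException, InterruptedException {
        List<String> cmd = new ArrayList<>(List.of("javap", "-public"));
        if (target.endsWith(".jar")) {
            cmd.add("-classpath");
            cmd.add(target);
            cmd.add(className);
        } else {
            cmd.add(target);
        }
        ProcessBuilder pb = new ProcessBuilder(cmd);
        pb.redirectErrorStream(true);
        Process p = pb.start();
        Set<String> members = new LinkedHashSet<>();
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(p.getInputStream()))) {
            String line;
            while ((line = r.readLine()) != null) {
                String s = line.trim();
                // javap prints one field/method/constructor per line, ending in ';'
                if (s.startsWith("public") && s.endsWith(";")) {
                    members.add(s);
                }
            }
        }
        if (p.waitFor() != 0) {
            throw new IOException("javap failed for " + target + " (" + className + ")");
        }
        return members;
    }

    /** Members present in 'other' but absent from 'base'. */
    static Set<String> addedIn(Set<String> base, Set<String> other) {
        Set<String> added = new LinkedHashSet<>(other);
        added.removeAll(base);
        return added;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: PublicApiDiff <base.jar|.class> <other.jar|.class> <class>");
            System.exit(2);
        }
        Set<String> base = publicMembers(args[0], args[2]);
        Set<String> other = publicMembers(args[1], args[2]);
        System.out.println("Only in " + args[1] + ":");
        for (String m : addedIn(base, other)) System.out.println("  " + m);
        System.out.println("Only in " + args[0] + ":");
        for (String m : addedIn(other, base)) System.out.println("  " + m);
    }
}
```

Run with the JDK's classes.zip (or rt.jar) copy of the class as the base and the vendor jar as the other; the "Only in" list for the vendor jar is the set of methods that a class compiled against that jar can call but which will fail at link time on the plain JDK.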

Mark Wilcox
Jul 22, 1998
I'll try and check this out with Netscape, but I think you are right.

Mark


Jack Pan-Chen
Aug 20, 1998, to Dinyar Sarkari
Dinyar Sarkari wrote:

> Hi Mark,
>
> Thanks for your reply.
>
> I should have mentioned in my earlier message that I had tried
> to use the default class, ie. netscape.net.SSLSocket class.
>
> It returns the following error:
> "DSA is unavailable, unable to establish connection"
>
> Although the directory server log shows that a connection
> was made to the ssl port and then closed with errno=5.
>

Are you running SSL in the standalone application? If you want to do SSL with
the netscape.net.SSLSocket, you have to do it in the applet inside the
communicator. This is stated in the documentation. The communicator provides
a way, transparent to the user, to retrieve the cert from the database. If
you really want to run it as a standalone app, you have to use other third
party software like SSLeay or SSLava etc. The Java SDK currently doesn't
provide a way to retrieve a certificate from the communicator database or other
database. You need to find a way to manage the certificate if you want to use
client auth.

Christine

Rob Weltman
Aug 20, 1998
Yes, you are right. netscape.net.SSLSocket (which is the default parameter to the LDAPSSLSocketFactory constructor) works only if you are running in Communicator's VM. Client authentication works well there, too.

We have used SSLava from Phaos. Their older version was JDK 1.02 compatible, so it didn't extend Socket and required using our LDAPSSLSocketWrapFactory class. Their current version is JDK 1.1 compatible, and can be used with LDAPSSLSocketFactory.

Doing client authentication is harder. It is supported by SSLava, but you'll have to figure out how to provide your certificate to it. You can export certificates from Communicator, but that's just the first step.

The following is some code to use SSLava for server authentication. It uses dynamic invocation, so the code can be compiled and also run in an environment where SSLava is not available. The code for other SSL packages compatible with javax.net.ssl should be similar.

Rob

import java.lang.reflect.Method;
import netscape.ldap.LDAPConnection;
import netscape.ldap.LDAPSSLSocketFactory;

public class DSUtil {

    /**
     * Create an unconnected LDAPConnection object, with or without an
     * SSL factory
     *
     * @param useSSL If true, use an SSL socket factory
     * @return An LDAPConnection, or null if SSL was requested but the
     *         SSL package is not available (never falls back to plaintext)
     */
    public static LDAPConnection makeLDAPConnection( boolean useSSL ) {
        LDAPConnection ldc = null;
        if ( useSSL ) {
            Object cipherSuite = getCipherSuite();
            if ( cipherSuite == null ) {
                System.err.println( "DSUtil.makeLDAPConnection: " +
                                    "cannot get cipher suite to " +
                                    "establish secure connection" );
                return null;
            }
            // The SDK loads SSL_PACKAGE by name, so no compile-time
            // dependency on the SSLava classes is needed here
            LDAPSSLSocketFactory sfactory =
                new LDAPSSLSocketFactory( SSL_PACKAGE, cipherSuite );
            ldc = new LDAPConnection( sfactory );
        } else {
            ldc = new LDAPConnection();
        }
        return ldc;
    }

    /**
     * Obtain the cipher suite object from SSLava via reflection, so this
     * class still loads and compiles when SSLava is absent
     */
    private static Object getCipherSuite() {
        if ( _cipherSuite == null ) {
            try {
                Class c = Class.forName( SSL_CIPHERS );
                Method m = c.getMethod( "getCipherSuite", new Class[0] );
                _cipherSuite = m.invoke( null, new Object[0] );
            } catch (Exception e) {
                System.err.println("DSUtil.getCipherSuite: Cannot load class, " +
                                   e );
            }
        }
        return _cipherSuite;
    }

    private static Object _cipherSuite = null;
    private static final String SSL_PACKAGE = "crysec.SSL.SSLSocket";
    private static final String SSL_CIPHERS = "crysec.SSL.SSLParams";
}
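The part the thread leaves open for a standalone application is the trust decision: which CA the client accepts for the server's certificate, and how it gets that CA from an exported file. The following is an added example using the standard javax.net.ssl API (the kind of package Rob says should be usable with the SDK in the same way); it is not code from the thread or from the Netscape SDK. It reads a CA certificate exported to a PEM or DER file, builds an SSLContext that trusts only that CA, and opens a server-authenticated socket to an LDAPS port with hostname checking turned on. The file path, host and port are assumptions supplied on the command line.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Server-authenticated TLS to an LDAPS port, trusting only one exported CA.
 * Added example (javax.net.ssl); not part of the Netscape LDAP SDK.
 */
public class LdapsTrust {

    /** Load the exported CA certificate (PEM or DER) as the sole trust anchor. */
    static SSLContext contextTrustingOnly(Path caFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca;
        try (InputStream in = Files.newInputStream(caFile)) {
            ca = (X509Certificate) cf.generateCertificate(in);
        }
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);                  // empty store: nothing trusted by default
        ts.setCertificateEntry("exported-ca", ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no client key: server auth only
        return ctx;
    }

    /** Connect and complete the handshake, verifying the chain and the hostname. */
    static SSLSocket connect(SSLContext ctx, String host, int port) throws Exception {
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters params = s.getSSLParameters();
        // A certificate that chains to the CA but names another host is rejected.
        params.setEndpointIdentificationAlgorithm("LDAPS");
        s.setSSLParameters(params);
        s.startHandshake();                   // throws SSLHandshakeException on failure
        return s;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults; override on the command line.
        Path ca = Path.of(args.length > 0 ? args[0] : "exported-ca.pem");
        String host = args.length > 1 ? args[1] : "ldap.example.com";
        int port = args.length > 2 ? Integer.parseInt(args[2]) : 636;
        try (SSLSocket s = connect(contextTrustingOnly(ca), host, port)) {
            X509Certificate leaf = (X509Certificate)
                    s.getSession().getPeerCertificates()[0];
            System.out.println("Server authenticated: " + leaf.getSubjectX500Principal());
        }
    }
}
```

The empty KeyStore is deliberate: the context trusts the exported CA and nothing else, so a server presenting a certificate from any other issuer fails the handshake instead of silently succeeding against the JDK's default trust list. Client authentication, which the thread discusses separately, would add a KeyManager for the client key to the first argument of ctx.init.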
