
SSL connection to LDAP using java??


Yansong Lei

Sep 9, 1999
I have been struggling for several days trying to figure out this problem:

I am writing a client program that tries to make an SSL connection to an
LDAP server in Java. How do I specify the certificate database file used
by the client? Is there any Java method corresponding to
ldapssl_client_init(certfile,...) in C, where you can specify the
certificate database file? Does this have to be done at the LDAPConnection
level, or at the SSLSocket (or the factory) level? A small
segment of code would be greatly appreciated.

Yansong Lei
Yanso...@qwest.com
Software Developer
Qwest Communication

Rob Weltman

Sep 13, 1999
Yansong Lei wrote:

> I have been struggling several days trying to figure out this problem:
>
> I am writing a client program that tries to make an SSL connection to an
> LDAP server in Java. How do I specify the the certificate database file used
> by the client? Is there any corresponding method of JAVA to the
> ldapssl_client_init(certfile,...) in C, where you can specify the
> certificate database file. Does this have to be done in the LDAPConnection
> level, or it has to be done in the SSLSocket (or the factory) level? A small
> segment of code will be greatly appreciated.

There is currently no support in Java (outside of Communicator) for reading a Netscape certificate database, which is why there is no support for client authentication as an application. You would need to write a class that implements LDAPSSLSocketFactoryExt (perhaps extending LDAPSSLSocketFactory); the class could take the name of a certificate database as a constructor parameter. But you would have to write the code for extracting certs from the database yourself.

An easier alternative might be to export the certs from the database (using Communicator or the command-line tools that come with Netscape server products) and access them as individual files.

Rob
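Rob's answer above says the Java SDK cannot read a Netscape certificate database and that the way in is a custom socket factory that takes the exported certificate file. As an added example (not Rob's code and not part of the Directory SDK), here is such a factory written against the SDK's netscape.ldap.LDAPSocketFactory interface, using JSSE (javax.net.ssl, which did not ship with the JDK in 1999; Java 7 or later is assumed for the hostname check) to build a trust store from the exported DER file. The class name DerTrustSocketFactory, the alias "ldap-server" and the command-line arguments are my own; only makeSocket, LDAPConnection, connect, disconnect and LDAPException come from the SDK.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import netscape.ldap.LDAPConnection;
import netscape.ldap.LDAPException;
import netscape.ldap.LDAPSocketFactory;

/**
 * Added example, not from the thread or the SDK: an LDAPSocketFactory whose
 * trust anchors come from one exported DER certificate file (the "cert.der"
 * of the thread) instead of the JVM's default cacerts or a Netscape cert7.db.
 * Hostname checking is switched on, so a server that presents a different
 * certificate is rejected during the handshake, before any bind password is sent.
 */
public class DerTrustSocketFactory implements LDAPSocketFactory {
    private final SSLContext ctx;

    public DerTrustSocketFactory(String derCertPath) throws Exception {
        // Parse the exported certificate. If the server's certificate was issued
        // by a CA, export and pass the CA certificate here instead; PKIX will
        // then build the chain up to it.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate anchor;
        try (InputStream in = new FileInputStream(derCertPath)) {
            anchor = (X509Certificate) cf.generateCertificate(in);
        }
        // An in-memory key store holding only that certificate acts as the trust store.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);
        ts.setCertificateEntry("ldap-server", anchor);   // alias is arbitrary
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);     // no client key: server auth only
    }

    /** Called by LDAPConnection.connect(); must return a connected socket. */
    public Socket makeSocket(String host, int port) throws LDAPException {
        try {
            SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("LDAPS"); // name in cert must match host
            s.setSSLParameters(p);
            s.startHandshake();   // fail here, not after the bind, if trust or name check fails
            return s;
        } catch (IOException e) {
            throw new LDAPException("Failed to create SSL socket: " + e.getMessage(),
                                    LDAPException.CONNECT_ERROR);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: DerTrustSocketFactory <host> <cert.der>");
            System.exit(2);
        }
        LDAPConnection ld = new LDAPConnection(new DerTrustSocketFactory(args[1]));
        ld.connect(args[0], 636);   // the SDK calls makeSocket(host, 636) internally
        System.out.println("Connected over SSL to " + args[0]);
        ld.disconnect();
    }
}
```

The factory only authenticates the server. Certificate-based client authentication, which the thread goes on to discuss, would additionally need a KeyManager initialised from the client's key and certificate in the SSLContext.init call, which the SDK's own LDAPSSLSocketFactory could not do outside Communicator at the time.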

Peter Koenig

Sep 24, 1999
Rob Weltman wrote:

> There is currently no support in Java (outside of Communicator) for reading a Netscape certificate database, which is why there is no support for client authentication as an application. You would need to write a class that implements LDAPSSLSocketFactoryExt (perhaps extending LDAPSSLSocketFactory); the class could take the name of a certificate database as a constructor parameter. But you would have to write the code for extracting certs from the database yourself.
>
> An easier alternative might be to export the certs from the database (using Communicator or the command-line tools that come with Netscape server products) and access them as individual files.
>
> Rob

I have an individual "cert.der" file exported.
How could I get access to the LDAP server with SSL? (with the command-line utilities from the LDAP SDK)
(I cannot manage it.)

Thanks ....

Peter Koenig
Nortel-Dasa, Germany


Rob Weltman

Sep 27, 1999
Peter Koenig wrote:

You can't with the native Netscape command-line utilities, since they expect a certificate database of the type Communicator uses. You'll have to check with the Phaos documentation for SSLava to see how to access certificates with it (for server or client authentication). Once you've got that, it should be pretty easy to hook some code into an extension of LDAPSSLSocketFactory.

Rob

Peter Koenig

Sep 29, 1999
Hi there !

Is it possible to add the Novell NLDAP certificate "cert.der" to the Communicator certificate database to access the NLDAP server with SSL??
You wrote that there is no support for Java "outside Communicator". How is it IN Communicator with JavaScript, and how does it work? Ideas?

regards

Peter Koenig
Nortel-Dasa, Germany

Mark Wilcox

Sep 29, 1999
to Peter Koenig
The easiest way to try to import cert.der would be to put it on a website and attempt to download it (not sure if that works, but that's my best bet).

The Directory SDK docs include code on how to connect to SSL in Java in communicator.

Outside of the browser you'll need to do one of the following:
a) obtain a 3rd party Java SSL library from someone like PHAOS or RSA. I think there is a Java version of SSLeay as well.

b) perhaps easier is to use stunnel. stunnel acts like an SSL proxy. It enables a non-SSL client to connect to an SSL server via SSL. http://mike.daewoo.com.pl/computer/stunnel/

Mark
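Mark's option (b) only helps if stunnel also verifies the server's certificate; without that, the tunnel accepts whatever certificate the far end presents, and anyone on the path can stand in for the directory server while the client believes it is talking over SSL. As an added example (not Mark's and not from the stunnel distribution), here is a client-side stunnel configuration that accepts plain LDAP on a local port and forwards it to the LDAPS port, trusting only the certificate exported from the server. It assumes stunnel 5.x option names; ldap.example.com, the ports and the file path are placeholders.

```ini
; Added example: client-side stunnel, plain LDAP in on localhost, SSL out.
client     = yes
foreground = yes

[ldaps]
; point the non-SSL Java client (plain LDAPConnection) at 127.0.0.1:1389
accept  = 127.0.0.1:1389
connect = ldap.example.com:636

; trust exactly the exported server certificate, converted from DER to PEM
; (stunnel reads PEM, so cert.der has to be converted first)
CAfile     = /etc/stunnel/ldap-server.pem
verifyPeer = yes
; reject a valid certificate issued to some other name
checkHost  = ldap.example.com
```

If the server certificate is CA-issued rather than self-signed, put the CA certificate in CAfile and use verifyChain = yes instead of verifyPeer. Either way, keep the accept address on 127.0.0.1: the client-side leg is unencrypted, so binding it to an external interface would expose bind passwords to the LAN.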

Rob Weltman

Sep 29, 1999
Peter Koenig wrote:

> Hi there !
>
> Is it possible to add the Novell-NLDAP-certificate "cert.der" to the Communicator certificate database to access the NLDAP-Server with SSL ??

You should be able to click on the security icon at the bottom left of the status bar, select Certificate/Yours, and then "Import a Certificate...".

>
> You wrote, that it is "outside Communicator" no support for Java. How it is IN Communicator with Javascript and how it works ? Ideas ?

I've never tried it, but it should work the same way as in Java:

var ld = new LDAPConnection( new LDAPSSLSocketFactory() );

or

var ld = new LDAPConnection( new LDAPSSLSocketFactory( true ) );

(if you want to use client authentication)

Rob

Peter Koenig

Sep 30, 1999
Hi there !

Thanks for your hint, but importing the "cert.der" file into Communicator ("Import a certificate") doesn't work.
Communicator expects a "PKCS12" file. If I switch to "show all files" and click on the "cert.der" file, the following message appears:
"The certificates can't be imported. The selected file is corrupt or invalid/not suitable."

If I double-click on the "cert.der" file, for example in Explorer (not the browser!), a window with certificate information appears.
There is a button "Install certificate ..." and this works. The problem is that this is a Windows NT-based install and not Communicator.
Windows can use this file but Communicator cannot!

Hmmmmm ... heavy problem. :-)
Any other ideas?

Peter Koenig
Nortel-Dasa, Germany


Rob Weltman wrote:

> Peter Koenig wrote:

Peter Koenig

Sep 30, 1999
Hi there !

The problem with "importing certificates" is solved!
If someone has the same problem ... the solution is below ...

Okay, the "cert.der" file is imported and searching with the "address book" on port 636 now works perfectly!!! :-)
Now to my problem with the SSL connection via JavaScript. I used these lines ....
------------------------------------------------------
var SSLconnect=new netscape.ldap.LDAPSSLSocketFactory();
var ld = new netscape.ldap.LDAPConnection(SSLconnect);
SSLconnect.enableClientAuth();
var sock=SSLconnect.makeSocket(host,port);
----------------------------------------------------------
variables
host = IP of server
port = 636 (for SSL-connections)

Now this message appears:
--------------------------------
JavaScript Error: uncaught Java exception netscape/ldap/LDAPException ("Failed to create SSL socket")
--------------------------------------------------------------------------

Perhaps my syntax is wrong!?!?

Regards

Peter Koenig
Nortel-Dasa, Germany
---------------------------------------------------------------------------

SOLUTION:
In Windows 9x and Windows NT the problem is that Windows has the registry entry for, for example, ".der" files.
That means that Windows can open these files, but Netscape can't.

I found a solution at "support.novell.com". You have to add this entry to the registry:
-------------------------------------------------------
REGEDIT4

[HKEY_CLASSES_ROOT\.der]
@="certificatefile"
"Content Type"="application/x-x509-ca-cert"
-------------------------------------------------------

If you add this to the registry, Netscape Communicator is able to open the certificate file and import it.
Simply choose "File/Open" and select the cert file. Now the Import window of Netscape Communicator appears!!!

Rob Weltman

Sep 30, 1999
Peter Koenig wrote:

> Now my problem with the SSL-Connection via Javascript. I used these lines ....
> ------------------------------------------------------
> var SSLconnect=new netscape.ldap.LDAPSSLSocketFactory();
> var ld = new netscape.ldap.LDAPConnection(SSLconnect);
> SSLconnect.enableClientAuth();
> var sock=SSLconnect.makeSocket(host,port);

Should be:

// Ask the user for permission to establish a remote
// connection
netscape.security.PrivilegeManager.enablePrivilege(
"UniversalConnect");
var ld = new netscape.ldap.LDAPConnection(new netscape.ldap.LDAPSSLSocketFactory(true));
ld.connect( host, port );


If you are connecting to a host other than the web host, you have to ask for that privilege or you will get an exception in a browser, because you are trying to do something outside the sandbox.

Connect with the LDAPConnection (not the socket factory).

There is some info on using these classes at http://developer.netscape.com/docs/manuals/index.html?content=directory.html and http://developer.netscape.com/docs/manuals/dirsdk/jsdk40/Reference/index.html.

Rob

Peter Koenig

Oct 1, 1999
I have included these lines ...
------------------------------------------
netscape.security.PrivilegeManager.enablePrivilege("UniversalConnect");
var ld=new netscape.ldap.LDAPConnection (new netscape.ldap.LDAPSSLSocketFactory(true));
ld.connect(host, 636);
------------------------------------------
... but it doesn't work.
This error appears: "JavaScript Error: uncaught Java exception netscape/ldap/LDAPException ("unable to establish connection")"

What do you mean by "//Ask the user for permission to establish a remote connection"??
(A Netscape security window appears asking whether I want to accept the connection or not. Do you mean this message?)


In Chapter 12 of the NS SDK for Java, there is this introduction:
------------------------------------------
To enable an applet to use certificate-based client authentication, do the following:
1. Construct a new LDAPSSLSocketFactory object.
2. Invoke the enableClientAuth method of the object to enable certificate-based client authentication.
3. Pass the object you constructed to the LDAPConnection constructor.
------------------------------------------

If I use these lines ...
------------------------------------------
netscape.security.PrivilegeManager.enablePrivilege("UniversalConnect");
var SSLconnect=new netscape.ldap.LDAPSSLSocketFactory(true);
SSLconnect.enableClientAuth();

var ld = new netscape.ldap.LDAPConnection(SSLconnect);

ld.connect(host, 636);
-----------------------------------------
... the same error message appears: "JavaScript Error: uncaught Java exception netscape/ldap/LDAPException ("unable to establish connection")"

My certificate is correct! If I import it into Netscape Communicator and use the "address book" to access the LDAP server via SSL (port 636), the connection is secure and searching works perfectly.
How does the connection work via the Netscape Communicator "address book"? Is "certificate-based client authentication" used?

I have no more ideas for finding out how this works. Do you have any examples of connecting over SSL? :-)

Many thanks ... and have a nice weekend!

Peter Koenig
Nortel-Dasa, Germany


Rob Weltman wrote:

> Should be:

Peter Koenig

Oct 4, 1999
There is a tool from Netscape, "signtool 1.1", which can sign Java/JavaScript files!!
Do I need to sign my JavaScript file to get access to the LDAP server over SSL?

Regards

Peter Koenig
Nortel-Dasa, Germany


Rob Weltman wrote:

> Peter Koenig wrote:
>
> > Now my problem with the SSL-Connection via Javascript. I used these lines ....
> > ------------------------------------------------------
> > var SSLconnect=new netscape.ldap.LDAPSSLSocketFactory();
> > var ld = new netscape.ldap.LDAPConnection(SSLconnect);
> > SSLconnect.enableClientAuth();
> > var sock=SSLconnect.makeSocket(host,port);

Rob Weltman

Oct 7, 1999
to Peter Koenig
Peter Koenig wrote:

> There is a tool from Netscape: "signtool 1.1" which could sign java/javscript-files !!
> Do i need to sign my Javscript-file to get access to LDAP-Server over SSL ?

You need to either sign the file, or disable security (temporarily, for your own browser while testing):

Exit completely from Communicator
Add this to prefs.js:
user_pref("signed.applets.codebase_principal_support", true);
Start Communicator again

There is a lot of info on signing JAR files and scripts at developer.netscape.com.

Rob


Peter Koenig

Oct 8, 1999
Hi Rob !

I added the "user_pref" line but nothing works at all. :-(

You said that I have to use these lines ...
---------------------------------------------------------------------------
netscape.security.PrivilegeManager.enablePrivilege("UniversalConnect");
var ld=new netscape.ldap.LDAPConnection (new netscape.ldap.LDAPSSLSocketFactory(true));
ld.connect("131.147.40.21",636);
---------------------------------------------------------------------------
... error "Can't establish connection!"


Something really crazy happens if I use these lines to connect ...
---------------------------------------------------------------------------
netscape.security.PrivilegeManager.enablePrivilege("UniversalConnect");
var ld = new netscape.ldap.LDAPConnection();
ld.connect(2,"131.147.40.21",636);
---------------------------------------------------------------------------
Netscape crashes!!! There is no way to recover Netscape; I have to close the task!


If I use these lines to connect ...
---------------------------------------------------------------------------
netscape.security.PrivilegeManager.enablePrivilege("UniversalConnect");
var SSLconnect=new netscape.ldap.LDAPSSLSocketFactory();
var ld = new netscape.ldap.LDAPConnection(SSLconnect);
SSLconnect.enableClientAuth();

alert(SSLconnect);
var sock=SSLconnect.makeSocket("131.147.40.21",636);
---------------------------------------------------------------------------
... error: "Failed to create SSL-Socket"

I have added the line "alert(SSLconnect);" to see inside the object.
This is the result: "netscape.ldap.LDAPSSLSocketFactory@80149b0"
Can you explain how this works?
(I think it can't work because of the complete class name .. perhaps only the number after
the "@" is really needed. Perhaps a problem with Java/JavaScript?)

Do you have any ideas for "listening on the ports" to see what happens?
The problem is that I can't search for the difficulties, because I can't imagine where the
problem is! Is there any possibility of getting a log from Netscape Communicator of what is
going on? (Ports etc.)

Kind Regards

Rob Weltman

Oct 13, 1999
to Peter Koenig
Peter Koenig wrote:

> Hi Rob !
>
> I added the "user_pref"-line but nothing works at all. :-(
>
> You said, that i have to use these lines ...
> ---------------------------------------------------------------------------
> netscape.security.PrivilegeManager.enablePrivilege("UniversalConnect");
> var ld=new netscape.ldap.LDAPConnection (new netscape.ldap.LDAPSSLSocketFactory(true));
> ld.connect("131.147.40.21",636);
> ---------------------------------------------------------------------------
> ... error "Can't established connection!"

Let's step back a little. Can you do a non-SSL connection? I.e. does the following work?

netscape.security.PrivilegeManager.enablePrivilege("UniversalConnect");
var ld=new netscape.ldap.LDAPConnection ();
ld.connect("131.147.40.21",389);
java.lang.System.out.println( "Connected" );

That works for me (with a different host, of course).

I don't have a server set up for SSL for the moment to try out the SSL variant.


>
>
> Something really crazy happens if i use these lines to connect ...
> ---------------------------------------------------------------------------
> netscape.security.PrivilegeManager.enablePrivilege("UniversalConnect");
> var ld = new netscape.ldap.LDAPConnection();
> ld.connect(2,"131.147.40.21",636);
> ---------------------------------------------------------------------------
> Netscape crashes !!! No way to recover Netscape,i have to close the task !

It's trying to create a non-SSL connection to an SSL port. The two sides cannot talk to each other.

>
>
> If i use these lines to connect ...
> ---------------------------------------------------------------------------
> netscape.security.PrivilegeManager.enablePrivilege("UniversalConnect");
> var SSLconnect=new netscape.ldap.LDAPSSLSocketFactory();
> var ld = new netscape.ldap.LDAPConnection(SSLconnect);
> SSLconnect.enableClientAuth();
> alert(SSLconnect);
> var sock=SSLconnect.makeSocket("131.147.40.21",636);
> ---------------------------------------------------------------------------
> ... error:"Failed to create SSL-Socket"
>
> I have added the line "alert(SSLconenct);" to see inside the object.
> This is the result: "netscape.ldap.LDAPSSLSocketFactory@80149b0"
> Can you explain how this works ?
> (I think, it can't work because of the complete classname .. perhaps only the number after
> the "@" is really needed. Perhaps a problem with Java/Javscript ?)

That's the default implementation of Object.toString(). It tells you the class name of the object and a unique identifier of the instance. Perfectly OK.

>
>
> Do you have any ideas in "listening the ports" to see what happens ?
> The problem is, that i can't search for the difficulties, because i can't imagine where the
> problem is ! Is there any possibility to get a protocol of netscape Communicator, what is
> going on ? (Ports etc.)

Just: take a look at the access and error logs of the Directory Server, to see if the client even attempted a bind.

Rob

Muwon Lum

Oct 13, 1999
Which command-line tool allows me to export my certificate database cert7.db
to X.509 .der format? I tried to use Netscape Communicator to export the
certificates, but it only gave me a .p12 file. I looked for a tool in
/usr/netscape/suitespot/ but did not find one.

Please give me some help.

Thanks,
Muwon

Rob Weltman wrote:

> Yansong Lei wrote:
>
> > I have been struggling several days trying to figure out this problem:
> >
> > I am writing a client program that tries to make an SSL connection to an
> > LDAP server in Java. How do I specify the the certificate database file used
> > by the client? Is there any corresponding method of JAVA to the
> > ldapssl_client_init(certfile,...) in C, where you can specify the
> > certificate database file. Does this have to be done in the LDAPConnection
> > level, or it has to be done in the SSLSocket (or the factory) level? A small
> > segment of code will be greatly appreciated.
>

> There is currently no support in Java (outside of Communicator) for reading a Netscape certificate database, which is why there is no support for client authentication as an application. You would need to write a class that implements LDAPSSLSocketFactoryExt (perhaps extending LDAPSSLSocketFactory); the class could take the name of a certificate database as a constructor parameter. But you would have to write the code for extracting certs from the database yourself.
>
> An easier alternative might be to export the certs from the database (using Communicator or the command-line tools that come with Netscape server products) and access them as individual files.
>
> Rob
>
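Muwon's question above is how to get a .der out of what Communicator exports, which is only a password-protected PKCS#12 (.p12) file. As an added example (not from the thread, Communicator or the Directory SDK), here is a small Java program that opens the .p12 with the standard java.security.KeyStore "PKCS12" provider and writes the certificate out as DER, which is what X509Certificate.getEncoded() returns. P12ToDer, its arguments and the usage line are my own names. The .p12 also carries the private key, which is why it is password-protected; the .der written here contains only the public certificate and can be handed to a socket factory or to stunnel without exposing the key.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;

/** Added example: extract the certificate from a Communicator PKCS#12 export as DER. */
public class P12ToDer {

    /**
     * Copies the certificate stored in the PKCS#12 file to derPath as DER.
     * If alias is null, the first entry that carries a certificate is used.
     * Returns the subject DN of the certificate that was written.
     */
    public static String export(String p12Path, char[] password, String alias, String derPath)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12Path)) {
            ks.load(in, password);   // wrong password: IOException here, nothing written
        }
        if (alias == null) {
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
                String a = e.nextElement();
                if (ks.getCertificate(a) != null) { alias = a; break; }
            }
        }
        Certificate cert = (alias == null) ? null : ks.getCertificate(alias);
        if (!(cert instanceof X509Certificate)) {
            throw new IllegalArgumentException("no X.509 certificate found in " + p12Path);
        }
        X509Certificate x = (X509Certificate) cert;
        try (OutputStream out = new FileOutputStream(derPath)) {
            out.write(x.getEncoded());   // for X.509 this is the DER encoding
        }
        return x.getSubjectX500Principal().getName();
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: P12ToDer <in.p12> <out.der> [alias]");
            System.exit(2);
        }
        // Read the password from the terminal rather than argv, so it does not
        // show up in process listings or shell history.
        Console console = System.console();
        if (console == null) {
            System.err.println("no terminal available to read the PKCS#12 password");
            System.exit(2);
        }
        char[] password = console.readPassword("PKCS#12 password: ");
        try {
            String alias = args.length > 2 ? args[2] : null;
            String subject = export(args[0], password, alias, args[1]);
            System.out.println("wrote " + args[1] + " for " + subject);
        } finally {
            Arrays.fill(password, '\0');   // do not leave the password in memory
        }
    }
}
```

If the .p12 was exported for the server's certificate (rather than a personal one), the resulting .der is exactly the cert.der the earlier posts in this thread import into Communicator or hand to a socket factory; if the entry holds a chain, ks.getCertificateChain(alias) returns the issuers as well, and the CA certificate from that chain is usually the better trust anchor.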
