LDAP now requires certificate


Keith Hulsey

Oct 30, 2020, 9:57:53 AM
to RSNA MIRC CTP/TFS User Group
I have been using LDAP for authentication, but the domain controller was updated to 2012 and now requires a cert for LDAP. The IT department provided me with the certification in a pfx file. How would I include this in my configuration? I tried using the LDAP Test Utility. The output is pasted below. I was also told that the security authentication may need to be changed from simple since LDAP now requires the certificate.

Thanks,
Keith
Exception:
javax.naming.CommunicationException: simple bind failed: swmsdc05.swmed.org:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2791)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.InitialContext.<init>(InitialContext.java:216)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
at org.rsna.ldap.LDAPUtil.connect(LDAPUtil.java:60)
at org.rsna.ldap.LDAPTest$MainPanel.actionPerformed(LDAPTest.java:128)
at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2022)
at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2348)
at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:402)
at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259)
at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:252)
at java.awt.Component.processMouseEvent(Component.java:6539)
at javax.swing.JComponent.processMouseEvent(JComponent.java:3324)
at java.awt.Component.processEvent(Component.java:6304)
at java.awt.Container.processEvent(Container.java:2239)
at java.awt.Component.dispatchEventImpl(Component.java:4889)
at java.awt.Container.dispatchEventImpl(Container.java:2297)
at java.awt.Component.dispatchEvent(Component.java:4711)
at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4904)
at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4535)
at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4476)
at java.awt.Container.dispatchEventImpl(Container.java:2283)
at java.awt.Window.dispatchEventImpl(Window.java:2746)
at java.awt.Component.dispatchEvent(Component.java:4711)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:760)
at java.awt.EventQueue.access$500(EventQueue.java:97)
at java.awt.EventQueue$3.run(EventQueue.java:709)
at java.awt.EventQueue$3.run(EventQueue.java:703)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:74)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:84)
at java.awt.EventQueue$4.run(EventQueue.java:733)
at java.awt.EventQueue$4.run(EventQueue.java:731)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:74)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:730)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:205)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:198)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1967)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:331)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:325)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1688)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:226)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1082)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:1010)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1079)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1388)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:765)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:441)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:414)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
... 49 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:450)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:317)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1670)
... 62 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:445)
... 68 more

John Perry

Oct 30, 2020, 12:30:46 PM
to rsnas-ctpmir...@googlegroups.com
Keith:
 
Although I wrote the LDAP code in CTP, I don't know anything about LDAP. Other people tested it for me, so I'm hoping someone who knows more will provide guidance.
 
In the meantime, the first thing I would try is importing the certificates from your PFX file into the default Java keystore, which is found in <jre>/lib/security/cacerts. If you haven't changed the password for the cacerts file, it is changeit.
 
You can list the contents of the cacerts file using the keytool program, which is included in the Java release. (You can also list it with the CTP/KeystoreManager.jar program, which has a File>Open cacerts command. KeystoreManager shouldn't be used for anything other than listing the keys in keystores because I never got around to finishing the other features.)
 
My knowledge of PFX files is minimal, but from what I can find, a PFX file is a keystore that contains certificates. If that is correct, you'll have to export the certificates it contains, and then import them into cacerts.
 
I found this Veritas page (https://www.veritas.com/support/en_US/article.100037482) that describes how to create a new JKS keystore from a PFX file using keytool.
 
Once you do that, you can use keytool again to export the certificates from the JKS keystore and import them into cacerts. (There must be a better way.)
 
Once the certificates are in cacerts, try LDAPTest to see if it works with your LDAP server.
 
If it does, we're still not out of the woods because CTP specifies its own keystore (CTP/keystore). That file contains one self-signed certificate (with the alias ctp). I don't know if Java will roll over to cacerts if it can't find a certificate in the specified keystore. If not, you'll have to import the JKS certificates into CTP/keystore.
 
(KeystoreManager knows the CTP keystore password (ctpstore), and when it starts, it automatically lists the keystore.)
 
JP
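The PFX-to-cacerts step described above, as an added example that is not CTP, LDAPTest or keytool code: a PFX is a PKCS#12 keystore, so Java can open it directly, walk its entries and copy the certificates (and only the certificates) into a JKS trust store such as <jre>/lib/security/cacerts. File paths, passwords and the alias prefix are placeholders supplied on the command line; the program writes a new trust store file instead of overwriting cacerts in place so the result can be tested first with -Djavax.net.ssl.trustStore=<out.jks> before it replaces the JVM's copy.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/*
 * Added illustration (not CTP/LDAPTest code): copy every certificate in a
 * PFX (PKCS#12) file into a JKS trust store such as <jre>/lib/security/cacerts,
 * which is what the keytool steps in the thread achieve. The private key stays
 * in the PFX: a trust store should hold trust anchors, not identities.
 * All file paths, passwords and the alias prefix are placeholders.
 */
public class PfxToTrustStore {

    /* Load a keystore of the given type ("PKCS12" for a PFX, "JKS" for cacerts on Java 8). */
    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /*
     * Copy certificates (key-entry chains and stand-alone certificate entries)
     * from the PFX into the trust store. Certificates already present are skipped
     * so the import can be re-run safely. Returns how many were added.
     */
    static int importCertificates(KeyStore pfx, KeyStore trust, String aliasPrefix) throws Exception {
        int added = 0;
        for (String alias : Collections.list(pfx.aliases())) {
            Certificate[] chain = pfx.isKeyEntry(alias)
                    ? pfx.getCertificateChain(alias)                   // leaf first, then its issuers
                    : new Certificate[] { pfx.getCertificate(alias) };
            if (chain == null) continue;
            for (Certificate c : chain) {
                if (!(c instanceof X509Certificate)) continue;
                X509Certificate x = (X509Certificate) c;
                if (trust.getCertificateAlias(x) != null) continue;   // already trusted under some alias
                trust.setCertificateEntry(aliasPrefix + "-" + added, x);
                System.out.println("added  " + x.getSubjectX500Principal()
                        + "  (issuer " + x.getIssuerX500Principal() + ")");
                added++;
            }
        }
        return added;
    }

    /* Write the trust store to a new file rather than overwriting the JVM's cacerts in place. */
    static void save(KeyStore ks, String path, char[] password) throws Exception {
        try (OutputStream out = new FileOutputStream(path)) {
            ks.store(out, password);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: PfxToTrustStore <file.pfx> <pfx-password> <cacerts> <cacerts-password> <out.jks>");
            System.exit(2);
        }
        KeyStore pfx   = load(args[0], "PKCS12", args[1].toCharArray());
        KeyStore trust = load(args[2], "JKS", args[3].toCharArray());   // "changeit" is the stock cacerts password
        int n = importCertificates(pfx, trust, "ldap-import");
        save(trust, args[4], args[3].toCharArray());
        System.out.println(n + " certificate(s) added; trust store written to " + args[4]);
    }
}
```

One caveat worth keeping in mind when following the keystore advice above: Java keeps the key store (the JVM's own identity, selected with -Djavax.net.ssl.keyStore) and the trust store (the CA certificates it accepts from peers, selected with -Djavax.net.ssl.trustStore, defaulting to jssecacerts and then cacerts under <jre>/lib/security) as separate settings. A "PKIX path building failed" error during an LDAPS bind is a trust-store problem, so if CTP/keystore is configured only as a key store, importing the LDAP server's issuing CA there will not by itself change the outcome; the issuer chain has to be in whichever store is acting as the trust store for the JVM that runs LDAPTest or CTP. Which store CTP itself configures is not something this thread settles, so check the JVM's effective trust store rather than assuming.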

Keith Hulsey

Nov 2, 2020, 4:48:13 PM
to RSNA MIRC CTP/TFS User Group
Hi John,

I was able to import the certificate into the cacerts following your instructions. However, LDAPTest still gives the same errors.

Keith
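When the import is done but LDAPTest still reports the same PKIX error, the useful next check is to see exactly which chain the LDAPS server presents and whether its top issuer is among the trust anchors the JVM is actually using. The following added diagnostic (not part of CTP or LDAPTest) performs the same TLS handshake JNDI performs for an ldaps:// URL, including the LDAPS hostname check, using the JVM's default trust manager wrapped so that the server's chain is captured even when validation fails. Host and port are command-line arguments (the placeholder default is ldaps.example.org:636); run it with the same -Djavax.net.ssl.trustStore setting, or the same JRE, that LDAPTest uses, since that is the trust store it reports on.

```java
import java.net.InetSocketAddress;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/*
 * Added diagnostic (not CTP/LDAPTest code): handshake with an LDAPS server
 * using the JVM's default trust store, record the chain the server sends,
 * and report whether its top issuer is one of the JVM's trust anchors.
 */
public class LdapsTrustCheck {

    /* Delegates the real PKIX decision to the JDK trust manager but remembers the presented chain. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        volatile X509Certificate[] lastChain = new X509Certificate[0];

        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            lastChain = chain;                              // capture before validation can throw
            delegate.checkServerTrusted(chain, authType);   // the same PKIX check JNDI would run
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /* The JDK's default trust manager: built from javax.net.ssl.trustStore, else jssecacerts/cacerts. */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    static String describe(X509Certificate c) {
        return "subject=" + c.getSubjectX500Principal() + "\n      issuer=" + c.getIssuerX500Principal()
                + "\n      notAfter=" + c.getNotAfter();
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "ldaps.example.org";   // placeholder host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 636;

        RecordingTrustManager rtm = new RecordingTrustManager(defaultTrustManager());
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { rtm }, null);

        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            s.connect(new InetSocketAddress(host, port), 10_000);
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("LDAPS");   // hostname check JNDI applies to ldaps:// URLs
            s.setSSLParameters(p);
            s.startHandshake();
            System.out.println("Handshake OK: " + s.getSession().getProtocol() + " " + s.getSession().getCipherSuite());
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake FAILED: " + e.getMessage());
        }

        X509Certificate[] chain = rtm.lastChain;
        System.out.println("Server presented " + chain.length + " certificate(s):");
        for (int i = 0; i < chain.length; i++) System.out.println("  [" + i + "] " + describe(chain[i]));
        if (chain.length == 0) return;

        // The chain must end at (or be issued by) an anchor in the trust store; report which one is needed.
        X509Certificate top = chain[chain.length - 1];
        boolean anchored = false;
        for (X509Certificate anchor : rtm.getAcceptedIssuers()) {
            if (anchor.getSubjectX500Principal().equals(top.getIssuerX500Principal())
                    || anchor.equals(top)) { anchored = true; break; }
        }
        System.out.println(anchored
                ? "Top of chain is anchored by a trusted issuer in this JVM's trust store."
                : "NOT anchored: import the certificate for issuer '" + top.getIssuerX500Principal()
                        + "' into the trust store this JVM uses.");
    }
}
```

A "PKIX path building failed" message together with "NOT anchored" means the trust store in use does not contain the issuer that the report names, which points at the store being the wrong one (a different JRE's cacerts, or a key store configured where a trust store was expected). A handshake failure whose message is about subject alternative names instead of PKIX path building is a hostname mismatch, a different problem from the one in this thread that importing certificates will not fix.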

mark.l...@chp.edu

Nov 30, 2023, 9:14:10 AM
to RSNA MIRC CTP/TFS User Group
Hello Keith,

I hate to dredge up an old thread like this, but we're attempting to provide the CTP server at an enterprise level within the health care system where I work, and I KNOW they're going to want some form of authentication to permit this - you seem to have gotten LDAP working in the past, and I was hoping to pick your brain about how you got it to work (IF you got it to work, that is).  I've been trying to use the LDAPTest as well, but depending on whether I'm testing LDAP or LDAPS, I get various errors when attempting to validate the settings.  Just wanted to see if you could provide any advice on this matter.

Thanks in advance for your consideration!
- Mark
