SSL AD

Hi All,

I just followed the threads in this forum, which are useful for SSL communication. I have been stuck on this topic for 4 days. Still no improvement at all.

I have created a self-signed certificate using the Microsoft makecert tool on my machine. At the same time, I created a certificate using http://myservername/certsrv. But nothing..

My AD server is in Singapore. I am in Sydney. I know the AD server's details like username, password, IP address.

I can see, connect to and modify entries in that server using Softerra LDAP Administrator 3.0.

I just tried to enable SSL for my AD server using Softerra LDAP Administrator. But no progress. I am getting a Server Down error.

When I run my Java program, I am getting an exception.

// JNDI environment for the LDAP provider: simple bind over SSL to the domain controller
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, adminName);
env.put(Context.SECURITY_CREDENTIALS, adminPassword);
env.put(Context.SECURITY_PROTOCOL, "ssl");
env.put(Context.PROVIDER_URL, "ldaps://192.22.22.41:636");
// java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
// keyStore holds the client's own private key (only needed for client-certificate authentication);
// trustStore holds the CA certificates the client trusts when it verifies the server's certificate
System.setProperty("javax.net.ssl.keyStore", "C:\\Program Files\\jre1.5.0_08\\lib\\security\\cacerts");
System.setProperty("javax.net.ssl.trustStore", "C:\\Program Files\\jre1.5.0_08\\lib\\security\\cacerts");
System.setProperty("javax.net.ssl.trustStoreType", "jks");

javax.naming.CommunicationException: 192.22.22.41:636[Root exception is java.net.SocketException: Default SSL context init failed: null]..

Any help..

I am desperately waiting for a reply.

Thanks

[1710 byte] By [judygwina] at [2007-11-26 18:32:51]
# 1

Perhaps SSL has not been enabled on your Active Directory domain controller?

For example, if you use the Windows ldp.exe tool and you cannot connect using SSL over port 636, then it is quite likely that a certificate has not been installed on the domain controller, and SSL is not enabled.

Have a read of JNDI, Active Directory & Authentication (part 2) (SSL) at http://forum.java.sun.com/thread.jspa?threadID=581425&tstart=50 for further information.

adler_stevena at 2007-7-9 6:06:56
# 2

Hi

I have one more doubt. Can you please explain to me a bit about certificates? I just installed certificates on the domain controller.

Can I install any certificates on the client machine as well, or is there no need to install anything on the client machine?

What can I have on the client side?

How can the client communicate with the server certificate?

Thanks

judygwina at 2007-7-9 6:06:56
# 3

Please read the following:

http://forum.java.sun.com/thread.jspa?threadID=581425&messageID=4459062

http://www.microsoft.com/technet/security/prodtech/windows2000/secwin2k/swin2kad.mspx

http://support.microsoft.com/default.aspx?scid=247078

And if you are not using a Microsoft Certificate Authority, documentation describing how to use a third-party certificate authority with Active Directory can be found at:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q295663

Put very simply, you need to enroll and install a PKI certificate on the domain controller. This certificate requires a specific configuration (key usage, OID, which attributes contain the FQDN of the domain controller). I don't think that a self-signed cert generated by makecert would satisfy these requirements.

And then you need to install the certificate containing the public key of the certificate authority onto your client, so that it can establish the PKI trust chain with the domain controller's certificate.

adler_stevena at 2007-7-9 6:06:56
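The client-side half of what the reply above describes, as an added example that is not from this thread: the CA's exported public certificate (the certnew.cer-style file from the CA web enrollment page) becomes the client's only trust anchor, and the TLS handshake with the domain controller on 636 is run with the DC's FQDN checked against its certificate. It assumes a current JDK (7 or later, for SSLParameters) and that the DC is reachable by the FQDN in its certificate; the class name and argument order are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Handshake with a domain controller on 636, trusting only the CA certificate the client was given. */
public class LdapsTrustCheck {

    /** Build an SSLContext whose only trust anchor is the CA's public certificate (DER or base64 .cer). */
    static SSLContext contextTrusting(String caCertFile) throws Exception {
        X509Certificate ca;
        try (InputStream in = new FileInputStream(caCertFile)) {
            ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                          // empty in-memory store, nothing written to disk
        ks.setCertificateEntry("ad-issuing-ca", ca);  // a trusted-cert entry is what PKIX uses as a trust anchor
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no key store: the client proves nothing, it only verifies the DC
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String dcHost = args[0];     // the DC's FQDN as written in its certificate; a bare IP address will not match
        String caCertFile = args[1]; // CA certificate exported from the CA web enrollment page
        SSLContext ctx = contextTrusting(caCertFile);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(dcHost, 636)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // also check dcHost against the cert's SAN/CN
            s.setSSLParameters(p);
            s.startHandshake();                            // SSLHandshakeException here = chain or name not accepted
            for (Certificate c : s.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println(x.getSubjectX500Principal() + "  valid until " + x.getNotAfter());
            }
        }
    }
}
```

If the handshake succeeds here but the JNDI bind still fails, the difference is in what JNDI loads from the javax.net.ssl.* properties, not in the DC's certificate.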
# 4

Hi adler_stevena,

Many thanks for your immediate reply.

Now I have downloaded a certificate from the CA authority, so I have certnew.cer.

I just imported the cert using the keytool utility:

keytool -import -keystore cacerts -file C:\certnew.cer -alias ldapcert -storepass changeit

My code here:

String keystore = "C:\\Program Files\\Java\\jdk1.5.0_08\\jre\\lib\\security\\cacerts";
System.setProperty("javax.net.ssl.trustStore", keystore);
//System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
/*
// OPTION 2: derive the path from java.home, which already points at the JRE directory,
// so only "/lib/security/cacerts" is appended (the original appended "/jre/lib/security/cacerts")
String filename = (System.getProperty("java.home") + "/lib/security/cacerts").replace('/', File.separatorChar);
String password = "changeit";
System.setProperty("javax.net.ssl.trustStore", filename);
System.setProperty("javax.net.ssl.trustStorePassword", password);
*/
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, adminName);
env.put(Context.SECURITY_CREDENTIALS, adminPassword);
// specify use of ssl
env.put(Context.SECURITY_PROTOCOL, "ssl");
// connect to my domain controller
env.put(Context.PROVIDER_URL, ldapURL);
try {
    // Create the initial directory context; the SSL handshake and the simple bind both happen here
    DirContext ctx = new InitialLdapContext(env, null);
} catch (NamingException e) {
    // closes the try block the post cut off; prints the message shown below
    System.err.println("Problem searching directory: " + e);
    e.printStackTrace();
}

I am getting the following exception. I have already looked at this thread for this exception. I tried so many options. But still the same error.

Problem searching directory: javax.naming.CommunicationException: simple bind failed: <ipaddress>:636 [Root exception is javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty]

javax.naming.CommunicationException: simple bind failed: 192.168.4.12:636 [Root exception is javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty]
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
    at javax.naming.InitialContext.init(InitialContext.java:223)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
    at qaTest.TestSSLWithValidCertificate.main(TestSSLWithValidCertificate.java:74)
Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1485)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1468)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1394)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:64)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:390)
    at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:334)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:192)
    ... 11 more
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:56)
    at sun.security.validator.Validator.getInstance(Validator.java:146)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:105)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:167)
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:622)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
    ... 16 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:183)
    at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:103)
    at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:87)
    at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:54)
    ... 28 more

Thanks

judy

judygwina at 2007-7-9 6:06:56
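The exception in the post above means PKIX was handed an empty set of trust anchors: the trust store JSSE actually loaded held no trusted-certificate entries, and a trustStore path that points at a file which does not exist is loaded as an empty store and gives the same message. This added diagnostic, not code from the thread, loads the trust store from the same javax.net.ssl.* properties and reports what it finds, and also looks for a cacerts file in the working directory, since keytool -keystore cacerts with a relative path creates or updates that file rather than the JRE's lib/security/cacerts. It assumes Java 7 or later; class and method names are my own.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class TrustStoreDiagnostic {

    /** Load the store as JSSE does and return the aliases of its trusted-certificate entries. */
    static List<String> trustedAliases(String path, String password, String type) throws Exception {
        File f = new File(path);
        List<String> trusted = new ArrayList<>();
        if (!f.isFile()) {
            // JSSE continues with an empty store here, which is one way to reach "trustAnchors ... non-empty"
            System.out.println("trust store not found: " + f.getAbsolutePath());
            return trusted;
        }
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(f)) {
            ks.load(in, password == null ? null : password.toCharArray()); // null password skips the JKS integrity check
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {   // only trusted-cert entries become trust anchors; key entries do not
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println(alias + ": " + c.getSubjectX500Principal() + ", valid until " + c.getNotAfter());
                trusted.add(alias);
            }
        }
        return trusted;
    }

    public static void main(String[] args) throws Exception {
        // Same properties the thread's code sets with System.setProperty; the defaults are JSSE's own
        String path = System.getProperty("javax.net.ssl.trustStore", new File(System.getProperty("java.home"), "lib/security/cacerts").getPath());
        String password = System.getProperty("javax.net.ssl.trustStorePassword"); // may be null
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        List<String> trusted = trustedAliases(path, password, type);
        if (trusted.isEmpty()) {
            System.out.println("no trust anchors in " + path + ": the SSL handshake will fail with the error in the thread");
            File local = new File("cacerts");
            if (local.isFile()) // keytool -keystore cacerts (relative path) creates or updates this file, not the JRE's
                System.out.println("a cacerts file exists at " + local.getAbsolutePath() + "; was the CA imported there?");
        } else {
            System.out.println(trusted.size() + " trust anchor(s) loaded from " + path);
        }
    }
}
```

Run it with the same -Djavax.net.ssl.trustStore=... settings the failing program uses, and confirm the imported alias (ldapcert in the post) appears in the list before retrying the bind.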