Discussion:
LDAP over SSL
Vlaad
2012-04-23 12:08:19 UTC
I have added the Active Directory SSL certificate to the TDI root; after that
I am able to browse data via the LDAP browser,
but when I try to debug my scripts in the TDI debugger, when the LDAP/SSL
connector is initialized I get the classic PKIX error about the certificate
chain http://www.tdiingoutloud.com/2012/02/certificate-chain-chain-chaining-error.html
The certificate is added to the keystore file located under my <solution
directory>, serverapi/testadmin.jks

The question is, should I import only the root CA certificate, or also the leaf
certificate?
Should I import it into one keystore or several (if yes, then into
which)?

Should the certificate also be added at the OS level???

Please assist if you know.

23:58:58,076 INFO - [AD_LDAPConnector] CTGDIS495I handleException ,
initialize, javax.naming.CommunicationException: simple bind failed:
XX.XX.XX.XX:636 [Root exception is
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path
building failed: java.security.cert.CertPathBuilderException:
PKIXCertPathBuilderImpl could not build a valid CertPath.; internal
cause is:
java.security.cert.CertPathValidatorException: The certificate issued
by CN=XXX-ROOT-CA, DC=XXX, DC=lv is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining
error]
bbunner
2012-04-23 12:31:47 UTC
Post by Vlaad
I have added the Active Directory SSL certificate to the TDI root; after that
I am able to browse data via the LDAP browser,
but when I try to debug my scripts in the TDI debugger, when the LDAP/SSL
connector is initialized I get the classic PKIX error about the certificate
chain http://www.tdiingoutloud.com/2012/02/certificate-chain-chain-chaining-error.html
The certificate is added to the keystore file located under my <solution
directory>, serverapi/testadmin.jks
The question is, should I import only the root CA certificate, or also the leaf
certificate?
Should I import it into one keystore or several (if yes, then into
which)?
Should the certificate also be added at the OS level???
Please assist if you know.
23:58:58,076 INFO - [AD_LDAPConnector] CTGDIS495I handleException ,
initialize, javax.naming.CommunicationException: simple bind failed:
XX.XX.XX.XX:636 [Root exception is
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path
building failed: java.security.cert.CertPathBuilderException:
PKIXCertPathBuilderImpl could not build a valid CertPath.; internal
cause is:
java.security.cert.CertPathValidatorException: The certificate issued
by CN=XXX-ROOT-CA, DC=XXX, DC=lv is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining
error]
Vlaad,
The following worked for me:
Import the root and sub CA and LDAP server certs into your trust store (although in theory the LDAP server cert should not be required). Additionally, from what I can tell, if the LDAP server supports client auth, TDI will attempt that too, so you will need to be sure that the LDAP server has the certs required to trust the TDI server. If client auth appears to be happening, you need to make sure that the TDI cert is configured to be a client cert (optionally as a server cert too if you have the need). I learned these things the hard way. If you do these things and are not getting the expected results, then check the properties files to make sure they reflect what you expect.
Good Luck!
bbunner
2012-04-23 12:40:40 UTC
Post by bbunner
Post by Vlaad
I have added the Active Directory SSL certificate to the TDI root; after that
I am able to browse data via the LDAP browser,
but when I try to debug my scripts in the TDI debugger, when the LDAP/SSL
connector is initialized I get the classic PKIX error about the certificate
chain http://www.tdiingoutloud.com/2012/02/certificate-chain-chain-chaining-error.html
The certificate is added to the keystore file located under my <solution
directory>, serverapi/testadmin.jks
The question is, should I import only the root CA certificate, or also the leaf
certificate?
Should I import it into one keystore or several (if yes, then into
which)?
Should the certificate also be added at the OS level???
Please assist if you know.
23:58:58,076 INFO - [AD_LDAPConnector] CTGDIS495I handleException ,
initialize, javax.naming.CommunicationException: simple bind failed:
XX.XX.XX.XX:636 [Root exception is
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path
building failed: java.security.cert.CertPathBuilderException:
PKIXCertPathBuilderImpl could not build a valid CertPath.; internal
cause is:
java.security.cert.CertPathValidatorException: The certificate issued
by CN=XXX-ROOT-CA, DC=XXX, DC=lv is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining
error]
Vlaad,
Import the root and sub CA and LDAP server certs into your trust store (although in theory the LDAP server cert should not be required). Additionally, from what I can tell, if the LDAP server supports client auth, TDI will attempt that too, so you will need to be sure that the LDAP server has the certs required to trust the TDI server. If client auth appears to be happening, you need to make sure that the TDI cert is configured to be a client cert (optionally as a server cert too if you have the need). I learned these things the hard way. If you do these things and are not getting the expected results, then check the properties files to make sure they reflect what you expect.
Good Luck!
By the way, the TDI server cert should be in the keystore identified by the property javax.net.ssl.keyStore; all of the certs you need to build trust should be in the keystore indicated by javax.net.ssl.trustStore. Be careful if you are using the default keystores: there are several instances of these, and the location you need depends on how you run the AL.
Vlaad
2012-04-23 13:09:07 UTC
Hi Brian, thanks for the advice,
the strangest thing is that I did this before on a test server, and it works
like a clock.
On the customer server there is an issue.

At the very beginning, when the SSL cert was not installed, data browsing
was not working either, which is logical; now, after the cert was
installed into the trusted store, the Data Browser works, but when the solution is
debugged, the SSL chain error still appears.

I wish there were a feature in TDI to temporarily trust any SSL certificate, like in
IBM Sametime (trust any IP).

If a user is created in AD via LDAP, this needs to be done over encrypted
LDAP (SSL).

vlaad
bbunner
2012-04-23 14:55:14 UTC
Post by Vlaad
Hi Brian, thanks for the advice,
the strangest thing is that I did this before on a test server, and it works
like a clock.
On the customer server there is an issue.
At the very beginning, when the SSL cert was not installed, data browsing
was not working either, which is logical; now, after the cert was
installed into the trusted store, the Data Browser works, but when the solution is
debugged, the SSL chain error still appears.
I wish there were a feature in TDI to temporarily trust any SSL certificate, like in
IBM Sametime (trust any IP).
If a user is created in AD via LDAP, this needs to be done over encrypted
LDAP (SSL).
vlaad
Maybe you could try using an absolute path to the keystore where you added the trust certs, just to be sure it is pointing at the certs you expect.
The other thing is to ensure that the root cert's SubjectKeyIdentifier (SKI) value matches the sub CA cert's AuthorityKeyIdentifier (AKI), and that the sub CA cert's SKI matches the LDAP server cert's AKI. I believe this is how applications perform chaining. If your TDI instance is attempting to do cert auth, then you will have to make sure that all of the SKI -> AKI mappings match up for the LDAP server trust stores to the TDI server as well.
bbunner
2012-04-23 14:44:21 UTC
Post by Vlaad
I have added the Active Directory SSL certificate to the TDI root; after that
I am able to browse data via the LDAP browser,
but when I try to debug my scripts in the TDI debugger, when the LDAP/SSL
connector is initialized I get the classic PKIX error about the certificate
chain http://www.tdiingoutloud.com/2012/02/certificate-chain-chain-chaining-error.html
The certificate is added to the keystore file located under my <solution
directory>, serverapi/testadmin.jks
The question is, should I import only the root CA certificate, or also the leaf
certificate?
Should I import it into one keystore or several (if yes, then into
which)?
Should the certificate also be added at the OS level???
Please assist if you know.
23:58:58,076 INFO - [AD_LDAPConnector] CTGDIS495I handleException ,
initialize, javax.naming.CommunicationException: simple bind failed:
XX.XX.XX.XX:636 [Root exception is
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path
building failed: java.security.cert.CertPathBuilderException:
PKIXCertPathBuilderImpl could not build a valid CertPath.; internal
cause is:
java.security.cert.CertPathValidatorException: The certificate issued
by CN=XXX-ROOT-CA, DC=XXX, DC=lv is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining
error]
Have you tried using an absolute path in your solution properties pointing to the keystore that contains your trust certs?
Also, you should ensure that the SubjectKeyIdentifier (SKI) value from the root cert matches the AuthorityKeyIdentifier (AKI) value of the sub CA cert. And if you have included the LDAP server cert in your trust store, ensure that the SKI in the sub CA cert matches the AKI in the LDAP server cert. I believe that this is how proper cert chaining is performed.
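The two pieces of advice in Brian's replies (put the root and sub CA into the trust store; confirm that each certificate's AuthorityKeyIdentifier matches its issuer's SubjectKeyIdentifier) can be exercised offline. What follows is an added example, not code from this thread or from IBM TDI. It is written in Go rather than TDI's Java/JSSE because Go's standard library can mint a test PKI in memory, and the PKIX chain-building rules it applies are the same ones the CTGDIS495I trace above is reporting on. The certificates (a root named XXX-ROOT-CA as in the log, a sub CA, and a server certificate for the constructed hostname ldap.example.invalid) are generated on the fly; the "stale root" case, a root with the same CN as the real one but a different key, is an assumed scenario, one plausible way a chaining error surfaces when a trust store was filled from an older export.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const ldapHost = "ldap.example.invalid" // constructed hostname, not from the thread

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a key and signs a certificate for cn with parentKey (self-signed when
// parent is nil). CreateCertificate copies the parent's SubjectKeyId into the new AuthorityKeyId.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ski := sha1.Sum(must(x509.MarshalPKIXPublicKey(&key.PublicKey))) // any stable per-key value serves as SKI
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		SubjectKeyId:          ski[:],
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildChain returns root CA, subordinate CA and LDAP server certificate, the tiers named in the thread.
func BuildChain() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	root, rootKey := issue("XXX-ROOT-CA", 1, true, nil, nil)
	sub, subKey := issue("XXX-SUB-CA", 2, true, root, rootKey)
	leaf, _ := issue(ldapHost, 3, false, sub, subKey)
	return root, sub, leaf
}

// VerifyWithTrustStore is the client side of the handshake: trusted plays javax.net.ssl.trustStore, presented is what the server sends.
func VerifyWithTrustStore(leaf *x509.Certificate, trusted, presented []*x509.Certificate) error {
	pool := func(cs []*x509.Certificate) *x509.CertPool {
		p := x509.NewCertPool()
		for _, c := range cs {
			p.AddCert(c)
		}
		return p
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool(trusted), Intermediates: pool(presented), DNSName: ldapHost})
	return err
}

// CheckKeyIdentifiers walks leaf -> ... -> root and reports the first link whose AKI differs from the issuer's SKI.
func CheckKeyIdentifiers(chain []*x509.Certificate) error {
	for i := 0; i+1 < len(chain); i++ {
		child, issuer := chain[i], chain[i+1]
		if !bytes.Equal(child.AuthorityKeyId, issuer.SubjectKeyId) {
			return fmt.Errorf("AKI of %q (%x) != SKI of %q (%x)", child.Subject.CommonName, child.AuthorityKeyId, issuer.Subject.CommonName, issuer.SubjectKeyId)
		}
	}
	return nil
}

// Scenarios returns, per trust-store configuration, whether verification succeeds.
func Scenarios() map[string]bool {
	root, sub, leaf := BuildChain()
	staleRoot, _, _ := BuildChain() // same CN as root but a different key: an assumed re-keyed CA
	certs := func(cs ...*x509.Certificate) []*x509.Certificate { return cs }
	return map[string]bool{
		"root in truststore, server sends leaf only": VerifyWithTrustStore(leaf, certs(root), nil) == nil,
		"root and sub CA in truststore":              VerifyWithTrustStore(leaf, certs(root, sub), nil) == nil,
		"root in truststore, server sends sub CA":    VerifyWithTrustStore(leaf, certs(root), certs(sub)) == nil,
		"stale root with same CN in truststore":      VerifyWithTrustStore(leaf, certs(staleRoot), certs(sub)) == nil,
		"SKI/AKI walk, correct root":                 CheckKeyIdentifiers(certs(leaf, sub, root)) == nil,
		"SKI/AKI walk, stale root":                   CheckKeyIdentifiers(certs(leaf, sub, staleRoot)) == nil,
	}
}

func main() { fmt.Println(Scenarios()) } // map printing sorts the scenario names
```

`go run` prints each scenario with true or false. With only the root in the trust store and the server sending just its own certificate, verification fails the way the trace does: the path builder has nothing to link the server certificate to the root. Adding the sub CA to the trust store, or having the server present it, both repair the chain; a stale root fails even though its CN matches, and the SKI/AKI walk points at the broken link. On a real TDI system, `keytool -list -v` on the JKS files prints the SubjectKeyIdentifier and AuthorityKeyIdentifier extensions that the walk compares.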
Vlaad
2012-04-23 17:16:41 UTC
Hi, tried the absolute path.
No progress.
Installed both the root and the leaf certificate. So far no luck...
Vlaad
2012-04-23 17:12:40 UTC
Hi, just tried the full path, same error.
Imported both the ROOT and the LEAF certificate, still the same error.
Vlaad
2012-04-25 07:25:02 UTC
We reinstalled TDI on another machine, and now it works like a clock.
This could be related to some Windows issue, since in my case TDI was
running on a Windows 2008 R2 server.

Made a clean virtual machine, created a test AL to read LDAP entries and print
them in the console, and it works fine over LDAP (SSL).

Thanks to Eddie and Brian for help.
