
LDAP SSL Authentication

Describes the environment configuration (Java + Valuemation) required to use the secure SSL protocol for LDAP communication.

If SSL is not used, all information is sent over the network as plain text, including the password during authentication.

SSL must be enabled on the target JNDI server; contact your administrator if you are not sure. LDAPS uses port 636 by default, instead of port 389, which is reserved for standard LDAP.

How to configure the environment

  1. Set or create the main parameter "securityProtocol"

    path = "de.usu.s3.authentication.JNDIManager"
    param = "securityProtocol"
    value = "ssl"

  2. Update the main parameter "provider"

    path = "de.usu.s3.authentication.JNDIManager"
    param = "provider"
    example old value = "ldap://win2000as-test"
    example new value = "ldap://win2000as-test:636"

  3. Install the LDAP server certificate on the client machine/web server

    Install the root certificate of the LDAP server on the client machine (where Valuemation is installed). As an example, this guide uses a Microsoft Active Directory server, where the domain controller certificate with the extension "crt" is located in the root directory (e.g. c:\ or c:\win...). In our test environment it is the domain controller certificate of the win2000as-test server.

    Java usually stores certificates in the "cacerts" file located in "java.home" in the subdirectory "\lib\security".

    Here is an example of how the certificate can be imported into the Java keystore:

    JAVA.HOME/bin/keytool.exe -import -alias win2000as -file "win2000as-test.bm.usutest.cz_USUtest.crt" -keystore JAVA.HOME/lib/security/cacerts

    It is necessary to import the certificate into the Java keystore file, and the Java VM running Valuemation must then be pointed at this keystore file (option -Djavax.net.ssl.trustStore).

    Note: by default the "cacerts" file is protected with the password "changeit".

  4. Inform the JVM where the certificates are stored

    Make sure that Java has access to, and actually uses, the correct "cacerts" file. To be certain, start Valuemation with the optional JVM property -Djavax.net.ssl.trustStore=JAVA.HOME\lib\security\cacerts
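As an added example (not code from Valuemation or from this page), the following Java program checks what the four steps above configure: it resolves the trust store Java will actually use (the -Djavax.net.ssl.trustStore value, or the default cacerts under java.home), verifies that the alias imported with keytool is present and still valid, and then performs an LDAPS simple bind using a JNDI environment equivalent to the "securityProtocol" and "provider" parameters. The class name, the alias "win2000as", the use of javax.net.ssl.trustStorePassword (defaulting to "changeit"), and the bind DN and password taken from the command line are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Hypothetical helper class, not part of Valuemation.
public class LdapsCheck {

    // Trust store the JVM will use: the -Djavax.net.ssl.trustStore value,
    // otherwise the default JAVA.HOME/lib/security/cacerts.
    static Path trustStorePath() {
        String configured = System.getProperty("javax.net.ssl.trustStore");
        if (configured != null) {
            return Paths.get(configured);
        }
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    // Returns true when the trust store holds a currently valid X.509 certificate
    // under the given alias (the alias passed to "keytool -import -alias ...").
    static boolean trustStoreContains(Path store, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(store.toFile())) {
            ks.load(in, password);
        }
        Certificate cert = ks.getCertificate(alias);
        if (!(cert instanceof X509Certificate)) {
            return false;
        }
        X509Certificate x509 = (X509Certificate) cert;
        x509.checkValidity(); // throws if the certificate is expired or not yet valid
        System.out.println("alias " + alias + ": " + x509.getSubjectX500Principal()
                + ", valid until " + x509.getNotAfter()
                + ", SHA-256 " + fingerprint(x509));
        return true;
    }

    // Hex SHA-256 fingerprint of the DER encoding, for comparison with the server's certificate.
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    // JNDI environment equivalent to securityProtocol = "ssl" and provider = "ldap://host:636".
    static Hashtable<String, String> ldapsEnvironment(String providerUrl, String bindDn, String bindPassword) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);        // e.g. ldap://win2000as-test:636
        env.put(Context.SECURITY_PROTOCOL, "ssl");         // the "securityProtocol" parameter
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        return env;
    }

    // Usage: java -Djavax.net.ssl.trustStore=... LdapsCheck <bindDn> <bindPassword>
    public static void main(String[] args) throws Exception {
        Path store = trustStorePath();
        char[] password = System.getProperty("javax.net.ssl.trustStorePassword", "changeit").toCharArray();
        if (!trustStoreContains(store, password, "win2000as")) {
            System.err.println("alias not found in " + store + "; expect 'No trusted certificate found'");
            return;
        }
        // Bind DN and password come from the command line; no real account is assumed here.
        DirContext ctx = new InitialDirContext(
                ldapsEnvironment("ldap://win2000as-test:636", args[0], args[1]));
        ctx.close();
        System.out.println("LDAPS simple bind succeeded");
    }
}
```

Because trustStorePath() reads the same system property the JVM's SSL stack reads, a mismatch between where keytool wrote the certificate and where Java looks for it shows up before any network connection is attempted.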

Troubleshooting

Exception 1

javax.naming.CommunicationException: simple bind failed: win2000as-test:636 [Root exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake]

SSL communication is not enabled on the target JNDI server.

Exception 2

javax.naming.CommunicationException: win2000as-test:636 [Root exception is java.net.ConnectException: Connection refused: connect]

Port 636 is not reachable on the target JNDI server.

Exception 3

javax.naming.CommunicationException: simple bind failed: win2000as-test:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found]

The correct certificate is not installed, or the "cacerts" file is not in the location Java uses.
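The three exceptions above differ only in their root cause, so the diagnosis can be automated. The following Java snippet is an added example, not Valuemation code: diagnose() walks the cause chain of a javax.naming.CommunicationException and maps it to the three conditions listed here, and main() feeds it constructed exceptions carrying the same messages as above. The class name and the wording of the returned diagnoses are assumptions.

```java
import java.net.ConnectException;
import java.security.cert.CertificateException;
import javax.naming.CommunicationException;
import javax.naming.NamingException;
import javax.net.ssl.SSLHandshakeException;

// Hypothetical helper class, not part of Valuemation.
public class LdapsDiagnosis {

    // Maps a JNDI exception to one of the three documented conditions.
    static String diagnose(NamingException e) {
        Throwable root = e.getRootCause();
        if (root == null) {
            root = e.getCause();
        }
        if (root == null) {
            return "Unclassified: " + e;
        }
        // Follow further nesting, e.g. SSLHandshakeException -> ValidatorException
        Throwable deepest = root;
        while (deepest.getCause() != null && deepest.getCause() != deepest) {
            deepest = deepest.getCause();
        }
        if (root instanceof ConnectException) {
            return "Exception 2: port 636 is not reachable on the LDAP server";
        }
        if (root instanceof SSLHandshakeException) {
            String msg = String.valueOf(root.getMessage()) + " " + String.valueOf(deepest.getMessage());
            // The ValidatorException is a JDK-internal class, so match on name/message only
            if (msg.contains("No trusted certificate found")
                    || deepest.getClass().getName().endsWith("ValidatorException")) {
                return "Exception 3: server certificate not trusted; check the cacerts alias and -Djavax.net.ssl.trustStore";
            }
            if (msg.contains("Remote host closed connection during handshake")) {
                return "Exception 1: SSL is not enabled on the LDAP server";
            }
            return "SSL handshake failed: " + msg;
        }
        return "Unclassified: " + e;
    }

    // Builds a CommunicationException with the given root cause (constructed sample input).
    static NamingException sample(Throwable root) {
        CommunicationException ce = new CommunicationException("win2000as-test:636");
        ce.setRootCause(root);
        return ce;
    }

    public static void main(String[] args) {
        System.out.println(diagnose(sample(
                new SSLHandshakeException("Remote host closed connection during handshake"))));
        System.out.println(diagnose(sample(
                new ConnectException("Connection refused: connect"))));
        SSLHandshakeException untrusted = new SSLHandshakeException(
                "sun.security.validator.ValidatorException: No trusted certificate found");
        untrusted.initCause(new CertificateException("No trusted certificate found"));
        System.out.println(diagnose(sample(untrusted)));
    }
}
```

Checking the root cause type first and the message text second keeps the classification stable across JDK versions, since the handshake messages are free text while ConnectException and SSLHandshakeException are part of the public API.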

See Also

LDAP Configuration