
RE: help -- Regarding the jks certificate error



> Hi,
>
> // Either explicitly tell your tools to trust the CA for the cert via config or the
> command line -- How do I tell my tools (which tools?) to trust the CA for the
> cert in config or the cmd line?
>
> I have put all the certs in my openldaps client ldap.conf file. All the jks certs
> are created by keytool command.
> None of the below work :
>
> #TLS_CACERT /etc/openldap/cacerts/123keystore.jks    // server is started using jks certificates for secure connections.. this is not working
> TLS_CACERT /etc/openldap/cacerts/789server.cer    // This didn't work
> # TLS_CACERT /etc/openldap/cacerts/789server.pem    // I converted the cer to pem file.. But even this didn't work
> TLS_CACERTDIR /etc/openldap/cacerts
>
> // Perhaps even (I'm mostly guessing) adding the CA to your systems trusted
> CA certs Start by getting your CA's cert. -- how to add CA to my client's trusted
> CA certs?

CJ: That's on a per-OS basis. It's rarely made easy. But after more reading, unlikely to help you.

> In openldap cmd ldapsearch, there is no option to specify the cert path. It
> picks the cert files/dir from the /etc/openldap/ldap.conf

CJ: I was mistaken. I thought there was.

> Jks(java key store) certs(created by the server) work with openldap clients
> by just copying the certs to client machine and adding the path in ldap.conf
> file ? Or do we need pem certs only?

CJ: We use base64 encoded certs. I tried looking into what type of cert was acceptable to openldap, but failed to find it.
The cert should look similar to:
-----BEGIN CERTIFICATE-----
MIIF3jCCBMagAwIBAgIKf/7gwAAAAAAJ5zANBgkqhkiG9w0BAQUFADBVMRMwEQYK
 [plenty of lines similar]
Vtm/MSZk5cBjnM84+MK3sVdE
-----END CERTIFICATE-----

> I am a newbie..Pls guide me..Thanks.

CJ: I'm not that much better I'm afraid.
Some things to consider:
Make sure you're putting the CA's cert for openldap to ref, and not the actual cert being used.

If you find yourself still stuck, try reading:
http://www.openldap.org/faq/data/cache/185.html
and make sure you understand CAs, certs signed by that CA, etc.

We've some JKS certs we have to monitor in our environment, and we use the following to export java/JKS certs to x509 Base64 encoded PEM format:
keytool -exportcert -keystore [store-with-CA-cert] -alias [alias-name-of-CA-cert] -storepass [password] -rfc

Use that cert with your ldap toolset.

> Regards,
> Sridhar Sontha
>
>
>
> From: Chris Jacobs [mailto:Chris.Jacobs@apollogrp.edu]
> Sent: Friday, April 12, 2013 9:39 PM
> To: Sontha, Sridhar; 'openldap-technical@openldap.org'; 'openldap-
> technical-request@openldap.org'
> Subject: Re: help -- Regarding the jks certificate error
>
> Your cert is self signed and not trusted by your client.
>
> Either explicitly tell your tools to trust the CA for the cert via config or the
> command line. Perhaps even (I'm mostly guessing) adding the CA to your
> systems trusted CA certs.
>
> Start by getting your CA's cert, and reading the ldapsearch man page.
>
> - chris
>
> ________________________________________
> From: openldap-technical-bounces@OpenLDAP.org <openldap-technical-
> bounces@OpenLDAP.org>
> To: openldap-technical@openldap.org <openldap-
> technical@openldap.org>; openldap-technical-request@openldap.org
> <openldap-technical-request@openldap.org>
> Sent: Fri Apr 12 20:24:03 2013
> Subject: help -- Regarding the jks certificate error
>
> Hi There,
>      I am using an ldap server created using unbounded ldap API (Java). And
> the server is started to support both ldap and ldaps.  Sever uses java
> keystore (.jks) certificates namely 123keystore.jks and 456truststore.jks and
> some 789server.cer (all these files are protected by some password). The
> server is listening at port # 1636 for all ldaps connections.
> I am able to connect to the server using (ldaps) some java ldap clients and
> able to bind and search successfully. But when I try to connect to the server
> using openldap client, it is NOT working, getting SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed error.
>
> I get the below error when I try to do the search using ldaps://<ip>:1636
>
> ldapsearch   -w 'xxxxxx1234' -H ldaps://xx.xx.xx.xxx:1636 -b
> "o=person,o=hp"  -D "id=xxxx89,o=person,o=hp"
>
> [bea@devcg4sdmbl01 ldapsearch   -w 'xxxxxx1234' -H
> ldaps://xx.xx.xx.xxx:1636 -b "o=person,o=hp"  -D
> "id=xxxx89,o=person,o=hp"
> ldap_create
> ldap_url_parse_ext(ldaps://x.x.x.x:1636)
> ldap_pvt_sasl_getmech
> ldap_search
> put_filter: "(objectclass=*)"
> put_filter: simple
> put_simple_filter: "objectclass=*"
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP xx.x.xx.xx:1636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 10.0.59.164:1636
> ldap_connect_timeout: fd: 3 tm: -1 async: 0
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 0, err: 18, subject: /C=xxx/ST=x/L=xxx/O=xxxx/OU=xxx/CN=xxx, issuer: /C=xxx/ST=xxx/L=xxxx/O=xxxxx/OU=xxx/CN=xxxxx
> TLS certificate verification: Error, self signed certificate
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Here is my ldap.conf : located at /etc/openldap/ldap.conf
>
> URI ldaps://x.x.x.x:1636/
> BASE o=person,o=hp
> HOST <IP>
> PORT 1636
> #TLS_CACERT /etc/openldap/cacerts/123keystore.jks    // server is started using jks certificates for secure connections.. this is not working
> TLS_CACERT /etc/openldap/cacerts/789server.cer    // This didn't work
> # TLS_CACERT /etc/openldap/cacerts/789server.pem    // I converted the cer to pem file.. But even this didn't work
> TLS_CACERTDIR /etc/openldap/cacerts
> TLS_REQCERT require
>
> What is the correct configuration to make this work? Can I use the jks
> certificates in openldap client to connect to server which is using jks for
> ldaps connections? What is missing here? Pls help fix this issue.
> Same openldap client works fine for non-secure and simple authentication
> ldap connections.  The problem is only when I try to use ldaps from the
> client.
>
> Thanks in advance. Let me know if you need more info.
>
>
> Regards,
> Sridhar Sontha
>
>
>
>
> ________________________________________
> This message is private and confidential. If you have received it in error,
> please notify the sender and remove it from your system.
>

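As an added example for this thread (not code from the list, from OpenLDAP, or from either poster), here is a small POSIX shell script that chains the steps discussed above: export the CA entry from the JKS store with the keytool -rfc call CJ quotes, check that the result is PEM rather than the DER that a .cer exported without -rfc is, append the TLS_CACERT/TLS_REQCERT lines to ldap.conf, and run the ldaps search against that CA only. The keystore path, alias, password, host, port and DNs in the commented run at the end are placeholders, not values from the thread; TLS_REQCERT demand is the strict verification level named in ldap.conf(5), and LDAPTLS_CACERT / LDAPTLS_REQCERT are the environment forms of the same options, which let you test without touching the system ldap.conf.

```shell
#!/bin/sh
# Added example for this thread, not code from the list or from OpenLDAP.
# Exports a CA certificate from a Java keystore as PEM, checks the file really
# is PEM (ldap.conf cannot read a DER .cer or a .jks), writes the TLS lines for
# ldap.conf and runs an ldaps test query that trusts only that CA.
# All paths, aliases, passwords, hosts and DNs below are placeholders.

# Export one keystore entry as a PEM certificate ("-rfc"), written to $4.
# Same keytool call as in the thread, plus -file so the output lands on disk.
export_ca_pem() {
    store=$1 alias_name=$2 storepass=$3 out=$4
    keytool -exportcert -keystore "$store" -alias "$alias_name" \
        -storepass "$storepass" -rfc -file "$out"
}

# Print pem, der or unknown for a certificate file.
# PEM: one or more BEGIN/END CERTIFICATE pairs.
# DER: first byte 0x30, the ASN.1 SEQUENCE tag every X.509 certificate starts with.
cert_format() {
    f=$1
    [ -f "$f" ] || { echo unknown; return 1; }
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$f" || true)
    if [ "$begins" -ge 1 ] && [ "$begins" -eq "$ends" ]; then
        echo pem; return 0
    fi
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo der; return 0
    fi
    echo unknown; return 1
}

# Succeed only for a PEM file: run this before pointing TLS_CACERT at anything.
is_pem_cert() {
    [ "$(cert_format "$1")" = pem ]
}

# Append the two lines the client needs to $2: the CA file to trust and the
# verification level. Refuses non-PEM input so the "didn't work" case from the
# thread is caught here instead of at connect time.
write_tls_conf() {
    ca=$1 out=$2
    is_pem_cert "$ca" || { echo "refusing: $ca is not a PEM certificate" >&2; return 1; }
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$ca" >> "$out"
}

# Run the search over ldaps with -d 1 tracing, trusting only the given CA.
# The LDAPTLS_* variables override ldap.conf for this one command (ldap.conf(5)).
ldaps_search() {
    ca=$1 host=$2 port=$3 binddn=$4 base=$5
    LDAPTLS_CACERT=$ca LDAPTLS_REQCERT=demand \
        ldapsearch -H "ldaps://$host:$port" -D "$binddn" -W -b "$base" -d 1 '(objectclass=*)'
}

# Example run with placeholder values (uncomment and adjust):
# export_ca_pem /path/to/truststore.jks my-ca-alias changeit /etc/openldap/cacerts/ca.pem
# write_tls_conf /etc/openldap/cacerts/ca.pem /etc/openldap/ldap.conf
# ldaps_search /etc/openldap/cacerts/ca.pem ldap.example.test 1636 "cn=admin,o=example" "o=example"
```

If cert_format reports der for the file keytool produced, -rfc was missing; if ldapsearch still reports err 18 with a PEM CA in place, the file holds the server's own leaf certificate rather than the certificate of the CA that signed it, which is the distinction CJ makes above.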