
Re: Using "keytool" to create security certificates for OpenLDAP



Forgot to mention for (2) that the exception occurs when I do the
bind() operation. The connect() call goes through fine.


On Sat, 26 Mar 2005 14:29:20 -0800, Safdar Kureishy
<safdar.kureishy@gmail.com> wrote:
> Thanks Jon. This helps. I do have a few more questions that are
> related to OpenLDAP:
> 
> 1) I'm on a Windows machine, and in the OpenLDAP installation
> directory ("c:\Program Files\OpenLDAP"), I actually see several "SSL"
> related files. Could you tell me which is which, and which I should
> add to the truststore on the client?
> - serverkey.pem
> - server.pem
> - CA.pem
> - cakey.pem
> - ca.srl
> 
> 2) I actually tried adding "server.pem" to my client's truststore
> using keytool, and it seems that it got added (it gets listed with the
> -list option), but when I do the following with JLDAP to connect to
> the OpenLDAP server, I get an LDAPException with a root message:
> "sun.security.validator.ValidatorException: No trusted certificate
> found".
>            ...
>            ...
>         if (this.useSSL) {
>             System.setProperty("javax.net.ssl.truststore",
> "C:\\client\\truststore.jks");
>             LDAPSocketFactory sslSocketFactory = new
> LDAPJSSESecureSocketFactory();
>             LDAPConnection.setSocketFactory(sslSocketFactory);
>         }
>         this.masterConnection = new LDAPConnection();
> 
>         try {
>             this.masterConnection.connect(host, port);
>             this.masterConnection.bind(LDAPConnection.LDAP_V3,
> this.loginDN, passwd);
>         } catch (LDAPException e) {
>             throw new InitializationException(e); // This is what I
> get every time
>         }
> 
> How do I solve this problem? Any ideas?
> 
> Thanks in advance :)
> 
> Safdar
> 
> 
> On Fri, 25 Mar 2005 09:54:45 -0600, Jon Roberts <jon@jonanddeb.net> wrote:
> > Safdar Kureishy wrote:
> > > - Enable SSL on OpenLDAP (and all the certs/keys etc.)
> > > [I've got this done via the installer itself and it works using the
> > > ldapbrowser/editor tool that I downloaded online]
> >
> > So I'll assume this is all okay, although you may also want to check
> > with an OpenLDAP client like ldapsearch.
> >
> > > - Create a truststore on the JLDAP (client) side and add the OpenLDAP
> > > server certificate to that truststore. I'm also hoping that this task
> > > can be automated with Ant or as part of an installer given the
> > > location of the certificate file that is to be trusted.
> > > [I'm at a loss as to what tool to use to generate the client-side
> > > truststore and add the server-side certificate to it. Basically I'm
> > > looking for some instructions.]
> >
> > Creating and installing a client side store is really a Java question,
> > but here's the easiest thing to do. Your client JRE should have a
> > default keystore where it checks for CA certs. Assuming you are using a
> > *nix environment and your JAVA_HOME is '/usr/java', the command for
> > adding your own CA cert would be something like:
> >
> > /usr/java/bin/keytool -import -alias localca -keystore
> > /usr/java/jre/lib/security/cacerts -trustcacerts -file
> > /path/to/your/localcacert.pem
> >
> > You'll be prompted for a keystore password, which by default is
> > 'changeit' (hint, hint) for the cacerts keystore.
> >
> > Again, keystores are a Java topic which can be explained better on a
> > Java forum. The keytool man page is also useful.
> >
> > Hope this helps.
> >
> > Jon Roberts
> > www.mentata.com
> >
>
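An added example, not code from anyone in this thread: an offline check that loads the client's JKS truststore and asks the JSSE PKIX trust manager whether it would accept the OpenLDAP server certificate, which is the same decision that produces "No trusted certificate found" during the TLS handshake, and then sets the truststore properties under the names JSSE actually reads (`javax.net.ssl.trustStore`, `javax.net.ssl.trustStorePassword`; the names are case-sensitive). It assumes Java 7 or later, the default 'changeit' password, and that the PEM file passed in holds only a certificate (no private key); the class name `TrustStoreCheck` is hypothetical.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical helper: does this JKS truststore accept this server cert? */
public class TrustStoreCheck {

    /** Loads the JKS truststore and returns the PKIX trust manager built on it. */
    static X509TrustManager trustManagerFor(String storePath, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(storePath)) {
            ks.load(in, storePass);
        }
        System.out.println("Trusted aliases: " + Collections.list(ks.aliases()));
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Reads the PEM certificate(s) the server presents, e.g. server.pem (assumed cert-only). */
    static X509Certificate[] readPemChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (FileInputStream in = new FileInputStream(pemPath)) {
            return cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
    }

    public static void main(String[] args) throws Exception {
        String storePath = args[0];   // e.g. C:\client\truststore.jks
        String serverPem = args[1];   // e.g. server.pem from the OpenLDAP install
        X509TrustManager tm = trustManagerFor(storePath, "changeit".toCharArray());
        X509Certificate[] chain = readPemChain(serverPem);
        System.out.println("Server cert subject: " + chain[0].getSubjectX500Principal());
        try {
            tm.checkServerTrusted(chain, "RSA");   // same validation the TLS handshake performs
            System.out.println("OK: the truststore accepts this server certificate");
        } catch (CertificateException e) {
            System.out.println("REJECTED: " + e.getMessage());
        }
        // Property names JSSE reads for the default SSLSocketFactory (case-sensitive).
        System.setProperty("javax.net.ssl.trustStore", storePath);
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
    }
}
```

Run it with the truststore path and the PEM file you imported; a REJECTED result with the file you actually imported means the store is not the one the JVM will consult, or the server presents a chain the store does not anchor.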