[midPoint] Fwd: AD configuration with LDAP Connector, ssl issue

Dilek Gider dilek.gider at basistek.com
Thu May 4 09:07:03 CEST 2017


Hi Jason,

As feedback: I downloaded the JCE and replaced the jars with the SDK's jars. But it
didn't work.
I tried most things; in the end I deleted the java.ssl.trustStore Java
options from the Tomcat properties.
I changed port 636 to 389 (389 was working from the beginning), tested that
it connects, and after that I changed the port to 636 and "Connection
Security" = ssl.
Then I tested the connection and suddenly it connected. Actually, I don't know
how it worked.

But now our SSL environment is connected without the properties below; I think
it uses the Java cacerts now, I have imported the certificate into the SDK's cacerts.
-Djavax.net.ssl.trustStore=/var/opt/midpoint/keystore.jceks
-Djavax.net.ssl.trustStoreType=jceks

Maybe from the beginning it must have been using only the SDK's cacerts, I don't know.
I only followed
https://wiki.evolveum.com/display/midPoint/Keystore+Configuration but it
didn't work.

FYI.

Thank you for your support.


On Wed, Apr 26, 2017 at 3:04 PM, Jason Everling <jeverling at bshp.edu> wrote:

> I went back and looked at your logs earlier and yes, you can use standard
> Java to connect to LDAP over SSL because that is not the issue, and it is
> not using your midPoint encryption keys to encrypt data. Within your error
> logs it is trying to encrypt the LDAP connection password but cannot
> because of the illegal key size. So I am pretty sure you just need to
> install the JCE files. I found a page on the wiki for you, and yes, the max
> is 128 without JCE and your error logs are showing AES-192.
>
> https://wiki.evolveum.com/display/midPoint/Installing+midPoint+from+Binary+Distribution+v3.5.1#InstallingmidPointfromBinaryDistributionv3.5.1-JavaCryptographyExtension(JCE)UnlimitedStrengthJurisdictionPolicyFiles8
>
>
>
>
> JASON
>
> On Wed, Apr 26, 2017 at 6:52 AM, Jason Everling <jeverling at bshp.edu>
> wrote:
>
>> Your key is 192 and without JCE the max is 128. Go to
>> http://www.oracle.com/technetwork/java/javase/downloads/index.html,
>> scroll down to Additional Resources, find the unlimited strength file
>> and download it. There is a readme file in it; you basically just copy the
>> files into your Java JDK location.
>> ------------------------------
>> *From:* midPoint <midpoint-bounces at lists.evolveum.com> on behalf of
>> Dilek Gider <dilek.gider at basistek.com>
>> *Sent:* Wednesday, April 26, 2017 1:43:58 AM
>> *To:* midPoint General Discussion
>>
>> *Subject:* Re: [midPoint] Fwd: AD configuration with LDAP Connector, ssl
>> issue
>>
>> Hi Jason ,
>>
>> No, I didn't install it and I don't know anything about this policy file.
>> I am able to connect via SSL from the same server with simple Java code;
>> is this possible if the policy file must be installed?
>>
>> Should I install it? I am researching that policy file.
>>
>> On Tue, Apr 25, 2017 at 5:31 PM, Jason Everling <jeverling at bshp.edu>
>> wrote:
>>
>>> I didn't even think about this: did you install the Java Cryptography
>>> Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8? That could
>>> be the cause of your first error, default key size. Original error:
>>> Illegal key size
>>>
>>> JASON
>>>
>>> On Tue, Apr 25, 2017 at 9:19 AM, Jason Everling <jeverling at bshp.edu>
>>> wrote:
>>>
>>>> Is this an actual domain controller? Are you sure that isn't just
>>>> the domain?
>>>> <gen493:host>tirsantest.local</gen493:host>
>>>>
>>>> It should contain an actual DC host like
>>>> <gen493:host>dc1.tirsantest.local</gen493:host>
>>>>
>>>>
>>>>
>>>> JASON
>>>>
>>>> On Tue, Apr 25, 2017 at 2:14 AM, Dilek Gider <dilek.gider at basistek.com>
>>>> wrote:
>>>>
>>>>> Hi Brad,
>>>>>
>>>>> I didn't get the certificate; our customer gave me a .cer file that
>>>>> contains the certificate, the AD belongs to the customer.
>>>>> But with that certificate I can connect to AD port 636 with Java code.
>>>>>
>>>>> I imported that certificate into the midPoint keystore, and also the Java SDK
>>>>> keystore.
>>>>> I added Java options to Tomcat to trust the midPoint keystore
>>>>> (-Djavax.net.ssl.trustStore=.....)
>>>>>
>>>>> On Tue, Apr 25, 2017 at 8:38 AM, Brad Fardig <
>>>>> brad.fardig at cogitogroup.com.au> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Just checking, did you add the domain controller's certificate to the
>>>>>> key store?
>>>>>>
>>>>>> https://wiki.evolveum.com/pages/viewpage.action?pageId=15859743
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Brad
>>>>>>
>>>>>>
>>>>>> *From:* midPoint [mailto:midpoint-bounces at lists.evolveum.com] *On
>>>>>> Behalf Of *dilek.gider at basistek.com
>>>>>> *Sent:* Tuesday, 25 April 2017 3:03 PM
>>>>>> *To:* Jason Everling <jeverling at bshp.edu>; midPoint General
>>>>>> Discussion <midpoint at lists.evolveum.com>
>>>>>> *Subject:* Re: [midPoint] Fwd: AD configuration with LDAP Connector,
>>>>>> ssl issue
>>>>>>
>>>>>>
>>>>>> Thank you for your reply, I created the keystore manually with the wiki
>>>>>> Evolveum Keystore Configuration document. I don't know whether midPoint
>>>>>> creates the keystore by itself, automatically.
>>>>>>
>>>>>> ------ Original message------
>>>>>> *From: *Jason Everling
>>>>>> *Date: *Mon, Apr 24, 2017 18:41
>>>>>> *To: *midPoint General Discussion;
>>>>>> *Cc: *
>>>>>> *Subject:*Re: [midPoint] Fwd: AD configuration with LDAP Connector,
>>>>>> ssl issue
>>>>>>
>>>>>> From what I can see, it is showing 'unsupported ciphersuite' along
>>>>>> with other SSL/TLS startup errors. Did you let midPoint create the keystore
>>>>>> when it first started up, or did you create it manually? The midPoint team
>>>>>> should be able to help further, but I have never encountered that error
>>>>>> before with midPoint, only SSL chain errors, which are easily fixed, and I
>>>>>> don't see that in your logs.
>>>>>>
>>>>>> JASON
>>>>>>
>>>>>> On Mon, Apr 24, 2017 at 7:26 AM, Dilek Gider <
>>>>>> dilek.gider at basistek.com> wrote:
>>>>>>
>>>>>> Hi Again,
>>>>>>
>>>>>> Is there anybody to help me, please? Details are below.
>>>>>>
>>>>>> ---------- Forwarded message ----------
>>>>>> From: *Dilek Gider* <dilek.gider at basistek.com>
>>>>>> Date: Thu, Apr 20, 2017 at 4:20 PM
>>>>>> Subject: AD configuration with LDAP Connector, ssl issue
>>>>>> To: midPoint General Discussion <midpoint at lists.evolveum.com>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have a resource to AD from midPoint, with the LDAP Connector. You can
>>>>>> find resource.xml as an attachment. I couldn't connect to this resource with
>>>>>> LDAP via SSL. I followed
>>>>>>
>>>>>> https://wiki.evolveum.com/display/midPoint/Keystore+Configuration
>>>>>>
>>>>>> link, added Tomcat Java options but it doesn't work. I also added
>>>>>> logs about this resource, error logs.
>>>>>>
>>>>>> I wrote a Java jar to connect to AD via SSL and executed it from the same
>>>>>> location as my Java connector; it succeeded. But in midPoint it could
>>>>>> not communicate with AD via SSL. Without SSL, it is communicating with AD
>>>>>> from the LDAP Connector.
>>>>>>
>>>>>> I have Java 8_101, Tomcat 8.5.
>>>>>>
>>>>>> I have the certificate as a "cer" file; I imported it into both the Java
>>>>>> cacerts and the midPoint keystore, and it is listed with my alias:
>>>>>>
>>>>>> Keystore type: JCEKS
>>>>>> Keystore provider: SunJCE
>>>>>>
>>>>>> Your keystore contains 3 entries
>>>>>>
>>>>>> nlight, Mar 21, 2017, trustedCertEntry,
>>>>>> Certificate fingerprint (SHA1): XXXXXXXXX
>>>>>> default, Nov 30, 2016, SecretKeyEntry,
>>>>>> tirsantest.local, Apr 19, 2017, trustedCertEntry,
>>>>>> Certificate fingerprint (SHA1): XXXXXXXXXXXX
>>>>>>
>>>>>> Could you help me? I have been working on this problem for two weeks.
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> midPoint mailing list
>>>>>> midPoint at lists.evolveum.com
>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>
>
>
>
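The thread closes without a confirmed root cause because two unrelated failures were being probed at once: the JVM's jurisdiction-policy cap on AES key size (the "Illegal key size" when midPoint encrypts the connector password) and the LDAPS trust configuration (which truststore the JVM really consults, and whether the resource host name matches the DC certificate). The Java program below is an added diagnostic written for this page; it is not code from the thread, from midPoint or from the LDAP connector. It checks each failure independently: it reports the largest AES key the installed policy allows (128 without the unlimited-strength files), lists what the JCEKS keystore actually contains and which entries are trust anchors versus secret keys, and then performs a TLS handshake to the domain controller trusting only that keystore, with LDAPS hostname verification enabled so a certificate issued for dc1.tirsantest.local fails when the resource points at the bare domain tirsantest.local. The keystore path, password, host and port in the usage comment are assumptions, not values from the thread.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/*
 * LdapsDiag (added example, not part of midPoint): separates the two failures
 * discussed in the thread.
 *  (a) "Illegal key size": the JVM's jurisdiction policy caps AES at 128 bits, so
 *      a 192-bit secret key such as the keystore's "default" SecretKeyEntry cannot
 *      be used until the unlimited-strength policy files are installed.
 *  (b) LDAPS handshake failure: the DC certificate is not in the truststore the
 *      JVM actually consults, or the configured host does not match the certificate.
 *
 * Hypothetical invocation (substitute your own path, password, host and port):
 *   java LdapsDiag /var/opt/midpoint/keystore.jceks jceks changeit dc1.tirsantest.local 636
 */
public class LdapsDiag {

    /** Largest AES key the installed policy permits: 128 without the unlimited files, Integer.MAX_VALUE with them. */
    static int maxAesKeyBits() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /** Loads a JKS, JCEKS or PKCS12 keystore from disk. */
    static KeyStore loadKeyStore(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Shows which aliases are trust anchors and which are keys; only the former matter for the TLS handshake. */
    static void describe(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                X509Certificate x = (X509Certificate) ks.getCertificate(alias);
                System.out.printf("  trustedCertEntry %-18s subject=%s  SANs=%s%n",
                        alias, x.getSubjectX500Principal(), x.getSubjectAlternativeNames());
            } else if (ks.isKeyEntry(alias)) {
                System.out.printf("  key entry        %-18s (protects midPoint secrets; not a TLS trust anchor)%n", alias);
            }
        }
    }

    /** TLS handshake to host:port trusting ONLY the given keystore, with LDAPS-style hostname verification. */
    static String handshake(KeyStore trust, String host, int port) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("LDAPS"); // reject a certificate not issued for this host name
            s.setSSLParameters(p);
            s.startHandshake();
            Certificate[] chain = s.getSession().getPeerCertificates();
            return String.format("protocol=%s cipher=%s serverCert=%s",
                    s.getSession().getProtocol(), s.getSession().getCipherSuite(),
                    ((X509Certificate) chain[0]).getSubjectX500Principal());
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: LdapsDiag <truststore> <type> <password> <host> <port>");
            System.exit(2);
        }
        int bits = maxAesKeyBits();
        System.out.println("max AES key length: " + bits
                + (bits <= 128 ? "  -> unlimited-strength policy NOT active; AES-192 secrets fail with 'Illegal key size'" : "  -> OK"));
        System.out.println("effective -Djavax.net.ssl.trustStore="
                + System.getProperty("javax.net.ssl.trustStore", "(unset: JVM default cacerts is used)"));

        KeyStore ks = loadKeyStore(args[0], args[1], args[2].toCharArray());
        System.out.println("entries in " + args[0] + ":");
        describe(ks);

        System.out.println("LDAPS handshake to " + args[3] + ":" + args[4] + " ...");
        System.out.println("  " + handshake(ks, args[3], Integer.parseInt(args[4])));
    }
}
```

Run it once with the midPoint keystore and once with the JDK's cacerts to see which store actually trusts the DC; if the handshake succeeds but midPoint still logs "Illegal key size", the remaining problem is the policy limit, not TLS. Passing the keystore password on the command line is acceptable for a one-off diagnostic on a test host but should be replaced by a prompt or environment variable anywhere command history is retained.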