[midPoint] Fwd: AD configuration with LDAP Connector, ssl issue

Jason Everling jeverling at bshp.edu
Thu May 4 18:37:05 CEST 2017 

So it might be working now but it would not be wise to keep using it in that sense. I am assuming you did copy your midpoint encryption key to the cacerts file?

I would copy it from the java directory into your midpoint home directory and then re-add the line to tomcat with the file name because if you update java that file currently will get overwritten and you will lose your midpoint keys and you would be in bigger trouble not being able to decrypt any previous data.

Initially, you didn't need to manually create a keystore though, midpoint will create it at first startup along with all the other items in midpoint home directory.
________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Dilek Gider <dilek.gider at basistek.com>
Sent: Thursday, May 4, 2017 2:07:03 AM
To: midPoint General Discussion
Subject: Re: [midPoint] Fwd: AD configuration with LDAP Connector, ssl issue

Hi Jason,

As a feedback, I downloaded JCE and replace jars with sdk's jars. But it didn't work.
I tried most of things, at the end I deleted java.ssl.trustStore java options from tomcat properties.
I changed 636 port to 389, (389 was running from the beginning), tried that it is connecting, after that I changed port to 636 and "Connection Security" =ssl
Then suddenly tested to connection and it connected. Actually I don't know how it worked.

But now, our ssl enviorement is connected without below properties, I think it is used java cacerts now, i have imported certificate to sdk's cacerts.
-Djavax.net.ssl.trustStore=/var/opt/midpoint/keystore.jceks -Djavax.net.ssl.trustStoreType=jceks

Maybe from the beggiing, it must have used only sdk's cacerts, i dont now. I only followed https://wiki.evolveum.com/display/midPoint/Keystore+Configuration but didn't worked.

fyi..

Thank you for your support.


On Wed, Apr 26, 2017 at 3:04 PM, Jason Everling <jeverling at bshp.edu<mailto:jeverling at bshp.edu>> wrote:
I went back and looked at your logs earlier and yes, you can use standard java to connect to ldap over ssl because that is not the issue and it is not using your midpoint encryption keys to encrypt data. Within your error logs it is trying to encrypt the ldap connection password but cannot because of the illegal key size. So I am pretty sure you just need to install the JCE files. I found a page on the wiki for you, and yes, the max is 128 without JCE and from your error logs it is showing AES-192

https://wiki.evolveum.com/display/midPoint/Installing+midPoint+from+Binary+Distribution+v3.5.1#InstallingmidPointfromBinaryDistributionv3.5.1-JavaCryptographyExtension(JCE)UnlimitedStrengthJurisdictionPolicyFiles8




JASON

On Wed, Apr 26, 2017 at 6:52 AM, Jason Everling <jeverling at bshp.edu<mailto:jeverling at bshp.edu>> wrote:

Your key is 192 and without jce the max is 128, go to http://www.oracle.com/technetwork/java/javase/downloads/index.html and scroll down to additional resources and find the unlimited strength file and download it. There is a readme file in it, you just basically copy the files into your java jdk location

________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com<mailto:midpoint-bounces at lists.evolveum.com>> on behalf of Dilek Gider <dilek.gider at basistek.com<mailto:dilek.gider at basistek.com>>
Sent: Wednesday, April 26, 2017 1:43:58 AM
To: midPoint General Discussion

Subject: Re: [midPoint] Fwd: AD configuration with LDAP Connector, ssl issue

Hi Jason ,

No I didnt install it and I dont know anything about this policy file.
I am able to connect via SSL from the same server with simple Java Code, is this possible if there must be installed policy file?

Should I install it?  I am researching that policy file.

On Tue, Apr 25, 2017 at 5:31 PM, Jason Everling <jeverling at bshp.edu<mailto:jeverling at bshp.edu>> wrote:
I didnt even think about this, did you install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 ? That could be the casue of your first error,  default key size. Original error: Illegal key size

JASON

On Tue, Apr 25, 2017 at 9:19 AM, Jason Everling <jeverling at bshp.edu<mailto:jeverling at bshp.edu>> wrote:
is this as actual domain controller? Are you sure that that isn't just the domain?
<gen493:host>tirsantest.local</gen493:host>

it should contain an actual dc host like
<gen493:host>dc1.tirsantest.local</gen493:host>



JASON

On Tue, Apr 25, 2017 at 2:14 AM, Dilek Gider <dilek.gider at basistek.com<mailto:dilek.gider at basistek.com>> wrote:
Hi Brad,

I didn't get certificate, our customer gave to me .cer file that contains certificate, AD belongs to customer.
But with that certificate, I can connect to AD 636 port with java code.

I imported that certificate to midpoint keystore, and also java sdk keystore.
I added java options to tomcat to trust to midpoint keystrore. (-Djavax.net.ssl.trustStore=.....)

On Tue, Apr 25, 2017 at 8:38 AM, Brad Fardig <brad.fardig at cogitogroup.com.au<mailto:brad.fardig at cogitogroup.com.au>> wrote:
Hi,

Just checking, did you add the domain controllers certificate to the key store?

https://wiki.evolveum.com/pages/viewpage.action?pageId=15859743

Regards,

Brad



From: midPoint [mailto:midpoint-bounces at lists.evolveum.com<mailto:midpoint-bounces at lists.evolveum.com>] On Behalf Of dilek.gider at basistek.com<mailto:dilek.gider at basistek.com>
Sent: Tuesday, 25 April 2017 3:03 PM
To: Jason Everling <jeverling at bshp.edu<mailto:jeverling at bshp.edu>>; midPoint General Discussion <midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com>>
Subject: Re: [midPoint] Fwd: AD configuration with LDAP Connector, ssl issue

Thank you for your reply, i created keystore manually with wiki evolveum Keysotore Configuration document. I dont know how if midpoint creates keystore by itself, automatically.

------ Original message------
From: Jason Everling
Date: Mon, Apr 24, 2017 18:41
To: midPoint General Discussion;
Cc:
Subject:Re: [midPoi nt] Fwd: AD configuration with LDAP Connector, ssl issue

>From what I can see, it is showing 'unsupported ciphersuite' along with other ssl/tls startup errors. Did you let midpoint create the keystore when it first started up or did you manually create it? The midpoint team should be able to help further but I have never encountered that error before with midpoint. Only ssl chain errors which is easily fixed and I dont see that in your logs.


JASON

On Mon, Apr 24, 2017 at 7:26 AM, Dilek Gider <dilek.gider at basistek.com<mailto:dilek.gider at basistek.com>> wrote:
Hi Again,

Is there anybody to help me please.. Details are below.

---------- Forwarded message ----------
From: Dilek Gider <dilek.gider at basistek.com<mailto:dilek.gider at basistek.com>>
Date: Thu, Apr 20, 2017 at 4:20 PM
Subject: AD configuration with LDAP Connector, ssl issue
To: midPoint General Discussion <midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com>>

Hi ,

I have resource to AD from midpoint, with LDAP Connector. You can find resource.xml as attchment. I couldn't connect this resource with LDAP via SSL. I followed

https://wiki.evolveum.com/display/midPoint/Keystore+Configuration<https://wiki.evolveum.com/displ%20ay/midPoint/Keystore+Configuration>

link, added Tomcat java options but it doens't work. Also I added logs about this resource, error logs.

I wrote java jar to connect AD via ssl and execute it from the same location with my java connector, it succeeded. But  in midpoint it could not communicate with AD via SSL. Without SSL, it is communicating with AD from LDAPConnector.

I have java 8_101, tomcat 8.5.
I have certificate as "cer" file, I imported to both java cacerts and midpoint keystore. and it is listed with my alias:
Keystore type: JCEKS
Keystore provider: SunJCE


Your keystore contains 3 entries

nlight, Mar 21, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): XXXXXXXXX
default, Nov 30, 2016, SecretKeyEntry,
tirsantest.local, Apr 19, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): XXXXXXXXXXXX

Could you help me? I am working on this problem for two weeks.


_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>
http://lists.evolveum.com/mailman/ listinfo/midpoint<http://lists.evolveum.com/mailman/listinfo/midpoint>



This email, and any attachment, is confidential and also privileged. If you have received it in error, please notify me immediately and delete it from your system along with any attachments. You should not copy or use it for any purpose, nor disclose its contents to any other person.

_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>
http://lists.evolveum.com/mailman/listinfo/midpoint



_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>
http://lists.evolveum.com/mailman/listinfo/midpoint




_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>
http://lists.evolveum.com/mailman/listinfo/midpoint




_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>
http://lists.evolveum.com/mailman/listinfo/midpoint


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170504/f46bb980/attachment.htm>

More information about the midPoint mailing list