[midPoint] Fwd: AD configuration with LDAP Connector, ssl issue

Dilek Gider dilek.gider at basistek.com
Wed Apr 26 08:43:58 CEST 2017


Hi Jason,

No, I didn't install it and I don't know anything about this policy file.
I am able to connect via SSL from the same server with simple Java code; is
this possible if the policy file must be installed?

Should I install it? I am researching that policy file.

On Tue, Apr 25, 2017 at 5:31 PM, Jason Everling <jeverling at bshp.edu> wrote:

> I didn't even think about this, did you install the Java Cryptography
> Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8? That could
> be the cause of your first error, default key size. Original error:
> Illegal key size
>
> JASON
>
> On Tue, Apr 25, 2017 at 9:19 AM, Jason Everling <jeverling at bshp.edu>
> wrote:
>
>> Is this an actual domain controller? Are you sure that isn't just
>> the domain?
>> <gen493:host>tirsantest.local</gen493:host>
>>
>> It should contain an actual DC host like
>> <gen493:host>dc1.tirsantest.local</gen493:host>
>>
>>
>>
>> JASON
>>
>> On Tue, Apr 25, 2017 at 2:14 AM, Dilek Gider <dilek.gider at basistek.com>
>> wrote:
>>
>>> Hi Brad,
>>>
>>> I didn't get the certificate myself; our customer gave me a .cer file that
>>> contains the certificate, as the AD belongs to the customer.
>>> But with that certificate, I can connect to AD port 636 with java code.
>>>
>>> I imported that certificate to the midPoint keystore, and also the java sdk
>>> keystore.
>>> I added java options to tomcat to trust the midPoint keystore (
>>> -Djavax.net.ssl.trustStore=.....)
>>>
>>> On Tue, Apr 25, 2017 at 8:38 AM, Brad Fardig <
>>> brad.fardig at cogitogroup.com.au> wrote:
>>>
>>>> Hi,
>>>>
>>>> Just checking, did you add the domain controller's certificate to the
>>>> key store?
>>>>
>>>> https://wiki.evolveum.com/pages/viewpage.action?pageId=15859743
>>>>
>>>> Regards,
>>>>
>>>> Brad
>>>>
>>>> *From:* midPoint [mailto:midpoint-bounces at lists.evolveum.com] *On
>>>> Behalf Of *dilek.gider at basistek.com
>>>> *Sent:* Tuesday, 25 April 2017 3:03 PM
>>>> *To:* Jason Everling <jeverling at bshp.edu>; midPoint General Discussion
>>>> <midpoint at lists.evolveum.com>
>>>> *Subject:* Re: [midPoint] Fwd: AD configuration with LDAP Connector,
>>>> ssl issue
>>>>
>>>> Thank you for your reply, I created the keystore manually with the wiki
>>>> evolveum Keystore Configuration document. I don't know if midPoint
>>>> creates the keystore by itself, automatically.
>>>>
>>>>
>>>>
>>>> ------ Original message------
>>>>
>>>> *From: *Jason Everling
>>>> *Date: *Mon, Apr 24, 2017 18:41
>>>> *To: *midPoint General Discussion;
>>>> *Cc: *
>>>> *Subject:* Re: [midPoint] Fwd: AD configuration with LDAP Connector,
>>>> ssl issue
>>>>
>>>> From what I can see, it is showing 'unsupported ciphersuite' along with
>>>> other ssl/tls startup errors. Did you let midPoint create the keystore when
>>>> it first started up or did you manually create it? The midPoint team should
>>>> be able to help further, but I have never encountered that error before with
>>>> midPoint, only SSL chain errors, which are easily fixed, and I don't see that
>>>> in your logs.
>>>>
>>>> JASON
>>>>
>>>>
>>>>
>>>> On Mon, Apr 24, 2017 at 7:26 AM, Dilek Gider <dilek.gider at basistek.com>
>>>> wrote:
>>>>
>>>> Hi again,
>>>>
>>>> Is there anybody who can help me, please? Details are below.
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: *Dilek Gider* <dilek.gider at basistek.com>
>>>> Date: Thu, Apr 20, 2017 at 4:20 PM
>>>> Subject: AD configuration with LDAP Connector, ssl issue
>>>> To: midPoint General Discussion <midpoint at lists.evolveum.com>
>>>>
>>>> Hi,
>>>>
>>>> I have a resource to AD from midPoint, with the LDAP Connector. You can find
>>>> resource.xml as an attachment. I couldn't connect to this resource with LDAP via
>>>> SSL. I followed
>>>>
>>>> https://wiki.evolveum.com/display/midPoint/Keystore+Configuration
>>>>
>>>> and added the Tomcat java options, but it doesn't work. I also added logs
>>>> about this resource, error logs.
>>>>
>>>> I wrote a java jar to connect to AD via SSL and executed it from the same
>>>> location as my java connector, and it succeeded. But in midPoint it could
>>>> not communicate with AD via SSL. Without SSL, it is communicating with AD
>>>> from the LDAPConnector.
>>>>
>>>> I have java 8_101, tomcat 8.5.
>>>>
>>>> I have the certificate as a "cer" file; I imported it to both the java cacerts
>>>> and the midPoint keystore, and it is listed with my alias:
>>>>
>>>> Keystore type: JCEKS
>>>> Keystore provider: SunJCE
>>>>
>>>> Your keystore contains 3 entries
>>>>
>>>> nlight, Mar 21, 2017, trustedCertEntry,
>>>> Certificate fingerprint (SHA1): XXXXXXXXX
>>>> default, Nov 30, 2016, SecretKeyEntry,
>>>> tirsantest.local, Apr 19, 2017, trustedCertEntry,
>>>> Certificate fingerprint (SHA1): XXXXXXXXXXXX
>>>>
>>>> Could you help me? I have been working on this problem for two weeks.
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>
>
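The two suspects raised in the thread (a limited-strength JCE policy producing "Illegal key size", and a resource host set to the domain name rather than a domain controller hostname, so that no trusted certificate names the host the connector actually talks to) can both be checked without touching the AD server. The program below is an added example, not code from the thread, from midPoint or from the LDAP connector. It assumes the truststore path, password and expected DC hostname are passed as arguments (the same path and password that Tomcat receives via -Djavax.net.ssl.trustStore=...), and that the store type is JCEKS as in the keytool output above; the class and method names are hypothetical.

```java
import javax.crypto.Cipher;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

/**
 * Offline checks for the two suspects in the thread. Hypothetical class name.
 * Usage: java LdapsTrustCheck <truststore> <password> <expected-dc-host> [JCEKS|JKS]
 */
public class LdapsTrustCheck {

    /**
     * True when 256-bit AES is permitted, i.e. the unlimited-strength policy is in force.
     * Before 8u161 the default policy capped AES at 128 bits (so "Illegal key size" for
     * 256-bit keys); from 8u161 on, unlimited is the default.
     */
    public static boolean unlimitedPolicyActive() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    /** DNS names a certificate is valid for: SAN dNSName entries plus the subject CN. */
    public static List<String> dnsNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                // GeneralName type 2 is dNSName.
                if (Integer.valueOf(2).equals(san.get(0))) {
                    names.add(String.valueOf(san.get(1)).toLowerCase());
                }
            }
        }
        for (String rdn : cert.getSubjectX500Principal().getName().split(",")) {
            String r = rdn.trim();
            if (r.toUpperCase().startsWith("CN=")) {
                names.add(r.substring(3).toLowerCase());
            }
        }
        return names;
    }

    /** Exact match, or a single-label wildcard match such as *.tirsantest.local. */
    public static boolean hostMatches(String expectedHost, List<String> names) {
        String host = expectedHost.toLowerCase();
        for (String n : names) {
            if (n.equals(host)) {
                return true;
            }
            if (n.startsWith("*.") && host.endsWith(n.substring(1))) {
                String label = host.substring(0, host.length() - n.substring(1).length());
                if (!label.isEmpty() && !label.contains(".")) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String path = args[0], password = args[1], expectedHost = args[2];
        String type = args.length > 3 ? args[3] : "JCEKS";

        System.out.println("Unlimited-strength JCE policy active: " + unlimitedPolicyActive());

        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }

        boolean anyMatch = false;
        for (String alias : Collections.list(ks.aliases())) {
            // Skip the SecretKeyEntry midPoint keeps for its own encryption; only
            // trustedCertEntry items matter for the LDAPS trust decision.
            if (!ks.isCertificateEntry(alias)) {
                continue;
            }
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x = (X509Certificate) c;
            String validity;
            try {
                x.checkValidity();
                validity = "valid";
            } catch (CertificateException e) {
                validity = e.getClass().getSimpleName();
            }
            List<String> names = dnsNames(x);
            boolean match = hostMatches(expectedHost, names);
            anyMatch |= match;
            System.out.printf("%s: %s, names=%s, matches %s: %s%n",
                    alias, validity, names, expectedHost, match);
        }
        if (!anyMatch) {
            System.out.println("No trusted certificate names " + expectedHost
                    + "; if the resource host is the domain name, use the DC hostname instead.");
        }
    }
}
```

Run it with the JVM that Tomcat uses, not a different JDK on the same box: the policy files and the cacerts store are per installation, which is one reason a standalone test program can succeed while the same connection fails inside midPoint.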