[midPoint] Fwd: AD configuration with LDAP Connector, ssl issue

Jason Everling jeverling at bshp.edu
Wed Apr 26 13:52:05 CEST 2017


Your key is 192 and without JCE the max is 128. Go to http://www.oracle.com/technetwork/java/javase/downloads/index.html, scroll down to Additional Resources, find the Unlimited Strength file and download it. There is a readme file in it; you basically just copy the files into your Java JDK location.

________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Dilek Gider <dilek.gider at basistek.com>
Sent: Wednesday, April 26, 2017 1:43:58 AM
To: midPoint General Discussion
Subject: Re: [midPoint] Fwd: AD configuration with LDAP Connector, ssl issue

Hi Jason ,

No, I didn't install it and I don't know anything about this policy file.
I am able to connect via SSL from the same server with simple Java Code, is this possible if there must be installed policy file?

Should I install it?  I am researching that policy file.

On Tue, Apr 25, 2017 at 5:31 PM, Jason Everling <jeverling at bshp.edu> wrote:
I didn't even think about this: did you install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8? That could be the cause of your first error, default key size. Original error: Illegal key size

JASON

On Tue, Apr 25, 2017 at 9:19 AM, Jason Everling <jeverling at bshp.edu> wrote:
Is this an actual domain controller? Are you sure that isn't just the domain?
<gen493:host>tirsantest.local</gen493:host>

it should contain an actual dc host like
<gen493:host>dc1.tirsantest.local</gen493:host>



JASON

On Tue, Apr 25, 2017 at 2:14 AM, Dilek Gider <dilek.gider at basistek.com> wrote:
Hi Brad,

I didn't get the certificate myself; our customer gave me a .cer file that contains the certificate. The AD belongs to the customer.
But with that certificate, I can connect to AD 636 port with java code.

I imported that certificate to midpoint keystore, and also java sdk keystore.
I added Java options to Tomcat to trust the midPoint keystore. (-Djavax.net.ssl.trustStore=.....)

On Tue, Apr 25, 2017 at 8:38 AM, Brad Fardig <brad.fardig at cogitogroup.com.au> wrote:
Hi,

Just checking, did you add the domain controllers certificate to the key store?

https://wiki.evolveum.com/pages/viewpage.action?pageId=15859743

Regards,

Brad



From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of dilek.gider at basistek.com
Sent: Tuesday, 25 April 2017 3:03 PM
To: Jason Everling <jeverling at bshp.edu>; midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Fwd: AD configuration with LDAP Connector, ssl issue

Thank you for your reply. I created the keystore manually following the Evolveum wiki Keystore Configuration document. I don't know whether midPoint creates the keystore by itself, automatically.

------ Original message------
From: Jason Everling
Date: Mon, Apr 24, 2017 18:41
To: midPoint General Discussion;
Cc:
Subject: Re: [midPoint] Fwd: AD configuration with LDAP Connector, ssl issue

From what I can see, it is showing 'unsupported ciphersuite' along with other SSL/TLS startup errors. Did you let midPoint create the keystore when it first started up, or did you manually create it? The midPoint team should be able to help further, but I have never encountered that error before with midPoint, only SSL chain errors, which are easily fixed, and I don't see that in your logs.


JASON

On Mon, Apr 24, 2017 at 7:26 AM, Dilek Gider <dilek.gider at basistek.com> wrote:
Hi Again,

Is there anybody who can help me, please? Details are below.

---------- Forwarded message ----------
From: Dilek Gider <dilek.gider at basistek.com>
Date: Thu, Apr 20, 2017 at 4:20 PM
Subject: AD configuration with LDAP Connector, ssl issue
To: midPoint General Discussion <midpoint at lists.evolveum.com>

Hi ,

I have a resource to AD from midPoint, with the LDAP Connector. You can find resource.xml as an attachment. I couldn't connect this resource to LDAP via SSL. I followed

https://wiki.evolveum.com/display/midPoint/Keystore+Configuration

link and added the Tomcat Java options, but it doesn't work. I also added the logs about this resource, the error logs.

I wrote a Java jar to connect to AD via SSL and executed it from the same location as my Java connector, and it succeeded. But in midPoint it could not communicate with AD via SSL. Without SSL, it is communicating with AD from the LDAP Connector.

I have Java 8_101, Tomcat 8.5.
I have the certificate as a .cer file; I imported it into both the Java cacerts and the midPoint keystore, and it is listed under my alias:
Keystore type: JCEKS
Keystore provider: SunJCE


Your keystore contains 3 entries

nlight, Mar 21, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): XXXXXXXXX
default, Nov 30, 2016, SecretKeyEntry,
tirsantest.local, Apr 19, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): XXXXXXXXXXXX

Could you help me? I am working on this problem for two weeks.


_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint












