[midPoint] Fwd: AD configuration with LDAP Connector, ssl issue

Jason Everling jeverling at bshp.edu
Wed Apr 26 14:04:38 CEST 2017


I went back and looked at your logs earlier and yes, you can use standard
Java to connect to LDAP over SSL because that is not the issue, and it is
not using your midPoint encryption keys to encrypt data. Within your error
logs it is trying to encrypt the LDAP connection password but cannot
because of the illegal key size. So I am pretty sure you just need to
install the JCE files. I found a page on the wiki for you, and yes, the max
is 128 without JCE, and your error logs are showing AES-192.

https://wiki.evolveum.com/display/midPoint/Installing+midPoint+from+Binary+Distribution+v3.5.1#InstallingmidPointfromBinaryDistributionv3.5.1-JavaCryptographyExtension(JCE)UnlimitedStrengthJurisdictionPolicyFiles8




JASON

On Wed, Apr 26, 2017 at 6:52 AM, Jason Everling <jeverling at bshp.edu> wrote:

> Your key is 192 and without JCE the max is 128. Go to
> http://www.oracle.com/technetwork/java/javase/downloads/index.html and
> scroll down to additional resources and find the unlimited strength file
> and download it. There is a readme file in it; you just basically copy the
> files into your Java JDK location.
> ------------------------------
> *From:* midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Dilek
> Gider <dilek.gider at basistek.com>
> *Sent:* Wednesday, April 26, 2017 1:43:58 AM
> *To:* midPoint General Discussion
>
> *Subject:* Re: [midPoint] Fwd: AD configuration with LDAP Connector, ssl
> issue
>
> Hi Jason,
>
> No, I didn't install it and I don't know anything about this policy file.
> I am able to connect via SSL from the same server with simple Java code;
> is this possible if the policy file must be installed?
>
> Should I install it? I am researching that policy file.
>
> On Tue, Apr 25, 2017 at 5:31 PM, Jason Everling <jeverling at bshp.edu>
> wrote:
>
>> I didn't even think about this: did you install the Java Cryptography
>> Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8? That could
>> be the cause of your first error, default key size. Original error:
>> Illegal key size
>>
>> JASON
>>
>> On Tue, Apr 25, 2017 at 9:19 AM, Jason Everling <jeverling at bshp.edu>
>> wrote:
>>
>>> Is this an actual domain controller? Are you sure that that isn't just
>>> the domain?
>>> <gen493:host>tirsantest.local</gen493:host>
>>>
>>> It should contain an actual DC host like
>>> <gen493:host>dc1.tirsantest.local</gen493:host>
>>>
>>>
>>>
>>> JASON
>>>
>>> On Tue, Apr 25, 2017 at 2:14 AM, Dilek Gider <dilek.gider at basistek.com>
>>> wrote:
>>>
>>>> Hi Brad,
>>>>
>>>> I didn't get the certificate myself; our customer gave me a .cer file that
>>>> contains the certificate. The AD belongs to the customer.
>>>> But with that certificate, I can connect to AD on port 636 with Java code.
>>>>
>>>> I imported that certificate into the midPoint keystore, and also the Java SDK
>>>> keystore.
>>>> I added Java options to Tomcat to trust the midPoint keystore
>>>> (-Djavax.net.ssl.trustStore=.....)
>>>>
>>>> On Tue, Apr 25, 2017 at 8:38 AM, Brad Fardig <
>>>> brad.fardig at cogitogroup.com.au> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>>
>>>>>
>>>>> Just checking, did you add the domain controller's certificate to the
>>>>> key store?
>>>>>
>>>>>
>>>>>
>>>>> https://wiki.evolveum.com/pages/viewpage.action?pageId=15859743
>>>>>
>>>>>
>>>>>
>>>>> Regards,
>>>>>
>>>>>
>>>>>
>>>>> Brad
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> *From:* midPoint [mailto:midpoint-bounces at lists.evolveum.com] *On
>>>>> Behalf Of *dilek.gider at basistek.com
>>>>> *Sent:* Tuesday, 25 April 2017 3:03 PM
>>>>> *To:* Jason Everling <jeverling at bshp.edu>; midPoint General
>>>>> Discussion <midpoint at lists.evolveum.com>
>>>>> *Subject:* Re: [midPoint] Fwd: AD configuration with LDAP Connector,
>>>>> ssl issue
>>>>>
>>>>>
>>>>>
>>>>> Thank you for your reply. I created the keystore manually with the wiki
>>>>> evolveum Keystore Configuration document. I don't know if midPoint
>>>>> creates the keystore by itself, automatically.
>>>>>
>>>>>
>>>>>
>>>>> ------ Original message------
>>>>>
>>>>> *From: *Jason Everling
>>>>>
>>>>> *Date: *Mon, Apr 24, 2017 18:41
>>>>>
>>>>> *To: *midPoint General Discussion;
>>>>>
>>>>> *Cc: *
>>>>>
>>>>> *Subject:* Re: [midPoint] Fwd: AD configuration with LDAP Connector,
>>>>> ssl issue
>>>>>
>>>>>
>>>>>
>>>>> From what I can see, it is showing 'unsupported ciphersuite' along
>>>>> with other SSL/TLS startup errors. Did you let midPoint create the keystore
>>>>> when it first started up, or did you manually create it? The midPoint team
>>>>> should be able to help further, but I have never encountered that error
>>>>> before with midPoint, only SSL chain errors, which are easily fixed, and I
>>>>> don't see that in your logs.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> JASON
>>>>>
>>>>>
>>>>>
>>>>> On Mon, Apr 24, 2017 at 7:26 AM, Dilek Gider <dilek.gider at basistek.com>
>>>>> wrote:
>>>>>
>>>>> Hi Again,
>>>>>
>>>>>
>>>>>
>>>>> Is there anybody who can help me, please? Details are below.
>>>>>
>>>>>
>>>>>
>>>>> ---------- Forwarded message ----------
>>>>> From: *Dilek Gider* <dilek.gider at basistek.com>
>>>>> Date: Thu, Apr 20, 2017 at 4:20 PM
>>>>> Subject: AD configuration with LDAP Connector, ssl issue
>>>>> To: midPoint General Discussion <midpoint at lists.evolveum.com>
>>>>>
>>>>> Hi ,
>>>>>
>>>>>
>>>>>
>>>>> I have a resource to AD from midPoint, with the LDAP Connector. You can find
>>>>> resource.xml as an attachment. I couldn't connect this resource with LDAP via
>>>>> SSL. I followed the
>>>>>
>>>>>
>>>>>
>>>>> https://wiki.evolveum.com/display/midPoint/Keystore+Configuration
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> link and added the Tomcat Java options, but it doesn't work. I also added logs
>>>>> about this resource, the error logs.
>>>>>
>>>>>
>>>>>
>>>>> I wrote a Java jar to connect to AD via SSL and executed it from the same
>>>>> location as my Java connector; it succeeded. But in midPoint it could
>>>>> not communicate with AD via SSL. Without SSL, it is communicating with AD
>>>>> from the LDAP Connector.
>>>>>
>>>>>
>>>>>
>>>>> I have Java 8_101, Tomcat 8.5.
>>>>>
>>>>> I have the certificate as a "cer" file; I imported it into both the Java cacerts and the
>>>>> midPoint keystore, and it is listed with my alias:
>>>>>
>>>>> Keystore type: JCEKS
>>>>>
>>>>> Keystore provider: SunJCE
>>>>>
>>>>>
>>>>>
>>>>> Your keystore contains 3 entries
>>>>>
>>>>>
>>>>>
>>>>> nlight, Mar 21, 2017, trustedCertEntry,
>>>>>
>>>>> Certificate fingerprint (SHA1): XXXXXXXXX
>>>>>
>>>>> default, Nov 30, 2016, SecretKeyEntry,
>>>>>
>>>>> tirsantest.local, Apr 19, 2017, trustedCertEntry,
>>>>>
>>>>> Certificate fingerprint (SHA1): XXXXXXXXXXXX
>>>>>
>>>>>
>>>>>
>>>>> Could you help me? I have been working on this problem for two weeks.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>>
>
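The thread's diagnosis is that the midPoint keystore holds a 192-bit AES secret key while the JVM's default JCE policy caps AES at 128 bits, so `Cipher.init` fails with "Illegal key size" before the LDAP connection password can be encrypted. The following Java program is an added diagnostic example, not code from the thread or from the midPoint project: it reports the AES key length this JVM permits, probes 128/192/256-bit keys the way midPoint's encryption path would, and optionally opens a JCEKS keystore to report the bit length of the stored secret key so the two can be compared. The keystore path, password and alias are hypothetical command-line arguments; the alias defaults to `default`, matching the `SecretKeyEntry` shown in the keytool listing above. On JDK 8u161 and later the unlimited-strength policy is the default, so the check reports "unlimited" there without any policy files being installed.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyStore;

/**
 * Diagnostic for the "Illegal key size" failure: compares the AES key length
 * this JVM's JCE policy allows with the key actually stored in a JCEKS keystore.
 * Example code; not part of midPoint.
 */
public class JceKeySizeCheck {

    /** Largest AES key length (bits) the installed policy permits.
     *  Integer.MAX_VALUE means the unlimited-strength policy is active. */
    static int maxAesKeyBits() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /** True if Cipher.init accepts an AES key of the given length on this JVM.
     *  Under the restricted policy, 192 and 256 throw InvalidKeyException
     *  with the message "Illegal key size", the error seen in the midPoint log. */
    static boolean aesKeyBitsAccepted(int bits) throws Exception {
        // Constructed all-zero test key; only its length matters for the policy check.
        SecretKeySpec key = new SecretKeySpec(new byte[bits / 8], "AES");
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(new byte[16]));
            return true;
        } catch (InvalidKeyException e) {
            return false;
        }
    }

    /** Bit length of the secret key stored under alias in a JCEKS keystore
     *  (hypothetical path/password/alias supplied by the caller). */
    static int storedKeyBits(String path, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        Key key = ks.getKey(alias, password);
        if (key == null) {
            throw new IllegalArgumentException("no key entry for alias " + alias);
        }
        return key.getEncoded().length * 8;
    }

    // Usage: java JceKeySizeCheck [keystore.jceks keystorePassword [alias]]
    public static void main(String[] args) throws Exception {
        int max = maxAesKeyBits();
        System.out.println("Max allowed AES key length: "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        for (int bits : new int[] {128, 192, 256}) {
            System.out.println("AES-" + bits + ": "
                    + (aesKeyBitsAccepted(bits) ? "accepted" : "Illegal key size"));
        }
        if (args.length >= 2) {
            String alias = args.length > 2 ? args[2] : "default";
            int stored = storedKeyBits(args[0], args[1].toCharArray(), alias);
            System.out.println("Key '" + alias + "' in " + args[0] + " is " + stored + " bits");
            if (stored > max) {
                System.out.println("=> this JVM cannot use the keystore key; "
                        + "install the JCE unlimited-strength policy files or regenerate a 128-bit key");
            }
        }
    }
}
```

Run it with the same JDK that Tomcat uses, since the policy files are installed per JDK; a 192-bit stored key together with a 128-bit maximum reproduces the situation described in the thread without touching the LDAP resource at all.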