[midPoint] Fwd: AD configuration with LDAP Connector, ssl issue

Dilek Gider dilek.gider at basistek.com
Fri May 5 08:51:36 CEST 2017


Yes Jason, I copied the encryption key to the cacerts file. And you are right, if
I update the SDK, that key will be lost. I will inform the customer about this; we
have the certificate and only one command will need to be run (keytool import...).
Otherwise, I lost three weeks with this encryption issue; I can't wait
any longer, unfortunately.

Thank you for your support.
Dilek.

On Thu, May 4, 2017 at 7:37 PM, Jason Everling <jeverling at bshp.edu> wrote:

> So it might be working now, but it would not be wise to keep using it in
> that sense. I am assuming you did copy your midPoint encryption key to the
> cacerts file?
>
> I would copy it from the Java directory into your midPoint home directory
> and then re-add the line to Tomcat with the file name, because if you update
> Java that file will currently get overwritten and you will lose your
> midPoint keys, and you would be in bigger trouble not being able to decrypt
> any previous data.
>
> Initially, you didn't need to manually create a keystore though; midPoint
> will create it at first startup along with all the other items in the midPoint
> home directory.
> ------------------------------
> *From:* midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Dilek
> Gider <dilek.gider at basistek.com>
> *Sent:* Thursday, May 4, 2017 2:07:03 AM
> *To:* midPoint General Discussion
> *Subject:* Re: [midPoint] Fwd: AD configuration with LDAP Connector, ssl
> issue
>
> Hi Jason,
>
> As feedback: I downloaded the JCE and replaced the SDK's jars with its jars. But it
> didn't work.
> I tried many things; in the end I deleted the javax.net.ssl.trustStore Java
> options from the Tomcat properties.
> I changed port 636 to 389 (389 was working from the beginning), tested
> that it connects, and after that I changed the port to 636 and "Connection
> Security" = ssl.
> Then I tested the connection and it suddenly connected. Actually I don't know
> how it worked.
>
> But now our SSL environment connects without the properties below; I
> think it uses the Java cacerts now, as I have imported the certificate into the SDK's
> cacerts.
> -Djavax.net.ssl.trustStore=/var/opt/midpoint/keystore.jceks
> -Djavax.net.ssl.trustStoreType=jceks
>
> Maybe from the beginning it should have used only the SDK's cacerts, I don't know.
> I only followed https://wiki.evolveum.com/display/midPoint/Keystore+Configuration
> but it didn't work.
>
> fyi..
>
> Thank you for your support.
>
>
> On Wed, Apr 26, 2017 at 3:04 PM, Jason Everling <jeverling at bshp.edu>
> wrote:
>
>> I went back and looked at your logs earlier and yes, you can use standard
>> Java to connect to LDAP over SSL because that is not the issue, and it is
>> not using your midPoint encryption keys to encrypt data. Within your error
>> logs it is trying to encrypt the LDAP connection password but cannot
>> because of the illegal key size. So I am pretty sure you just need to
>> install the JCE files. I found a page on the wiki for you, and yes, the max
>> is 128 without JCE and your error logs show AES-192.
>>
>> https://wiki.evolveum.com/display/midPoint/Installing+midPoint+from+Binary+Distribution+v3.5.1#InstallingmidPointfromBinaryDistributionv3.5.1-JavaCryptographyExtension(JCE)UnlimitedStrengthJurisdictionPolicyFiles8
>>
>>
>>
>>
>> JASON
>>
>> On Wed, Apr 26, 2017 at 6:52 AM, Jason Everling <jeverling at bshp.edu>
>> wrote:
>>
>>> Your key is 192 and without JCE the max is 128. Go to
>>> http://www.oracle.com/technetwork/java/javase/downloads/index.html,
>>> scroll down to Additional Resources, find the Unlimited Strength file
>>> and download it. There is a readme file in it; you basically just copy the
>>> files into your Java JDK location.
>>> ------------------------------
>>> *From:* midPoint <midpoint-bounces at lists.evolveum.com> on behalf of
>>> Dilek Gider <dilek.gider at basistek.com>
>>> *Sent:* Wednesday, April 26, 2017 1:43:58 AM
>>> *To:* midPoint General Discussion
>>>
>>> *Subject:* Re: [midPoint] Fwd: AD configuration with LDAP Connector,
>>> ssl issue
>>>
>>> Hi Jason ,
>>>
>>> No, I didn't install it and I don't know anything about this policy file.
>>> I am able to connect via SSL from the same server with simple Java code;
>>> is this possible if the policy file must be installed?
>>>
>>> Should I install it?  I am researching that policy file.
>>>
>>> On Tue, Apr 25, 2017 at 5:31 PM, Jason Everling <jeverling at bshp.edu>
>>> wrote:
>>>
>>>> I didn't even think about this: did you install the Java Cryptography
>>>> Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8? That could
>>>> be the cause of your first error, the default key size. Original error:
>>>> Illegal key size
>>>>
>>>> JASON
>>>>
>>>> On Tue, Apr 25, 2017 at 9:19 AM, Jason Everling <jeverling at bshp.edu>
>>>> wrote:
>>>>
>>>>> Is this an actual domain controller? Are you sure that isn't just
>>>>> the domain?
>>>>> <gen493:host>tirsantest.local</gen493:host>
>>>>>
>>>>> It should contain an actual DC host like
>>>>> <gen493:host>dc1.tirsantest.local</gen493:host>
>>>>>
>>>>>
>>>>>
>>>>> JASON
>>>>>
>>>>> On Tue, Apr 25, 2017 at 2:14 AM, Dilek Gider <dilek.gider at basistek.com> wrote:
>>>>>
>>>>>> Hi Brad,
>>>>>>
>>>>>> I didn't get the certificate myself; our customer gave me a .cer file that
>>>>>> contains the certificate, as the AD belongs to the customer.
>>>>>> But with that certificate, I can connect to AD on port 636 with Java
>>>>>> code.
>>>>>>
>>>>>> I imported that certificate into the midPoint keystore, and also into the Java SDK
>>>>>> keystore.
>>>>>> I added Java options to Tomcat to trust the midPoint keystore
>>>>>> (-Djavax.net.ssl.trustStore=.....)
>>>>>>
>>>>>> On Tue, Apr 25, 2017 at 8:38 AM, Brad Fardig <
>>>>>> brad.fardig at cogitogroup.com.au> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Just checking, did you add the domain controller's certificate to the
>>>>>>> keystore?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> https://wiki.evolveum.com/pages/viewpage.action?pageId=15859743
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Brad
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> *From:* midPoint [mailto:midpoint-bounces at lists.evolveum.com] *On
>>>>>>> Behalf Of *dilek.gider at basistek.com
>>>>>>> *Sent:* Tuesday, 25 April 2017 3:03 PM
>>>>>>> *To:* Jason Everling <jeverling at bshp.edu>; midPoint General
>>>>>>> Discussion <midpoint at lists.evolveum.com>
>>>>>>> *Subject:* Re: [midPoint] Fwd: AD configuration with LDAP
>>>>>>> Connector, ssl issue
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Thank you for your reply. I created the keystore manually with the
>>>>>>> Evolveum wiki Keystore Configuration document. I don't know whether midPoint
>>>>>>> creates the keystore by itself, automatically.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ------ Original message------
>>>>>>>
>>>>>>> *From: *Jason Everling
>>>>>>>
>>>>>>> *Date: *Mon, Apr 24, 2017 18:41
>>>>>>>
>>>>>>> *To: *midPoint General Discussion;
>>>>>>>
>>>>>>> *Cc: *
>>>>>>>
>>>>>>> *Subject:* Re: [midPoint] Fwd: AD configuration with LDAP
>>>>>>> Connector, ssl issue
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> From what I can see, it is showing 'unsupported ciphersuite' along
>>>>>>> with other SSL/TLS startup errors. Did you let midPoint create the keystore
>>>>>>> when it first started up, or did you manually create it? The midPoint team
>>>>>>> should be able to help further, but I have never encountered that error
>>>>>>> before with midPoint. Only SSL chain errors, which are easily fixed, and I
>>>>>>> don't see that in your logs.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> JASON
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Apr 24, 2017 at 7:26 AM, Dilek Gider <
>>>>>>> dilek.gider at basistek.com> wrote:
>>>>>>>
>>>>>>> Hi Again,
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Is there anybody to help me please.. Details are below.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ---------- Forwarded message ----------
>>>>>>> From: *Dilek Gider* <dilek.gider at basistek.com>
>>>>>>> Date: Thu, Apr 20, 2017 at 4:20 PM
>>>>>>> Subject: AD configuration with LDAP Connector, ssl issue
>>>>>>> To: midPoint General Discussion <midpoint at lists.evolveum.com>
>>>>>>>
>>>>>>> Hi ,
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I have a resource to AD from midPoint, with the LDAP Connector. You can
>>>>>>> find resource.xml as an attachment. I couldn't connect this resource via LDAP
>>>>>>> over SSL. I followed the
>>>>>>>
>>>>>>> https://wiki.evolveum.com/display/midPoint/Keystore+Configuration
>>>>>>>
>>>>>>> link and added Tomcat Java options, but it doesn't work. I also added
>>>>>>> logs about this resource, the error logs.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I wrote a Java jar to connect to AD via SSL and executed it from the same
>>>>>>> location as my Java connector, and it succeeded. But in midPoint it could
>>>>>>> not communicate with AD via SSL. Without SSL, it communicates with AD
>>>>>>> from the LDAP Connector.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I have Java 8_101, Tomcat 8.5.
>>>>>>>
>>>>>>> I have the certificate as a "cer" file; I imported it into both the Java cacerts
>>>>>>> and the midPoint keystore, and it is listed with my alias:
>>>>>>>
>>>>>>> Keystore type: JCEKS
>>>>>>> Keystore provider: SunJCE
>>>>>>>
>>>>>>> Your keystore contains 3 entries
>>>>>>>
>>>>>>> nlight, Mar 21, 2017, trustedCertEntry,
>>>>>>> Certificate fingerprint (SHA1): XXXXXXXXX
>>>>>>> default, Nov 30, 2016, SecretKeyEntry,
>>>>>>> tirsantest.local, Apr 19, 2017, trustedCertEntry,
>>>>>>> Certificate fingerprint (SHA1): XXXXXXXXXXXX
>>>>>>>
>>>>>>> Could you help me? I have been working on this problem for two weeks.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> midPoint mailing list
>>>>>>> midPoint at lists.evolveum.com
>>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> *This email, and any attachment, is confidential and also
>>>>>>> privileged. If you have received it in error, please notify me immediately
>>>>>>> and delete it from your system along with any attachments. You should not
>>>>>>> copy or use it for any purpose, nor disclose its contents to any other
>>>>>>> person. *
>>>>>>>
>>>>>
>>>>
>>>
>>
>
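The thread turns on three separate things: the JVM's AES key-length cap (the "Illegal key size" error on the 192-bit midPoint key, which on the Java 8 build mentioned above needs the JCE unlimited-strength policy files), which trust store the JVM actually consults for the LDAPS handshake, and whether the configured host name matches the domain controller's certificate. The diagnostic below is an added example written for this page, not code from midPoint or the Evolveum wiki. The class name, file paths and host name are illustrative, and it assumes a dedicated trust store that holds only the DC certificate, rather than the JDK cacerts file or midPoint's own keystore.jceks.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added diagnostic for the failure modes discussed in the thread (not midPoint code):
 *  - "Illegal key size": the JVM's AES key-length cap is below the 192-bit
 *    midPoint key, i.e. the JCE unlimited-strength policy files are missing;
 *  - LDAPS trust: the DC certificate is not in the trust store the JVM actually
 *    uses, or the configured host does not match the certificate.
 *
 * Usage (class name, paths and host are illustrative, not from the thread):
 *   java LdapsTrustCheck /var/opt/midpoint/ad-truststore.jks JKS changeit dc1.tirsantest.local 636
 */
public class LdapsTrustCheck {

    /** Max AES key length this JVM allows; Integer.MAX_VALUE means unlimited. */
    static int maxAesKeyBits() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /**
     * Loads the trust store and prints what is in it. Only trustedCertEntry
     * items take part in the TLS handshake; a SecretKeyEntry (the midPoint
     * encryption key) is irrelevant to TLS and does not belong in a JDK
     * cacerts file, which a JDK update overwrites.
     */
    static KeyStore loadTrustStore(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            String kind = ks.isCertificateEntry(alias) ? "trustedCertEntry"
                        : ks.isKeyEntry(alias) ? "keyEntry (not used for trust)" : "other";
            System.out.println("  " + alias + ": " + kind);
        }
        return ks;
    }

    /**
     * Performs a TLS handshake with the DC using only the given trust store,
     * with LDAPS host-name verification enabled, and returns the server chain.
     * A bare domain name (tirsantest.local) instead of a DC host name
     * (dc1.tirsantest.local) fails here even when the chain itself is trusted.
     */
    static X509Certificate[] handshake(KeyStore trust, String host, int port) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("LDAPS"); // host name must match the cert
            sock.setSSLParameters(params);
            sock.startHandshake(); // throws on an untrusted chain or host-name mismatch
            Certificate[] chain = sock.getSession().getPeerCertificates();
            X509Certificate[] x509 = new X509Certificate[chain.length];
            for (int i = 0; i < chain.length; i++) {
                x509[i] = (X509Certificate) chain[i];
            }
            return x509;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: LdapsTrustCheck <truststore> <storetype> <storepass> <dc-host> [port]");
            System.exit(2);
        }
        int port = args.length > 4 ? Integer.parseInt(args[4]) : 636;

        int bits = maxAesKeyBits();
        System.out.println("Max AES key length: "
                + (bits == Integer.MAX_VALUE ? "unlimited" : bits + " bits"));
        if (bits < 192) {
            System.out.println("  -> a 192-bit midPoint key will fail with 'Illegal key size';"
                    + " install the JCE unlimited-strength policy files for this JDK");
        }

        System.out.println("Trust store " + args[0] + " (" + args[1] + "):");
        KeyStore trust = loadTrustStore(args[0], args[1], args[2].toCharArray());

        System.out.println("LDAPS handshake with " + args[3] + ":" + port);
        for (X509Certificate c : handshake(trust, args[3], port)) {
            System.out.println("  " + c.getSubjectX500Principal()
                    + "  (issuer: " + c.getIssuerX500Principal() + ")");
        }
        System.out.println("OK: chain trusted and host name verified");
    }
}
```

Run it under the same JDK that Tomcat uses, since the key-length cap is a property of that JDK's policy files. The handshake ignores the javax.net.ssl.trustStore system property and uses only the file given on the command line, so what it reports is what that file contains. Keeping a separate, certificates-only trust store under the midPoint home (the ad-truststore.jks name above is an assumption) and pointing Tomcat at it with -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStoreType keeps the DC certificate out of a cacerts file that a JDK update overwrites, and keeps the midPoint secret key out of any file that is merely a trust store.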