<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi,<br>
<br>
That's right. All the client-side certificate validations have to
be non-interactive. So everything needs to be imported to
midpoint.home/keystore.jceks. The guide is here:<br>
<br>
<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/pages/viewpage.action?pageId=15859743">https://wiki.evolveum.com/pages/viewpage.action?pageId=15859743</a><br>
<br>
The timeout error usually indicates a failed SSL/TLS handshake. One
of the issues that I have seen is that some OpenLDAP configurations
are not SSL, but STARTTLS. This is a different way to initiate
a TLS connection. In that case "starttls" has to be used instead
of "ssl".<br>
<br>
Another issue can be that the client and server cannot agree on
the cipher suites. It looks like recent TLS versions have a quite
limited set of supported cipher suites. Unfortunately the Java
libraries and/or Apache Directory API are not very good at
reporting errors, so this one can also look like a timeout. If that
is the case please try to force the use of an older TLS version on
either client or server. I have added the connector configuration
options sslProtocol, enabledSecurityProtocols and
enabledCipherSuites for that purpose. However, those are only
supported in the development (master) version of the connector.
Setting sslProtocol might help in your case (the values are
protocol names from javax.net.ssl.SSLContext).<br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com
</pre>
<br>
<br>
On 11/17/2015 07:11 PM, Jason Everling wrote:<br>
</div>
<blockquote
cite="mid:CAFkZXY4ZE+wGA7VxsodxVU67QgEi=jLBs3us84ASpgdKAUSL7w@mail.gmail.com"
type="cite">
<div dir="ltr">I would try to import your LDAP certs or LDAP CA
certs into the midpoint.home/keystore.jceks keystore. I had to
put all our CA certs into this file and also Google's mail CA
certs so that notifications would go out. The default password
for the keystore is in your config.xml file.
<div><br>
</div>
<div>JASON</div>
</div>
<div class="gmail_extra"><br clear="all">
<br>
<div class="gmail_quote">On Tue, Nov 17, 2015 at 12:07 PM, Devin
Rosenbauer <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:devin@identityworksllc.com" target="_blank">devin@identityworksllc.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>Hey all,<br>
<br>
</div>
I'm working on deploying a demo LDAP connector to an
OpenDJ LDAP instance. I've got everything set up and
working great in non-SSL mode. When I switch the
connection security configuration property to "ssl", the
connection times out every time, with this root cause
stack trace:<br>
<br>
Caused by:
org.apache.directory.api.ldap.model.exception.LdapException:
TimeOut occurred<br>
at
org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:4138)
~[api-all-1.0.0-M31-e1.jar:1.0.0-M31-e1]<br>
at
org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1287)
~[api-all-1.0.0-M31-e1.jar:1.0.0-M31-e1]<br>
at
org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1185)
~[api-all-1.0.0-M31-e1.jar:1.0.0-M31-e1]<br>
at
com.evolveum.polygon.connector.ldap.LdapConnector.bind(LdapConnector.java:1030)
~[connector-ldap-1.4.1.23.jar:na]<br>
<br>
After looking through the code, I'm guessing that the SSL
filter is attempting to prompt the non-existent keyboard
user to accept or deny the certificate. I've imported the
cert as a trusted certificate into the Java cacerts file,
but I'm not sure that that's what the LDAP connector is
using.<br clear="all">
<div>
<div><br>
</div>
<div>Any suggestions?<span class="HOEnZb"><font
color="#888888"><br>
<br>
<br>
<br>
-- <br>
<div>
<div dir="ltr">Devin Rosenbauer<br>
Principal Consultant<br>
Identity Works LLC<br>
<a moz-do-not-send="true"
href="tel:%2B1%20585%20210%203201"
value="+15852103201" target="_blank">+1 585
210 3201</a><br>
</div>
</div>
</font></span></div>
</div>
</div>
<br>
_______________________________________________<br>
midPoint mailing list<br>
<a moz-do-not-send="true"
href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a moz-do-not-send="true"
href="http://lists.evolveum.com/mailman/listinfo/midpoint"
rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
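<p>Added example, not part of the original thread and not midPoint or connector code: a stand-alone Java check that performs the TLS handshake against an LDAPS port using only the trust anchors in a JCEKS keystore and a chosen SSLContext protocol name, so the underlying handshake error is printed instead of a generic timeout. Host, port, keystore path, password and protocol are command-line arguments supplied by the operator; the class name is an assumption of this example.</p>

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example. Arguments (all supplied by the operator, nothing is hard-coded):
//   HOST PORT KEYSTORE_PATH KEYSTORE_PASSWORD [SSLCONTEXT_PROTOCOL]
public class LdapsHandshakeCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: LdapsHandshakeCheck HOST PORT KEYSTORE PASSWORD [PROTOCOL]");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        // Protocol name as accepted by SSLContext.getInstance, e.g. "TLS" or "TLSv1.2".
        String protocol = args.length > 4 ? args[4] : "TLS";

        // Trust anchors come only from the JCEKS keystore, not from the JVM cacerts file.
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (InputStream in = new FileInputStream(args[2])) {
            ks.load(in, args[3].toCharArray());
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(null, tmf.getTrustManagers(), null);

        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.setSoTimeout(10_000);   // fail after 10 s instead of hanging
            s.startHandshake();       // throws if the chain is untrusted or nothing is negotiable
            SSLSession session = s.getSession();
            System.out.println("handshake OK: " + session.getProtocol()
                    + " / " + session.getCipherSuite());
        } catch (IOException e) {
            // SSLHandshakeException names the cause; a read timeout or EOF means the
            // peer never answered with TLS on this port.
            System.out.println("handshake FAILED: " + e);
            System.out.println("protocols enabled in this context: "
                    + String.join(", ", ctx.getDefaultSSLParameters().getProtocols()));
            System.exit(1);
        }
    }
}
```

<p>Run it against the implicit-TLS port first with the default "TLS" protocol, then again with a specific protocol name to see whether the failure depends on the protocol version or on the certificate chain.</p>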
<br>
<br>
</body>
</html>