SSLHandshakeException when try connect LDAP
Shi Yusen
shiys at langhua.cn
Sun Feb 10 14:46:22 EST 2008
Sorry for being late in writing this document. I finally got some spare time
during the Chinese New Year festival. I put the doc here:
http://www.ja-sig.org/wiki/pages/viewpage.action?pageId=10649670
Kind Regards,
Shi Yusen/Beijing Langhua Ltd.
On Tue, 2008-01-15 at 16:36 +0800, Shi Yusen wrote:
> I think I can write a document on how to set up a development
> environment with FedoraCore+CAS+OpenLDAP+openssl. Which catalog in the
> wiki should I put it into?
>
> Regards,
>
> Shi Yusen/Beijing Langhua Ltd.
>
>
> On Mon, 2008-01-14 at 23:16 -0800, Sara_Abasi wrote:
> > Hi Scott,
> >
> > thanks for your help. The certificate is not signed commercially and I have
> > added the certificate to my JVM's cacerts file according to
> > http://www.ja-sig.org/wiki/display/CASUM/Demo
> >
> > keytool -import -file server.crt -keypass changeit -keystore ..\jre\lib\security\cacerts
> >
> > My LDAP server is actually a Microsoft Active Directory (Windows 2003
> > Server). It accepts connections on port 389 and 636 (tested with telnet).
> > But actually I'm not sure if ssl is really supported, so I tried connecting
> > to it without ssl but I got following exception:
> >
> > 2008-01-15 10:26:52,582 ERROR
> > [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cas].[cas]]
> > - <Servlet.service() for servlet cas threw exception>
> > javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:
> > LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
> >
> > This is my configuration without the ssl option:
> > <?xml version="1.0" encoding="UTF-8"?>
> > <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
> >     "http://www.springframework.org/dtd/spring-beans.dtd">
> > <beans>
> >   <bean id="authenticationManager"
> >         class="org.jasig.cas.authentication.AuthenticationManagerImpl">
> >     <property name="credentialsToPrincipalResolvers">
> >       <list>
> >         <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
> >         <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
> >       </list>
> >     </property>
> >     <property name="authenticationHandlers">
> >       <list>
> >         <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
> >           <property name="httpClient" ref="httpClient" />
> >         </bean>
> >         <!-- Searches for the user with "filter" under "searchBase" via contextSource,
> >              then binds as the DN it found using the password the user typed. -->
> >         <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
> >           <property name="filter" value="uid=%u" />
> >           <property name="searchBase" value="cn=Users,dc=test,dc=net" />
> >           <property name="contextSource" ref="contextSource" />
> >           <property name="ignorePartialResultException" value="yes" />
> >         </bean>
> >       </list>
> >     </property>
> >   </bean>
> >   <!-- Service account used for the initial search; plain ldap:// on 389, no SSL. -->
> >   <bean id="contextSource"
> >         class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
> >     <property name="password" value="{123}" />
> >     <property name="pooled" value="true" />
> >     <property name="urls">
> >       <list>
> >         <value>ldap://test.net:389/</value>
> >       </list>
> >     </property>
> >     <property name="userName" value="{cn=myuser,cn=Users,dc=test,dc=net}" />
> >     <property name="baseEnvironmentProperties">
> >       <map>
> >         <entry>
> >           <key><value>java.naming.security.authentication</value></key>
> >           <value>simple</value>
> >         </entry>
> >       </map>
> >     </property>
> >   </bean>
> > </beans>
> >
> >
> > Thanks for your help,
> >
> > Sarah
> >
> >
> >
> >
> > scott_battaglia wrote:
> > >
> > > Sarah,
> > >
> > > Is it a commercially signed certificate? If not, make sure its in the
> > > JVM's
> > > cacerts file so that it can trust it. Also, make sure your LDAP server is
> > > accepting SSL connections.
> > >
> > > -Scott
> > >
> > > On Jan 14, 2008 6:41 AM, Sara_Abasi <abasi86 at gmail.com> wrote:
> > >
> > >>
> > >> Hi
> > >> I'm a newbie in LDAP with SSL.
> > >> My problem is, I connect to the LDAP server from my web application and do
> > >> the authentication by LDAP with SSL.
> > >> When I enter the user name and password it throws this exception:
> > >>
> > >> 2008-01-14 15:04:52,074 ERROR [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cas].[cas]] - <Servlet.service() for servlet cas threw exception>
> > >> java.io.EOFException: SSL peer shut down incorrectly
> > >>     at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:333)
> > >>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:723)
> > >>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
> > >>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:622)
> > >>     at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
> > >>     at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
> > >>     at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
> > >>     at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:390)
> > >>     at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:334)
> > >>     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:192)
> > >>     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
> > >>     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
> > >>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
> > >>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
> > >>     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
> > >>     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
> > >>     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
> > >>     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
> > >>     at javax.naming.InitialContext.init(InitialContext.java:223)
> > >>     at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
> > >>     at org.springframework.ldap.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:59)
> > >>     at org.springframework.ldap.support.AbstractContextSource.createContext(AbstractContextSource.java:193)
> > >>     at org.springframework.ldap.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:104)
> > >>     at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:263)
> > >>     at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:314)
> > >>     at org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler.authenticateUsernamePasswordInternal(BindLdapAuthenticationHandler.java:70)
> > >>     at org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler.authenticate(AbstractUsernamePasswordAuthenticationHandler.java:58)
> > >>     at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:79)
> > >>     at org.jasig.cas.CentralAuthenticationServiceImpl.createTicketGrantingTicket(CentralAuthenticationServiceImpl.java:282)
> > >>     at org.jasig.cas.web.flow.AuthenticationViaFormAction.submit(AuthenticationViaFormAction.java:116)
> > >>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > >>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> > >>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> > >>     at java.lang.reflect.Method.invoke(Method.java:585)
> > >>     at org.springframework.webflow.util.DispatchMethodInvoker.invoke(DispatchMethodInvoker.java:103)
> > >>     at org.springframework.webflow.action.MultiAction.doExecute(MultiAction.java:136)
> > >>     at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:203)
> > >>     at org.springframework.webflow.engine.AnnotatedAction.execute(AnnotatedAction.java:142)
> > >>     at org.springframework.webflow.engine.ActionExecutor.execute(ActionExecutor.java:61)
> > >>     at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:180)
> > >>     at org.springframework.webflow.engine.State.enter(State.java:200)
> > >>     at org.springframework.webflow.engine.Transition.execute(Transition.java:229)
> > >>     at org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:112)
> > >>     at org.springframework.webflow.engine.Flow.onEvent(Flow.java:572)
> > >>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:207)
> > >>     at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:185)
> > >>     at org.springframework.webflow.engine.State.enter(State.java:200)
> > >>     at org.springframework.webflow.engine.Transition.execute(Transition.java:229)
> > >>     at org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:112)
> > >>     at org.springframework.webflow.engine.Flow.onEvent(Flow.java:572)
> > >>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:207)
> > >>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.signalEvent(FlowExecutionImpl.java:214)
> > >>     at org.springframework.webflow.executor.FlowExecutorImpl.resume(FlowExecutorImpl.java:238)
> > >>     at org.springframework.webflow.executor.support.FlowRequestHandler.handleFlowRequest(FlowRequestHandler.java:115)
> > >>     at org.springframework.webflow.executor.mvc.FlowController.handleRequestInternal(FlowController.java:170)
> > >>     at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
> > >>     at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
> > >>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
> > >>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
> > >>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
> > >>     at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:364)
> > >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
> > >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
> > >>     at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
> > >>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
> > >>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> > >>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
> > >>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
> > >>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> > >>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
> > >>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
> > >>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
> > >>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
> > >>     at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
> > >>     at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
> > >>     at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
> > >>     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
> > >>     at java.lang.Thread.run(Thread.java:595)
> > >>
> > >> This is my deployerConfigContext.xml:
> > >>
> > >> <?xml version="1.0" encoding="UTF-8"?>
> > >> <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
> > >>     "http://www.springframework.org/dtd/spring-beans.dtd">
> > >> <!--
> > >>   | deployerConfigContext.xml centralizes into one file some of the declarative configuration that
> > >>   | all CAS deployers will need to modify.
> > >>   |
> > >>   | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
> > >>   | The beans declared in this file are instantiated at context initialization time by the Spring
> > >>   | ContextLoaderListener declared in web.xml. It finds this file because this
> > >>   | file is among those declared in the context parameter "contextConfigLocation".
> > >>   |
> > >>   | By far the most common change you will need to make in this file is to change the last bean
> > >>   | declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
> > >>   | one implementing your approach for authenticating usernames and passwords.
> > >>   +-->
> > >> <beans>
> > >>
> > >>   <!--
> > >>     | This bean declares our AuthenticationManager. The CentralAuthenticationService service bean
> > >>     | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id,
> > >>     | "authenticationManager". Most deployers will be able to use the default AuthenticationManager
> > >>     | implementation and so do not need to change the class of this bean. We include the whole
> > >>     | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will
> > >>     | need to change in context.
> > >>     +-->
> > >>   <bean id="authenticationManager"
> > >>         class="org.jasig.cas.authentication.AuthenticationManagerImpl">
> > >>     <!--
> > >>       | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate.
> > >>       | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which
> > >>       | supports the presented credentials.
> > >>       |
> > >>       | AuthenticationManagerImpl uses these resolvers for two purposes. First, it uses them to identify the Principal
> > >>       | attempting to authenticate to CAS /login . In the default configuration, it is the DefaultCredentialsToPrincipalResolver
> > >>       | that fills this role. If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace
> > >>       | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are
> > >>       | using.
> > >>       |
> > >>       | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket.
> > >>       | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
> > >>       | You will need to change this list if you are identifying services by something more or other than their callback URL.
> > >>       +-->
> > >>     <property name="credentialsToPrincipalResolvers">
> > >>       <list>
> > >>         <!--
> > >>           | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
> > >>           | by default and produces SimplePrincipal instances conveying the username from the credentials.
> > >>           |
> > >>           | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
> > >>           | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
> > >>           | Credentials you are using.
> > >>           +-->
> > >>         <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
> > >>         <!--
> > >>           | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of
> > >>           | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
> > >>           | SimpleService identified by that callback URL.
> > >>           |
> > >>           | If you are representing services by something more or other than an HTTPS URL whereat they are able to
> > >>           | receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
> > >>           +-->
> > >>         <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
> > >>       </list>
> > >>     </property>
> > >>
> > >>     <!--
> > >>       | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate,
> > >>       | AuthenticationHandlers actually authenticate credentials. Here we declare the AuthenticationHandlers that
> > >>       | authenticate the Principals that the CredentialsToPrincipalResolvers identified. CAS will try these handlers in turn
> > >>       | until it finds one that both supports the Credentials presented and succeeds in authenticating.
> > >>       +-->
> > >>     <property name="authenticationHandlers">
> > >>       <list>
> > >>         <!--
> > >>           | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
> > >>           | a server side SSL certificate.
> > >>           +-->
> > >>         <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
> > >>           <property name="httpClient" ref="httpClient" />
> > >>         </bean>
> > >>
> > >>         <!--
> > >>           | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
> > >>           | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
> > >>           | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your
> > >>           | local authentication strategy. You might accomplish this by coding a new such handler and declaring
> > >>           | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
> > >>           +-->
> > >>         <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
> > >>           <property name="filter" value="uid=%u" />
> > >>           <property name="searchBase" value="cn=Users,dc=z,dc=z" />
> > >>           <property name="contextSource" ref="contextSource" />
> > >>           <property name="ignorePartialResultException" value="yes" />
> > >>         </bean>
> > >>       </list>
> > >>     </property>
> > >>   </bean>
> > >>
> > >>   <bean id="contextSource"
> > >>         class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
> > >>     <property name="password" value="{11111}" />
> > >>     <property name="pooled" value="true" />
> > >>     <property name="urls">
> > >>       <list>
> > >>         <value>ldaps://irisad.net/</value>
> > >>       </list>
> > >>     </property>
> > >>     <property name="userName" value="{cn=aa,cn=Users,dc=z,dc=z}" />
> > >>     <property name="baseEnvironmentProperties">
> > >>       <map>
> > >>         <entry>
> > >>           <key><value>java.naming.security.protocol</value></key>
> > >>           <value>ssl</value>
> > >>         </entry>
> > >>         <entry>
> > >>           <key><value>java.naming.security.authentication</value></key>
> > >>           <value>simple</value>
> > >>         </entry>
> > >>         <entry>
> > >>           <key><value>java.naming.referral</value></key>
> > >>           <value>follow</value>
> > >>         </entry>
> > >>       </map>
> > >>     </property>
> > >>   </bean>
> > >> </beans>
> > >>
> > >> thanks.
> > >> --
> > >> View this message in context:
> > >> http://www.nabble.com/SSLHandshakeException-when-try-connect-LDAP-tp14799522p14799522.html
> > >> Sent from the CAS Users mailing list archive at Nabble.com.
> > >>
> > >> _______________________________________________
> > >> Yale CAS mailing list
> > >> cas at tp.its.yale.edu
> > >> http://tp.its.yale.edu/mailman/listinfo/cas
> > >>
> > >
> > >
> > >
> > > --
> > > -Scott Battaglia
> > >
> > > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> > >
> > > _______________________________________________
> > > Yale CAS mailing list
> > > cas at tp.its.yale.edu
> > > http://tp.its.yale.edu/mailman/listinfo/cas
> > >
> > >
> >
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
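Scott's two checks in the thread above (is the server certificate in the trust store the JVM actually uses, and does the server really accept SSL on that port) can be made mechanical. What follows is an added example, not code from the thread, from CAS or from Spring LDAP: a Python probe that runs the same TLS handshake the JDK's SSLSocketImpl attempted, with certificate verification on, and classifies a failure into the cases the thread is circling around. The two loopback listeners, the constructed LDAP bytes and the status names are this example's own assumptions; the "close" listener stands in for a domain controller that has no server certificate and so drops the connection on 636 (what the JDK surfaces as "java.io.EOFException: SSL peer shut down incorrectly"), the "plaintext" listener for a port that speaks LDAP without TLS.

```python
from __future__ import annotations

import socket
import ssl
import threading

# Constructed, not a real DC reply: the leading bytes of a plaintext LDAP
# bindResponse (BER SEQUENCE 0x30 ...). A TLS client parses 0x30 0x0c as the
# record type and version and rejects it as "wrong version number".
PLAINTEXT_LDAP_BYTES = b"\x30\x0c\x02\x01\x01\x61\x07\x0a\x01\x00\x04\x00\x04\x00"


def classify_handshake_error(exc: BaseException) -> str:
    """Map an exception raised while opening a TLS connection to a likely cause.

    Status names are this example's own, not anything CAS or the JDK emits.
    """
    if isinstance(exc, ssl.SSLCertVerificationError):
        # The handshake got as far as the server certificate and the client
        # rejected it: the chain is not in the trust store the client actually
        # uses (the keytool -import case) or the name does not match.
        return "untrusted_cert"
    if isinstance(exc, ssl.SSLError):
        reason = f"{getattr(exc, 'reason', '') or ''} {exc}".upper()
        if isinstance(exc, ssl.SSLEOFError) or "EOF" in reason:
            # Peer closed mid-handshake. The JDK reports the same condition as
            # "java.io.EOFException: SSL peer shut down incorrectly"; a DC with
            # no server certificate installed does this on 636.
            return "peer_closed"
        # Bytes came back but they were not TLS records: plaintext LDAP on this port.
        return "not_tls"
    if isinstance(exc, ConnectionResetError):
        return "peer_closed"
    if isinstance(exc, (ConnectionRefusedError, socket.timeout)):
        return "unreachable"
    return "unknown"


def probe_ldaps(host: str, port: int, cafile: str | None = None,
                timeout: float = 5.0) -> dict:
    """Open host:port, run a full TLS handshake with verification, report the outcome.

    cafile is a PEM bundle to trust instead of the system default; passing the
    DC's certificate here is the equivalent of importing it into the JVM's cacerts.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.settimeout(timeout)
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"status": "ok", "protocol": tls.version(),
                        "subject": cert.get("subject"), "detail": ""}
    except Exception as exc:  # every failure is classified, none is swallowed silently
        return {"status": classify_handshake_error(exc), "detail": repr(exc)}


def start_fake_listener(mode: str) -> tuple[str, int]:
    """Constructed stand-in for a misconfigured server, listening on 127.0.0.1.

    mode="close":     read the ClientHello, then close (no certificate, no TLS).
    mode="plaintext": answer the ClientHello with plaintext LDAP bytes.
    Returns (host, port); the listener serves exactly one connection.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    host, port = srv.getsockname()

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(5.0)
            try:
                conn.recv(65536)  # drain the ClientHello so close() sends FIN rather than RST
                if mode == "plaintext":
                    conn.sendall(PLAINTEXT_LDAP_BYTES)
            except OSError:
                pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return host, port


if __name__ == "__main__":
    for mode in ("close", "plaintext"):
        h, p = start_fake_listener(mode)
        print(f"{mode:9s} -> {probe_ldaps(h, p)}")
```

Against a real directory, `probe_ldaps("irisad.net", 636)` returning `peer_closed` means the fix is on the server (no certificate bound to LDAPS), `not_tls` means the URL points at the plaintext port, and `untrusted_cert` is the one case that `keytool -import` addresses; the same first two answers come from `openssl s_client -connect host:636 -showcerts`. Two caveats on the import step in the thread: keytool takes the keystore password via `-storepass` (it prompts if only `-keypass` is given), and the cacerts file that matters is the one of the JRE that actually runs Tomcat, not necessarily the one on the PATH.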