
LDAP access via SSL - javax.net.ssl.SSLHandshakeException

0 Kudos

Hello All

I'm trying to find the reason for a non-working SSL connection from a Java app (EJB) to an LDAP server.

Code is:

env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
System.setProperty("ssl.ServerSocketFactory.provider","oracle.security.ssl.OracleSSLServerSocketFactoryimpl");
env.put(Context.PROVIDER_URL, urlLdapServer + baseDN);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "user");
env.put(Context.SECURITY_CREDENTIALS, "password");

And while trying to connect, this exception is thrown:

Exception while getting data from LDAP:

javax.naming.CommunicationException: simple bind failed: server_address:636 [Root exception is javax.net.ssl.SSLHandshakeException:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:

unable to find valid certification path to requested target]

In portal's configuration there is key storage named TrustedCAs containing valid certificate for this LDAP server.

I'm a bit stuck, so any help would be highly appreciated.

Thanks in advance

Best Regards

Maciej Gottfried

Accepted Solutions (1)


former_member432219
Active Participant
0 Kudos

Hi Maciej,

When you deploy a Java application on the NetWeaver AS Java, it does not use the AS Java's key storage service by default. I see that you are using Oracle's SSL server socket factory, which I'm not familiar with, but I see that it extends javax.net.ssl.SSLServerSocketFactory, so if we take that as an example: for management of CA certificates you can specify a trust store via the javax.net.ssl.trustStore system property, and if you don't, the default keystore will be used, which is 'jssecacerts' if it exists and, if not, 'cacerts'. Both of these are stores in the JDK itself, outside of the AS Java; see http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html

In those cases, for the server cert of the LDAP server to be trusted, the LDAP root cert would need to be imported into the store specified by javax.net.ssl.trustStore, or into jssecacerts/cacerts, using the JDK's keytool utility. So although the application is deployed on the AS Java, the TrustedCAs view of the AS Java is never checked. If you want to use the key storage service of the AS Java, you can use the AS Java's SecureConnectionFactory class via

env.put("java.naming.ldap.factory.socket" ,"com.sap.security.core.server.https.SecureConnectionFactory");

See the javadocs http://help.sap.com/javadocs/NW73/SPS08/CE/index.html - security SecureConnectionFactory for more information.

Your application will need a reference to the "security.class" library

Otherwise, you'll need to review how certificates are managed when using

oracle.security.ssl.OracleSSLServerSocketFactoryimpl

Best regards,

Patrick
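The mechanism Patrick describes can be made explicit in code. The example below is added here and is not from the thread, the AS Java, or Oracle's library: it is a plain JSSE SSLSocketFactory that trusts only the CAs in a named trust store file and is handed to JNDI through the same java.naming.ldap.factory.socket property he mentions. The LDAP provider loads the named class and calls its static getDefault() reflectively, so that method is the one piece of the contract that must exist exactly as written. The trust store path, password, system property names, LDAPS URL and bind DN are all placeholders. Note also that ssl.ServerSocketFactory.provider, used in the question, selects the default SSLServerSocketFactory for sockets the JVM listens on, so it cannot influence an outbound LDAP connection.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not code from the original thread. An SSLSocketFactory that
 * trusts only the CAs in an explicit trust store and is selected by JNDI via
 * the java.naming.ldap.factory.socket property.
 */
public class LdapsTrustStoreSocketFactory extends SSLSocketFactory {

    // Assumed locations and property names; adjust for the real deployment.
    private static final String TRUST_STORE_PATH =
            System.getProperty("ldaps.trustStore", "/opt/app/ldap-trust.jks");
    private static final String TRUST_STORE_PASSWORD =
            System.getProperty("ldaps.trustStorePassword", "changeit");

    private final SSLSocketFactory delegate;

    private LdapsTrustStoreSocketFactory(SSLSocketFactory delegate) {
        this.delegate = delegate;
    }

    /** Called reflectively by com.sun.jndi.ldap; the name and static signature are required. */
    public static SocketFactory getDefault() {
        try {
            KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
            try (FileInputStream in = new FileInputStream(TRUST_STORE_PATH)) {
                trust.load(in, TRUST_STORE_PASSWORD.toCharArray());
            }
            TrustManagerFactory tmf =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(trust);                       // only these CAs, not the JDK cacerts
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null); // no client certificate, default RNG
            return new LdapsTrustStoreSocketFactory(ctx.getSocketFactory());
        } catch (Exception e) {
            throw new IllegalStateException("cannot build LDAPS trust store", e);
        }
    }

    /** Turn on hostname verification so a valid certificate for the wrong host is rejected too. */
    private Socket withEndpointCheck(Socket s) {
        if (s instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket) s;
            SSLParameters p = ssl.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("LDAPS");
            ssl.setSSLParameters(p);              // applied before the handshake starts
        }
        return s;
    }

    @Override public Socket createSocket() throws IOException { return withEndpointCheck(delegate.createSocket()); }
    @Override public Socket createSocket(String h, int p) throws IOException { return withEndpointCheck(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException { return withEndpointCheck(delegate.createSocket(h, p, lh, lp)); }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException { return withEndpointCheck(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress lh, int lp) throws IOException { return withEndpointCheck(delegate.createSocket(h, p, lh, lp)); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean autoClose) throws IOException { return withEndpointCheck(delegate.createSocket(s, h, p, autoClose)); }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }

    /** Simple bind over LDAPS using the factory above; URL and DN are placeholders. */
    public static DirContext connect(String ldapsUrl, String bindDn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);            // ldaps://host:636/..., not ldap://
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put("java.naming.ldap.factory.socket", LdapsTrustStoreSocketFactory.class.getName());
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    public static void main(String[] args) throws NamingException {
        DirContext ctx = connect("ldaps://ldap.example.com:636/dc=example,dc=com",
                                 "cn=app,ou=svc,dc=example,dc=com", "secret");
        ctx.close();
    }
}
```

To populate the trust store with the LDAP server's issuing CA, import its PEM certificate once with keytool, for example `keytool -importcert -alias ldap-ca -file ldap-ca.pem -keystore /opt/app/ldap-trust.jks`, and then the PKIX path builder has a root to chain to. Setting the endpoint identification algorithm explicitly is belt and braces: JDK 8u181 and later enable it for LDAPS by default, but older runtimes such as the one the thread targets do not, and without it an attacker holding any certificate trusted by that store could impersonate the directory.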

Former Member
0 Kudos

Thanks, my problem is solved.

Former Member
0 Kudos

Hi,

I am facing a similar problem. I have to invoke a 3rd party SSL WebService from my custom Java Application.

Although I have tried,

System.setProperty("javax.net.ssl.trustStore", "com.sap.security.core.server.https.SecureConnectionFactory");

and

env.put("javax.net.ssl.trustStore", "com.sap.security.core.server.https.SecureConnectionFactory");

I am still having the same error.

We have added the certificate in SAP NWA Trusted CAs and am able to test the WebService through WebServiceNavigator.

Please let me know where I am missing something.

Thanks a lot

Answers (2)


Former Member
0 Kudos

Many thanks Patrick!

0 Kudos

That is the point! Thank you very much.