Disclaimer: This post is similar to these - 1, 2. HOWEVER, it is not exactly the same. The stack trace is different. I followed the answers in those posts and they do not help solve my issue, or else I don't understand them completely. Since I cannot comment on these posts, I ask my question here.
OK, so we want to enable LDAP over SSL (aka LDAPS) support for one of our products that is currently working with standard LDAP. I haven't been able to get it to work so if anyone can see what I'm doing wrong, please advise.
I followed the procedure here to issue and install the SSL certificate. That procedure includes the installation of the certificate in the Java key store, as specified by 1. This is the command I used to install the certificate:
keytool -import -keystore .\jre\lib\security\cacerts -file path\to\client.crt
Note that the key store specified is 'cacerts', perhaps this is wrong (?).
The code I used to initialize the context:
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
...
Hashtable<String, String> env = new Hashtable<>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldaps://" + serverAddress); // ldaps:// defaults to port 636
env.put(Context.SECURITY_PROTOCOL, "ssl");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, administratorName);
env.put(Context.SECURITY_CREDENTIALS, password);
env.put(Context.REFERRAL, "follow");
LdapContext ldapContext = null;
try {
    // the TLS handshake and the simple bind both happen inside this constructor
    ldapContext = new InitialLdapContext(env, null);
    ...
} catch (NamingException e) {
    ...
}
Here I get an exception, "simple bind failed...", with the following stack trace:
javax.naming.CommunicationException: simple bind failed: 172.23.30.104:636 [Root exception is javax.net.ssl.SSLException: java.net.SocketException: Connection reset]
at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
...
Caused by: javax.net.ssl.SSLException: java.net.SocketException: Connection reset
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.SSLSocketImpl.handleException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.handleException(Unknown Source)
at sun.security.ssl.AppInputStream.read(Unknown Source)
at java.io.BufferedInputStream.fill(Unknown Source)
at java.io.BufferedInputStream.read1(Unknown Source)
at java.io.BufferedInputStream.read(Unknown Source)
at com.sun.jndi.ldap.Connection.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(Unknown Source)
at java.net.SocketInputStream.read(Unknown Source)
at sun.security.ssl.InputRecord.readFully(Unknown Source)
at sun.security.ssl.InputRecord.read(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
... 6 more
The program works (without SSL, obviously) by dropping the SECURITY_PROTOCOL line and changing the provider URL to "ldap://..." (without the 's').
So again, what is missing here?
Cheers, Gilad.
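An added diagnostic (my example, not code from the question) that separates the two things that can go wrong here: whether client.crt actually landed in the trust store of the JVM that runs the application, and whether a bare TLS handshake to port 636 succeeds with JNDI out of the picture. The class name LdapsCheck, the default cacerts password "changeit" and the argument layout are assumptions; host, port and certificate path are passed on the command line.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import java.util.Collections;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class LdapsCheck {
    // Usage: java LdapsCheck <host> <port> <path\to\client.crt>
    public static void main(String[] args) throws Exception {
        // 1. Is client.crt in the trust store of the JVM running *this* process? keytool was pointed
        //    at a relative .\jre\lib\security\cacerts, which is not necessarily the runtime's copy.
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts";
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(cacerts)) {
            ks.load(in, "changeit".toCharArray()); // assumption: default cacerts password
        }
        Certificate wanted;
        try (FileInputStream in = new FileInputStream(args[2])) {
            wanted = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        boolean present = false;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c != null && Arrays.equals(c.getEncoded(), wanted.getEncoded())) {
                present = true;
                System.out.println("client.crt is in " + cacerts + " under alias '" + alias + "'");
            }
        }
        if (!present) System.out.println("client.crt is NOT in " + cacerts);
        // 2. Bare TLS handshake to the LDAPS port, with JNDI out of the picture.
        SSLSocketFactory sf = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket s = (SSLSocket) sf.createSocket(args[0], Integer.parseInt(args[1]))) {
            s.startHandshake();
            System.out.println("handshake OK: " + s.getSession().getProtocol() + " "
                    + s.getSession().getCipherSuite() + ", server = " + s.getSession().getPeerPrincipal());
        } catch (SSLHandshakeException e) {
            // e.g. "PKIX path building failed": this JVM does not trust the server's chain
            System.out.println("handshake rejected: " + e.getMessage());
        } catch (IOException e) {
            // SSLException wrapping "Connection reset", as in the trace above: the server dropped the
            // connection during the handshake, so look at what is listening on the port, not at cacerts
            System.out.println("socket failure during handshake: " + e);
        }
    }
}
```

Run it with the same JRE the product runs under; if step 1 reports the certificate missing, the keytool import went into a different cacerts than the one JNDI is using.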