1

Environment:

  • CentOS 7
  • java-1.8.0-openjdk-1.8.0.292.b10-1.el7_9.x86_64
  • Tomcat 8.5.63 + self-signed SSL certificate
  • osixia/docker-openldap + official SSL certificate
    • Set --env LDAP_TLS_VERIFY_CLIENT=never to skip client certificate validation.
    • Had been LDAPS login successfully by using ApacheDirectoryStudio and Gawor_ldapbrowser.

I have a server API which run with Tomcat 8, and will connect to an OpenLDAP server via ldaps protocol.

My code is simple as:

LdapContext ctx = null;
try
{
    Hashtable<String, String> env = getLDAPBase(this.searcher, this.searcherPwd, this.ldapUrl);

    ctx = new InitialLdapContext(env, null); // line 689
    return findUserIdInLdap(userid, ctx);
}

public static Hashtable<String, String> getLDAPBase(String ldapUserName, String pwd, String ldapUrl)
{
    Hashtable<String, String> env = new Hashtable<String, String>();
    env.put(Context.SECURITY_AUTHENTICATION, "simple"); 
    env.put(Context.SECURITY_PRINCIPAL, ldapUserName);
    env.put(Context.SECURITY_CREDENTIALS, pwd);
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, ldapUrl);
    return env;
}

The API log:

2021/06/02 14:02:55.168,[05863d2e-5ca6-43bb-bd18-3c10689bdcbf]05863d2e-5ca6-43bb-bd18-3c10689bdcbf,  userid=test1_LDAP,searchBase=dc=my,dc=com,FILTER_STR=(&(|(sAMAccountName={0})(cn={0})(uid={0}))(objectClass=*))
javax.naming.CommunicationException: q2ldap.my.com:6362 [Root exception is java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)]
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:233)
    at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
    at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2849)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:347)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:225)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:243)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:695)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
    at javax.naming.InitialContext.init(InitialContext.java:244)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
    at com.my.OpenLdapAuthenticator.getUserIdInLdap(OpenLdapAuthenticator.java:689)
    at com.my.OpenLdapAuthenticator.authenticationFlow(OpenLdapAuthenticator.java:108)
    at com.my.LdapAuthManager.authenticate(LdapAuthManager.java:247)
    at com.my.ServletPrivateCloudAAA.processRequest(ServletPrivateCloudAAA.java:147)
    at com.my.http.api.StaxAPIServlet.doProcess(StaxAPIServlet.java:346)
    at com.my.http.api.StaxAPIServlet.service(StaxAPIServlet.java:107)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at com.my.api.aaa.LockIpFilter.doFilter(LockIpFilter.java:95)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at com.my.api.aaa.AccessLogFilter.doFilter(AccessLogFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.filters.CorsFilter.handleNonCORS(CorsFilter.java:363)
    at org.apache.catalina.filters.CorsFilter.doFilter(CorsFilter.java:169)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:186)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:353)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:616)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1629)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
    at javax.net.ssl.DefaultSSLSocketFactory.throwException(SSLSocketFactory.java:248)
    at javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:262)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.sun.jndi.ldap.Connection.createSocket(Connection.java:345)
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:220)
    ... 51 more
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
    at java.security.Provider$Service.newInstance(Provider.java:1617)
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
    at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
    at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96)
    at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:122)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.sun.jndi.ldap.Connection.createSocket(Connection.java:301)
    ... 52 more
Caused by: java.security.PrivilegedActionException: java.io.FileNotFoundException: N/A (No such file or directory)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.SSLContextImpl$DefaultManagersHolder.getKeyManagers(SSLContextImpl.java:1095)
    at sun.security.ssl.SSLContextImpl$DefaultManagersHolder.<clinit>(SSLContextImpl.java:1021)
    at sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:1186)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at java.security.Provider$Service.newInstance(Provider.java:1595)
    ... 62 more
Caused by: java.io.FileNotFoundException: N/A (No such file or directory)
    at java.io.FileInputStream.open0(Native Method)
    at java.io.FileInputStream.open(FileInputStream.java:195)
    at java.io.FileInputStream.<init>(FileInputStream.java:138)
    at java.io.FileInputStream.<init>(FileInputStream.java:93)
    at sun.security.ssl.SSLContextImpl$DefaultManagersHolder$2.run(SSLContextImpl.java:1099)
    at sun.security.ssl.SSLContextImpl$DefaultManagersHolder$2.run(SSLContextImpl.java:1096)
    ... 71 more

After added -Djava.net.debug=all, I found below in log:

javax.net.ssl|FINE|03 11|https-jsse-nio-443-exec-12|2021-06-02 16:04:37.612 CST|SSLContextImpl.java:1076|keyStore is : N/A
javax.net.ssl|FINE|03 11|https-jsse-nio-443-exec-12|2021-06-02 16:04:37.613 CST|SSLContextImpl.java:1077|keyStore type is : pkcs12
javax.net.ssl|FINE|03 11|https-jsse-nio-443-exec-12|2021-06-02 16:04:37.613 CST|SSLContextImpl.java:1079|keyStore provider is : 
javax.net.ssl|FINE|03 11|https-jsse-nio-443-exec-12|2021-06-02 16:04:37.671 CST|SSLEngineOutputRecord.java:266|WRITE: TLS12 application_data, length = 404

I have no idea why there is a N/A keyStore.

CentOS 7 has no default openjdk 9 to install, so I installed openjdk 11, then call my API again.

And the API connected via LDAPS successfully with log:

javax.net.ssl|DEBUG|03 08|https-jsse-nio-443-exec-13|2021-06-01 14:09:14.895 CST|SSLContextImpl.java:1088|keyStore is : 
javax.net.ssl|DEBUG|03 08|https-jsse-nio-443-exec-13|2021-06-01 14:09:14.896 CST|SSLContextImpl.java:1089|keyStore type is : pkcs12
javax.net.ssl|DEBUG|03 08|https-jsse-nio-443-exec-13|2021-06-01 14:09:14.896 CST|SSLContextImpl.java:1091|keyStore provider is : 
javax.net.ssl|ALL|03 08|https-jsse-nio-443-exec-13|2021-06-01 14:09:14.896 CST|SSLContextImpl.java:1126|init keystore
javax.net.ssl|DEBUG|03 08|https-jsse-nio-443-exec-13|2021-06-01 14:09:14.896 CST|SSLContextImpl.java:1149|init keymanager of type SunX509
javax.net.ssl|ALL|03 08|https-jsse-nio-443-exec-13|2021-06-01 14:09:14.897 CST|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|03 08|https-jsse-nio-443-exec-13|2021-06-01 14:09:14.897 CST|SSLContextImpl.java:119|done seeding of SecureRandom
javax.net.ssl|DEBUG|03 08|https-jsse-nio-443-exec-13|2021-06-01 14:09:15.091 CST|SSLSocketOutputRecord.java:309|WRITE: TLS12 application_data, length = 52

But I can't just upgrade the JRE version to solve the problem because our server APIs are compatible only with Java 8.

So upgrading Java version, eg. 11, is not our option in short term.

Is there any hints or suggestions to solve this problem?

Thank you in advance.

liny
  • 21
  • 5
  • There are some related posts that may help : https://stackoverflow.com/q/53862236/2529954, https://stackoverflow.com/q/6365209/2529954, https://stackoverflow.com/q/9761575/2529954 – EricLavault Jun 02 '21 at 14:32
  • @EricLavault Thanks for replying, but these posts could not solve the problem. – liny Jun 04 '21 at 03:24

0 Answers0