I'm cutting and pasting this from notes on how I got this to work, including my complete section on how to get and save the certificates in the right place. I was writing it up so that others could repeat what I did without having to ask me questions, so it may give too many details or read funny, like a how-to manual, etc.
From "Setting up LDAP Setup -- SSL Notes":

In the sslConfig bean the credentialConfig property should have a bean that correctly references your LDAP certificate, which will need to be a trusted Java certificate. The trustCertificates should be a path to the certificate you saved earlier. It needs to start with file: and give the complete file path, or start with classpath: and give the path from the classpath.

From "Notes on Troubleshooting LDAP Issues":

To get CAS working with an SSL connection to the LDAP you will have to save the LDAP certificate and import it into your Java security keystore as a trusted cert. If you do not have easy access to this certificate, there is a well-known Java util that can be used for this. It is called InstallCert and you can get the Java code from Google Code. The current link is:

https://code.google.com/p/java-use-examples/source/browse/trunk/src/com/aw/ad/util/InstallCert.java

This was created by a college student and adopted by Sun, although the original Sun blog post about this was deleted. So, using your favorite editor, copy and paste the code into a file called InstallCert.java and put that file in a directory structure matching the package declaration (./com/aw/ad/util). Then you can simply compile the code from the command line with:

javac ./com/aw/ad/util/InstallCert.java

Next run it with the command:

java com.aw.ad.util.InstallCert host:port

This will see that the certificate is missing and list all the missing certificates in a numbered list, asking you to enter the number of any you want to save. Enter 1 (or the number shown) and the key will be saved into a keystore in the directory you are in. Now the cert is saved in a keystore called jssecacerts in your current directory.

The next step will be to export this cert into a file. The file can be used with JXplorer (a free LDAP testing tool) to test your SSL LDAP connection values, and can be imported into the Java security keystore. Export the cert by using keytool. The command is:

keytool.exe -export -alias certName -keystore jssecacerts -file certname.crt

You will be prompted for the keystore password, which is changeit by default.

Next, if you want to verify your LDAP connection values with JXplorer, start JXplorer, go to Security and on the sub menu select "Trusted Servers and CAs". Then a new form will pop up. On this form select "Add Certificate". You will then be given a new form where you can browse to the file you saved. Select it and click okay. When the certificate shows up on this list you can verify your LDAP SSL connection values.

Finally, to get Java to trust the certificate, import the certificate file using keytool into your Java security keystore as a trusted cert. The syntax needed is:

keytool.exe -import -trustcacerts -alias certName -file path\to\cert\certName.crt -keystore Java\jre7\lib\security\cacerts

When prompted as to whether or not to trust the certificate, type 'y'. Now the SSL cert will be accepted by CAS, and you should have verified the connection values needed.

So if you can connect to the LDAP correctly with JXplorer, and have the certificate installed for SSL if applicable, but are still having a problem, then try turning up logging to see if you can find the issue. Try setting the logging for ldaptive to DEBUG until you have LDAP working in CAS. This is done by adding or editing the ldaptive entry in your log4j.xml file, located in the WEB-INF/classes directory of the CAS 4.0 webapp:

<logger name="org.ldaptive" additivity="true">
  <level value="DEBUG" />
  <appender-ref ref="cas" />
</logger>

If extra logging yields no help, you can check the CAS Troubleshooting guide:

http://jasig.github.io/cas/installation/Troubleshooting-Guide.html

Specifically, the section called "When all else fails" may be helpful.
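The procedure above (save the LDAPS server certificate, import it into the JVM trust store, then point trustCertificates at a file: or classpath: location rather than a keystore alias), collected into a shell helper. This is an added example, not code from the thread or from the CAS or ldaptive projects: it assumes openssl and keytool are on PATH when the fetch/import functions are called, uses openssl s_client instead of InstallCert to obtain the certificate, and every host name, alias and path (ldap.example.org, /etc/cas/ldap-server.crt, casldap) is a placeholder.

```shell
#!/bin/sh
# Added example for the CAS 4.0 / ldaptive LDAPS trust procedure.
# Assumptions: openssl and keytool on PATH for fetch/verify/import; all
# hosts, aliases and paths below are placeholders, not values from the thread.

# Save the leaf certificate an LDAPS server presents, as PEM, without InstallCert.
# Usage: fetch_ldap_cert ldap.example.org 636 /etc/cas/ldap-server.crt
fetch_ldap_cert() {
  host="$1"; port="$2"; out="$3"
  # openssl x509 keeps only the first certificate printed by s_client (the leaf).
  openssl s_client -connect "${host}:${port}" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$out"
  # Print the fingerprint so it can be compared with what the LDAP admin publishes
  # before anything is trusted.
  openssl x509 -in "$out" -noout -fingerprint -sha256
}

# Confirm the TLS handshake verifies against the saved certificate alone
# (the command-line equivalent of the JXplorer "Trusted Servers and CAs" check).
# Usage: verify_ldaps ldap.example.org 636 /etc/cas/ldap-server.crt
verify_ldaps() {
  host="$1"; port="$2"; crt="$3"
  openssl s_client -connect "${host}:${port}" -servername "$host" -CAfile "$crt" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# Import the saved certificate into the JVM trust store as a trusted CA.
# Note the keytool flag is -trustcacerts. KEYSTORE_PASS defaults to keytool's
# stock password; set it in the environment if the cacerts password was changed.
# Usage: import_trusted_cert casldap /etc/cas/ldap-server.crt "$JAVA_HOME/jre/lib/security/cacerts"
import_trusted_cert() {
  alias="$1"; crt="$2"; keystore="${3:-$JAVA_HOME/jre/lib/security/cacerts}"
  keytool -import -trustcacerts -noprompt -alias "$alias" -file "$crt" \
    -keystore "$keystore" -storepass "${KEYSTORE_PASS:-changeit}"
}

# Validate a trustCertificates value for org.ldaptive.ssl.X509CredentialConfig.
# It must be a file: location (which must exist and be readable) or a classpath:
# location; a bare keystore alias such as "mycert" is rejected. Returns 0 if ok.
validate_trust_value() {
  value="$1"
  case "$value" in
    file:?*)      [ -r "${value#file:}" ] ;;
    classpath:?*) return 0 ;;
    *)            return 1 ;;
  esac
}

# Render the sslConfig bean for deployerConfigContext.xml once the value checks out.
# Usage: render_ssl_config "file:/etc/cas/ldap-server.crt"
render_ssl_config() {
  value="$1"
  validate_trust_value "$value" || { echo "bad trustCertificates value: $value" >&2; return 1; }
  cat <<EOF
<bean id="sslConfig" class="org.ldaptive.ssl.SslConfig">
  <property name="credentialConfig">
    <bean class="org.ldaptive.ssl.X509CredentialConfig"
          p:trustCertificates="${value}" />
  </property>
</bean>
EOF
}
```

Typical order is fetch_ldap_cert, compare the printed fingerprint with the one the directory owner publishes, verify_ldaps to prove the saved file is sufficient to validate the handshake, import_trusted_cert, and finally render_ssl_config with the same file: path; render_ssl_config refuses an alias so the mistake in the original question cannot reach the config file.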
From: Zac Harvey [mailto:[email protected]]
Sent: Tuesday, June 17, 2014 4:57 PM
To: [email protected]
Subject: [cas-user] CAS: LDAP/AD Config for 4.0

Using CAS 4.0 and authenticating against ActiveDirectory. In my spring-configuration/deployerConfigContext.xml, I have the following bean:

<bean id="sslConfig" class="org.ldaptive.ssl.SslConfig">
  <property name="credentialConfig">
    <bean class="org.ldaptive.ssl.X509CredentialConfig" p:trustCertificates="mycert" />
  </property>
</bean>

What should the value of X509CredentialConfig's trustCertificates property be? "mycert" is the name of the key alias I get when I issue the following command on the app's keystore:

keytool -list -keystore mycas.jks

Am I using this correctly or does the value need to be something else?

Thanks in advance!

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
