Hi Scott,

thanks for your help. The certificate is not signed commercially and I have
added the certificate to my JVM's cacerts file according to
http://www.ja-sig.org/wiki/display/CASUM/Demo

keytool -import -file server.crt -keypass changeit -keystore
..\jre\lib\security\cacerts

My LDAP server is actually a Microsoft Active Directory (Windows 2003
Server). It accepts connections on port 389 and 636 (tested with telnet).
But actually I'm not sure if SSL is really supported, so I tried connecting
to it without SSL but I got the following exception:

2008-01-15 10:26:52,582 ERROR
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cas].[cas]]
- <Servlet.service() for servlet cas threw exception>
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:
LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

This is my configuration without the SSL option:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
    "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
    <bean id="authenticationManager"
          class="org.jasig.cas.authentication.AuthenticationManagerImpl">
        <property name="credentialsToPrincipalResolvers">
            <list>
                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
                <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
            </list>
        </property>
        <property name="authenticationHandlers">
            <list>
                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
                    <property name="httpClient" ref="httpClient" />
                </bean>
                <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
                    <property name="filter" value="uid=%u" />
                    <property name="searchBase" value="cn=Users,dc=test,dc=net" />
                    <property name="contextSource" ref="contextSource" />
                    <property name="ignorePartialResultException" value="yes" />
                </bean>
            </list>
        </property>
    </bean>

    <bean id="contextSource"
          class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
        <property name="password" value="{123}" />
        <property name="pooled" value="true" />
        <property name="urls">
            <list>
                <value>ldap://test.net:389/</value>
            </list>
        </property>
        <property name="userName" value="{cn=myuser,cn=Users,dc=test,dc=net}" />
        <property name="baseEnvironmentProperties">
            <map>
                <entry>
                    <key>
                        <value>java.naming.security.authentication</value>
                    </key>
                    <value>simple</value>
                </entry>
            </map>
        </property>
    </bean>
</beans>


Thanks for your help,

Sarah




scott_battaglia wrote:
> 
> Sarah,
> 
> Is it a commercially signed certificate?  If not, make sure it's in the
> JVM's cacerts file so that it can trust it.  Also, make sure your LDAP
> server is accepting SSL connections.
> 
> -Scott
> 
> On Jan 14, 2008 6:41 AM, Sara_Abasi <[EMAIL PROTECTED]> wrote:
> 
>>
>> Hi
>> I'm a newbie in LDAP with SSL.
>> My problem is, I connect to the LDAP server from my web application and do
>> the authentication by LDAP with SSL.
>> When I enter the user name and password it throws this exception:
>>
>> 2008-01-14 15:04:52,074 ERROR
>> [org.apache.catalina.core.ContainerBase
>> .[Catalina].[localhost].[/cas].[cas]]
>> - <Servlet.service() for servlet cas threw exception>
>> java.io.EOFException: SSL peer shut down incorrectly
>>        at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java
>> :333)
>>        at
>> com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java
>> :723)
>>        at
>> com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(
>> SSLSocketImpl.java:1030)
>>        at
>> com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java
>> :622)
>>        at
>> com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java
>> :59)
>>        at java.io.BufferedOutputStream.flushBuffer(
>> BufferedOutputStream.java:65)
>>        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java
>> :123)
>>        at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:390)
>>        at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:334)
>>        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:192)
>>        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
>>        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
>>        at
>> com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java
>> :175)
>>        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(
>> LdapCtxFactory.java:193)
>>        at
>> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java
>> :136)
>>        at
>> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
>>        at javax.naming.spi.NamingManager.getInitialContext(
>> NamingManager.java:667)
>>        at javax.naming.InitialContext.getDefaultInitCtx(
>> InitialContext.java:247)
>>        at javax.naming.InitialContext.init(InitialContext.java:223)
>>        at javax.naming.ldap.InitialLdapContext.<init>(
>> InitialLdapContext.java:134)
>>        at
>> org.springframework.ldap.support.LdapContextSource.getDirContextInstance(
>> LdapContextSource.java:59)
>>        at
>> org.springframework.ldap.support.AbstractContextSource.createContext(
>> AbstractContextSource.java:193)
>>        at
>> org.springframework.ldap.support.AbstractContextSource.getReadOnlyContext(
>> AbstractContextSource.java:104)
>>        at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java
>> :263)
>>        at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java
>> :314)
>>        at
>>
>> org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler.authenticateUsernamePasswordInternal
>> (BindLdapAuthenticationHandler.java:70)
>>        at
>>
>> org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler.authenticate
>> (AbstractUsernamePasswordAuthenticationHandler.java:58)
>>        at
>> org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(
>> AuthenticationManagerImpl.java:79)
>>        at
>> org.jasig.cas.CentralAuthenticationServiceImpl.createTicketGrantingTicket(
>> CentralAuthenticationServiceImpl.java:282)
>>        at
>> org.jasig.cas.web.flow.AuthenticationViaFormAction.submit(
>> AuthenticationViaFormAction.java:116)
>>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>        at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java
>> :39)
>>        at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(
>> DelegatingMethodAccessorImpl.java:25)
>>        at java.lang.reflect.Method.invoke(Method.java:585)
>>        at
>> org.springframework.webflow.util.DispatchMethodInvoker.invoke(
>> DispatchMethodInvoker.java:103)
>>        at
>> org.springframework.webflow.action.MultiAction.doExecute(MultiAction.java
>> :136)
>>        at
>> org.springframework.webflow.action.AbstractAction.execute(
>> AbstractAction.java:203)
>>        at
>> org.springframework.webflow.engine.AnnotatedAction.execute(
>> AnnotatedAction.java:142)
>>        at
>> org.springframework.webflow.engine.ActionExecutor.execute(
>> ActionExecutor.java:61)
>>        at
>> org.springframework.webflow.engine.ActionState.doEnter(ActionState.java
>> :180)
>>        at org.springframework.webflow.engine.State.enter(State.java:200)
>>        at
>> org.springframework.webflow.engine.Transition.execute(Transition.java:229)
>>        at
>> org.springframework.webflow.engine.TransitionableState.onEvent(
>> TransitionableState.java:112)
>>        at org.springframework.webflow.engine.Flow.onEvent(Flow.java:572)
>>        at
>>
>> org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent
>> (RequestControlContextImpl.java:207)
>>        at
>> org.springframework.webflow.engine.ActionState.doEnter(ActionState.java
>> :185)
>>        at org.springframework.webflow.engine.State.enter(State.java:200)
>>        at
>> org.springframework.webflow.engine.Transition.execute(Transition.java:229)
>>        at
>> org.springframework.webflow.engine.TransitionableState.onEvent(
>> TransitionableState.java:112)
>>        at org.springframework.webflow.engine.Flow.onEvent(Flow.java:572)
>>        at
>>
>> org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent
>> (RequestControlContextImpl.java:207)
>>        at
>> org.springframework.webflow.engine.impl.FlowExecutionImpl.signalEvent(
>> FlowExecutionImpl.java:214)
>>        at
>> org.springframework.webflow.executor.FlowExecutorImpl.resume(
>> FlowExecutorImpl.java:238)
>>        at
>>
>> org.springframework.webflow.executor.support.FlowRequestHandler.handleFlowRequest
>> (FlowRequestHandler.java:115)
>>        at
>>
>> org.springframework.webflow.executor.mvc.FlowController.handleRequestInternal
>> (FlowController.java:170)
>>        at
>> org.springframework.web.servlet.mvc.AbstractController.handleRequest(
>> AbstractController.java:153)
>>        at
>> org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(
>> SimpleControllerHandlerAdapter.java:48)
>>        at
>> org.springframework.web.servlet.DispatcherServlet.doDispatch(
>> DispatcherServlet.java:819)
>>        at
>> org.springframework.web.servlet.DispatcherServlet.doService(
>> DispatcherServlet.java:754)
>>        at
>> org.springframework.web.servlet.FrameworkServlet.processRequest(
>> FrameworkServlet.java:399)
>>        at
>> org.springframework.web.servlet.FrameworkServlet.doPost(
>> FrameworkServlet.java:364)
>>        at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
>>        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>>        at
>> org.jasig.cas.web.init.SafeDispatcherServlet.service(
>> SafeDispatcherServlet.java:115)
>>        at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
>> ApplicationFilterChain.java:269)
>>        at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(
>> ApplicationFilterChain.java:188)
>>        at
>> org.apache.catalina.core.StandardWrapperValve.invoke(
>> StandardWrapperValve.java:210)
>>        at
>> org.apache.catalina.core.StandardContextValve.invoke(
>> StandardContextValve.java:174)
>>        at
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java
>> :127)
>>        at
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java
>> :117)
>>        at
>> org.apache.catalina.core.StandardEngineValve.invoke(
>> StandardEngineValve.java:108)
>>        at
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java
>> :151)
>>        at
>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
>>        at
>>
>> org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection
>> (Http11BaseProtocol.java:665)
>>        at
>> org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(
>> PoolTcpEndpoint.java:528)
>>        at
>> org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(
>> LeaderFollowerWorkerThread.java:81)
>>        at
>> org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(
>> ThreadPool.java:685)
>>        at java.lang.Thread.run(Thread.java:595)
>>
>> this is  my deployConfigContext.xml
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
>> "http://www.springframework.org/dtd/spring-beans.dtd">
>> <!--
>>        | deployerConfigContext.xml centralizes into one file some of the
>> declarative configuration that
>>        | all CAS deployers will need to modify.
>>        |
>>        | This file declares some of the Spring-managed JavaBeans that
>> make
>> up a
>> CAS deployment.
>>        | The beans declared in this file are instantiated at context
>> initialization time by the Spring
>>        | ContextLoaderListener declared in web.xml.  It finds this file
>> because
>> this
>>        | file is among those declared in the context parameter
>> "contextConfigLocation".
>>        |
>>        | By far the most common change you will need to make in this file
>> is to
>> change the last bean
>>        | declaration to replace the default
>> SimpleTestUsernamePasswordAuthenticationHandler with
>>        | one implementing your approach for authenticating usernames and
>> passwords.
>>        +-->
>> <beans>
>>
>>        <!--
>>                | This bean declares our AuthenticationManager.  The
>> CentralAuthenticationService service bean
>>                | declared in applicationContext.xml picks up this
>> AuthenticationManager
>> by reference to its id,
>>                | "authenticationManager".  Most deployers will be able to
>> use the default
>> AuthenticationManager
>>                | implementation and so do not need to change the class of
>> this bean.  We
>> include the whole
>>                | AuthenticationManager here in the
>> userConfigContext.xmlso that you can
>> see the things you will
>>                | need to change in context.
>>                +-->
>>        <bean id="authenticationManager"
>>                class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>>                <!--
>>                        | This is the List of
>> CredentialToPrincipalResolvers that identify what
>> Principal is trying to authenticate.
>>                        | The AuthenticationManagerImpl considers them in
>> order, finding a
>> CredentialToPrincipalResolver which
>>                        | supports the presented credentials.
>>                        |
>>                        | AuthenticationManagerImpl uses these resolvers
>> for two purposes.
>> First, it uses them to identify the Principal
>>                        | attempting to authenticate to CAS /login .  In
>> the default
>> configuration, it is the DefaultCredentialsToPrincipalResolver
>>                        | that fills this role.  If you are using some
>> other kind of credentials
>> than UsernamePasswordCredentials, you will need to replace
>>                        | DefaultCredentialsToPrincipalResolver with a
>> CredentialsToPrincipalResolver that supports the credentials you are
>>                        | using.
>>                        |
>>                        | Second, AuthenticationManagerImpl uses these
>> resolvers to identify a
>> service requesting a proxy granting ticket.
>>                        | In the default configuration, it is the
>> HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
>>                        | You will need to change this list if you are
>> identifying services by
>> something more or other than their callback URL.
>>                        +-->
>>                <property name="credentialsToPrincipalResolvers">
>>                        <list>
>>                                <!--
>>                                        |
>> UsernamePasswordCredentialsToPrincipalResolver supports the
>> UsernamePasswordCredentials that we use for /login
>>                                        | by default and produces
>> SimplePrincipal instances conveying the
>> username from the credentials.
>>                                        |
>>                                        | If you've changed your
>> LoginFormAction to use credentials other than
>> UsernamePasswordCredentials then you will also
>>                                        | need to change this bean
>> declaration (or add additional declarations)
>> to declare a CredentialsToPrincipalResolver that supports the
>>                                        | Credentials you are using.
>>                                        +-->
>>                                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>>                                <!--
>>                                        |
>> HttpBasedServiceCredentialsToPrincipalResolver supports
>> HttpBasedCredentials.  It supports the CAS 2.0 approach of
>>                                        | authenticating services by SSL
>> callback, extracting the callback URL
>> from the Credentials and representing it as a
>>                                        | SimpleService identified by that
>> callback URL.
>>                                        |
>>                                        | If you are representing services
>> by something more or other than an
>> HTTPS URL whereat they are able to
>>                                        | receive a proxy callback, you
>> will need to change this bean
>> declaration (or add additional declarations).
>>                                        +-->
>>                                <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
>>                        </list>
>>                </property>
>>
>>                <!--
>>                        | Whereas CredentialsToPrincipalResolvers identify
>> who it is some
>> Credentials might authenticate,
>>                        | AuthenticationHandlers actually authenticate
>> credentials.  Here we
>> declare the AuthenticationHandlers that
>>                        | authenticate the Principals that the
>> CredentialsToPrincipalResolvers
>> identified.  CAS will try these handlers in turn
>>                        | until it finds one that both supports the
>> Credentials presented and
>> succeeds in authenticating.
>>                        +-->
>>                <property name="authenticationHandlers">
>>                        <list>
>>                                <!--
>>                                        | This is the authentication
>> handler that authenticates services by
>> means of callback via SSL, thereby validating
>>                                        | a server side SSL certificate.
>>                                        +-->
>>                                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
>>                                        <property
>>                                                name="httpClient"
>>                                                ref="httpClient" />
>>                                </bean>
>>
>>                                <!--
>>                                        | This is the authentication
>> handler declaration that every CAS
>> deployer will need to change before deploying CAS
>>                                        | into production.  The default
>> SimpleTestUsernamePasswordAuthenticationHandler authenticates
>> UsernamePasswordCredentials
>>                                        | where the username equals the
>> password.  You will need to replace
>> this with an AuthenticationHandler that implements your
>>                                        | local authentication strategy.
>>  You might accomplish this by coding a
>> new such handler and declaring
>>                                        |
>> edu.someschool.its.cas.MySpecialHandler here, or you might use one of
>> the handlers provided in the adaptors modules.
>>                                        +-->
>>
>>
>>                 <bean
>> class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
>>                                        <property name="filter"
>> value="uid=%u" />
>>                                        <property name="searchBase"
>> value="cn=Users,dc=z,dc=z" />
>>                                        <property name="contextSource"
>> ref="contextSource" />
>>                    <property name="ignorePartialResultException"
>> value="yes" />
>>                                </bean>
>>                        </list>
>>                </property>
>>        </bean>
>> <bean id="contextSource"
>> class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
>>  <property name="password" value="{11111}"/>
>> <property name="pooled" value="true" />
>>  <property name="urls">
>>  <list>
>>   <value>ldaps://irisad.net/</value>
>>  </list>
>>  </property>
>>  <property name="userName" value="{cn=aa,cn=Users,dc=z,dc=z}"/>
>>  <property name="baseEnvironmentProperties">
>>  <map>
>>        <entry>
>>                <key>
>>          <value>java.naming.security.protocol</value>
>>                </key>
>>                <value>ssl</value>
>>    </entry>
>>   <entry>
>>     <key>
>>      <value>java.naming.security.authentication</value>
>>     </key>
>>     <value>simple</value>
>>   </entry>
>>    <entry>
>>          <key>
>>            <value>java.naming.referral</value>
>>          </key>
>>          <value>follow</value>
>>     </entry>
>>  </map>
>>  </property>
>> </bean>
>> </beans>
>>
>> thanks.
>> --
>> View this message in context:
>> http://www.nabble.com/SSLHandshakeException-when-try-connect-LDAP-tp14799522p14799522.html
>> Sent from the CAS Users mailing list archive at Nabble.com.
>>
>> _______________________________________________
>> Yale CAS mailing list
>> [email protected]
>> http://tp.its.yale.edu/mailman/listinfo/cas
>>
> 
> 
> 
> -- 
> -Scott Battaglia
> 
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/SSLHandshakeException-when-try-connect-LDAP-tp14799522p14833046.html
Sent from the CAS Users mailing list archive at Nabble.com.

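Two things in this thread can be checked mechanically before the Spring config is touched again. First, a telnet connect to 636 only proves the port is open; the "SSL peer shut down incorrectly" in the first post is what the JVM reports when the server closes the connection during the TLS handshake, so a real handshake test is needed. Second, the "data 525" in the error-49 message is Active Directory's "user not found" sub-code, which says the bind DN (the userName of the contextSource) was not resolved; that is a different failure from a wrong password (52e) or a locked account (775), and the sub-code is the fastest way to tell them apart. The script below is an added example, not code from CAS or from anyone in the thread; the host name, port, keystore path and certificate alias are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from CAS or the thread). Host, port, keystore path and
# alias are assumptions; override them through the environment.
LDAP_HOST="${LDAP_HOST:-test.net}"                           # assumed AD host from the post
LDAPS_PORT="${LDAPS_PORT:-636}"
CACERTS="${CACERTS:-$JAVA_HOME/jre/lib/security/cacerts}"   # assumed JVM truststore path
STOREPASS="${STOREPASS:-changeit}"                           # JVM default truststore password

# 1. Decode the "data NNN" sub-code that Active Directory appends to an
#    "error code 49" bind failure. The sub-codes are Microsoft's and tell
#    you which of several very different problems you actually have.
decode_ad_bind_error() {
    code=$(printf '%s\n' "$1" | sed -n 's/.*data \([0-9A-Fa-f]*\),.*/\1/p' | tr 'A-F' 'a-f')
    case "$code" in
        525) meaning="user not found (the bind DN does not exist)" ;;
        52e) meaning="invalid credentials (wrong password)" ;;
        530) meaning="not permitted to log on at this time" ;;
        531) meaning="not permitted to log on at this workstation" ;;
        532) meaning="password expired" ;;
        533) meaning="account disabled" ;;
        701) meaning="account expired" ;;
        773) meaning="user must reset password" ;;
        775) meaning="account locked out" ;;
        "")  printf 'no AD "data" sub-code found in input\n' >&2; return 1 ;;
        *)   meaning="unknown AD sub-code" ;;
    esac
    printf '%s: %s\n' "$code" "$meaning"
}

# 2. Prove that the port actually speaks TLS. An open TCP port is not enough:
#    a domain controller with no server certificate still listens on 636 and
#    drops the connection during the handshake. Look for
#    "Verify return code: 0 (ok)"; a non-zero code (self-signed, unknown
#    issuer) means the JVM will also reject the chain unless the issuing
#    certificate is in cacerts.
check_ldaps_handshake() {
    printf 'Q\n' | openssl s_client -connect "$LDAP_HOST:$LDAPS_PORT" -showcerts 2>&1 \
        | grep -E 'subject=|issuer=|Verify return code'
}

# 3. Confirm the certificate landed in the cacerts of the JVM that Tomcat
#    really runs with (importing into a different JRE is a common miss).
#    keytool exits non-zero when the alias is absent.
cert_in_cacerts() {
    keytool -list -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$1" >/dev/null 2>&1
}

# Usage:
#   sh ldap_diag.sh check [alias]            live checks against LDAP_HOST:LDAPS_PORT
#   sh ldap_diag.sh decode "<exception text>"
case "${1:-}" in
    check)
        check_ldaps_handshake
        if cert_in_cacerts "${2:-ad-server}"; then echo "alias present in $CACERTS"
        else echo "alias missing from $CACERTS"; fi ;;
    decode)
        decode_ad_bind_error "$2" ;;
esac
```

Run `sh ldap_diag.sh decode "$(grep 'error code 49' catalina.out | tail -1)"` against the CAS log to read the sub-code, and `sh ldap_diag.sh check ad-server` from the machine that runs Tomcat so the handshake and the truststore are tested from the same place the JVM connects from.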