We are still encountering the problem detailed below that was described by Steve over a year ago. Is there anyone who can provide some insight on how we can solve this problem?

What happens is that some of our applications must run 24x7, yet the user certificates are changed every 90 days (or sooner based on other criteria). When the certificates are changed while the applications are running we get the INVALID_CREDENTIALS error. We were able to solve this problem in C++ using the "ldap_unbind_s(); ldapssl_shutdown();" API calls (ldapssl_shutdown() was provided with the LDAP C SDK 6.x). As Steve points out, there doesn't seem to be a way to do this with the Java LDAP SDK. After looking at the code, the problem seems to be with a singleton that is used as the JSS or libjss.so layer that is keeping the credentials from being re-read. But a modification to the code would be difficult because the entire design of JSS is based on this singleton.

How do other applications that run 24x7 deal with the problem of certificates changing while they are running? Is there any active development being done on the Java LDAP SDK, which is currently at version 4.17 and has been for several years? Is there any active development being done on JSS and libjss.so?

We need to use the JSSSocketFactory() provided by JSS because we need to use the same type of certificates between the Java and C++ code. JSSESocketFactory() provided by Java uses PKCS12 or JKS keys. We have looked at the Java version of OpenLDAP but it appears to be a wrapper around the JSSESocketFactory.

Thanks for any info you can provide.

david.

> This is sort of a follow-on to Mike's message of last Sept. 12.
> It, and Bug 352673 discussion, led us to be able to have our
> applications handle new certificates being created while the apps are
> running.
> We detect the INVALID_CREDENTIALS error and call:
>   ldap_unbind_s()
>   ldapssl_shutdown() (which calls SSL_ClearSessionCache() and NSS_Shutdown())
> ...and re-initialize, and everybody's happy - in our C++ world.
> ____________________
>
> Now we need to accomplish the same thing in our Java apps, but can't seem to make them let go of and re-fetch certificates.
> We connect with:
>   jsf = new JSSSocketFactory(certDir)
>   conn = new LDAPConnection(jsf)
>   conn.connect()
>   conn.authenticate(), using EXTERNAL mechanism
> After re-creating certificates while running, on the INVALID_CREDENTIALS error, we call:
>   connection.disconnect()
>   (which calls LDAPConnThread::deregister() and thus sendUnbindRequest())
>   SSLServerSocket.clearSessionCache()
> ...and re-initialize as in the beginning.
> But, we continue to get INVALID_CREDENTIALS errors.
> I'm guessing we're not cleaning up enough before re-initializing,
> but don't know what else to try (e.g. can't find a Java handle to an
> NSS_Shutdown() call, as in C)
> Thanks for any help.
> Steve

=====================
David Hinz
720-858-4334
S75 / A1715H

_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
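The recovery loop both messages describe (detect INVALID_CREDENTIALS, unbind and shut the SSL layer down, re-initialize so the new certificates are read) as an added example that is not part of this thread and not JSS, NSS or Mozilla LDAP SDK code. It wraps a session factory so that a long-lived session is rebuilt when the certificate directory changes on disk (proactive check, before the server ever rejects the stale session) and, as a fallback, rebuilt once and retried when the server answers INVALID_CREDENTIALS anyway. The directory server, the session object and the certificate files are constructed in-memory/temp-file stand-ins so the script runs offline; the names FakeServer, FakeSession, RotatingSession, rotate and run_scenario are assumptions of this example.

```python
# Added example, not code from this thread or from JSS / the Mozilla LDAP SDKs.
# Shows the recovery pattern the thread describes (on INVALID_CREDENTIALS, tear
# the session down and rebuild it so fresh certificates are read) plus a
# proactive check that notices rotation on disk before the server rejects us.
import hashlib
import tempfile
from pathlib import Path

INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials

class LdapError(Exception):
    def __init__(self, code):
        super().__init__(f"LDAP result code {code}")
        self.code = code

def fingerprint_cert_dir(cert_dir):
    """SHA-256 over name+content of every file in the cert directory (for an
    NSS database: cert8.db/key8.db); any re-issued certificate changes it."""
    h = hashlib.sha256()
    for p in sorted(Path(cert_dir).iterdir()):
        if p.is_file():
            h.update(p.name.encode() + p.read_bytes())
    return h.hexdigest()

class FakeServer:
    """Constructed server: trusts one client-cert fingerprint at a time, like an
    EXTERNAL bind that maps the presented certificate to a directory entry."""
    def __init__(self):
        self.trusted_fp = None

class FakeSession:
    """Constructed stand-in for JSSSocketFactory + LDAPConnection: the cert is
    snapshotted at connect time, which is why a long-lived session goes stale."""
    def __init__(self, server, cert_dir):
        self.server = server
        self.presented_fp = fingerprint_cert_dir(cert_dir)  # frozen here
        self.open = True

    def bind_external(self):
        if self.presented_fp != self.server.trusted_fp:
            raise LdapError(INVALID_CREDENTIALS)

    def search(self, base):
        assert self.open, "session closed"
        self.bind_external()
        return [f"cn=result,{base}"]

    def close(self):
        self.open = False

class RotatingSession:
    """Wraps a session factory and rebuilds the session on certificate rotation."""
    def __init__(self, cert_dir, connect, proactive=True):
        self.cert_dir, self.connect, self.proactive = cert_dir, connect, proactive
        self.session, self.fp, self.reconnects = None, None, 0
        self._open()

    def _open(self):
        if self.session is not None:
            self.session.close()                    # unbind + shutdown equivalent
        self.fp = fingerprint_cert_dir(self.cert_dir)
        self.session = self.connect(self.cert_dir)  # re-reads certs from disk
        self.session.bind_external()
        self.reconnects += 1

    def call(self, op):
        if self.proactive and fingerprint_cert_dir(self.cert_dir) != self.fp:
            self._open()                            # files changed: rebuild first
        try:
            return op(self.session)
        except LdapError as e:
            if e.code != INVALID_CREDENTIALS:
                raise
            self._open()                            # rejected: rebuild once, retry
            return op(self.session)

def rotate(cert_dir, server, version):
    # Constructed rotation: new cert on disk, and the server now trusts it.
    (cert_dir / "cert8.db").write_bytes(f"constructed-client-cert-v{version}".encode())
    server.trusted_fp = fingerprint_cert_dir(cert_dir)

def run_scenario(proactive):
    """Search, rotate the certificate, search again; returns (results, reconnects).
    With proactive=False the first post-rotation call hits INVALID_CREDENTIALS
    on the stale session (the thread's failure) and recovers via the retry."""
    with tempfile.TemporaryDirectory() as d:
        cert_dir, server = Path(d), FakeServer()
        rotate(cert_dir, server, 1)
        rs = RotatingSession(cert_dir, lambda cd: FakeSession(server, cd), proactive)
        out = [rs.call(lambda s: s.search("dc=example,dc=com"))]
        rotate(cert_dir, server, 2)
        out.append(rs.call(lambda s: s.search("dc=example,dc=com")))
        return out, rs.reconnects

if __name__ == "__main__":
    print("proactive:", run_scenario(True))
    print("reactive :", run_scenario(False))
```

Both scenarios end with two connects (the initial one and one rebuild) and a successful search after rotation. Hashing the whole certificate database before every call is deliberate here for clarity; in a real service a cheaper mtime check or a timer is enough. The example assumes the session factory really re-reads the directory on each connect, which is exactly the property the thread reports JSS's process-wide singleton does not give: if the crypto layer caches credentials below the connection object, closing and reopening the connection alone will not pick up the new certificate.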
