# java -version
java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.1) (Gentoo build 1.6.0_24-b24)
OpenJDK Client VM (build 20.0-b12, mixed mode)
I guess that would be:
/etc/java-config-2/current-system-vm/jre/lib/security/cacerts
So I'd need to add the CA and only the CA cert to this file?
I'd run something like:
keytool -import -alias root \
  -keystore /etc/java-config-2/current-system-vm/jre/lib/security/cacerts \
  -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -trustcacerts \
  -file ${OM_TMP_DIR}/root.crt
However, I have no experience whatsoever in this field and I currently don't
know what to use as the keystore password (or maybe it should be left blank).
So if you suggest to put the CA in the global store, does it mean that
JAVA_OPTS="-Djavax.net.ssl.keyStore="
is not enough?
Vieri
--- On Wed, 5/8/13, Maxim Solodovnik <[email protected]> wrote:
> I guess you need to add your CA to
> java (global one)
>
>
> On Wed, May 8, 2013 at 2:39 PM, Vieri <[email protected]>
> wrote:
>
> > Hi,
> >
> > From the same machine where OM is installed I can run the following
> > command:
> >
> > # ldapsearch -x -D "[email protected]" -b "cn=Users,dc=domain,dc=org" \
> >     -H ldaps://ldapserver.domain.org -W sAMAccountName=aduser
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> >
> > -----------------
> >
> > However, if I set up OM to authenticate users via LDAP/SSL I'm getting the
> > error reported at the end of this e-mail (LDAP without SSL works fine).
> >
> > My om_ldap.cfg is as follows:
> >
> > ldap_server_type=OpenLDAP
> > ldap_conn_url=ldaps://ldapserver.domain.org:636
> > ldap_admin_dn=CN:aduser,CN:Users,DC:domain,DC:org
> > ldap_passwd=secret
> > ldap_search_base=CN:Users,DC:domain,DC:org
> > field_user_principal=sAMAccountName
> > ldap_auth_type=SIMPLE
> > ldap_sync_password_to_om=no
> > ldap_user_attr_lastname=sn
> > ldap_user_attr_firstname=givenName
> > ldap_user_attr_mail=mail
> > ldap_user_attr_street=streetAddress
> > ldap_user_attr_additionalname=description
> > ldap_user_attr_fax=facsimileTelephoneNumber
> > ldap_user_attr_zip=postalCode
> > ldap_user_attr_country=co
> > ldap_user_attr_town=l
> > ldap_user_attr_phone=telephoneNumber
> > ldap_user_picture_uri=wWWHomePage
> > ldap_use_lower_case=false
> > ldap_user_groups=memberOf
> >
> > Before running OM I export:
> >
> > OPENMEETINGS_JAVA_KEYSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/keystore
> > OPENMEETINGS_JAVA_TRUSTSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/truststore
> > JAVA_OPTS="-Djavax.net.ssl.keyStore=${OPENMEETINGS_JAVA_KEYSTORE} \
> >   -Djavax.net.ssl.keyStorePassword=${OPENMEETINGS_JAVA_STORE_PASS} \
> >   -Djavax.net.ssl.trustStore=${OPENMEETINGS_JAVA_TRUSTSTORE} \
> >   -Djavax.net.ssl.trustStorePassword=${OPENMEETINGS_JAVA_STORE_PASS}"
> >
> > I'm using a self-signed certificate in my LDAP server (Active Directory).
> > Here's how I generated it:
> > selfssl.exe /N:CN=LDAPSERVER.DOMAIN.ORG /K:1024 /V:1825
> > run mmc and open the LOCAL COMPUTER Personal certificate store. The cert
> > should already be there.
> > Copy it within mmc to the "Trusted root authorities"
> > Export the certificate from the trusted root store within mmc as pfx
> > file and name it ldapserver.pfx (${OPENMEETINGS_LDAP_SERVER_CERTIFICATE})
> >
> > Finally, on the OM machine I configured the truststore this way:
> >
> > OM_J_TRUSTSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/truststore
> > rm -f $OM_J_TRUSTSTORE
> > keytool -validity 7300 -keysize 2048 -genkey -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} \
> >   -keyalg RSA -keystore ${OM_J_TRUSTSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} \
> >   -keypass ${OPENMEETINGS_JAVA_KEY_PASSWORD} -dname "${OPENMEETINGS_JAVA_DN}"
> > openssl pkcs12 -passin pass:"" -passout pass:"" -in ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE} \
> >   -out ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}.pem -nodes
> > openssl x509 -in ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}.pem -inform pem \
> >   -out ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}-x509.der -outform der
> > keytool -import -alias root -keystore ${OM_J_TRUSTSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} \
> >   -trustcacerts -file ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}-x509.der
> >
> > and the keystore (used for https):
> >
> > OM_J_KEYSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/keystore
> > rm -f ${OM_J_KEYSTORE}
> > keytool -validity 7300 -keysize 2048 -genkey -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} \
> >   -keyalg RSA -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} \
> >   -keypass ${OPENMEETINGS_JAVA_KEY_PASSWORD} -dname "${OPENMEETINGS_JAVA_DN}"
> > keytool -certreq -keyalg RSA -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} \
> >   -file ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.csr \
> >   -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD}
> > # Now submit ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.csr to
> > # custom CA and self-sign the certificate:
> > # - the signed certificate is copied to ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.crt
> > # - the CA root certificate is copied to ${OM_TMP_DIR}/root.crt
> > keytool -import -alias root -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} \
> >   -trustcacerts -file ${OM_TMP_DIR}/root.crt
> > keytool -import -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keystore ${OM_J_KEYSTORE} \
> >   -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -trustcacerts \
> >   -file ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.crt
> > cp ${OM_J_KEYSTORE} ${OM_J_KEYSTORE}.screen
> >
> > If I list the keystores:
> >
> > # keytool -list -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keystore ${OM_J_KEYSTORE} \
> >     -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v
> >
> > Alias name: ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}
> > Creation date: Feb 21, 2013
> > Entry type: PrivateKeyEntry
> > Certificate chain length: 2
> > Certificate[1]:
> > Owner: CN=openmeetings.domain.org, OU=IT, O=domain, L=City, ST=State, C=COUNTRY
> > Issuer: [email protected], CN=MYORG1 Signing Authority, OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
> > Serial number: 1
> > Valid from: Thu Feb 21 09:57:44 CET 2013 until: Tue Feb 20 09:57:44 CET 2018
> > Certificate fingerprints:
> > MD5: 49:08:9E:CC:AD:19:C8:49:8F:67:5C:3E:64:1C:34:AF
> > SHA1: FD:DD:A9:A9:76:16:77:4A:67:96:34:0B:CE:10:93:68:F7:1D:DC:56
> > Signature algorithm name: SHA1withRSA
> > Version: 3
> >
> > Extensions:
> >
> > #1: ObjectId: 2.5.29.14 Criticality=false
> > SubjectKeyIdentifier [
> > KeyIdentifier [
> > 0000: E5 C3 EE 6C 85 80 D7 C1 49 7F 98 D2 2F C4 88 1D ...l....I.../...
> > 0010: 1F 45 73 78
> > ]
> > ]
> >
> > #2: ObjectId: 2.5.29.19 Criticality=false
> > BasicConstraints:[
> > CA:false
> > PathLen: undefined
> > ]
> >
> > #3: ObjectId: 2.5.29.35 Criticality=false
> > AuthorityKeyIdentifier [
> > KeyIdentifier [
> > 0000: 9B 1E 67 7D 0E CE FB 0B 02 5D AE A9 E2 33 AE 70 ..g......]...3.p
> > 0010: 56 EF AB 51 V..Q
> > ]
> >
> > ]
> >
> > #4: ObjectId: 2.5.29.18 Criticality=false
> > IssuerAlternativeName [
> > RFC822Name: [email protected]
> > ]
> >
> > #5: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
> >
> > #6: ObjectId: 2.5.29.17 Criticality=false
> > SubjectAlternativeName [
> > DNSName: openmeetings
> > DNSName: openmeetings.domain.org
> > ]
> >
> > Certificate[2]:
> > Owner: [email protected], CN=MYORG1 Signing Authority, OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
> > Issuer: [email protected], CN=MYORG1 Signing Authority, OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
> > Serial number: 0
> > Valid from: Thu Feb 21 09:48:02 CET 2013 until: Thu Feb 13 09:48:02 CET 2048
> > Certificate fingerprints:
> > MD5: 95:60:3A:CA:B0:4E:EE:18:59:3A:EB:DB:17:9C:D8:0F
> > SHA1: 4B:A9:E0:50:EA:D5:E1:8F:4E:01:AC:11:B9:85:A5:E3:D7:3E:25:85
> > Signature algorithm name: SHA1withRSA
> > Version: 3
> >
> > Extensions:
> >
> > #1: ObjectId: 2.5.29.15 Criticality=false
> > KeyUsage [
> > Key_CertSign
> > Crl_Sign
> > ]
> >
> > #2: ObjectId: 2.5.29.14 Criticality=false
> > SubjectKeyIdentifier [
> > KeyIdentifier [
> > 0000: 9B 1E 67 7D 0E CE FB 0B 02 5D AE A9 E2 33 AE 70 ..g......]...3.p
> > 0010: 56 EF AB 51 V..Q
> > ]
> > ]
> >
> > #3: ObjectId: 2.5.29.31 Criticality=false
> > CRLDistributionPoints [
> > [DistributionPoint:
> > [URIName: http://domain.org/cert/crl.crl]
> > ]]
> >
> > #4: ObjectId: 2.5.29.19 Criticality=false
> > BasicConstraints:[
> > CA:true
> > PathLen:2147483647
> > ]
> >
> > #5: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
> > NetscapeCertType [
> > SSL CA
> > S/MIME CA
> > ]
> >
> > #6: ObjectId: 2.5.29.35 Criticality=false
> > AuthorityKeyIdentifier [
> > KeyIdentifier [
> > 0000: 9B 1E 67 7D 0E CE FB 0B 02 5D AE A9 E2 33 AE 70 ..g......]...3.p
> > 0010: 56 EF AB 51 V..Q
> > ]
> >
> > [[email protected], CN=MYORG1 Signing Authority, OU=ORG IT, O=MYORG, ST=State, C=COUNTRY]
> > SerialNumber: [ 00]
> > ]
> >
> > #7: ObjectId: 2.5.29.18 Criticality=false
> > IssuerAlternativeName [
> > RFC822Name: [email protected]
> > ]
> >
> > #8: ObjectId: 2.5.29.17 Criticality=false
> > SubjectAlternativeName [
> > RFC822Name: [email protected]
> > ]
> >
> >
> > # keytool -list -alias root -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD}
> >
> > root, Feb 21, 2013, trustedCertEntry,
> > Certificate fingerprint (MD5): 95:60:3A:CA:B0:4E:EE:18:59:3A:EB:DB:17:9C:D8:0F
> >
> > And now for the trust store:
> >
> > # keytool -list -alias root -keystore ${OM_J_TRUSTSTORE} \
> >     -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v
> > Alias name: root
> > Creation date: May 7, 2013
> > Entry type: trustedCertEntry
> >
> > Owner: CN=LDAPSERVER.DOMAIN.ORG
> > Issuer: CN=LDAPSERVER.DOMAIN.ORG
> > Serial number: -76629fd860703546b57165ba54276ec2
> > Valid from: Tue May 15 19:07:45 CEST 2012 until: Sun May 14 19:07:45 CEST 2017
> > Certificate fingerprints:
> > MD5: ED:D1:BA:21:27:67:9F:33:26:E7:9E:DC:FB:B8:5B:EE
> > SHA1: 08:6F:5F:A6:D1:81:E0:43:1A:82:9C:F4:CD:42:A6:88:6E:4E:81:29
> > Signature algorithm name: SHA1withRSA
> > Version: 3
> >
> > Extensions:
> >
> > #1: ObjectId: 2.5.29.15 Criticality=false
> > KeyUsage [
> > DigitalSignature
> > Key_Encipherment
> > Data_Encipherment
> > ]
> >
> > #2: ObjectId: 2.5.29.37 Criticality=false
> > ExtendedKeyUsages [
> > serverAuth
> > ]
> >
> > # keytool -list -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keystore ${OM_J_TRUSTSTORE} \
> >     -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v
> >
> > Alias name: ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}
> > Creation date: May 7, 2013
> > Entry type: PrivateKeyEntry
> > Certificate chain length: 1
> > Certificate[1]:
> > Owner: CN=openmeetings.domain.org, OU=IT, O=MyCompanyOrg, L=City, ST=State, C=COUNTRY
> > Issuer: CN=openmeetings.domain.org, OU=IT, O=MyCompanyOrg, L=City, ST=State, C=COUNTRY
> > Serial number: 5188f626
> > Valid from: Tue May 07 14:40:06 CEST 2013 until: Mon May 02 14:40:06 CEST 2033
> > Certificate fingerprints:
> > MD5: C1:DD:BD:F5:1E:99:C5:89:25:0F:42:E5:0D:E4:09:5F
> > SHA1: D9:4D:AF:2D:C2:1E:99:52:A2:AD:CA:4A:D6:05:24:0E:C8:91:70:DC
> > Signature algorithm name: SHA1withRSA
> > Version: 3
> >
> > When an LDAP user tries to log into OM, the log shows the following
> > messages:
> >
> > DEBUG 05-08 09:58:06.944 LdapAuthBase.java 68748242 117 org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] - Authentification to LDAP - Server start
> > DEBUG 05-08 09:58:06.946 LdapAuthBase.java 68748244 151 org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] - loginToLdapServer
> > ERROR 05-08 09:58:11.980 LdapAuthBase.java 68753278 123 org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] - Authentification on LDAP Server failed : simple bind failed: ldapserver.domain.org:636
> > ERROR 05-08 09:58:11.996 LdapAuthBase.java 68753294 124 org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] - [Authentification on LDAP Server failed]
> > javax.naming.CommunicationException: simple bind failed: ldapserver.domain.org:636
> >     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215) ~[na:1.6.0_24]
> >     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685) ~[na:1.6.0_24]
> >     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306) ~[na:1.6.0_24]
> >     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) ~[na:1.6.0_24]
> >     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) ~[na:1.6.0_24]
> >     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) ~[na:1.6.0_24]
> >     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) ~[na:1.6.0_24]
> >     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[na:1.6.0_24]
> >     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305) ~[na:1.6.0_24]
> >     at javax.naming.InitialContext.init(InitialContext.java:240) ~[na:1.6.0_24]
> >     at javax.naming.InitialContext.<init>(InitialContext.java:214) ~[na:1.6.0_24]
> >     at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99) ~[na:1.6.0_24]
> >     at org.apache.openmeetings.ldap.LdapAuthBase.loginToLdapServer(LdapAuthBase.java:161) ~[openmeetings-2.1.1-SNAPSHOT.jar:na]
> >     at org.apache.openmeetings.ldap.LdapAuthBase.authenticateUser(LdapAuthBase.java:119) ~[openmeetings-2.1.1-SNAPSHOT.jar:na]
> >     at org.apache.openmeetings.ldap.LdapLoginManagement.doLdapLogin(LdapLoginManagement.java:422) [openmeetings-2.1.1-SNAPSHOT.jar:na]
> >     at org.apache.openmeetings.remote.MainService.loginUser(MainService.java:333) [openmeetings-2.1.1-SNAPSHOT.jar:na]
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.6.0_24]
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.6.0_24]
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.6.0_24]
> >     at java.lang.reflect.Method.invoke(Method.java:616) ~[na:1.6.0_24]
> >     at org.red5.server.service.ServiceInvoker.invoke(ServiceInvoker.java:196) [red5.jar:na]
> >     at org.red5.server.service.ServiceInvoker.invoke(ServiceInvoker.java:115) [red5.jar:na]
> >     at org.red5.server.net.rtmp.RTMPHandler.invokeCall(RTMPHandler.java:157) [red5.jar:na]
> >     at org.red5.server.net.rtmp.RTMPHandler.onInvoke(RTMPHandler.java:399) [red5.jar:na]
> >     at org.red5.server.net.rtmp.BaseRTMPHandler.messageReceived(BaseRTMPHandler.java:130) [red5.jar:na]
> >     at org.red5.server.net.rtmp.RTMPMinaIoHandler.messageReceived(RTMPMinaIoHandler.java:164) [red5.jar:na]
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:716) [mina-core-2.0.4.jar:na]
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) [mina-core-2.0.4.jar:na]
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46) [mina-core-2.0.4.jar:na]
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796) [mina-core-2.0.4.jar:na]
> >     at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:427) [mina-core-2.0.4.jar:na]
> >     at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:245) [mina-core-2.0.4.jar:na]
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) [mina-core-2.0.4.jar:na]
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46) [mina-core-2.0.4.jar:na]
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796) [mina-core-2.0.4.jar:na]
> >     at org.red5.server.net.rtmpe.RTMPEIoFilter.messageReceived(RTMPEIoFilter.java:124) [red5.jar:na]
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) [mina-core-2.0.4.jar:na]
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46) [mina-core-2.0.4.jar:na]
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796) [mina-core-2.0.4.jar:na]
> >     at org.apache.mina.filter.ssl.SslHandler.flushScheduledEvents(SslHandler.java:320) [mina-core-2.0.4.jar:na]
> >     at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:506) [mina-core-2.0.4.jar:na]
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) [mina-core-2.0.4.jar:na]
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46) [mina-core-2.0.4.jar:na]
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796) [mina-core-2.0.4.jar:na]
> >     at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119) [mina-core-2.0.4.jar:na]
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) [mina-core-2.0.4.jar:na]
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426) [mina-core-2.0.4.jar:na]
> >     at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:715) [mina-core-2.0.4.jar:na]
> >     at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:668) [mina-core-2.0.4.jar:na]
> >     at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:657) [mina-core-2.0.4.jar:na]
> >     at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:68) [mina-core-2.0.4.jar:na]
> >     at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1141) [mina-core-2.0.4.jar:na]
> >     at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64) [mina-core-2.0.4.jar:na]
> >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [na:1.6.0_24]
> >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [na:1.6.0_24]
> >     at java.lang.Thread.run(Thread.java:679) [na:1.6.0_24]
> > Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.6.0_24]
> >     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1697) ~[na:1.6.0_24]
> >     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:257) ~[na:1.6.0_24]
> >     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:251) ~[na:1.6.0_24]
> >     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1165) ~[na:1.6.0_24]
> >     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:154) ~[na:1.6.0_24]
> >     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:609) ~[na:1.6.0_24]
> >     at sun.security.ssl.Handshaker.process_record(Handshaker.java:545) ~[na:1.6.0_24]
> >     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:945) ~[na:1.6.0_24]
> >     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190) ~[na:1.6.0_24]
> >     at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:657) ~[na:1.6.0_24]
> >     at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:108) ~[na:1.6.0_24]
> >     at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) ~[na:1.6.0_24]
> >     at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) ~[na:1.6.0_24]
> >     at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:409) ~[na:1.6.0_24]
> >     at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:352) ~[na:1.6.0_24]
> >     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:210) ~[na:1.6.0_24]
> >     ... 55 common frames omitted
> > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:324) ~[na:1.6.0_24]
> >     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:224) ~[na:1.6.0_24]
> >     at sun.security.validator.Validator.validate(Validator.java:235) ~[na:1.6.0_24]
> >     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147) ~[na:1.6.0_24]
> >     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:230) ~[na:1.6.0_24]
> >     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:270) ~[na:1.6.0_24]
> >     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1144) ~[na:1.6.0_24]
> >     ... 67 common frames omitted
> > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:197) ~[na:1.6.0_24]
> >     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255) ~[na:1.6.0_24]
> >     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:319) ~[na:1.6.0_24]
> >     ... 73 common frames omitted
> >
> > How can I solve the "unable to find valid certification path" issue? What
> > does it refer to exactly?
> >
> > I can correctly connect to https://openmeetings.domain.org/openmeetings/ but
> > the LDAPS authentication/login is failing.
> >
> > My ldapsearch example at the beginning succeeded probably because I have
> > 'TLS_REQCERT never' in ldap.conf. Is there a way to "loosen up" OM/java as
> > far as self-signed certs are concerned?
> >
> > Thanks,
> >
> > Vieri
> >
>
>
> --
> WBR
> Maxim aka solomax
>
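As an added diagnostic that is not part of this thread and not OpenMeetings code, the Java class below does in code what the question asks: it loads the truststore the JVM would use (or one named on the command line), lists which entries actually act as trust anchors, runs the LDAPS handshake through the JVM's own PKIX trust manager, and prints the chain the server sent next to the outcome, so "unable to find valid certification path to requested target" can be matched against what the store contains. The class name LdapsTrustCheck and its argument layout are assumptions; the host and port come from ldap_conn_url above, and the code sticks to Java 6 syntax to match the JRE in the thread.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
// Usage: java LdapsTrustCheck ldapserver.domain.org 636 [truststore.jks [storepass]]
// Without a store argument the JVM default applies (-Djavax.net.ssl.trustStore, else the
// JRE's lib/security/cacerts), which is also what JNDI's ldaps:// client consults.
public class LdapsTrustCheck {
    // Records the chain the server sent, then runs the JVM's own PKIX check unchanged.
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] presented;
        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { delegate.checkClientTrusted(chain, authType); }
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            presented = chain;                             // kept for the report below
            delegate.checkServerTrusted(chain, authType);  // the real "PKIX path building" step
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        // 1. Optionally load a specific store and list its entries. A truststore only
        //    needs trustedCertEntry aliases; a PrivateKeyEntry belongs in the keystore.
        KeyStore store = null;
        if (args.length > 2) {
            store = KeyStore.getInstance("JKS");
            char[] pw = args.length > 3 ? args[3].toCharArray() : null;
            FileInputStream in = new FileInputStream(args[2]);
            try { store.load(in, pw); } finally { in.close(); }
            for (Enumeration<String> e = store.aliases(); e.hasMoreElements();) {
                String alias = e.nextElement();
                if (store.isCertificateEntry(alias)) {
                    X509Certificate c = (X509Certificate) store.getCertificate(alias);
                    System.out.println("anchor '" + alias + "': " + c.getSubjectX500Principal());
                } else {
                    System.out.println("'" + alias + "' is a key entry (not needed in a truststore)");
                }
            }
        }
        // 2. Build a trust manager from that store (null = JVM default) and wrap it.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        RecordingTrustManager tm = new RecordingTrustManager((X509TrustManager) tmf.getTrustManagers()[0]);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        // 3. Handshake as JNDI would. The chain is printed whether or not it validated,
        //    so a failure shows exactly which subject/issuer the store has to cover.
        SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try { sock.startHandshake(); System.out.println("OK: server chain validates against the store"); }
        catch (Exception ex) { System.out.println("FAILED: " + ex.getMessage()); }
        finally { sock.close(); }
        if (tm.presented != null) {
            for (X509Certificate c : tm.presented) {
                System.out.println("server sent: subject=" + c.getSubjectX500Principal()
                        + " issuer=" + c.getIssuerX500Principal());
            }
        }
    }
}
```

Running it once with the red5/conf/truststore and once with no store argument (plus the same JAVA_OPTS the server gets) separates "the store lacks the right anchor" from "the server process is not reading this store".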