Keith Wall created QPID-7160:
--------------------------------
Summary: No X509TrustManager implementation available when using
truststore captured by SiteSpecificTrustStore
Key: QPID-7160
URL: https://issues.apache.org/jira/browse/QPID-7160
Project: Qpid
Issue Type: Bug
Components: Java Broker
Reporter: Keith Wall
Priority: Minor
I am testing the Java Broker with ApacheDS as an authentication provider. I find secure connections to the Directory secured with a self-signed certificate fail if the truststore was captured using {{SiteSpecificTrustStore}}. If I upload the truststore as a PEM, the exception does not occur.
Keystore for ApacheDS was generated like so:
{{keytool -genkey -keyalg RSA -alias selfsigned -keystore apacheds.jks -storepass password -validity 360 -keysize 2048}}
Truststore captured by pointing SiteSpecificTrustStore at https://localhost:10636
Alternative approach (that works): export the PEM from the ApacheDS UI, then import it into the Java Broker as a NonJavaTrustStore.
{noformat}
2016-03-23 22:49:14,464 WARN [HttpManagement-myhttps-150] (o.a.q.s.s.a.m.SimpleLDAPAuthenticationManagerImpl) - SASL Authentication Exception
javax.naming.CommunicationException: simple bind failed: Oslo.local:10636
	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219) ~[na:1.8.0_45]
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788) ~[na:1.8.0_45]
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) ~[na:1.8.0_45]
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) ~[na:1.8.0_45]
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) ~[na:1.8.0_45]
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) ~[na:1.8.0_45]
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) ~[na:1.8.0_45]
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[na:1.8.0_45]
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[na:1.8.0_45]
	at javax.naming.InitialContext.init(InitialContext.java:244) ~[na:1.8.0_45]
	at javax.naming.InitialContext.<init>(InitialContext.java:216) ~[na:1.8.0_45]
	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101) ~[na:1.8.0_45]
	at org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManagerImpl.createInitialDirContext(SimpleLDAPAuthenticationManagerImpl.java:344) ~[classes/:na]
	at org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManagerImpl.getNameFromId(SimpleLDAPAuthenticationManagerImpl.java:491) ~[classes/:na]
	at org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManagerImpl.access$100(SimpleLDAPAuthenticationManagerImpl.java:72) ~[classes/:na]
	at org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManagerImpl$SimpleLDAPPlainCallbackHandler.handle(SimpleLDAPAuthenticationManagerImpl.java:448) ~[classes/:na]
	at org.apache.qpid.server.security.auth.sasl.plain.PlainSaslServer.evaluateResponse(PlainSaslServer.java:83) [classes/:na]
	at org.apache.qpid.server.management.plugin.servlet.rest.SaslServlet.evaluateSaslResponse(SaslServlet.java:217) [classes/:na]
	at org.apache.qpid.server.management.plugin.servlet.rest.SaslServlet.doPostWithSubjectAndActor(SaslServlet.java:135) [classes/:na]
	at org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet$2.run(AbstractServlet.java:118) [classes/:na]
	at org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet$2.run(AbstractServlet.java:114) [classes/:na]
	at java.security.AccessController.doPrivileged(Native Method) [na:1.8.0_45]
	at javax.security.auth.Subject.doAs(Subject.java:422) [na:1.8.0_45]
	at org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet.doWithSubjectAndActor(AbstractServlet.java:215) [classes/:na]
	at org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet.doPost(AbstractServlet.java:112) [classes/:na]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:595) [geronimo-servlet_3.0_spec-1.0.jar:1.0]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:668) [geronimo-servlet_3.0_spec-1.0.jar:1.0]
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1496) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
	at org.apache.qpid.server.management.plugin.filter.ForbiddingAuthorisationFilter.doFilter(ForbiddingAuthorisationFilter.java:90) [classes/:na]
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
	at org.apache.qpid.server.management.plugin.filter.ForbiddingTraceFilter.doFilter(ForbiddingTraceFilter.java:65) [classes/:na]
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
	at org.apache.qpid.server.management.plugin.filter.LoggingFilter.doFilter(LoggingFilter.java:70) [classes/:na]
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
	at org.apache.qpid.server.management.plugin.filter.ExceptionHandlingFilter.doFilter(ExceptionHandlingFilter.java:56) [classes/:na]
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:501) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:229) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:429) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
	at org.eclipse.jetty.server.Server.handle(Server.java:370) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
	at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
	at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:982) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
	at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1043) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865) [jetty-http-8.1.17.v20150415.jar:8.1.17.v20150415]
	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240) [jetty-http-8.1.17.v20150415.jar:8.1.17.v20150415]
	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
	at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196) [jetty-io-8.1.17.v20150415.jar:8.1.17.v20150415]
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696) [jetty-io-8.1.17.v20150415.jar:8.1.17.v20150415]
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53) [jetty-io-8.1.17.v20150415.jar:8.1.17.v20150415]
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608) [jetty-util-8.1.17.v20150415.jar:8.1.17.v20150415]
	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543) [jetty-util-8.1.17.v20150415.jar:8.1.17.v20150415]
	at java.lang.Thread.run(Thread.java:745) [na:1.8.0_45]
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No X509TrustManager implementation available
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_45]
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937) ~[na:1.8.0_45]
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[na:1.8.0_45]
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[na:1.8.0_45]
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478) ~[na:1.8.0_45]
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212) ~[na:1.8.0_45]
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[na:1.8.0_45]
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[na:1.8.0_45]
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050) ~[na:1.8.0_45]
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) ~[na:1.8.0_45]
	at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:916) ~[na:1.8.0_45]
	at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) ~[na:1.8.0_45]
	at java.io.BufferedInputStream.fill(BufferedInputStream.java:246) ~[na:1.8.0_45]
	at java.io.BufferedInputStream.read1(BufferedInputStream.java:286) ~[na:1.8.0_45]
	at java.io.BufferedInputStream.read(BufferedInputStream.java:345) ~[na:1.8.0_45]
	at com.sun.jndi.ldap.Connection.run(Connection.java:851) ~[na:1.8.0_45]
	... 1 common frames omitted
Caused by: java.security.cert.CertificateException: No X509TrustManager implementation available
	at sun.security.ssl.DummyX509TrustManager.checkServerTrusted(SSLContextImpl.java:1119) ~[na:1.8.0_45]
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460) ~[na:1.8.0_45]
	... 12 common frames omitted
{noformat}
config.json snippet:
{noformat}
"authenticationproviders" : [ {
"id" : "fba490fc-3329-4a2d-90db-4add4e050ba3",
"name" : "myldap",
"type" : "SimpleLDAP",
"bindWithoutSearch" : false,
"providerAuthUrl" : "ldaps://Oslo.local:10636",
"providerUrl" : "ldaps://Oslo.local:10636",
"searchContext" : "ou=people,o=sevenSeas",
"searchFilter" : "(uid={0})",
"searchPassword" : "secret",
"searchUsername" : "uid=admin,ou=system ",
"trustStore" : "apacheds_sniff",
"lastUpdatedBy" : "admin",
"lastUpdatedTime" : 1458773319290,
"createdBy" : null,
"createdTime" : 0
}
{noformat}
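The innermost frame above, {{sun.security.ssl.DummyX509TrustManager.checkServerTrusted}}, is the stand-in JSSE installs when {{SSLContext.init()}} is handed a {{TrustManager[]}} that contains no {{X509TrustManager}}; the failure is then only surfaced at handshake time, deep inside JNDI. That is a different failure from a trust store that is merely empty (which still yields an {{X509TrustManager}}, just one with no trust anchors). The Java program below, added as an illustration and not part of the Qpid code base or of this report, makes that distinction visible and gives a pre-flight check that fails at configuration time instead of mid-handshake. It assumes a JDK 8+ runtime and, optionally, a JKS trust store path and password passed on the command line (for example the one captured by {{SiteSpecificTrustStore}}); whether the broker actually passes an empty array in this bug is an inference from the trace, not something the report states.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example: distinguish "empty trust store" from "no X509TrustManager at all". */
public class TrustStoreCheck {

    /** Derive trust managers from a KeyStore the same way a TLS client would. */
    static TrustManager[] trustManagersFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf.getTrustManagers();
    }

    /**
     * Pre-flight check. A null array is rejected on purpose: SSLContext.init(null, ...)
     * silently falls back to the JVM default trust store, which is never what a
     * site-specific trust store is meant to do.
     */
    static X509TrustManager requireX509TrustManager(TrustManager[] tms) throws CertificateException {
        if (tms != null) {
            for (TrustManager tm : tms) {
                if (tm instanceof X509TrustManager) {
                    return (X509TrustManager) tm;
                }
            }
        }
        // Same wording JSSE uses at handshake time, but raised before any connection is made.
        throw new CertificateException("No X509TrustManager implementation available");
    }

    static void report(String label, TrustManager[] tms) {
        try {
            X509TrustManager x509 = requireX509TrustManager(tms);
            X509Certificate[] issuers = x509.getAcceptedIssuers();
            System.out.println(label + ": X509TrustManager with " + issuers.length + " accepted issuer(s)");
            for (X509Certificate c : issuers) {
                System.out.println("  " + c.getSubjectX500Principal());
            }
        } catch (CertificateException e) {
            System.out.println(label + ": " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        // Case 1: an empty KeyStore still produces an X509TrustManager, only with zero
        // accepted issuers. A handshake against it fails later inside PKIX validation
        // ("the trustAnchors parameter must be non-empty"), not with the error in this report.
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null);
        report("empty keystore", trustManagersFor(empty));

        // Case 2: an empty TrustManager[] is what makes SSLContext.init() install JSSE's
        // DummyX509TrustManager, which throws exactly the exception seen in the trace.
        report("empty TrustManager[]", new TrustManager[0]);

        // Case 3 (optional): a real JKS trust store, e.g. "apacheds_sniff" exported to disk.
        // Usage: java TrustStoreCheck /path/to/truststore.jks password
        if (args.length == 2) {
            KeyStore ks = KeyStore.getInstance("JKS");
            try (InputStream in = new FileInputStream(args[0])) {
                ks.load(in, args[1].toCharArray());
            }
            report(args[0], trustManagersFor(ks));
        }
    }
}
```

Running it with no arguments prints one {{X509TrustManager}} with 0 accepted issuers for the empty keystore and the "No X509TrustManager implementation available" message for the empty array, so an operator can tell from the message alone whether a trust store was populated with the wrong content or never contributed a trust manager at all. Pointing it at the captured trust store should list the self-signed ApacheDS subject; if it does, the certificate capture worked and the defect lies in how the trust managers are handed to the LDAP connection rather than in the certificate itself.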
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)