RE: JNDI ldaps Problem with SSO

2021-05-27 Thread Susan.Wood
Hi Christopher

Enclosed is the stacktrace of the tomcat (localhost) 

03-Mar-2021 15:57:15.221 SEVERE [http-nio-8080-exec-10] org.apache.catalina.realm.JNDIRealm.authenticate Exception performing authentication
 javax.naming.NamingException: [LDAP: error code 1 - 04DC: LdapErr: DSID-0C0907E9, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580 ]; remaining name 'DC=bcintra,DC=CH'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3299)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3205)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2996)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1875)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1798)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1655)
at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1491)
at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1439)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1380)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1267)
at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:193)
at org.apache.catalina.authenticator.AuthenticatorBase.doLogin(AuthenticatorBase.java:950)
at org.apache.catalina.authenticator.AuthenticatorBase.login(AuthenticatorBase.java:932)
at org.apache.catalina.connector.Request.login(Request.java:2674)
at org.apache.catalina.connector.RequestFacade.login(RequestFacade.java:1072)
at javax.servlet.http.HttpServletRequestWrapper.login(HttpServletRequestWrapper.java:318)
at com.nm.exprlang.functions.LoginFunction.calculate(LoginFunction.java:41)
at com.nm.sdk.data.expeval.MethodCallUtils.callScriptFunction(MethodCallUtils.java:207)
at com.nm.sdk.data.expeval.nodes.FunctionNode.execute(FunctionNode.java:465)
at com.nm.sdk.data.expeval.MethodCallUtils.callScriptFunction(MethodCallUtils.java:153)
at com.nm.sdk.data.expeval.nodes.FunctionNode.execute(FunctionNode.java:465)
at com.nm.sdk.data.expeval.nodes.ScriptBodyNode.execute(ScriptBodyNode.java:176)
at com.nm.exprlang.InterpreterImpl.execute(InterpreterImpl.java:417)
at com.nm.exprlang.InterpreterImpl.interpret(InterpreterImpl.java:384)
at com.nm.exprlang.InterpreterImpl.interpret(InterpreterImpl.java:371)
at com.nm.exprlang.InterpreterImpl.interpret(InterpreterImpl.java:326)
at com.nm.sdk.data.pages.views.actions.ExpressionAction.execute(ExpressionAction.java:76)
at com.nm.sdk.data.pages.views.components.Component.handleEvent(Component.java:930)
at com.nm.sdk.data.pages.views.components.Component.handleEvents(Component.java:898)
at com.nm.sdk.data.pages.views.components.Component.process(Component.java:871)
at com.nm.sdk.data.pages.views.components.CustomControl.processComponent(CustomControl.java:295)
at com.nm.sdk.data.pages.views.components.Component.process(Component.java:872)
at com.nm.sdk.data.pages.views.components.Container.processChildren(Container.java:408)
at com.nm.sdk.data.pages.views.components.Container.processComponent(Container.java:403)
at com.nm.sdk.data.pages.views.components.Component.process(Component.java:872)
at com.nm.sdk.data.pages.views.components.Container.processChildren(Container.java:408)
at com.nm.sdk.data.pages.views.components.Container.processComponent(Container.java:403)
at com.nm.sdk.data.pages.views.components.Component.process(Component.java:872)
at com.nm.sdk.data.pages.views.components.Container.processChildren(Container.java:408)
at com.nm.sdk.data.pages.views.components.Container.processComponent(Container.java:403)
at com.nm.sdk.data.pages.views.components.Component.process(Component.java:872)
at com.nm.screenflow.PageServiceImpl.processPageResponse(PageServiceImpl.java:1450)
at com.nm.sdk.data.workflow.model.ScreenTask.processHttpRequest(ScreenTask.java:524)
at com.nm.workspace.ProcessServlet.processWorkflowToken(ProcessServlet.java:554)
at com.nm.workspace.ProcessServlet.processWorkitem(ProcessServlet.java:264)
at com.nm.workspace.ProcessServlet.doPost(ProcessServlet.java:134)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
at 

RE: JNDI ldaps Problem with SSO

2021-05-21 Thread Susan.Wood
Hi Christopher

Enclosed is the stacktrace of the tomcat (localhost) 

On the DC side we see those messages: 

Then we see the same error events as we saw before with the normal
log level:
Internal event: The LDAP server returned an error. 
 
Additional Data 
Error value:
0057: LdapErr: DSID-0C0C0095, comment: Error decoding ldap message, data 0, 
v2580

Internal event: An LDAP client connection was closed because of an error. 
 
Client IP:
10.189.162.17:51240 
 
Additional Data 
Error value:
87 The parameter is incorrect. 
Internal ID:
c0c0095


Thank you 

Susan 

> -Original Message-
> From: Christopher Schultz 
> Sent: Thursday, 20 May 2021 18:37
> To: users@tomcat.apache.org
> Subject: Re: JNDI ldaps Problem with SSO
> 
> Susan,
> 
> On 5/18/21 16:58, susan.w...@swisscom.com wrote:
> > When we are using plain ldap 3268, all works fine with those settings:
> >
> >
> > Good:
> > <Realm className="org.apache.catalina.realm.JNDIRealm"
> >   connectionURL="ldap://x..com:3268"
> >   userBase="DC=XXXINTRA,DC=CH"
> >   userSubtree="true"
> >   userSearch="(sAMAccountName={0})"
> >   userRoleName="memberOf"
> >   roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
> >   roleName="CN"
> >   roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> >   roleSubtree="true"
> >   roleNested="true" />
> >
> >
> > It's when we want to use ldaps with 3269 that it's failing:
> > bad:
> >
> > <Realm className="org.apache.catalina.realm.JNDIRealm"
> >   connectionURL="ldaps://x..com:3269"
> >   userBase="DC=XXXINTRA,DC=CH"
> >   userSubtree="true"
> >   userSearch="(sAMAccountName={0})"
> >   userRoleName="memberOf"
> >   roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
> >   roleName="CN"
> >   roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> >   roleSubtree="true"
> >   roleNested="true" />
> >
> >
> > ldapsearch on port 3269 (ldaps) works fine from the same machine, but
> > yes, it's not exactly the same request
> >
> >
> > TEST ~]# ldapsearch -x -D "cn=SA-PF00-Appway,OU=PF00_Appway-CoreService,OU=PF00_Appway,OU=PF00_Server,OU=PF00_Res,OU=PF00,dc=bcintra,dc=ch" -b "DC=bcintra,DC=ch" -W -H ldaps://bcintra.ch:3269 | more
> > Enter LDAP Password:
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <DC=bcintra,DC=ch> with scope subtree
> > # filter: (objectclass=*)
> > # requesting: ALL
> > # Organization, Schema, Configuration, bcintra.ch
> >
> >
> >
> > We think the SSL handshake is fine but the bind is failing. Why?
> 
> What is the error you actually get? Can you please post the full stack trace
> and not just the message?
> 
> -chris
> 
> 
> >> -Original Message-
> >> From: Christopher Schultz 
> >> Sent: Tuesday, 18 May 2021 18:02
> >> To: users@tomcat.apache.org
> >> Subject: Re: JNDI ldaps Problem with SSO
> >>
> >> Susan,
> >>
> >> On 5/18/21 09:43, susan.w...@swisscom.com wrote:
> >>> Hi all
> >>>
> >>> apache-tomcat-8.0.36
> >>>
> >>> java version "1.8.0_281"
> >>> Java(TM) SE Runtime Environment (build 1.8.0_281-b09) Java
> >>> HotSpot(TM) 64-Bit Server VM (build 25.281-b09, mixed mode)
> >>>
> >>> We are having a problem with our Single sign On config.
> >>> When using ldap - all works well.
> >>>
> >>> When switching to ldaps, the user loses the connection altogether
> >>> (Server not reachable)
> >>>
> >>>
> >>>
> >>> server.xml
> >>>
> >>> Good:
> >>> <Realm className="org.apache.catalina.realm.JNDIRealm"
> >>>  connectionURL="ldap://x..com:3268"
> >>>  userBase="DC=XXXINTRA,DC=CH"
> >>>  userSubtree="true"
> >>>  userSearch="(sAMAccountName={0})

Re: JNDI ldaps Problem with SSO

2021-05-20 Thread Christopher Schultz

Susan,

On 5/18/21 16:58, susan.w...@swisscom.com wrote:

When we are using plain ldap 3268, all works fine with those settings:


Good:
<Realm className="org.apache.catalina.realm.JNDIRealm"
  connectionURL="ldap://x..com:3268"
  userBase="DC=XXXINTRA,DC=CH"
  userSubtree="true"
  userSearch="(sAMAccountName={0})"
  userRoleName="memberOf"
  roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
  roleName="CN"
  roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
  roleSubtree="true"
  roleNested="true" />


It's when we want to use ldaps with 3269 that it's failing:
bad:

<Realm className="org.apache.catalina.realm.JNDIRealm"
  connectionURL="ldaps://x..com:3269"
  userBase="DC=XXXINTRA,DC=CH"
  userSubtree="true"
  userSearch="(sAMAccountName={0})"
  userRoleName="memberOf"
  roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
  roleName="CN"
  roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
  roleSubtree="true"
  roleNested="true" />


ldapsearch on port 3269 (ldaps) works fine from the same machine, but yes, it's 
not exactly the same request


TEST ~]# ldapsearch -x -D "cn=SA-PF00-Appway,OU=PF00_Appway-CoreService,OU=PF00_Appway,OU=PF00_Server,OU=PF00_Res,OU=PF00,dc=bcintra,dc=ch" -b "DC=bcintra,DC=ch" -W -H ldaps://bcintra.ch:3269 | more
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <DC=bcintra,DC=ch> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# Organization, Schema, Configuration, bcintra.ch



We think the SSL handshake is fine but the bind is failing. Why?


What is the error you actually get? Can you please post the full stack
trace and not just the message?


-chris



-Original Message-
From: Christopher Schultz 
Sent: Tuesday, 18 May 2021 18:02
To: users@tomcat.apache.org
Subject: Re: JNDI ldaps Problem with SSO

Susan,

On 5/18/21 09:43, susan.w...@swisscom.com wrote:

Hi all

apache-tomcat-8.0.36

java version "1.8.0_281"
Java(TM) SE Runtime Environment (build 1.8.0_281-b09) Java HotSpot(TM)
64-Bit Server VM (build 25.281-b09, mixed mode)

We are having a problem with our Single sign On config.
When using ldap - all works well.

When switching to ldaps, the user loses the connection altogether
(Server not reachable)



server.xml

Good:
<Realm className="org.apache.catalina.realm.JNDIRealm"
  connectionURL="ldap://x..com:3268"
  userBase="DC=XXXINTRA,DC=CH"
  userSubtree="true"
  userSearch="(sAMAccountName={0})"
  userRoleName="memberOf"
  roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
  roleName="CN"
  roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
  roleSubtree="true"
  roleNested="true" />

bad:

<Realm className="org.apache.catalina.realm.JNDIRealm"
  connectionURL="ldaps://x..com:3269"
  userBase="DC=XXXINTRA,DC=CH"
  userSubtree="true"
  userSearch="(sAMAccountName={0})"
  userRoleName="memberOf"
  roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
  roleName="CN"
  roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
  roleSubtree="true"
  roleNested="true" />


Connectivity to the DC is fine (ldapsearch with ldaps works), the SSL
connection itself seems to be fine, certificates are fine, we are sending the
truststore as well. All is in the relevant cacerts too.

We have a https Server in Front and a proxy Setting to the tomcat.

/usr/java/latest/bin/java
-Djava.util.logging.config.file=/opt/tomcat/tomcat8_appway1/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djavax.net.ssl.trustStore=/etc/pki/tls/certs/xxRootCore.jks
-Djavax.net.ssl.trustStorePassword=xx
-Djdk.tls.ephemeralDHKeySize=2048 -Xmx12G -XX:+UseThreadPriorities
-Dnm.data.home=/opt/tomcat/data
-Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf
-Djava.security.krb5.conf=/opt/tomcat/tomcat8_appway1/conf/krb5.conf
-Djavax.security.auth.useSubjectCredsOnly=false
-Dsun.security.krb5.debug=false -Duser.timezone=Europe/Berlin
-Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed
-classpath /opt/tomcat/apache-tomcat-8.0.36/bin/bootstrap.jar:/opt/tomcat/apache-tomcat-8.0.36/bin/tomcat-juli.jar
-Dcatalina.base=/opt/tomcat/tomcat8_appway1
-Dcatalina.home=/opt/tomcat/apache-tomcat-8.0.36
-Djava.io.tmpdir=/opt/tomcat/tomcat8_appway1/temp
org.apache.catalina.startup.Bootstrap start



Domain controller seems to close the connection. The error is "The
Parameter is incorrect", "The System cannot find the path specified." It
seems to happen during the bind process, as if the DC cannot decrypt our
Tomcat request:


The first two events happen several times. After the last anonymous
"ldap_bind entered", the "ldap_bind exited" is done with the Appway service
account user. Right after that the error appears.

Internal event: Function ldap_bind entered.
 SID: S-1-5-7
 Source IP: 11.1xx.xxx.xxx:51240
 Operation identifier: 894498
 Data1:
   

RE: JNDI ldaps Problem with SSO

2021-05-18 Thread Susan.Wood
Hi Chris

Thank you for your fast reply

When we are using plain ldap 3268, all works fine with those settings: 


Good:
<Realm className="org.apache.catalina.realm.JNDIRealm"
  connectionURL="ldap://x..com:3268"
  userBase="DC=XXXINTRA,DC=CH"
  userSubtree="true"
  userSearch="(sAMAccountName={0})"
  userRoleName="memberOf"
  roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
  roleName="CN"
  roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
  roleSubtree="true"
  roleNested="true" />


It's when we want to use ldaps with 3269 that it's failing:
bad:

<Realm className="org.apache.catalina.realm.JNDIRealm"
  connectionURL="ldaps://x..com:3269"
  userBase="DC=XXXINTRA,DC=CH"
  userSubtree="true"
  userSearch="(sAMAccountName={0})"
  userRoleName="memberOf"
  roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
  roleName="CN"
  roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
  roleSubtree="true"
  roleNested="true" />


ldapsearch on port 3269 (ldaps) works fine from the same machine, but yes, it's 
not exactly the same request


TEST ~]# ldapsearch -x -D "cn=SA-PF00-Appway,OU=PF00_Appway-CoreService,OU=PF00_Appway,OU=PF00_Server,OU=PF00_Res,OU=PF00,dc=bcintra,dc=ch" -b "DC=bcintra,DC=ch" -W -H ldaps://bcintra.ch:3269 | more
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <DC=bcintra,DC=ch> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# Organization, Schema, Configuration, bcintra.ch



We think the SSL handshake is fine but the bind is failing. Why?

Thank you 

Susan 

> -Original Message-
> From: Christopher Schultz 
> Sent: Tuesday, 18 May 2021 18:02
> To: users@tomcat.apache.org
> Subject: Re: JNDI ldaps Problem with SSO
> 
> Susan,
> 
> On 5/18/21 09:43, susan.w...@swisscom.com wrote:
> > Hi all
> >
> > apache-tomcat-8.0.36
> >
> > java version "1.8.0_281"
> > Java(TM) SE Runtime Environment (build 1.8.0_281-b09) Java HotSpot(TM)
> > 64-Bit Server VM (build 25.281-b09, mixed mode)
> >
> > We are having a problem with our Single sign On config.
> > When using ldap - all works well.
> >
> > When switching to ldaps, the user loses the connection altogether
> > (Server not reachable)
> >
> >
> >
> > server.xml
> >
> > Good:
> > <Realm className="org.apache.catalina.realm.JNDIRealm"
> >   connectionURL="ldap://x..com:3268"
> >   userBase="DC=XXXINTRA,DC=CH"
> >   userSubtree="true"
> >   userSearch="(sAMAccountName={0})"
> >   userRoleName="memberOf"
> >   roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
> >   roleName="CN"
> >   roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> >   roleSubtree="true"
> >   roleNested="true" />
> >
> > bad:
> >
> > <Realm className="org.apache.catalina.realm.JNDIRealm"
> >   connectionURL="ldaps://x..com:3269"
> >   userBase="DC=XXXINTRA,DC=CH"
> >   userSubtree="true"
> >   userSearch="(sAMAccountName={0})"
> >   userRoleName="memberOf"
> >   roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
> >   roleName="CN"
> >   roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> >   roleSubtree="true"
> >   roleNested="true" />
> >
> >
> > Connectivity to the DC is fine (ldapsearch with ldaps works), the SSL
> > connection itself seems to be fine, certificates are fine, we are sending the
> > truststore as well. All is in the relevant cacerts too.
> > We have a https Server in Front and a proxy Setting to the tomcat.
> >
> > /usr/java/latest/bin/java
> > -Djava.util.logging.config.file=/opt/tomcat/tomcat8_appway1/conf/logging.properties
> > -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> > -Djavax.net.ssl.trustStore=/etc/pki/tls/certs/xxRootCore.jks
> > -Djavax.net.ssl.trustStorePassword=xx
> > -Djdk.tls.ephemeralDHKeySize=2048 -Xmx12G -XX:+UseThreadPriorities
> > -Dnm.data.home=/opt/tomcat/data
> > -Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf
> > -Djava.security.krb5.conf=/opt/tomcat/tomcat8_appway1/conf/krb5.conf
> > -Djavax.security.auth.useSubjectCredsOnly=false
> > -Dsun.security.krb5.debug=false -Duser.timezone=Europe/Berlin
> > -Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed
> &

Re: JNDI ldaps Problem with SSO

2021-05-18 Thread Christopher Schultz

Susan,

On 5/18/21 09:43, susan.w...@swisscom.com wrote:

Hi all

apache-tomcat-8.0.36

java version "1.8.0_281"
Java(TM) SE Runtime Environment (build 1.8.0_281-b09)
Java HotSpot(TM) 64-Bit Server VM (build 25.281-b09, mixed mode)

We are having a problem with our Single sign On config.
When using ldap - all works well.

When switching to ldaps, the user loses the connection altogether (Server
not reachable)



server.xml

Good:
<Realm className="org.apache.catalina.realm.JNDIRealm"
  connectionURL="ldap://x..com:3268"
  userBase="DC=XXXINTRA,DC=CH"
  userSubtree="true"
  userSearch="(sAMAccountName={0})"
  userRoleName="memberOf"
  roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
  roleName="CN"
  roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
  roleSubtree="true"
  roleNested="true" />

bad:

<Realm className="org.apache.catalina.realm.JNDIRealm"
  connectionURL="ldaps://x..com:3269"
  userBase="DC=XXXINTRA,DC=CH"
  userSubtree="true"
  userSearch="(sAMAccountName={0})"
  userRoleName="memberOf"
  roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
  roleName="CN"
  roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
  roleSubtree="true"
  roleNested="true" />


Connectivity to the DC is fine (ldapsearch with ldaps works), the SSL connection
itself seems to be fine, certificates are fine, we are sending the truststore as
well. All is in the relevant cacerts too.
We have a https Server in Front and a proxy Setting to the tomcat.

/usr/java/latest/bin/java 
-Djava.util.logging.config.file=/opt/tomcat/tomcat8_appway1/conf/logging.properties
 -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
-Djavax.net.ssl.trustStore=/etc/pki/tls/certs/xxRootCore.jks 
-Djavax.net.ssl.trustStorePassword=xx -Djdk.tls.ephemeralDHKeySize=2048 
-Xmx12G -XX:+UseThreadPriorities -Dnm.data.home=/opt/tomcat/data 
-Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf 
-Djava.security.krb5.conf=/opt/tomcat/tomcat8_appway1/conf/krb5.conf 
-Djavax.security.auth.useSubjectCredsOnly=false -Dsun.security.krb5.debug=false 
-Duser.timezone=Europe/Berlin 
-Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed -classpath 
/opt/tomcat/apache-tomcat-8.0.36/bin/bootstrap.jar:/opt/tomcat/apache-tomcat-8.0.36/bin/tomcat-juli.jar
 -Dcatalina.base=/opt/tomcat/tomcat8_appway1 
-Dcatalina.home=/opt/tomcat/apache-tomcat-8.0.36 
-Djava.io.tmpdir=/opt/tomcat/tomcat8_appway1/temp 
org.apache.catalina.startup.Bootstrap start



Domain controller seems to close the connection. The error is "The Parameter is
incorrect", "The System cannot find the path specified." It seems to happen during
the bind process, as if the DC cannot decrypt our Tomcat request:

The first two events happen several times. After the last anonymous "ldap_bind
entered", the "ldap_bind exited" is done with the Appway service account user.
Right after that the error appears.
Internal event: Function ldap_bind entered.
SID: S-1-5-7
Source IP: 11.1xx.xxx.xxx:51240
Operation identifier: 894498
Data1:
Data2: 1004335171
Data3:
Data4:
Internal event: Function ldap_bind exited.
Elapsed time (ms): 0
SID: S-1-5-7
Source IP: 11.1xx.xxx.xxx::51240
Operation identifier: 894498
Data1:
Data2: 1004335171
Data3: 1004335171
Internal event: Function ldap_bind entered.
SID: S-1-5-7
Source IP: 11.1xx.xxx.xxx::51240
Operation identifier: 894498
Data1:
Data2: 1004335203
Data3:
Data4:

Internal event: Function ldap_bind exited.
Elapsed time (ms): 0
SID: S-1-5-21-576815021-3137181063-3029416097-6939
Source IP: 11.1xx.xxx.xxx::51240
Operation identifier: 894498
Data1:
Data2: 1004335203
Data3: 1004335203


Then we see the same error events as we saw before with the normal
log level:
Internal event: The LDAP server returned an error.

Additional Data
Error value:
0057: LdapErr: DSID-0C0C0095, comment: Error decoding ldap message, data 0, 
v2580

Internal event: An LDAP client connection was closed because of an error.

Client IP:
11.1xx.xxx.xxx::51240

Additional Data
Error value:
87 The parameter is incorrect.
Internal ID:
c0c0095






In the App Log of the tomcat we see:

/opt/tomcat/tomcat8_appway1/logs


localhost.2021-03-22.log


22-Mar-2021 10:08:09.717 INFO [localhost-startStop-2] 
org.apache.catalina.core.ApplicationContext.log  [CompressingFilter/1.7.1] 
CompressingFilter is being destroyed...
22-Mar-2021 10:08:45.306 INFO [localhost-startStop-1] 
org.apache.catalina.core.ApplicationContext.log No Spring 
WebApplicationInitializer types detected on classpath
22-Mar-2021 10:10:02.552 INFO [localhost-startStop-1] 
org.apache.catalina.core.ApplicationContext.log  [CompressingFilter/1.7.1] 
CompressingFilter has initialized
22-Mar-2021 10:10:02.910 INFO [localhost-startStop-1] 
org.apache.catalina.core.ApplicationContext.log jolokia-agent: Using policy 
access restrictor classpath:/jolokia-access.xml
22-Mar-2021 10:10:21.896 SEVERE [http-nio-8080-exec-6] 
org.apache.catalina.realm.JNDIRealm.authenticate Exception 

JNDI ldaps Problem with SSO

2021-05-18 Thread Susan.Wood
Hi all

apache-tomcat-8.0.36

java version "1.8.0_281"
Java(TM) SE Runtime Environment (build 1.8.0_281-b09)
Java HotSpot(TM) 64-Bit Server VM (build 25.281-b09, mixed mode)

We are having a problem with our Single sign On config.
When using ldap - all works well.

When switching to ldaps, the user loses the connection altogether (Server
not reachable)



server.xml

Good:
<Realm className="org.apache.catalina.realm.JNDIRealm"
   connectionURL="ldap://x..com:3268"
   userBase="DC=XXXINTRA,DC=CH"
   userSubtree="true"
   userSearch="(sAMAccountName={0})"
   userRoleName="memberOf"
   roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
   roleName="CN"
   roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
   roleSubtree="true"
   roleNested="true" />

bad:

<Realm className="org.apache.catalina.realm.JNDIRealm"
   connectionURL="ldaps://x..com:3269"
   userBase="DC=XXXINTRA,DC=CH"
   userSubtree="true"
   userSearch="(sAMAccountName={0})"
   userRoleName="memberOf"
   roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
   roleName="CN"
   roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
   roleSubtree="true"
   roleNested="true" />

Connectivity to the DC is fine (ldapsearch with ldaps works), the SSL connection
itself seems to be fine, certificates are fine, we are sending the truststore as
well. All is in the relevant cacerts too.
We have a https Server in Front and a proxy Setting to the tomcat.

/usr/java/latest/bin/java 
-Djava.util.logging.config.file=/opt/tomcat/tomcat8_appway1/conf/logging.properties
 -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
-Djavax.net.ssl.trustStore=/etc/pki/tls/certs/xxRootCore.jks 
-Djavax.net.ssl.trustStorePassword=xx -Djdk.tls.ephemeralDHKeySize=2048 
-Xmx12G -XX:+UseThreadPriorities -Dnm.data.home=/opt/tomcat/data 
-Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf 
-Djava.security.krb5.conf=/opt/tomcat/tomcat8_appway1/conf/krb5.conf 
-Djavax.security.auth.useSubjectCredsOnly=false -Dsun.security.krb5.debug=false 
-Duser.timezone=Europe/Berlin 
-Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed -classpath 
/opt/tomcat/apache-tomcat-8.0.36/bin/bootstrap.jar:/opt/tomcat/apache-tomcat-8.0.36/bin/tomcat-juli.jar
 -Dcatalina.base=/opt/tomcat/tomcat8_appway1 
-Dcatalina.home=/opt/tomcat/apache-tomcat-8.0.36 
-Djava.io.tmpdir=/opt/tomcat/tomcat8_appway1/temp 
org.apache.catalina.startup.Bootstrap start



Domain controller seems to close the connection. The error is "The Parameter is
incorrect", "The System cannot find the path specified." It seems to happen
during the bind process, as if the DC cannot decrypt our Tomcat request:

The first two events happen several times. After the last anonymous "ldap_bind
entered", the "ldap_bind exited" is done with the Appway service account user.
Right after that the error appears.
Internal event: Function ldap_bind entered.
   SID: S-1-5-7
   Source IP: 11.1xx.xxx.xxx:51240
   Operation identifier: 894498
   Data1:
   Data2: 1004335171
   Data3:
   Data4:
Internal event: Function ldap_bind exited.
   Elapsed time (ms): 0
   SID: S-1-5-7
   Source IP: 11.1xx.xxx.xxx::51240
   Operation identifier: 894498
   Data1:
   Data2: 1004335171
   Data3: 1004335171
Internal event: Function ldap_bind entered.
   SID: S-1-5-7
   Source IP: 11.1xx.xxx.xxx::51240
   Operation identifier: 894498
   Data1:
   Data2: 1004335203
   Data3:
   Data4:

Internal event: Function ldap_bind exited.
   Elapsed time (ms): 0
   SID: S-1-5-21-576815021-3137181063-3029416097-6939
   Source IP: 11.1xx.xxx.xxx::51240
   Operation identifier: 894498
   Data1:
   Data2: 1004335203
   Data3: 1004335203


Then we see the same error events as we saw before with the normal
log level:
Internal event: The LDAP server returned an error.

Additional Data
Error value:
0057: LdapErr: DSID-0C0C0095, comment: Error decoding ldap message, data 0, 
v2580

Internal event: An LDAP client connection was closed because of an error.

Client IP:
11.1xx.xxx.xxx::51240

Additional Data
Error value:
87 The parameter is incorrect.
Internal ID:
c0c0095






In the App Log of the tomcat we see:

/opt/tomcat/tomcat8_appway1/logs


localhost.2021-03-22.log


22-Mar-2021 10:08:09.717 INFO [localhost-startStop-2] 
org.apache.catalina.core.ApplicationContext.log  [CompressingFilter/1.7.1] 
CompressingFilter is being destroyed...
22-Mar-2021 10:08:45.306 INFO [localhost-startStop-1] 
org.apache.catalina.core.ApplicationContext.log No Spring 
WebApplicationInitializer types detected on classpath
22-Mar-2021 10:10:02.552 INFO [localhost-startStop-1] 
org.apache.catalina.core.ApplicationContext.log  [CompressingFilter/1.7.1] 
CompressingFilter has initialized
22-Mar-2021 10:10:02.910 INFO [localhost-startStop-1] 
org.apache.catalina.core.ApplicationContext.log jolokia-agent: Using policy 
access restrictor classpath:/jolokia-access.xml
22-Mar-2021 10:10:21.896 SEVERE [http-nio-8080-exec-6] 
org.apache.catalina.realm.JNDIRealm.authenticate Exception performing 
authentication
javax.naming.NamingException: [LDAP: error code 1 - 04DC: LdapErr: 

Re: JNDI ldaps Problem with SSO

2021-02-25 Thread Luis Rodríguez Fernández
Hello Susan,

org.apache.catalina.realm.JNDIRealm uses the container log, so
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = ALL
should give you some more details. By default these logs go to
localhost.YYYY-MM-DD.log; if you want to print them to the console you
can always change the handler
to org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers =
java.util.logging.ConsoleHandler

Depending on your Active Directory configuration you may need to provide
connectionName and connectionPassword properties, from [1]:

"When making a connection in order to search the directory and retrieve
user and role information, the realm authenticates itself to the directory
with the username and password specified by
the connectionName and connectionPassword properties. If these properties
are not specified the connection is anonymous. This is sufficient in many
cases."

Cheers,

Luis

[1] http://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html









On Thu, 25 Feb 2021 at 18:26, Brian Wolfe ()
wrote:

> Seems there might be some debug you can turn on. I haven't tried it myself.
> But look at this for reference.
> https://ldapwiki.com/wiki/Tomcat%20And%20LDAP
>
> On Thu, Feb 25, 2021 at 11:18 AM  wrote:
>
> > Dear Brian
> >
> > Thank you for your reply
> >
> > We can see the successful handshake with the LDAP Server.
> > We think that after that some more data goes back and forth and then the
> > connection is closed. We can't see what exactly is happening; it's TLSv1.3.
> > When using ldap with port 3268 - its all good.
> > So the search itself seems to be fine.
> >
> > Only ldaps with port 3269 fails
> >
> > Is there maybe another debug Option for the ldap?
> >
> > Thank you
> >
> > Susan
> >
> >
> >
> > > -Original Message-
> > > From: Brian Wolfe 
> > > Sent: Thursday, 25 February 2021 17:00
> > > To: Tomcat Users List 
> > > Subject: Re: JNDI ldaps Problem with SSO
> > >
> > > If you define the truststore on the command line it will ignore the
> > > cacerts file.
> > > Also looks like you're trying to connect to AD over the catalog port.
> > > I would suggest using the LDAPS port 636. The GC port is used to search
> > > things within the forest that may not be in the domain. Small change but
> > > shouldn't cause a connection issue if you're using the catalog port.
> > >
> > > You shouldn't have to configure any additional SSL stuff on the realm.
> > > As long as your JNDI url is ldaps it should know to use SSL. Java will
> > > negotiate the SSL for you.
> > >
> > > One thing you can do is turn on SSL debug and look at the negotiation to
> > > see if it is negotiating SSL.
> > > -Djavax.net.debug=ssl
> > > You should see it negotiate with the ldap server on startup. You will
> > > also be able to see the whole SSL handshake and see if it's failing.
> > >
> > > On Thu, Feb 25, 2021 at 10:35 AM  wrote:
> > >
> > > > Hi Bill
> > > >
> > > > Thank you for your fast reply
> > > >
> > > > We are using RHEL7
> > > >
> > > > The JAVA is using its default cacerts which includes all ROOT CAs of
> > > > the LDAP Server.
> > > > We also added another truststore in the JAVA OPTS of the Tomcat JVM,
> > > > which also includes the whole chain of the LDAP Server Cert:
> > > >
> > > > tomcat   21503 1  2 Feb16 ?05:32:41 /usr/java/latest/bin/java
> > > > -Djava.util.logging.config.file=/opt/tomcat/tomcat8_app1/conf/logging.properties
> > > > -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> > > > -Djavax.net.ssl.trustStore=/etc/pki/tls/certs/RootCore.jks
> > > > -Djavax.net.ssl.trustStorePassword=xxx
> > > > -Djdk.tls.ephemeralDHKeySize=2048 -Xmx12G -XX:+UseThreadPriorities
> > > > -Dnm.data.home=/opt/tomcat/data
> > > > -Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf
> > > > -Djava.security.krb5.conf=/opt/tomcat/tomcat8_app1/conf/krb5.conf
> > > > -Djavax.security.auth.useSubjectCredsOnly=false
> > > > -Dsun.security.krb5.debug=false -Duser.timezone=Europe/Berlin
> > > > -Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed
> > > > -classpath
> > > > /opt/tomcat/apache-tomcat-8.0.36/bin/bootstrap.jar:/opt/tomcat/apache-
> > > >
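As an added example (not configuration posted in this thread, and not text from the Tomcat realm-howto), here is the JNDIRealm from the posted server.xml in the form it has in the thread, next to the same realm with the connectionName and connectionPassword attributes the quoted realm-howto paragraph describes. The realm as posted carries no connectionName, so JNDIRealm issues its userSearch on an anonymous connection; the DC reply that appears in the stack trace posted later in the thread, "In order to perform this operation a successful bind must be completed on the connection" (error code 1, 04DC), is what Active Directory returns to a search on an unbound connection. Whether that is the whole story the thread does not settle, but it is the first thing to rule out. Assumptions: the host in connectionURL and the password value are placeholders; the bind DN is the service account used with ldapsearch in the thread; the redacted domain names (XXXINTRA / bcintra) are kept exactly as posted.

```xml
<!-- Added example, not from the thread. Placeholders: the hostname in
     connectionURL and the connectionPassword value. -->

<!-- As posted (weak form): no connectionName, so the realm searches for the
     user on an unauthenticated connection. Active Directory answers such a
     search with "a successful bind must be completed on the connection"
     (LDAP error code 1, 04DC in the posted stack trace). -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://ldap.example.invalid:3269"
       userBase="DC=XXXINTRA,DC=CH"
       userSubtree="true"
       userSearch="(sAMAccountName={0})"
       userRoleName="memberOf"
       roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
       roleName="CN"
       roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
       roleSubtree="true"
       roleNested="true" />

<!-- Corrected form: the realm binds as a dedicated service account, runs
     userSearch and roleSearch on that bound connection, and then checks the
     user's own password with a separate bind as the user's DN (JNDIRealm
     does that when no userPassword attribute is configured).
     connectionPassword is stored in cleartext in server.xml: keep the file
     readable only by the account Tomcat runs as, and give the service
     account read-only directory rights and nothing more.
     Port 3269 is the Global Catalog over TLS; 636 is the domain LDAPS port
     suggested earlier in the thread. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://ldap.example.invalid:3269"
       connectionName="cn=SA-PF00-Appway,OU=PF00_Appway-CoreService,OU=PF00_Appway,OU=PF00_Server,OU=PF00_Res,OU=PF00,dc=bcintra,dc=ch"
       connectionPassword="REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD"
       userBase="DC=XXXINTRA,DC=CH"
       userSubtree="true"
       userSearch="(sAMAccountName={0})"
       userRoleName="memberOf"
       roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
       roleName="CN"
       roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
       roleSubtree="true"
       roleNested="true" />
```

To confirm which connection the search goes out on, enable the container logger Luis names above (`org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = ALL`) and, for the TLS side, the `-Djavax.net.debug=ssl` JVM option Brian suggested; the realm log shows the bind and search steps, the SSL debug output shows whether the handshake completes before the DC closes the socket.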

Re: JNDI ldaps Problem with SSO

2021-02-25 Thread Brian Wolfe
Seems there might be some debug you can turn on. I haven't tried it myself.
But look at this for reference.
https://ldapwiki.com/wiki/Tomcat%20And%20LDAP

On Thu, Feb 25, 2021 at 11:18 AM  wrote:

> Dear Brian
>
> Thank you for your reply
>
> We can see the successful handshake with the LDAP Server.
> We think that after that some more data goes back and forth and then the
> connection is closed. We can't see what exactly is happening; it's TLSv1.3.
> When using ldap with port 3268 - its all good.
> So the search itself seems to be fine.
>
> Only ldaps with port 3269 fails
>
> Is there maybe another debug Option for the ldap?
>
> Thank you
>
> Susan
>
>
>
> > -Original Message-
> > From: Brian Wolfe 
> > Sent: Thursday, 25 February 2021 17:00
> > To: Tomcat Users List 
> > Subject: Re: JNDI ldaps Problem with SSO
> >
> > If you define the truststore on the command line it will ignore the
> > cacerts file.
> > Also looks like you're trying to connect to AD over the catalog port.
> > I would suggest using the LDAPS port 636. The GC port is used to search
> > things within the forest that may not be in the domain. Small change but
> > shouldn't cause a connection issue if you're using the catalog port.
> >
> > You shouldn't have to configure any additional SSL stuff on the realm.
> > As long as your JNDI url is ldaps it should know to use SSL. Java will
> > negotiate the SSL for you.
> >
> > One thing you can do is turn on SSL debug and look at the negotiation to
> > see if it is negotiating SSL.
> > -Djavax.net.debug=ssl
> > You should see it negotiate with the ldap server on startup. You will
> > also be able to see the whole SSL handshake and see if it's failing.
> >
> > On Thu, Feb 25, 2021 at 10:35 AM  wrote:
> >
> > > Hi Bill
> > >
> > > Thank you for your fast reply
> > >
> > > We are using RHEL7
> > >
> > > The JAVA is using its default cacerts which includes all ROOT CAs of
> > > the LDAP Server.
> > > We also added another truststore in the JAVA OPTS of the Tomcat JVM,
> > > which also includes the whole chain of the LDAP Server Cert:
> > >
> > > tomcat   21503 1  2 Feb16 ?05:32:41 /usr/java/latest/bin/java
> > > -Djava.util.logging.config.file=/opt/tomcat/tomcat8_app1/conf/logging.properties
> > > -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> > > -Djavax.net.ssl.trustStore=/etc/pki/tls/certs/RootCore.jks
> > > -Djavax.net.ssl.trustStorePassword=xxx
> > > -Djdk.tls.ephemeralDHKeySize=2048 -Xmx12G -XX:+UseThreadPriorities
> > > -Dnm.data.home=/opt/tomcat/data
> > > -Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf
> > > -Djava.security.krb5.conf=/opt/tomcat/tomcat8_app1/conf/krb5.conf
> > > -Djavax.security.auth.useSubjectCredsOnly=false
> > > -Dsun.security.krb5.debug=false -Duser.timezone=Europe/Berlin
> > > -Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed
> > > -classpath /opt/tomcat/apache-tomcat-8.0.36/bin/bootstrap.jar:/opt/tomcat/apache-tomcat-8.0.36/bin/tomcat-juli.jar
> > > -Dcatalina.base=/opt/tomcat/tomcat8_appway1
> > > -Dcatalina.home=/opt/tomcat/apache-tomcat-8.0.36
> > > -Djava.io.tmpdir=/opt/tomcat/tomcat8_appway1/temp
> > > org.apache.catalina.startup.Bootstrap start
> > >
> > > Our server.xml only contains the ldap realm and database realm.
> > > Could it be, that a ssl config is necessary too?
> > >
> > > Thank you
> > >
> > > Susan
> > >
> > > > -Original Message-
> > > > From: Bill Stewart 
> > > > Sent: Donnerstag, 25. Februar 2021 16:04
> > > > To: Tomcat Users List 
> > > > Subject: Re: JNDI ldaps Problem with SSO
> > > >
> > > > On Thu, Feb 25, 2021 at 2:31 AM wrote:
> > > >
> > > > We are having a problem with our Single sign On config.
> > > > > When using ldap - all works well.
> > > > >
> > > > > When switiching to ldaps , the User loses to connection all
> > > > > together (Server not reachable)
> > > > >
> > > > > server.xml
> > > > >
> > > > > Good:
> > > > >  > > > >connectionURL="ldap://x..com:3268;
> > > > >userBase="DC=XXXINTRA,DC=CH"

RE: JNDI ldaps Problem with SSO

2021-02-25 Thread Susan.Wood
Dear Brian 

Thank you for your reply

We can see the successful handshake with the LDAP Server. 
We think, after that, some more data goes back and forth and then the
connection is closed. We can't see what exactly is happening - it's TLSv1.3.
When using ldap with port 3268 - it's all good.
So the search itself seems to be fine.

Only ldaps with port 3269 fails 

Is there maybe another debug Option for the ldap? 

Thank you 

Susan 



> -Original Message-
> From: Brian Wolfe 
> Sent: Thursday, 25 February 2021 17:00
> To: Tomcat Users List 
> Subject: Re: JNDI ldaps Problem with SSO
> 
> If you define the truststore on the command line it will ignore the cacerts
> file.
> Also looks like you're trying to connect to AD over the catalog port.
> I would suggest using the LDAPS port 636. The GC port is used to search
> things within the forest that may not be in the domain. Small change, but it
> shouldn't cause a connection issue if you're using the catalog port.
> 
> You shouldn't have to configure any additional SSL stuff on the realm. As long
> as your JNDI url is ldaps it should know to use SSL. Java will negotiate the 
> SSL
> for you.
> 
> One thing you can do is turn on SSL debug and look at the negotiation to see
> if it is negotiating SSL.
> *-Djavax.net.debug=ssl*
> You should see it negotiate with the ldap server on startup. You will also be
> able to see the whole SSL handshake and see if it's failing.
> 

Re: JNDI ldaps Problem with SSO

2021-02-25 Thread Brian Wolfe
If you define the truststore on the command line it will ignore the cacerts
file. Also looks like you're trying to connect to AD over the catalog port.
I would suggest using the LDAPS port 636. The GC port is used to search
things within the forest that may not be in the domain. Small change, but it
shouldn't cause a connection issue if you're using the catalog port.

You shouldn't have to configure any additional SSL stuff on the realm. As
long as your JNDI url is ldaps it should know to use SSL. Java will
negotiate the SSL for you.

One thing you can do is turn on SSL debug and look at the negotiation to
see if it is negotiating SSL.
*-Djavax.net.debug=ssl*
You should see it negotiate with the ldap server on startup. You will also
be able to see the whole SSL handshake and see if it's failing.

On Thu, Feb 25, 2021 at 10:35 AM  wrote:

> Hi Bill
>
> Thank you for your fast reply
>
> We are using RHEL7
>
> The JAVA is using its default cacerts which includes all ROOT CA's of the
> LDAP Server.
> We also added another Truststore in the JAVA OPTS of the Tomcat JVM, which
> also includes the whole chain of the LDAP Server Cert:
>
> tomcat   21503 1  2 Feb16 ?05:32:41 /usr/java/latest/bin/java
> -Djava.util.logging.config.file=/opt/tomcat/tomcat8_app1/conf/logging.properties
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> -Djavax.net.ssl.trustStore=/etc/pki/tls/certs/RootCore.jks
> -Djavax.net.ssl.trustStorePassword=xxx
> -Djdk.tls.ephemeralDHKeySize=2048 -Xmx12G -XX:+UseThreadPriorities
> -Dnm.data.home=/opt/tomcat/data
> -Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf
> -Djava.security.krb5.conf=/opt/tomcat/tomcat8_app1/conf/krb5.conf
> -Djavax.security.auth.useSubjectCredsOnly=false
> -Dsun.security.krb5.debug=false -Duser.timezone=Europe/Berlin
> -Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed -classpath
> /opt/tomcat/apache-tomcat-8.0.36/bin/bootstrap.jar:/opt/tomcat/apache-tomcat-8.0.36/bin/tomcat-juli.jar
> -Dcatalina.base=/opt/tomcat/tomcat8_appway1
> -Dcatalina.home=/opt/tomcat/apache-tomcat-8.0.36
> -Djava.io.tmpdir=/opt/tomcat/tomcat8_appway1/temp
> org.apache.catalina.startup.Bootstrap start
>
> Our server.xml only contains the ldap realm and database realm.
> Could it be, that a ssl config is necessary too?
>
> Thank you
>
> Susan
>


-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/
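To check the truststore and TLS debug settings Brian describes, and to give the extra LDAP-level trace Susan asks for earlier in the thread, here is a standalone JNDI probe, added as an example and not code from the thread or from Tomcat. It performs the same user and nested-group searches as the realm in the thread over ldaps on port 3269, with the JVM's TLS trace (javax.net.debug) and the JNDI LDAP provider's BER trace (com.sun.jndi.ldap.trace.ber) switched on, and reports transport failures separately from directory errors. The host name, the read-only bind account read from LDAP_BIND_DN and LDAP_BIND_PW, and TRUSTSTORE_PW are assumptions; the base DNs, filters and truststore path are those from the thread.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class LdapsProbe {
    // Base DNs and filters from the realm in the thread; the host is a placeholder.
    static final String URL = "ldaps://dc.example.invalid:3269";
    static final String USER_BASE = "DC=XXXINTRA,DC=CH";
    static final String ROLE_BASE = "OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch";

    public static void main(String[] args) throws NamingException {
        String account = args.length > 0 ? args[0] : "jdoe";   // sAMAccountName to look up (constructed)

        // Same trust settings the thread passes to Tomcat as -D flags (equivalent here).
        System.setProperty("javax.net.ssl.trustStore", "/etc/pki/tls/certs/RootCore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", required("TRUSTSTORE_PW"));
        System.setProperty("javax.net.debug", "ssl:handshake");   // TLS-layer trace

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, required("LDAP_BIND_DN"));   // read-only lookup account (assumed)
        env.put(Context.SECURITY_CREDENTIALS, required("LDAP_BIND_PW"));
        env.put("com.sun.jndi.ldap.trace.ber", System.err);   // LDAP-layer (BER) trace of every request/response

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);   // TLS handshake and bind happen here
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);   // userSubtree="true" / roleSubtree="true"
            sc.setReturningAttributes(new String[] {"distinguishedName"});
            // userSearch="(sAMAccountName={0})": JNDI fills in {0} and escapes filter
            // metacharacters, so an odd account name cannot change the query.
            NamingEnumeration<SearchResult> users =
                ctx.search(USER_BASE, "(sAMAccountName={0})", new Object[] {account}, sc);
            if (!users.hasMore()) { System.out.println("no such user: " + account); return; }
            String userDn = users.next().getNameInNamespace();
            System.out.println("user DN: " + userDn);
            // roleSearch="(member:1.2.840.113556.1.4.1941:={0})": AD's LDAP_MATCHING_RULE_IN_CHAIN,
            // which also returns groups reached through nested membership (roleNested="true").
            sc.setReturningAttributes(new String[] {"cn"});   // roleName="CN"
            NamingEnumeration<SearchResult> roles =
                ctx.search(ROLE_BASE, "(member:1.2.840.113556.1.4.1941:={0})", new Object[] {userDn}, sc);
            while (roles.hasMore()) System.out.println("role: " + roles.next().getAttributes().get("cn").get());
        } catch (CommunicationException e) {
            System.err.println("TLS/transport failure (trust, hostname, protocol, DC closed socket): " + e);
        } catch (NamingException e) {
            System.err.println("LDAP failure after a working TLS session (bind, base DN, rights): " + e);
        } finally {
            if (ctx != null) ctx.close();
        }
    }

    static String required(String name) {   // fail early instead of passing null into JNDI
        String v = System.getenv(name);
        if (v == null) throw new IllegalStateException(name + " not set");
        return v;
    }
}
```

Compile with javac and run as java LdapsProbe someuser with the three environment variables set; a CommunicationException points at the TLS layer Brian's debug flag shows, while a NamingException with a server error code means the directory answered and the BER trace shows the exact exchange.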


RE: JNDI ldaps Problem with SSO

2021-02-25 Thread Susan.Wood
Hi Bill 

Thank you for your fast reply

We are using RHEL7 

The JAVA is using its default cacerts which includes all ROOT CA's of the LDAP
Server.
We also added another Truststore in the JAVA OPTS of the Tomcat JVM, which also
includes the whole chain of the LDAP Server Cert:

tomcat   21503 1  2 Feb16 ?05:32:41 /usr/java/latest/bin/java 
-Djava.util.logging.config.file=/opt/tomcat/tomcat8_app1/conf/logging.properties
 -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
-Djavax.net.ssl.trustStore=/etc/pki/tls/certs/RootCore.jks 
-Djavax.net.ssl.trustStorePassword=xxx -Djdk.tls.ephemeralDHKeySize=2048 
-Xmx12G -XX:+UseThreadPriorities -Dnm.data.home=/opt/tomcat/data 
-Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf 
-Djava.security.krb5.conf=/opt/tomcat/tomcat8_app1/conf/krb5.conf 
-Djavax.security.auth.useSubjectCredsOnly=false -Dsun.security.krb5.debug=false 
-Duser.timezone=Europe/Berlin 
-Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed -classpath 
/opt/tomcat/apache-tomcat-8.0.36/bin/bootstrap.jar:/opt/tomcat/apache-tomcat-8.0.36/bin/tomcat-juli.jar
 -Dcatalina.base=/opt/tomcat/tomcat8_appway1 
-Dcatalina.home=/opt/tomcat/apache-tomcat-8.0.36 
-Djava.io.tmpdir=/opt/tomcat/tomcat8_appway1/temp 
org.apache.catalina.startup.Bootstrap start

Our server.xml only contains the ldap realm and database realm. 
Could it be, that a ssl config is necessary too? 

Thank you 

Susan 

> -Original Message-
> From: Bill Stewart 
> Sent: Thursday, 25 February 2021 16:04
> To: Tomcat Users List 
> Subject: Re: JNDI ldaps Problem with SSO
> 
> If you are running Tomcat on Windows, my question is whether the Java
> running your Tomcat server trusts the Windows certificate store for the
> secure LDAP.
> 
> If you are running Tomcat on Windows, try adding the following parameter to
> the Java command line for your application:
> 
> -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT
> 
> (If you are using procrun which is likely on Windows, this means to go to the
> "Java" tab for the Tomcat service configuration and add the above line to the
> "Java Options" text box.)
> 
> Bill

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: JNDI ldaps Problem with SSO

2021-02-25 Thread Bill Stewart
On Thu, Feb 25, 2021 at 2:31 AM wrote:

We are having a problem with our Single sign On config.
> When using ldap - all works well.
>
> When switching to ldaps, the User loses the connection altogether
> (Server not reachable)
>
> server.xml
>
> Good:
>    connectionURL="ldap://x..com:3268"
>    userBase="DC=XXXINTRA,DC=CH"
>    userSubtree="true"
>    userSearch="(sAMAccountName={0})"
>    userRoleName="memberOf"
>    roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
>    roleName="CN"
>    roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
>    roleSubtree="true"
>    roleNested="true" />
>
> bad:
>
>    connectionURL="ldaps://x..com:3269"
>    userBase="DC=XXXINTRA,DC=CH"
>    userSubtree="true"
>    userSearch="(sAMAccountName={0})"
>    userRoleName="memberOf"
>    roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
>    roleName="CN"
>    roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
>    roleSubtree="true"
>    roleNested="true" />
>

If you are running Tomcat on Windows, my question is whether the Java
running your Tomcat server trusts the Windows certificate store for the
secure LDAP.

If you are running Tomcat on Windows, try adding the following parameter to
the Java command line for your application:

-Djavax.net.ssl.trustStoreType=WINDOWS-ROOT

(If you are using procrun which is likely on Windows, this means to go to
the "Java" tab for the Tomcat service configuration and add the above line
to the "Java Options" text box.)

Bill


JNDI ldaps Problem with SSO

2021-02-25 Thread Susan.Wood
Hi all

apache-tomcat-8.0.36

java version "1.8.0_281"
Java(TM) SE Runtime Environment (build 1.8.0_281-b09)
Java HotSpot(TM) 64-Bit Server VM (build 25.281-b09, mixed mode)

We are having a problem with our Single sign On config.
When using ldap - all works well.

When switching to ldaps, the User loses the connection altogether (Server
not reachable)



server.xml

Good:
   connectionURL="ldap://x..com:3268"
   userBase="DC=XXXINTRA,DC=CH"
   userSubtree="true"
   userSearch="(sAMAccountName={0})"
   userRoleName="memberOf"
   roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
   roleName="CN"
   roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
   roleSubtree="true"
   roleNested="true" />

bad:




Connectivity to the DC is fine (ldapsearch with ldaps works), the SSL connection
itself seems to be fine, Certificates are fine, we are sending the truststore as
well. All is in the relevant cacerts too.
We have a https Server in Front and a proxy Setting to the tomcat.

/usr/java/latest/bin/java 
-Djava.util.logging.config.file=/opt/tomcat/tomcat8_appway1/conf/logging.properties
 -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
-Djavax.net.ssl.trustStore=/etc/pki/tls/certs/xxRootCore.jks 
-Djavax.net.ssl.trustStorePassword=xx -Djdk.tls.ephemeralDHKeySize=2048 
-Xmx12G -XX:+UseThreadPriorities -Dnm.data.home=/opt/tomcat/data 
-Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf 
-Djava.security.krb5.conf=/opt/tomcat/tomcat8_appway1/conf/krb5.conf 
-Djavax.security.auth.useSubjectCredsOnly=false -Dsun.security.krb5.debug=false 
-Duser.timezone=Europe/Berlin 
-Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed -classpath 
/opt/tomcat/apache-tomcat-8.0.36/bin/bootstrap.jar:/opt/tomcat/apache-tomcat-8.0.36/bin/tomcat-juli.jar
 -Dcatalina.base=/opt/tomcat/tomcat8_appway1 
-Dcatalina.home=/opt/tomcat/apache-tomcat-8.0.36 
-Djava.io.tmpdir=/opt/tomcat/tomcat8_appway1/temp 
org.apache.catalina.startup.Bootstrap start


We do not see a direct Error in the Catalina.out

Domain controller seems to close the connection. The Error is "The Parameter is 
incorrect", "The System cannot find the path specified."

What are we missing?

Do I need to configure some SSL Realm in the server.xml as well?

Thank you


Susan Wood

System Engineering
Phone +41-58-223 70 83
Mobile   +41-79-375 34 58
susan.w...@swisscom.com

Swisscom (Schweiz) AG
Business Customers
Solution Center Banking
Ey 10
3063 Ittigen
www.swisscom.com
Postal address:
P.O. Box
3050 Bern