LDAP authentication

jiminsc 2011-11-01 11:20:29
I recently ran into the following problem using LDAP.
I imported the server's certificate into /lib/security/cacerts.
Using LDAP from a Java application, authentication works normally.

But when the same code is used for authentication inside WebSphere, it returns the following error:
javax.naming.CommunicationException: simple bind failed: 10.200.144.176:636 [Root exception is javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=W03S1BNKDCS06, DC=reg3, DC=uat1bank, DC=dbs, DC=com is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error]
......

I imported the certificate into the cacerts of WAS's own JRE and authenticated again: still the same error.

Has anyone run into a similar error?
铁匠梁 2011-11-10
I just did a test of this recently. WS had to be deployed with a root certificate + user certificate, and then user information in the AD domain was accessed over LDAP SSL; if AD allows modification, user information can be modified as well.

Briefly, the process:
1. Set up an AD server
2. Set up a CA certificate server
3. Set up an IIS server to issue certificates to others (generate root certificate + user certificate)
4. Generate a certificate store on the WS side, i.e. import the root certificate + user certificate files
5. Use the generated certificate store to access account information in the AD domain
liuyan5499 2011-11-10
OP, did you solve it? I have the same problem and it is driving me mad. Begging for an answer!
jiminsc 2011-11-03
No luck, still asking for help -_-||
什么都不能 2011-11-02
Was your certificate issued by a CA?
kouyiSC 2011-11-02
[Quote]
Appendix: troubleshooting

1. If, while testing an integration service that tries to put a message on or get a message from a queue hosted on a remote WebSphere Application Server, you see the following error message, you must export the LTPA keys from the WebSphere Lombardi Edition server and import them into WebSphere Application Server. >> SERVER (id=4773e3aa, host=satishm) TRACE START:
>> org.omg.CORBA.NO_PERMISSION: Validation of LTPA token failed due to
invalid keys or token type. vmcid: 0x49424000 minor code: 300 completed: No
>> at com.ibm.ISecurityLocalObjectBaseL13Impl.PrincipalAuthFailReason.
map_auth_fail_to_minor_code(PrincipalAuthFailReason.java:88)
>> at com.ibm.ISecurityLocalObjectBaseL13Impl.CSIServerRIBase.
authenticateSecurityTokens(CSIServerRIBase.java:4486)
>> at com.ibm.ISecurityLocalObjectBaseL13Impl.CSIServerRI.
receive_request(CSIServerRI.java:615)
>> at com.ibm.rmi.pi.InterceptorManager.invokeInterceptor
(InterceptorManager.java:624)
>> at com.ibm.rmi.pi.InterceptorManager.iterateServerInterceptors
(InterceptorManager.java:528)
>> at com.ibm.rmi.pi.InterceptorManager.iterateReceiveRequest
(InterceptorManager.java:770)
>> at com.ibm.CORBA.iiop.ServerDelegate.dispatchInvokeHandler
(ServerDelegate.java:611)
>> at com.ibm.CORBA.iiop.ServerDelegate.dispatch(ServerDelegate.java:475)
>> at com.ibm.rmi.iiop.ORB.process(ORB.java:513)
>> at com.ibm.CORBA.iiop.ORB.process(ORB.java:1574)
>> at com.ibm.rmi.iiop.Connection.respondTo(Connection.java:2841)
>> at com.ibm.rmi.iiop.Connection.doWork(Connection.java:2714)
>> at com.ibm.rmi.iiop.WorkUnitImpl.doWork(WorkUnitImpl.java:63)
>> at com.ibm.ejs.oa.pool.PooledThread.run(ThreadPool.java:118)
>> at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1550)
>> SERVER (id=4773e3aa, host=satishm) TRACE END.


2. If you see the following error, you need to import the server certificate on the client. CAUGHT_EXCEPTION_WHILE_CONFIGURING_SSL_CLIENT_SOCKET: JSSL0080E:
javax.net.ssl.SSLHandshakeException - The client and server could not
negotiate the desired level of security. Reason: com.ibm.jsse2.util.g:
PKIX path building failed: java.security.cert.CertPathBuilderException:
PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by
CN=192.168.0.100, OU=Root Certificate, OU=qcell, OU=qnode, O=IBM,
C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error

3. If you see a Connection timed out error, restart the remote WebSphere Application Server and try again. Connection timed out: connect

[/Quote]
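Both the step "generate a certificate store on the WS side" in 铁匠梁's reply and item 2 of the troubleshooting appendix above come down to one thing: the client truststore must contain the signer of the chain the LDAPS server actually presents, and the error message names that signer ("The certificate issued by CN=... is not trusted"). The helper below is an added example and not code from this thread or from IBM; it does a "retrieve from port" in plain Java: handshake with the server, print the chain it sends, store the top of that chain as a trusted entry, and re-run the same PKIX validation JSSE performs, so you can see before and after whether the chaining error is resolved for that store. The class name, argument layout and alias prefix are this example's own choices.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example: inspect an LDAPS server's chain, import its signer, re-validate. */
public class LdapsSignerImport {

    /** Records the presented chain instead of validating it; used only for inspection. */
    static final class CapturingTrustManager implements X509TrustManager {
        X509Certificate[] chain;
        public void checkClientTrusted(X509Certificate[] c, String authType) { }
        public void checkServerTrusted(X509Certificate[] c, String authType) { chain = c; }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** Handshakes with host:port and returns the chain the server sent, leaf first. */
    static X509Certificate[] fetchChain(String host, int port) throws Exception {
        CapturingTrustManager tm = new CapturingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        }
        return tm.chain;
    }

    /** Opens an existing store or starts an empty one of the given type. */
    static KeyStore loadOrCreate(File file, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        if (file.exists()) {
            try (FileInputStream in = new FileInputStream(file)) { ks.load(in, password); }
        } else {
            ks.load(null, password);
        }
        return ks;
    }

    /** The same PKIX check JSSE runs during the handshake, against the given store. */
    static boolean trusts(KeyStore store, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                try {
                    ((X509TrustManager) tm).checkServerTrusted(chain, "RSA");
                    return true;
                } catch (CertificateException e) {
                    System.out.println("not trusted: " + e.getMessage());
                    return false;
                }
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        // usage (assumed layout): LdapsSignerImport host port storePath JKS|PKCS12 storePassword
        // A JRE cacerts file is JKS with password "changeit"; a WAS trust.p12 is PKCS12.
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        File storeFile = new File(args[2]);
        String type = args[3];
        char[] pw = args[4].toCharArray();

        X509Certificate[] chain = fetchChain(host, port);
        for (int i = 0; i < chain.length; i++) {
            System.out.println("[" + i + "] subject: " + chain[i].getSubjectX500Principal());
            System.out.println("    issuer:  " + chain[i].getIssuerX500Principal());
        }
        KeyStore store = loadOrCreate(storeFile, type, pw);
        System.out.println("before import, trusted = " + trusts(store, chain));

        // The signer to trust is the top of the chain. If the server sends only its own
        // leaf, importing that leaf makes the leaf itself the trust anchor, which has to
        // be redone every time the server certificate is renewed; the CA certificate named
        // as issuer in the error is the durable choice and must be fetched from the CA.
        X509Certificate signer = chain[chain.length - 1];
        boolean selfSigned = signer.getSubjectX500Principal().equals(signer.getIssuerX500Principal());
        if (!selfSigned) {
            System.out.println("warning: top of chain is not a root; its issuer "
                + signer.getIssuerX500Principal() + " is what the validator needs to trust");
        }
        store.setCertificateEntry("ldaps-signer-" + host, signer);
        try (FileOutputStream out = new FileOutputStream(storeFile)) { store.store(out, pw); }
        System.out.println("after import, trusted = " + trusts(store, chain));
    }
}
```

The "before" check is the useful part for this thread: run it against the exact store the application is configured to use. If it already reports trusted = true for the JRE cacerts while WebSphere still fails, the application is not reading that file, which is the case inside WAS (see the example after the code further down).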
jiminsc 2011-11-02
[Quote from pirates_fish, reply #3:]

[/Quote] @_____________@
pirates_fish 2011-11-02
jiminsc 2011-11-02
The certificate was generated on the LDAP server; it is a .cer file, and I have already imported it into the cacerts store.
jiminsc 2011-11-02
[Quote from kouyisc, reply #5:]

Quote
Appendix: troubleshooting

2. If you see the following error, you need to import the server certificate on the client. CAUGHT_EXCEPTION_WHILE_CONFIGURING_SSL_CLIENT_SOCKET: JSSL0080E:
javax.net.ssl.SSLHandshakeException - The client and server could not
negotiate the desired level of security. Reason: com.ibm.jsse2.util.g:
PKIX path building failed: java.security.cert.CertPathBuilderException:
PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by
CN=192.168.0.100, OU=Root Certificate, OU=qcell, OU=qnode, O=IBM,
C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
[/Quote]
This error looks a lot like mine; it also says the certificate is "not trusted". The question is just: for a web application deployed on WebSphere, what is the correct way to import a .cer certificate?
Below is the code that connects to LDAP

import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.ldap.InitialLdapContext;

// Constants is the poster's configuration holder (values listed below) and
// log the poster's logger; neither is shown in the thread.
public static boolean checkLdap2(String uid, String pwd) {
    Hashtable<String, String> env = new Hashtable<String, String>();

    String address = Constants.ldapaddress;   // AD domain, used to form the UPN
    String keystore = Constants.keystore;     // truststore path
    String searchBase = Constants.searchBase;
    String ip = Constants.ip;                 // host:port of the LDAPS listener

    System.out.println("ldapaddress = [" + address + "]");
    System.out.println("searchBase = [" + searchBase + "]");
    System.out.println("ip = [" + ip + "]");
    System.out.println("keystore = [" + keystore + "]");

    // An empty password turns a simple bind into an unauthenticated (anonymous)
    // bind, which AD accepts, so the bind would succeed without checking anything.
    if (uid == null || uid.isEmpty() || pwd == null || pwd.isEmpty()) {
        return false;
    }

    String adminName = uid + "@" + address;   // bind as userPrincipalName
    String adminPassword = pwd;
    String ldapURL = "ldaps://" + ip;

    // JVM-wide property read by the default JSSE trust manager; it does not
    // reach a container that installs its own SSL socket factory.
    System.setProperty("javax.net.ssl.trustStore", keystore);
    env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");

    env.put("java.naming.security.authentication", "simple");
    env.put("java.naming.security.principal", adminName);
    env.put("java.naming.security.credentials", adminPassword);

    env.put("java.naming.security.protocol", "ssl");

    env.put("java.naming.provider.url", ldapURL);

    DirContext ctx = null;
    try {
        ctx = new InitialLdapContext(env, null);   // the bind happens here
        log.info("authentication succeeded");
        System.out.println("authentication succeeded");
    } catch (AuthenticationException e) {
        log.error("authentication failed", e);    // wrong user or password
    } catch (Exception e) {
        log.error("authentication error:", e);    // TLS, chain or network problem
    }

    if (ctx != null) {
        try {
            ctx.close();
            return true;
        } catch (NamingException localNamingException) {
            log.error("authentication exception", localNamingException);
        }
    }
    return false;
}


Below are the configuration entries
LDAP_IP=10.200.144.176:636
LDAP_ADDRESS=reg3.uat1bank.dbs.com
LDAP_KEYSTORE=/usr/java5_64/jre/lib/security/cacerts
# switching this to the cacerts under the WAS directory still does not work

LDAP_SearchBASE=DC=reg3,DC=uat1bank,DC=dbs,DC=com

I had already imported the LDAP server's certificate into cacerts with keytool beforehand.
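The reason the code above behaves differently inside WebSphere than as a stand-alone application is that WebSphere installs its own JSSE socket factory (ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory in the WAS java.security), which takes its trust material from the WAS SSL configuration (by default the NodeDefaultTrustStore, trust.p12) rather than from the JRE cacerts or from javax.net.ssl.trustStore. The usual fix is to add the LDAP server's signer to that store (admin console: Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates > Retrieve from port). When the application must control trust itself, JNDI accepts an explicit socket factory through java.naming.ldap.factory.socket, which bypasses whatever the JVM default is. The class below is an added example, not the poster's code or IBM's; the property names it reads and the class name are this example's own choices, and the class must be loadable by the JNDI provider's context class loader.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.ldap.InitialLdapContext;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example: an SSLSocketFactory bound to one explicit truststore, handed to
 * JNDI via java.naming.ldap.factory.socket. The LDAP provider loads the class by
 * name and calls its static getDefault(), so the store location has to come from
 * static state; here it is read from system properties of this example's naming.
 */
public class PinnedTrustSocketFactory extends SSLSocketFactory {
    public static final String STORE_PROP = "example.ldap.trustStore";          // assumed name
    public static final String PASS_PROP  = "example.ldap.trustStorePassword";  // assumed name
    public static final String TYPE_PROP  = "example.ldap.trustStoreType";      // assumed name

    private final SSLSocketFactory delegate;

    private PinnedTrustSocketFactory(SSLSocketFactory delegate) { this.delegate = delegate; }

    /** Called reflectively by com.sun.jndi.ldap; builds a context from the pinned store only. */
    public static SocketFactory getDefault() {
        try {
            KeyStore ts = KeyStore.getInstance(System.getProperty(TYPE_PROP, "JKS"));
            try (FileInputStream in = new FileInputStream(System.getProperty(STORE_PROP))) {
                ts.load(in, System.getProperty(PASS_PROP, "changeit").toCharArray());
            }
            TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts);
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);
            return new PinnedTrustSocketFactory(ctx.getSocketFactory());
        } catch (Exception e) {
            throw new IllegalStateException("cannot build LDAPS socket factory", e);
        }
    }

    // Delegation required by the abstract SSLSocketFactory API.
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean autoClose) throws IOException {
        return delegate.createSocket(s, h, p, autoClose);
    }
    @Override public Socket createSocket(String h, int p) throws IOException { return delegate.createSocket(h, p); }
    @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException {
        return delegate.createSocket(h, p, lh, lp);
    }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException { return delegate.createSocket(h, p); }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress lh, int lp) throws IOException {
        return delegate.createSocket(h, p, lh, lp);
    }

    /** Simple bind over LDAPS through the pinned store; true only for an authenticated bind. */
    public static boolean checkLdap(String ldapsUrl, String upn, String pwd) {
        // Empty credentials would make this an unauthenticated bind that AD accepts.
        if (upn == null || upn.isEmpty() || pwd == null || pwd.isEmpty()) return false;

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);                       // e.g. ldaps://host:636
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put("java.naming.ldap.factory.socket", PinnedTrustSocketFactory.class.getName());
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, upn);                      // user@domain
        env.put(Context.SECURITY_CREDENTIALS, pwd);

        DirContext ctx = null;
        try {
            ctx = new InitialLdapContext(env, null);
            return true;
        } catch (AuthenticationException e) {
            return false;   // bad user or password: the only case that means "denied"
        } catch (NamingException e) {
            // Chain, TLS or network failure: surface it instead of reporting "denied".
            throw new IllegalStateException("LDAPS bind could not be performed: " + e, e);
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
```

Set example.ldap.trustStore (and, if not JKS/changeit, the type and password properties) to the store that holds the LDAP server's CA certificate before the first call; the same store works unchanged in a stand-alone JVM and inside WAS because the provider never consults the JVM default factory. Keep the distinction in the catch blocks: a CommunicationException such as the one in the original post is an infrastructure fault and must not be reported to the caller as a failed login.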
