Java service (JNDI over SSL) using IS 7.2.1. trust certs

Hi all,

I have a Java service that does JNDI over SSL. It uses the LDAP classes in a way the pub.client.ldap:* services don’t, so I had to use the Java service.

The Java code is not working when it runs in the IS’s JVM, because the code is not able to use the trust certs that are in the IS’s trust cert directory.

This is the piece of the code that handles the credentials for the authentication:


		// imports needed by the snippet below
		import java.util.Hashtable;
		import javax.naming.AuthenticationException;
		import javax.naming.Context;
		import javax.naming.NamingException;
		import javax.naming.directory.DirContext;
		import javax.naming.directory.InitialDirContext;
		import javax.naming.ldap.InitialLdapContext;
		import javax.naming.ldap.LdapContext;
		...
		// the following two statements exist on the standalone JVM version only
		System.setProperty("javax.net.ssl.trustStore", "keystore.jks");
		System.setProperty("javax.net.ssl.trustStorePassword", "password");
		...
		LdapContext ldapContext = null; // initialised to null so both can be closed in finally
		DirContext ctx = null;
		try {
			env = new Hashtable<String, String>();
			env.put(Context.INITIAL_CONTEXT_FACTORY,
					"com.sun.jndi.ldap.LdapCtxFactory");
			env.put(Context.PROVIDER_URL, "ldaps://" + domain + ".xxxxx.com:636/"); // THIS IS THE DOMAIN CONTROLLER
			// create the LDAP context using the properties entered above
			// (no credentials yet, so this is an anonymous bind; the TLS handshake,
			// and therefore any trust-store failure, already happens here)
			ldapContext = new InitialLdapContext(env, null);
			// Authenticate using the parameters passed into the function
			env.put(Context.SECURITY_AUTHENTICATION, "simple");
			env.put(Context.SECURITY_PRINCIPAL, (domain + "\\" + username));
			env.put(Context.SECURITY_CREDENTIALS, password);
			// Create the DirContext
			ctx = new InitialDirContext(env);

			// OK, THE PROVIDED CREDENTIALS ARE VALID
			rVal = true;

		} catch (AuthenticationException authE) {
			// :( NOPE - THE CREDENTIALS ARE INVALID
			rVal = false;
			// any other NamingException (e.g. an SSL/trust failure) propagates to the caller
		} finally {
			// release both connections to the DC
			try { if (ctx != null) ctx.close(); } catch (NamingException ignore) {}
			try { if (ldapContext != null) ldapContext.close(); } catch (NamingException ignore) {}
		}
...

Initially, this code, running either on a standalone JVM or on the IS, was throwing SSL certificate errors. After I got the right CA cert installed in the “keystore.jks” keystore, the standalone version started to work. I also installed the cert in the CA Certificate Directory (IS Admin | Security | Certificates), and the pub.client.ldap:bind service no longer threw cert errors when connecting to “ldaps://” + domain + “.xxxxx.com:636/”, thus proving that the IS now recognizes the DC’s SSL cert.

However, running the code on the IS continues to fail due to the lack of the CA’s cert. It looks like the Java service is not using the IS’s CA trust key store. And I don’t want to mess with the IS JVM’s trust store configuration, because this is a JVM-wide setting. Changing it might potentially break other things. Thus I prefer to use the IS’s “standard” way, which is using the certs in the “CA Certs Directory”.

Does anyone know how to do this (to make the JNDI call use the certs from the “CA Certs Dir”)? Given that the pub.client.ldap:bind service was able to bind using the ldaps protocol, it is possible. Unfortunately, the documentation is completely silent on how to do this…

Any help is greatly appreciated.

The pub.client.ldap service sets the socket factory to an internal value which is configured to use the CA certs file. Not something that is documented or supported with external code.

The recommended way to do this is to import the CA certificate of your LDAP server into the IS JVM cacerts file using keytool.
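An added example, not code from this thread or from Integration Server, showing the standard JNDI alternative to the two options discussed above (the undocumented internal socket factory, or changing the JVM-wide cacerts): the `java.naming.ldap.factory.socket` environment property points the LDAP provider at a socket factory whose trust store is built from the CA certificate files in one directory, so nothing JVM-wide changes and only that CA is trusted for this bind. The class name, the `ca.certs.dir` property, the directory path and the `bind` helper are assumptions.

```java
import java.io.*;
import java.net.*;
import java.security.*;
import java.security.cert.*;
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
import javax.net.SocketFactory;
import javax.net.ssl.*;
/** Hypothetical: trusts only the CA certificates (PEM or DER files) found in one directory. */
public class DirTrustSocketFactory extends SocketFactory {
    static final String CA_DIR = System.getProperty("ca.certs.dir", "/path/to/ca-certs"); // assumed path
    private final SSLSocketFactory delegate;
    private DirTrustSocketFactory() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty in-memory trust store: the JVM's cacerts is never touched
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        File[] files = new File(CA_DIR).listFiles();
        if (files == null || files.length == 0) throw new IOException("no CA certs in " + CA_DIR);
        for (File f : files) try (InputStream in = new FileInputStream(f)) {
            ks.setCertificateEntry(f.getName(), cf.generateCertificate(in)); // fails fast on a non-cert file
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // default key managers, our trust managers
        delegate = ctx.getSocketFactory();
    }
    /** The JNDI LDAP provider calls this static method when java.naming.ldap.factory.socket names this class. */
    public static SocketFactory getDefault() {
        try { return new DirTrustSocketFactory(); } catch (Exception e) { throw new IllegalStateException(e); }
    }
    @Override public Socket createSocket() throws IOException { return delegate.createSocket(); }
    @Override public Socket createSocket(String h, int p) throws IOException { return delegate.createSocket(h, p); }
    @Override public Socket createSocket(String h, int p, InetAddress la, int lp) throws IOException { return delegate.createSocket(h, p, la, lp); }
    @Override public Socket createSocket(InetAddress a, int p) throws IOException { return delegate.createSocket(a, p); }
    @Override public Socket createSocket(InetAddress a, int p, InetAddress la, int lp) throws IOException { return delegate.createSocket(a, p, la, lp); }
    /** Simple LDAPS bind through the factory above; false on bad credentials, TLS/trust errors still propagate. */
    public static boolean bind(String url, String principal, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url); // e.g. "ldaps://dc.example.com:636/"
        env.put("java.naming.ldap.factory.socket", DirTrustSocketFactory.class.getName());
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try { new InitialDirContext(env).close(); return true; } catch (AuthenticationException e) { return false; }
    }
}
```

Because the class is loaded by name, it must be on a classpath the JNDI provider can see (for an IS Java service, the package's or server's code directory), and any non-certificate file in the directory makes `getDefault()` fail rather than silently shrinking the trust set.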

tbond,

Thanks for the reply.

After reviewing the IS code, I found a typo in one of the pub.client.ldap:bind’s ldapEnv variables. After fixing, it worked. Therefore, no need to use a ‘handcrafted’ Java service.

Regards,
Feng