Hi all,
I have a Java service that does JNDI over SSL. It uses the LDAP classes in a way the pub.client.ldap:* services don’t, so I had to use the Java service.
The Java code is not working when it runs in the IS's JVM, because the code is not able to use the trust certs that are in the IS's trust cert directory.
This is the piece of the code that handles the credentials for the authentication:
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
...
// the following two statements exist on the standalone JVM version only
// (they set JVM-wide defaults, which is exactly what is not wanted on the IS)
System.setProperty("javax.net.ssl.trustStore", "keystore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "password");
...
boolean rVal;
DirContext ctx = null;
try {
    Hashtable<String, Object> env = new Hashtable<String, Object>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldaps://" + domain + ".xxxxx.com:636/"); // THIS IS THE DOMAIN CONTROLLER
    // Authenticate using the parameters passed into the function
    // ("simple" sends the password in the clear inside the TLS session,
    // which is why the server certificate has to be trusted)
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, domain + "\\" + username);
    env.put(Context.SECURITY_CREDENTIALS, password);
    // Create the DirContext: the TLS handshake and the bind both happen here.
    // (The extra unauthenticated InitialLdapContext that was opened before the
    // credentials were set has been dropped; its handle was never used or closed.)
    ctx = new InitialDirContext(env);
    // OK, THE PROVIDED CREDENTIALS ARE VALID
    rVal = true;
} catch (AuthenticationException authE) {
    // :( NOPE - THE CREDENTIALS ARE INVALID
    rVal = false;
    // Any other NamingException (e.g. the CommunicationException that wraps the
    // SSL certificate error) is not caught here and propagates to the caller.
} finally {
    if (ctx != null) {
        try { ctx.close(); } catch (NamingException ignore) { }
    }
}
...
Initially, this code, running either on a standalone JVM or on the IS, was throwing SSL certificate errors. After I got the right CA cert installed in the "keystore.jks" keystore, the standalone version started to work. After I also installed the cert in the CA Certificate Directory (IS Admin | Security | Certificates), the pub.client.ldap:bind service no longer threw cert errors when connecting to "ldaps://" + domain + ".xxxxx.com:636/", thus proving that the IS now recognizes the DC's SSL cert.
However, running the code on the IS continues to fail, due to the missing CA cert. It looks like the Java service is not using the IS's CA trust store. And I don't want to mess with the IS JVM's trust store configuration, because this is a JVM-wide setting; changing it might potentially break other things. Thus I prefer to use the IS's "standard" way, which is to use the certs in the "CA Certs Directory".
Does anyone know how to do this (to make the JNDI call use the certs from the "CA Certs Dir")? Since the pub.client.ldap:bind service was able to bind using the ldaps protocol, it is possible. Unfortunately, the documentation is completely silent on how to do this…
Any help is greatly appreciated.
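The post asks how to give a single JNDI LDAPS connection its own set of trust anchors without touching the JVM-wide javax.net.ssl.trustStore. The following is an added example, not code from the post and not the Integration Server's own API: it uses the JNDI LDAP provider's java.naming.ldap.factory.socket environment property, which names a class with a public static getDefault() method that returns the SocketFactory to use for that context only. The example builds an in-memory trust store from every X.509 certificate file (PEM or DER) found in a directory, on the assumption that the IS "CA Certs Directory" is such a directory of certificate files (the path passed in as caDir is whatever that directory is on the server, and is an assumption here). The hostname suffix ".xxxxx.com" is carried over from the post. Java 7 or later is assumed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * SSLSocketFactory whose trust anchors come from a directory of CA certificate
 * files instead of the JVM-wide javax.net.ssl.trustStore. The JNDI LDAP provider
 * obtains it by calling the public static getDefault() named in
 * java.naming.ldap.factory.socket, so only contexts that set that property use it.
 */
public class DirTrustSocketFactory extends SSLSocketFactory {

    // getDefault() takes no parameters, so the directory is handed over via a static
    // field that must be set before the first InitialDirContext is created.
    private static volatile Path trustDir;

    public static void setTrustDirectory(Path dir) { trustDir = dir; }

    public static SocketFactory getDefault() {
        try {
            return new DirTrustSocketFactory(buildContext(trustDir).getSocketFactory());
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalStateException("cannot build trust store from " + trustDir, e);
        }
    }

    /** Loads every certificate in dir (PEM, possibly several per file, or DER) as a trust anchor. */
    static SSLContext buildContext(Path dir) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty in-memory key store, never written to disk
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int n = 0;
        try (DirectoryStream<Path> files = Files.newDirectoryStream(dir)) {
            for (Path f : files) {
                if (!Files.isRegularFile(f)) continue;
                try (InputStream in = Files.newInputStream(f)) {
                    for (Certificate c : cf.generateCertificates(in)) {
                        ks.setCertificateEntry(f.getFileName() + "-" + n++, c);
                    }
                }
            }
        }
        if (n == 0) throw new IllegalStateException("no certificates found in " + dir);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, only the custom trust managers
        return ctx;
    }

    private final SSLSocketFactory delegate;
    private DirTrustSocketFactory(SSLSocketFactory d) { delegate = d; }

    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean a) throws IOException { return delegate.createSocket(s, h, p, a); }
    @Override public Socket createSocket(String h, int p) throws IOException { return delegate.createSocket(h, p); }
    @Override public Socket createSocket(String h, int p, InetAddress l, int lp) throws IOException { return delegate.createSocket(h, p, l, lp); }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException { return delegate.createSocket(h, p); }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress l, int lp) throws IOException { return delegate.createSocket(h, p, l, lp); }

    /** The bind from the post, with trust scoped to this connection. caDir is an assumed path. */
    public static boolean authenticate(Path caDir, String domain, String username, String password)
            throws NamingException {
        setTrustDirectory(caDir);
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + domain + ".xxxxx.com:636/");
        env.put("java.naming.ldap.factory.socket", DirTrustSocketFactory.class.getName());
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, domain + "\\" + username);
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // TLS handshake against caDir anchors, then the bind
            return true;
        } catch (AuthenticationException e) {
            return false; // wrong credentials; a trust failure surfaces as CommunicationException instead
        } finally {
            if (ctx != null) ctx.close();
        }
    }
}
```

Two caveats for running this inside a container such as the IS. The JNDI provider loads the factory class through the thread's context class loader, so the class has to be visible from there (placing it where the server, rather than a single package, loads its classes is the usual fix when the lookup fails with a ClassNotFoundException). And because getDefault() is static, the directory is read afresh for every context that names this factory; cache the built SSLContext in a static field if the service is called often and the certificate directory changes rarely.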