0 Replies Latest reply on Jul 27, 2015 9:10 AM by tkulibaev

    Caused by: java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected

    tkulibaev

      Hello to all!

      I use JBoss EAP 6.4.0 and I have successfully set up an LDAP connection to MS Active Directory (port 389) for both http-management and jboss-cli.sh.

      LDAP authentication works fine. But user passwords are travelling between JBoss EAP and MS AD in unencrypted form, so my next step is to use LDAP over TLS, port 636.

      Based on the JBoss EAP Security Guide I've loaded the whole certificate chain from MS AD using openssl:

      openssl s_client -showcerts -connect <LDAP-ip>:636 > cert.pem
      openssl x509 -outform der -in cert.pem -out cert.der

      then cert.der was imported into the keystore.

       

      The following configuration describes the LDAPS connection:

              ........
              <security-realm name="ldap_security_realm">
                      <server-identities>
                          <ssl>
                              <keystore path="/opt/jboss-eap-6.4.0/jdk1.8.0_51/jre/lib/security/cacerts" keystore-password="changeit" alias="kkb"/>
                          </ssl>
                      </server-identities>
                      <authentication>
                          <ldap connection="ldap_connection" base-dn="DC=kkb,DC=kz" recursive="true">
                              <username-filter attribute="saMAccountName"/>
                          </ldap>
                      </authentication>
                  </security-realm>
              </security-realms>
              <outbound-connections>
                  <ldap name="ldap_connection" url="ldaps://<ldap ip>:636" search-dn="CN=ad_user,OU=AD-Groups,DC=kkb,DC=kz" search-credential="pwd"/>
              </outbound-connections>
              .........

       

      But it errors out:

      14:14:09,910 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service jboss.server.controller.management.security_realm.ldap_security_realm.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.ldap_security_realm.key-manager: Failed to start service
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1936) [jboss-msc-1.1.5.Final-redhat-1.jar:1.1.5.Final-redhat-1]
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_51]
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_51]
              at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_51]
      Caused by: java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected
              at java.security.KeyStoreSpi.engineGetEntry(KeyStoreSpi.java:466) [rt.jar:1.8.0_51]
              at java.security.KeyStore.getEntry(KeyStore.java:1521) [rt.jar:1.8.0_51]
              at org.jboss.as.domain.management.security.JKSKeystore.load(JKSKeystore.java:117)
              at org.jboss.as.domain.management.security.JKSKeyManagerService.start(JKSKeyManagerService.java:100)
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1980) [jboss-msc-1.1.5.Final-redhat-1.jar:1.1.5.Final-redhat-1]
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1913) [jboss-msc-1.1.5.Final-redhat-1.jar:1.1.5.Final-redhat-1]
              ... 3 more

       

      The main string in the error message is:

      Caused by: java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected

      But I loaded only public certificates, which need not be password-protected.

      Could you please help: what must be corrected to overcome this error?

      Thank you, Timur Kulibaev.
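An added example, not from the original post and not JBoss code, that reproduces the JDK behaviour behind the stack trace and lets you check what kind of entry an alias actually is. The trace shows the realm's key-manager service (JKSKeyManagerService -> JKSKeystore.load) calling KeyStore.getEntry with a password; in the JDK that call succeeds for a PrivateKeyEntry and throws UnsupportedOperationException for a trusted certificate entry, because importing a downloaded public certificate creates a trust anchor with no private key behind it. A key manager (server identity) needs the former; the AD certificate chain is the latter and is only meaningful as a trust anchor. The class name, the placeholder certificate object and the demo aliases `server` and `kkb` are assumptions made for this example; the password `changeit` is the one from the configuration above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PublicKey;
import java.security.cert.Certificate;

/**
 * Reports whether a keystore alias is a PrivateKeyEntry (what a key manager,
 * i.e. a server identity, needs) or a trustedCertEntry (a trust anchor, what a
 * trust manager needs), and reproduces the JDK exception from the stack trace
 * when a key manager is pointed at a trusted certificate entry.
 */
public class KeystoreEntryCheck {

    /** Classifies an alias using the KeyStore API directly. */
    public static String describe(KeyStore ks, String alias) throws KeyStoreException {
        if (!ks.containsAlias(alias)) {
            return alias + ": not present in keystore";
        }
        if (ks.isKeyEntry(alias)) {
            return alias + ": PrivateKeyEntry (private key present; usable as a server identity)";
        }
        if (ks.isCertificateEntry(alias)) {
            return alias + ": trustedCertEntry (public certificate only; usable as a trust anchor, not as a server identity)";
        }
        return alias + ": unrecognised entry type";
    }

    /**
     * Does what JKSKeystore.load does in the stack trace: asks for the alias with
     * password protection. Returns the entry for a private key, or null when the
     * JDK refuses because the alias is a trusted certificate entry.
     */
    public static KeyStore.Entry loadAsKeyManagerWould(KeyStore ks, String alias, char[] password) throws Exception {
        try {
            return ks.getEntry(alias, new KeyStore.PasswordProtection(password));
        } catch (UnsupportedOperationException e) {
            // This is the "trusted certificate entries are not password-protected" exception.
            System.out.println("  key manager would fail: " + e.getMessage());
            return null;
        }
    }

    /**
     * Placeholder certificate (assumption for this demo) so it runs offline without
     * an X.509 file. A real keystore holds X509Certificate objects; the JKS entry
     * logic exercised here only needs the public key and the type string.
     */
    static Certificate placeholderCert(final PublicKey pub) {
        return new Certificate("X.509") {
            @Override public byte[] getEncoded() { return pub.getEncoded(); }
            @Override public void verify(PublicKey key) { }
            @Override public void verify(PublicKey key, String sigProvider) { }
            @Override public String toString() { return "placeholder certificate"; }
            @Override public PublicKey getPublicKey() { return pub; }
        };
    }

    /** Builds an in-memory JKS with one private-key entry and one trusted-certificate entry. */
    public static KeyStore demoKeystore(char[] password) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        Certificate cert = placeholderCert(kp.getPublic());

        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                                     // fresh, empty keystore
        ks.setKeyEntry("server", kp.getPrivate(), password,
                       new Certificate[] { cert });              // what a server identity needs
        ks.setCertificateEntry("kkb", cert);                     // what importing a public cert produces
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();
        KeyStore ks;
        String[] aliases;
        if (args.length == 3) {
            // usage: java KeystoreEntryCheck <keystore-path> <keystore-password> <alias>
            password = args[1].toCharArray();
            ks = KeyStore.getInstance("JKS");
            try (InputStream in = new FileInputStream(args[0])) {
                ks.load(in, password);
            }
            aliases = new String[] { args[2] };
        } else {
            ks = demoKeystore(password);
            aliases = new String[] { "server", "kkb" };
        }
        for (String alias : aliases) {
            System.out.println(describe(ks, alias));
            KeyStore.Entry entry = loadAsKeyManagerWould(ks, alias, password);
            System.out.println("  key manager result: " + (entry == null ? "FAILED" : entry.getClass().getSimpleName()));
        }
    }
}
```

Run it without arguments to see both outcomes side by side in memory, or with `<keystore-path> <keystore-password> <alias>` to check a real file such as the cacerts keystore referenced above. The alias named in `<server-identities><ssl><keystore>` has to come back as PrivateKeyEntry; an alias created by importing a downloaded certificate comes back as trustedCertEntry, and the key manager fails on it exactly as in the log. The same distinction is visible without any code in the "Entry type:" line of `keytool -list -v -keystore <path>`.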