1 Reply Latest reply on Nov 28, 2012 9:05 AM by Mohamed Ali Dhifallah

    Connecting GateIn with Active Directory using secure connection

    Dhanya Sreejith Newbie

      hiiiii..

       

           

            I got the following execption when I connected GateIn with Active Directory using secure connection. I exported the certificate from exchange server and generated truststore from corresponding certificate and configured idm-configuration.xml and picketlink-idm-msad-readonly-config.xml files

       

      example of configuration for SSL:

       

      <option>
                  <name>customSystemProperties</name>
                      <value>javax.net.ssl.trustStore=C:/msad.truststore</value>
                      <value>javax.net.ssl.trustStorePassword=G12$</value>
         </option>   

       

      The stacktrace is as follows :

       

      javax.net.ssl.

      SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      10:25:36,839 SEVERE [FallbackIdentityStoreRepository] Failed to find IdentityObject in target store:
      org.picketlink.idm.common.exception.IdentityException: Could not obtain LDAP connection:
          at org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl.getLDAPContext(LDAPIdentityStoreImpl.java:4233)
           at org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl.searchIdentityObjects(LDAPIdentityStoreImpl.java:3861)
          at org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl.findIdentityObject(LDAPIdentityStoreImpl.java:676)
           at org.picketlink.idm.impl.repository.FallbackIdentityStoreRepository.findIdentityObject(FallbackIdentityStoreRepository.java:646)
          at org.picketlink.idm.impl.api.session.managers.PersistenceManagerImpl.findUser(PersistenceManagerImpl.java:426)
           at org.exoplatform.services.organization.idm.UserDAOImpl.getPopulatedUser(UserDAOImpl.java:785)
          at org.exoplatform.services.organization.idm.UserDAOImpl.findUserByName(UserDAOImpl.java:309)
          at org.exoplatform.services.organization.OrganizationDatabaseInitializer.createUsers(OrganizationDatabaseInitializer.java:161)
           at org.exoplatform.services.organization.OrganizationData     baseInitializer.init(OrganizationDatabaseInitializer.java:76)
          at org.exoplatform.services.organization.BaseOrganizationService.start(BaseOrganizationService.java:83)
           at org.exoplatform.services.organization.idm.PicketLinkIDMOrganizationServiceImpl.start(PicketLinkIDMOrganizationServiceImpl.java:104)
          at sun.reflect.GeneratedMethodAccessor348.invoke(Unknown Source)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
           at java.lang.reflect.Method.invoke(Method.java:597)
          at org.exoplatform.container.LifecycleVisitor.traverse(LifecycleVisitor.java:100)
          at org.exoplatform.container.LifecycleVisitor.start(LifecycleVisitor.java:170)
           at org.exoplatform.container.ConcurrentPicoContainer.start(ConcurrentPicoContainer.java:554)
          at org.exoplatform.container.ExoContainer.start(ExoContainer.java:266)
          at org.exoplatform.container.PortalContainer.start(PortalContainer.java:667)
           at org.exoplatform.container.ExoContainer.start(ExoContainer.java:254)
          at org.exoplatform.container.RootContainer.createPortalContainer(RootContainer.java:399)
          at org.exoplatform.container.RootContainer.createPortalContainers(RootContainer.java:287)
           at org.exoplatform.container.web.PortalContainerCreator$2.run(PortalContainerCreator.java:74)
          at org.exoplatform.container.web.PortalContainerCreator$2.run(PortalContainerCreator.java:71)
          at org.exoplatform.commons.utils.SecurityHelper.doPrivilegedAction(SecurityHelper.java:291)
           at org.exoplatform.container.web.PortalContainerCreator.contextInitialized(PortalContainerCreator.java:70)
          at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3910)
          at org.apache.catalina.core.StandardContext.start(StandardContext.java:4393)

        • 1. Re: Connecting GateIn with Active Directory using secure connection
          Mohamed Ali Dhifallah Newbie

          There is a microsoft limitation: password can't be set in AD via unsecured connection.

          You have to use the ldaps protocol, to use LDAPS protocol with Active Directory:

          Add Active Directory Certificate Services role  and export root certificate     c:\>certutil -ca.cert root.cer (like youd did)

           

          install right certificate for DC machine and enable Java VM to use certificate from AD.

          Import root CA used in AD, to keystore,  (~/.keystore)

           

          set java options JAVA_OPTS="${JAVA_OPTS}

            -Djavax.net.ssl.trustStorePassword=changeit

            -Djavax.net.ssl.trustStore=cacerts_path"

          While cacerts_path is the path to your keystore (C:/msad.truststore) and 'changeit' is the keystore password. (in you case 'G12$')

          You can do that in setenv.sh/seten.bat

           

          That approche is based on options passed to the JVM.

           

          You can try yours but make sure you're using picketlink-idm-msad-config.xml file instead of picketlink-idm-msad-readonly-config.xml you used.