0 Replies Latest reply on Jul 27, 2015 9:10 AM by Timur Kulibaev

    Caused by: java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected

    Timur Kulibaev Newbie

      Hello to all !

       

      I use JBoss EAP 6.4.0 and I have successfully setup LDAP-connection to MS Active Directory (port 389) for both http-management and jboss-cli.sh. 

      LDAP-authentication works fine.  But user passwords are travelling between JBoss EAP and MS AD in unencrypted form so my next step is to use LDAP over TLS, port 636. 

      Based on JBoss EAP Security Guide I've loaded all certifcate chain from MS AD using openssl:

       

      openssl s_client -showcerts -connect <LDAP-ip>:636 > cert.pem

      openssl x509 -outform der -in cert.pem -out cert.der

       

      then cert.der was imported to keystore.

       

      the following configuration describes LDAPS-connection:

              ........

              <security-realm name="ldap_security_realm">

                      <server-identities>

                          <ssl>

                              <keystore path="/opt/jboss-eap-6.4.0/jdk1.8.0_51/jre/lib/security/cacerts" keystore-password="changeit" alias="kkb"/>

                          </ssl>

                      </server-identities>

                      <authentication>

                          <ldap connection="ldap_connection" base-dn="DC=kkb,DC=kz" recursive="true">

                              <username-filter attribute="saMAccountName"/>

                          </ldap>

                      </authentication>

                  </security-realm>

              </security-realms>

              <outbound-connections>

                  <ldap name="ldap_connection" url="ldaps://<ldap ip>:636" search-dn="CN=ad_user,OU=AD-Groups,DC=kkb,DC=kz" search-credential="pwd"/>

              </outbound-connections>

              .........

       

      But it errors out

      [31m14:14:09,910 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service jboss.server.controller.management.security_realm.ldap_security_realm.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.ldap_security_realm.key-manager: Failed to start service

              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1936) [jboss-msc-1.1.5.Final-redhat-1.jar:1.1.5.Final-redhat-1]

              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_51]

              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_51]

              at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_51]

      Caused by: java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected

              at java.security.KeyStoreSpi.engineGetEntry(KeyStoreSpi.java:466) [rt.jar:1.8.0_51]

              at java.security.KeyStore.getEntry(KeyStore.java:1521) [rt.jar:1.8.0_51]

              at org.jboss.as.domain.management.security.JKSKeystore.load(JKSKeystore.java:117)

              at org.jboss.as.domain.management.security.JKSKeyManagerService.start(JKSKeyManagerService.java:100)

              at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1980) [jboss-msc-1.1.5.Final-redhat-1.jar:1.1.5.Final-redhat-1]

              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1913) [jboss-msc-1.1.5.Final-redhat-1.jar:1.1.5.Final-redhat-1]

              ... 3 more

       

      Man string in error message is:

      Caused by: java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected

       

      But i loaded only public certificates which no need to be password-protected.

      Could please to help -  what must be corrected to overcome this error ?

       

      Thank you, Timur Kulibaev.