Caused by: java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected
tkulibaev Jul 27, 2015 9:10 AM
Hello to all!
I use JBoss EAP 6.4.0 and I have successfully set up an LDAP connection to MS Active Directory (port 389) for both http-management and jboss-cli.sh.
LDAP authentication works fine. But user passwords are travelling between JBoss EAP and MS AD in unencrypted form, so my next step is to use LDAP over TLS, port 636.
Based on the JBoss EAP Security Guide I've loaded the whole certificate chain from MS AD using openssl:
openssl s_client -showcerts -connect <LDAP-ip>:636 > cert.pem
openssl x509 -outform der -in cert.pem -out cert.der
Then cert.der was imported into the keystore.
The following configuration describes the LDAPS connection:
........
<security-realm name="ldap_security_realm">
    <server-identities>
        <ssl>
            <keystore path="/opt/jboss-eap-6.4.0/jdk1.8.0_51/jre/lib/security/cacerts" keystore-password="changeit" alias="kkb"/>
        </ssl>
    </server-identities>
    <authentication>
        <ldap connection="ldap_connection" base-dn="DC=kkb,DC=kz" recursive="true">
            <username-filter attribute="saMAccountName"/>
        </ldap>
    </authentication>
</security-realm>
</security-realms>
<outbound-connections>
    <ldap name="ldap_connection" url="ldaps://<ldap ip>:636" search-dn="CN=ad_user,OU=AD-Groups,DC=kkb,DC=kz" search-credential="pwd"/>
</outbound-connections>
.........
But it errors out:
14:14:09,910 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service jboss.server.controller.management.security_realm.ldap_security_realm.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.ldap_security_realm.key-manager: Failed to start service
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1936) [jboss-msc-1.1.5.Final-redhat-1.jar:1.1.5.Final-redhat-1]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_51]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_51]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_51]
Caused by: java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected
at java.security.KeyStoreSpi.engineGetEntry(KeyStoreSpi.java:466) [rt.jar:1.8.0_51]
at java.security.KeyStore.getEntry(KeyStore.java:1521) [rt.jar:1.8.0_51]
at org.jboss.as.domain.management.security.JKSKeystore.load(JKSKeystore.java:117)
at org.jboss.as.domain.management.security.JKSKeyManagerService.start(JKSKeyManagerService.java:100)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1980) [jboss-msc-1.1.5.Final-redhat-1.jar:1.1.5.Final-redhat-1]
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1913) [jboss-msc-1.1.5.Final-redhat-1.jar:1.1.5.Final-redhat-1]
... 3 more
The main string in the error message is:
Caused by: java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected
But I loaded only public certificates, which do not need to be password-protected.
Could you please help: what must be corrected to overcome this error?
Thank you, Timur Kulibaev.
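In the stack trace above, JKSKeyManagerService calls KeyStore.getEntry with a password on the alias named in `<server-identities><ssl><keystore>`, and the JDK refuses that request for a trusted-certificate entry, which is what importing cert.der produces, whereas a server identity needs a private-key entry. The following is an added example, not code from the post or from JBoss EAP, that reproduces the exception against a JKS file and checks whether an alias holds a private key; the class name, the default of the running JDK's own cacerts with its first alias, and the password changeit are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Paths;
import java.security.KeyStore;

// Added example (not from the post or JBoss EAP): reproduces the exception from
// the stack trace and checks whether an alias can serve as a server identity.
public class KeystoreEntryCheck {
    // Load a JKS file. A null password skips the integrity check but still
    // lets us read entry types, which is all this check needs.
    static KeyStore load(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, null);
        }
        return ks;
    }

    // A key manager needs a PrivateKeyEntry read with the key password.
    static boolean isUsableAsServerIdentity(KeyStore ks, String alias, char[] keyPassword)
            throws Exception {
        if (!ks.containsAlias(alias)) {
            return false;
        }
        KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(keyPassword);
        if (ks.isCertificateEntry(alias)) {
            // Same call the key manager makes; on an imported certificate the JDK
            // throws UnsupportedOperationException, exactly as in the stack trace.
            try {
                ks.getEntry(alias, prot);
            } catch (UnsupportedOperationException e) {
                System.out.println(alias + ": " + e.getMessage());
            }
            return false; // ks.getEntry(alias, null) would work, but there is no private key
        }
        return ks.getEntry(alias, prot) instanceof KeyStore.PrivateKeyEntry;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults: the JDK's own cacerts (trusted certificates only) and
        // its first alias; pass the post's keystore path and alias kkb to check those.
        String path = args.length > 0 ? args[0]
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toString();
        KeyStore ks = load(path);
        String alias = args.length > 1 ? args[1] : ks.aliases().nextElement();
        System.out.println(alias + " usable as server identity: "
                + isUsableAsServerIdentity(ks, alias, "changeit".toCharArray()));
    }
}
```

Run it against the cacerts path and alias from the configuration above to confirm the alias is a trusted certificate, not a key pair; a server identity must point at a keystore entry that contains the private key.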