Rundeck failed ldaps 636 authentication with MS LDAP - authentication

Unable to authenticate with ldaps (636) with MS LDAP.
Rundeck installed in Ubuntu 20.04. Version APIVERSION : 41, BUILD : 4.7.0-20221006
Thank you for the help.
- Followed https://docs.rundeck.com/docs/administration/security/authentication.html#ldap
- Opened a question on Google Groups named "Rundeck how to do a Microsoft LDAP authentication test"
- Restarted the rundeckd service after every jaas file change.

Delete the -Djavax.net.ssl.trustStore=/etc/rundeck/ssl/truststore parameter in the rundeckd file; it is not needed if you already added the cert to the Java cacerts file.
With that parameter, Rundeck looks for the cert in the truststore file, not in the Java cacerts.

CAS server - can't access CAS address after the copy of the war file generated in /var/lib/tomcat9/webapps/

I am currently setting up a CAS server in a local network which will have to authenticate users belonging to ldap directories so that they can then connect to a web server.
A Windows Server 2019 Active Directory is the gateway to the WAN.
Environment:
Windows Server 2019 with Active Directory and DHCP, routing and DNS installed, which make the link between the WAN and the LAN; IP: 192.168.100.10
LDAP Server on CentOS 7 on the LAN, registered in the Active Directory (no SSL certificate generated); IP: 192.168.100.50
CAS Server on Debian 11 on the LAN (no ssl certificate generated for tomcat and cas); IP: 192.168.100.101
All pinging between each other;
I'm following this process to install and configure the cas server:
https://www.esup-portail.org/wiki/pages/viewpage.action?pageId=972292097
This is my build.gradle configuration file:
build.gradle
This is my cas.properties configuration file:
cas.properties
After copying the generated war file into /var/lib/tomcat9/webapps/, I restart the tomcat9 service.
The problem is that I can't access the CAS address:
erreur_acces_site
When I check the status of the Tomcat service, I get this error:
error_tomcat_service_status
Can anyone enlighten me? I can't see what's going wrong.
Moreover, if someone has a detailed, recent and educational procedure, describing the environment and the prerequisites, to install a CAS server on CentOS 7, I am strongly interested.
Thank you in advance!
When I remove the CAS dependencies in build.gradle and LDAP authentication config in cas.properties, I can access the CAS login screen.

Tomcat is not picking up the keystore

I am setting up a Tomcat server which communicates with an external system through SOAP web services (I am using the external system's stubs and the Apache Axis2 library for that).
The external system is secured with SSL client/server authentication. The system provides me a keystore file in .pfx format which contains two certificates.
Things I have tried:
I extracted those two certificates and added them to my keystore. I added the entry below to my tomcat/bin/catalina.bat file:
rem catalina.bat: no spaces around "=", otherwise batch defines a variable named "JAVA_OPTS " (trailing space) and Tomcat never sees these options
set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore=/pathtomykeystore/cacerts -Djavax.net.ssl.keyStore=/pathtomykeystore/cacerts -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStorePassword=changeit
With the above configuration my request fails with "No X.509 client certificate HTTP header found in request".
I enabled the SSL logs and found that serverHelloDone is printed, and after that it says
"No suitable client certificate could be found - continuing without
client authentication"
I have tried the same thing from the SOAPUI tool, where I directly configure the .pfx file as the keystore, and it works fine there.
The difference between the Tomcat and SOAPUI logs is that
SOAPUI successfully completes client authentication where Tomcat does not.
Also, the lines below are missing from the Tomcat SSL logs:
keystore is:
keystoreType is: jks
keystore provider is
Update 1:
I removed the keystore configuration from SOAPUI -> project view -> WS Security Configuration -> keystore (this is the working configuration) and added the above-mentioned JAVA_OPTS entries to soapui.bat, and now SOAPUI also gives the same error.
Can anyone help with how SOAPUI picks and sends the certificates from the keystore configured in project view -> keystore?
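An added example, not code from any of the posts above, covering the two JSSE points raised in the Rundeck answer and in the Tomcat question: a -Djavax.net.ssl.trustStore flag makes the JVM ignore its own cacerts, and a JVM can only present a client certificate when the keyStore it was given holds a PrivateKeyEntry (a truststore full of trustedCertEntry items, as built by importing the two certs out of the .pfx, has no private key to sign with). It assumes the standard one-line-per-alias output of keytool -list; the sample listings and fingerprints are constructed.

```python
import re

# Listing text as printed by:  keytool -list -keystore <file> -storepass <pw>
# (add -storetype PKCS12 when <file> is the .pfx itself).
# keytool -list prints one summary line per alias:  <alias>, <date>, <EntryType>,
SUMMARY_RE = re.compile(r"^(?P<alias>[^,]+), (?P<date>.*?), (?P<type>\w+Entry),\s*$")

def jsse_properties(java_opts: str) -> dict:
    """Extract -Djavax.net.ssl.* settings from a JAVA_OPTS or rundeckd command line."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"-D(javax\.net\.ssl\.\w+)=(\S+)", java_opts)}

def truststore_overrides_cacerts(java_opts: str) -> bool:
    """Rundeck answer: with -Djavax.net.ssl.trustStore set, the JVM uses only that
    file, so a cert imported into cacerts is not consulted at all."""
    return "javax.net.ssl.trustStore" in jsse_properties(java_opts)

def classify_keystore_listing(listing: str) -> dict:
    """Map alias -> entry type (PrivateKeyEntry / trustedCertEntry) from keytool output."""
    entries = {}
    for line in listing.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            entries[m.group("alias")] = m.group("type")
    return entries

def can_present_client_cert(listing: str) -> bool:
    """Tomcat question: the JSSE key manager only offers a client certificate for an
    alias that has a private key; certificates alone give 'No suitable client
    certificate could be found - continuing without client authentication'."""
    return "PrivateKeyEntry" in classify_keystore_listing(listing).values()

# Constructed sample listings; fingerprints are placeholders, not real values.
CERTS_ONLY = """extsystem-server, Jan 5, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
extsystem-ca, Jan 5, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB
"""
WITH_KEY = """client, Jan 5, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC
extsystem-ca, Jan 5, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB
"""
# Constructed JAVA_OPTS mirroring the catalina.bat entry in the question (paths shortened).
CATALINA_OPTS = ("-Djavax.net.ssl.trustStore=/path/cacerts "
                 "-Djavax.net.ssl.keyStore=/path/cacerts")
```

Pointing -Djavax.net.ssl.keyStore at the .pfx (with -Djavax.net.ssl.keyStoreType=PKCS12) instead of at the cacerts copy is what gives the JVM a PrivateKeyEntry to work with.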

Enabling TLS in NiFi

I enabled TLS in NiFi by running the command below:
nifi-toolkit/nifi-toolkit-assembly/target/nifi-toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT/bin/tls-toolkit.sh standalone -n "{my-ip},localhost" -C 'CN={my-ip}' -C 'CN=localhost' -o ./certs
This created the files required for TLS under the directory certs.
I moved the files under the directory certs into the conf folder of the deployment on my machine.
I installed the certificate into my machine's Keychain Access.
Then I started the server using bin/nifi.sh start. My server starts and I am able to hit it, but my request is not authorized.
I am getting the error below:
Not authorized for the requested resource. Contact the system
administrator.
Once TLS is enabled in Apache NiFi, anonymous access is no longer enabled by default. You will need to authenticate as a user in order to access the UI/API. There are three authentication mechanisms available -- client certificates, LDAP, or Kerberos. Once you configure an Initial Admin Identity in $NIFI_HOME/conf/authorizers.xml (this would be the exact CN of the client certificate you issued in the TLS Toolkit command), that user can authenticate and use the user management tools in NiFi to add additional users.
You can find more information in the NiFi Admin Guide. Bryan Bende has also written a detailed walkthrough of the process.
One note about the command you posted above -- I am not sure what your desired output is, but the command is issuing a server certificate for my-ip and another for hostname, but then two client certificates with those DNs as well. In general, you want a server certificate for hostname (possibly with a SAN entry for my-ip), and a client certificate with a DN like CN=alopresto, OU=Apache NiFi.
For example:
./bin/tls-toolkit.sh standalone \
-n 'nifi.nifi.apache.org' \
--subjectAlternativeNames '123.234.234.123' \
-C 'CN=alopresto, OU=Apache NiFi' \
-P password \
-S password \
-B password \
-f ...conf/nifi.properties \
-o ...conf/

TeamCity and Mercurial https

I am trying to connect from TeamCity to a Mercurial repository over https.
But I can't, because this error appears:
stderr: abort: error: _ssl.c:577: error: 14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
How can I disable certificate verification in TeamCity?
Or how can I work around this?
I have tried to download the certificate from IE and paste it into Mercurial's cer file, but it did not resolve my issue.
I resolved my issue only after putting mercurial.ini in the folder C:\Windows\System32\config\systemprofile.
Editing .hgrc did not take effect. Only putting mercurial.ini in C:\Windows\System32\config\systemprofile and adding the downloaded certificate to cacert.pem solved my issue.
Better than disabling certificate verification (where possible) is to let Mercurial know that you trust the certificate. (This is a Windows-specific answer).
The thing I missed for ages is that even if you import the certificate into the Trusted Root Certification Authority, this doesn't affect the Local System account, which TeamCity is running under if you have set it up to run as a service.
The full steps to get the Local System account to trust a certificate are in this answer, but I'll reproduce them in brief here:
First, get a copy of the certificate. You can export this to a file from all the main browsers.
Then, run mmc.exe from the start menu. Add the Certificates snap-in. If TeamCity is running as the local system account you want to manage "Local computer" certificates. If TeamCity is running as an ordinary user you want to manage user certificates.
Navigate to "Trusted Root Certification Authorities". Then click "Action > All Tasks > Import" and import the certificate file.
A final note: You can use psexec.exe from PSTools to run powershell as Local System and test things are working before going back to TeamCity: (Reference)
psexec -i -s Powershell.exe

How to get certmgr to add pfx for all users instead of the current user?

I am developing a WCF service, which uses an SSL certificate for transport security.
I followed various tutorials and hints online to generate and import the certificate. The certificate is imported using the following command:
certmgr.exe -add -all -c <filename>.pfx -s -r localMachine my
My WCF service runs happily using the imported certificate in console mode. The problem starts when I switch my service to be hosted in a Windows Service, which runs as "NETWORK SERVICE". The exception complains that the application has no access to the installed private key.
So I used FindPrivateKey.exe and found out that the private key is actually installed in the current user's AppData folder:
C:\Users\<username>\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3289377140-263254259-3378496556-1105\d3a0de64e6f0513692d593a77a71d3ac_15824a33-515a-493c-a33f-38a7b852e11a
It would not work even if I granted the "NETWORK SERVICE" user access rights to this file.
In the end I had to remove the certificate and re-import it using MMC, which placed the private key in:
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\c3ccd4300462fe2aa7cec7f747fbd075_15824a33-515a-493c-a33f-38a7b852e11a
So my question is, how can I get certmgr to place the private key in C:\ProgramData\ instead of the current user's AppData?
You should not try to work with certificates at the file level. It is an internal implementation that is not guaranteed to be supported.
There is an MS tool that can help you:
The Microsoft Windows HTTP Services (WinHTTP) certificate configuration tool, "WinHttpCertCfg.exe", enables administrators to install and configure client certificates in any certificate store that can be accessed by the Internet Server Web Application Manager (IWAM) account.
http://msdn.microsoft.com/en-us/library/windows/desktop/aa384088(v=vs.85).aspx
Command that you need to run:
This command grants access to the private key of the "MyCertificate" certificate in the "My" certificate store for the TESTUSER account.
winhttpcertcfg -g -c LOCAL_MACHINE\My -s MyCertificate -a TESTUSER
Use this link to install the tool:
http://www.microsoft.com/en-us/download/details.aspx?id=19801