I have logstash-6.5.4 (with ssl), web and scheduler in my local (hostname: webbox) and kafka-2.0 (with ssl) on another (hostname: kafkabox).
I am not able to receive message in kafka topic when message is sent from logstash.
Neither error message is displayed not message is sent to kafka topic. I tried to import logstash.crt into kafka's truststore but it also didn't worked.
Created logstash.crt and logstash.key with below command.
sudo openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout /etc/logstash/logstash.key -out /etc/logstash/logstash.crt
Imported the logstash.crt into kafka's truststore file also and tried.
keytool -import -alias logstash -file logstash.crt -keystore cacerts
Logstash conf file is given below...
input {
tcp {
host=>"0.0.0.0"
port=>5514
type=>"syslogType"
ssl_enable=>true
ssl_cert=>"/etc/logstash/logstash.crt"
ssl_key=>"/etc/logstash/logstash.key"
ssl_verify=>false
}
}
filter {
}
output {
kafka {
bootstrap_servers=>"kafkabox:9093"
codec=>"json_lines"
topic_id=>"a_test"
ssl_keystore_location=>"keystore file"
ssl_keystore_password=>"changeit"
ssl_key_password=>"changeit"
ssl_truststore_location=>"truststore file"
ssl_truststore_password=>"changeit"
security_protocol=>"SSL"
}
}
Expecting message is sent from logstash (with SSL) to kafka (with SSL).
Java Code to connect to logstash which internally failing to send message to kafka topics (in ssl mode).
public class LogstashClient {
private static String message = "<86>Jun 25 14:32:25 webbox sshd[7517]: Failed password for root from 196.165.132.192 port 45691 ssh2";
public static void main(String[] args) throws Exception {
nonSSL();
//SSL();
}
private static void SSL() throws Exception {
// logstash.crt is directly imported into kafka's truststore
// Below <<Client Truststore>> will also have logstash.crt imported for handshaking while connecting
System.setProperty("javax.net.ssl.trustStore", "<<Client Truststore>>");
System.setProperty("javax.net.ssl.trustStorePassword", "test1234");
SSLSocketFactory factory = (SSLSocketFactory)SSLSocketFactory.getDefault();
SSLSocket socket = (SSLSocket) factory.createSocket("localhost", 5514);
System.out.println("Handshaking...");
socket.startHandshake();
PrintWriter printWriter = new PrintWriter(socket.getOutputStream(), true);
boolean checkError = printWriter.checkError();
printWriter.println(message);
}
private static void nonSSL() throws Exception {
Socket socket = new Socket("localhost", 5514);
PrintWriter printWriter = new PrintWriter(socket.getOutputStream(), true);
printWriter.println(message);
}
}
Thanks,
RK,
Related
I'm trying unsuccessfully to get a basic GRPC server and client working with SSL/TLS, with a node client and Java server. Starting with no security:
// client.js
const creds = grpc.credentials.createInsecure()
const stub = new hello_proto.Greeter('localhost:50051', creds)
stub.sayHello(...)
// server.java
Server server = ServerBuilder.forPort(50051)
.addService(serviceImplementation)
.build();
server.start();
All works as expected here. I then tried to add SSL credentials, generating a certificate and private key like this (following a Python example):
$ openssl req -newkey rsa:2048 -nodes -keyout server.key -x509 -days 365 -out server.crt
This generates a certificate (server.crt) and private key (server.key). I then add those credentials to client and server (private key on server only), following the guidance from the grpc.io Auth Guide and grpc-java respectively:
// client.js
const rootCert = fs.readFileSync("path/to/server.crt");
const channelCreds = grpc.credentials.createSsl(rootCert);
const stub = new hello_proto.Greeter('localhost:50051', channelCreds);
stub.sayHello(...)
// server.java
File certChainFile = File("path/to/server.crt")
File privateKeyFile = File("path/to/server.key")
Server server = ServerBuilder.forPort(50051)
.useTransportSecurity(certChainFile, privateKeyFile)
.addService(serviceImplementation)
.build();
server.start();
Now I get an error UNAVAILABLE: No connection established on the client side:
Error: 14 UNAVAILABLE: No connection established
at Object.callErrorFromStatus (path/to/node_modules/#grpc/grpc-js/build/src/call.js:31:26)
at Object.onReceiveStatus (path/to/node_modules/#grpc/grpc-js/build/src/client.js:176:52)
at Object.onReceiveStatus (path/to/node_modules/#grpc/grpc-js/build/src/client-interceptors.js:336:141)
at Object.onReceiveStatus (path/to/node_modules/#grpc/grpc-js/build/src/client-interceptors.js:299:181)
at path/to/node_modules/#grpc/grpc-js/build/src/call-stream.js:130:78
at processTicksAndRejections (node:internal/process/task_queues:76:11) {
code: 14,
details: 'No connection established',
metadata: Metadata { internalRepr: Map(0) {}, options: {} }
}
No error on the server side. The client-side error is, unhelpfully, identical to the one I get when the server is down.
How do I implement basic TLS authentication between a Java server and node client?
Maybe you can reference my code in helloworlde/grpc-java-sample, feel free to translate Chinese;
For the both side, it need SslContext
Server
File keyCertChainFile = new File("server.pem");
File keyFile = new File("server.key");
SslContext sslContext = GrpcSslContexts.forServer(keyCertChainFile, keyFile)
.clientAuth(ClientAuth.OPTIONAL)
.build();
Server server = NettyServerBuilder.forAddress(new InetSocketAddress(9090))
.addService(new HelloServiceImpl())
.sslContext(sslContext)
.build();
Client
File trustCertCollectionFile = new File("server.pem");
SslContext sslContext = GrpcSslContexts.forClient()
.trustManager(trustCertCollectionFile)
.build();
ManagedChannel channel = NettyChannelBuilder.forAddress("127.0.0.1", 9090)
.overrideAuthority("localhost")
.sslContext(sslContext)
.build();
I have some misunderstanding with running SF on local cluster with SSL, on localhost.
Microsoft created greate article about configuring HTTPS on your endpoints But it works well only if you use their certificate generator CertSetup.ps1 . If you try install your own pfx, it will not work.
First I created localhost self-signed cert by OpenSSL:
set OPENSSL_CONF=W:\OpenSSL-Win32\bin\openssl.cfg
openssl genrsa -out W:\CERTS\wepapissl.key -passout pass:1234567890 -aes256 2048
openssl req -x509 -new -key W:\CERTS\wepapissl.key -days 10000 -out W:\CERTS\wepapissl.crt -passin pass:1234567890 -subj /CN="localhost"
openssl pkcs12 -export -inkey W:\CERTS\wepapissl.key -in W:\CERTS\wepapissl.crt -out W:\CERTS\wepapissl.pfx -passout pass:0987654321 -passin pass:1234567890`
Second I have created default ASP.NET Core Web Application (Core 2.0, API template). And added code for configure Kestrel to use HTTPS:
public static IWebHost BuildWebHost(string[] args) =>
WebHost.CreateDefaultBuilder(args)
.UseKestrel(opt =>
{
opt.Listen(IPAddress.Any, port, listenOptions =>
{
listenOptions.UseHttps(GetCertificateFromStore());
});
})
.UseStartup<Startup>()
.Build();
private static X509Certificate2 GetCertificateFromStore()
{
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
try
{
store.Open(OpenFlags.ReadOnly);
var certCollection = store.Certificates;
var currentCerts = certCollection.Find(X509FindType.FindBySubjectDistinguishedName, "CN=localhost", false);
return currentCerts.Count == 0 ? null : currentCerts[0];
}
finally
{
store.Close();
}
}
I have got expected result. Page with warning about website’s security certificate:
Result from ValueController with warning
Third I have created Service Fabric Application (Stateless ASP.NET Core template). Change my ServiceManifest.xml by editing Endpoint section:
<Endpoint Protocol="https" Name="ServiceEndpoint" Type="Input" Port="8256" />
And added code for configure Kestrel to use HTTPS (class Web1 : StatelessService):
protected override IEnumerable<ServiceInstanceListener> CreateServiceInstanceListeners()
{
return new ServiceInstanceListener[]
{
new ServiceInstanceListener(serviceContext =>
new KestrelCommunicationListener(serviceContext, "ServiceEndpoint", (url, listener) =>
{
ServiceEventSource.Current.ServiceMessage(serviceContext, $"Starting Kestrel on {url}");
return new WebHostBuilder()
.UseKestrel(opt =>
{
int port = serviceContext.CodePackageActivationContext.GetEndpoint("ServiceEndpoint").Port;
opt.Listen(IPAddress.IPv6Any, port, listenOptions =>
{
listenOptions.UseHttps(this.GetCertificateFromStore());
});
})
.ConfigureServices(
services => services
.AddSingleton<StatelessServiceContext>(serviceContext))
.UseContentRoot(Directory.GetCurrentDirectory())
.UseStartup<Startup>()
.UseServiceFabricIntegration(listener, ServiceFabricIntegrationOptions.None)
.UseUrls(url)
.Build();
}))
};
}
private X509Certificate2 GetCertificateFromStore()
{
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
try
{
store.Open(OpenFlags.ReadOnly);
var certCollection = store.Certificates;
var currentCerts = certCollection.Find(X509FindType.FindBySubjectDistinguishedName, "CN=localhost", false);
return currentCerts.Count == 0 ? null : currentCerts[0];
}
finally
{
store.Close();
}
}
Result: Successful build and deploy code on local SF cluster. But my resource can't be reached
P.S. I will repeat again, if you install new cert by using PowerShell provided by Mircosoft - CertSetup.ps1, it works well for SF application. I was trying to dig in PS script, but I can not understand what I missed.
P.P.S I am new in creating certificates, but it seems strange.
I have installed pfx by CertSetup.ps1. All works well (resource is reachable).
Then I have exported cert to pfx with private key and all extended properties
Delete from LocalMachine (MY and Root), CurrentUser (MY) stores
Install exported pfx to LocalMachine (My and Root), CurrentUser (My) stores
Rebuild & Redeploy code
Resoucre can not be reached
Is it magic? Or I miss something?
Couple details was not enough clear for me, any way. Answer:
If you tried to use your own generated certificate (openssl, makecert or etc), you shoud set privileges for NETWORK SERVICE.
To manually do this on your dev box, open up certlm.msc, expand Personal->Certificates, and right-click your cert. Select All Tasks->Manage private keys and then add NETWORK SERVICE.
More here: https://github.com/Azure/service-fabric-issues/issues/714#issuecomment-381281701
I am very new to Java security, so the answer to this might be obvious. I am trying to perform a simple handshake between a client and a server and I want them to handshake using either TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 or TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384. According to everywhere I read these ciphers are supported in Java 8 and I have installed JCE Unlimited Strength Jurisdiction Policy Files. So when I print out all the enabled ciphers in my Java installation, those two ciphers are present, which means they are enabled by default. But for some reason the handshake fails because client and server have no cipher suites in common. I enabled TLSv1.2 protocol as well. The client's public key has been imported into the server's trust store and the handshake succeed for other ciphers such as TLS_RSA_WITH_AES_128_CBC_SHA256 etc. I am running Java 8 v1.8.0_60. What else am I missing?
import static org.junit.Assert.assertEquals;
import java.io.IOException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.junit.After;
import org.junit.BeforeClass;
import org.junit.Test;
public class GCMCiphersJava8Test {
private static final String SERVER_KEY_STORE = "testkeystore.jks";
private static final String CLIENT_KEY_STORE = "testtruststore.jks";
private static final String HOST = "localhost";
private static final String PASSWORD = "Pa55word";
private static final int SSL_PORT = 8443;
private static final String[] TLS_12 = new String[]{"TLSv1.2"};
private static String serverKeyStorePath = null;
private static String clientKeyStorePath = null;
private Server server = null;
#BeforeClass
public static void setup() {
serverKeyStorePath = GCMCiphersJava8Test.class.getResource(SERVER_KEY_STORE).getFile();
clientKeyStorePath = GCMCiphersJava8Test.class.getResource(CLIENT_KEY_STORE).getFile();
}
#Test
public void testGCMCiphersInJava8() throws Exception{
SSLSession session = null;
startServer(TLS_12, null, new String[]{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}, null);
SSLSocket sslSocket = createSslSocket(TLS_12, null, new String[]{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}, null);
if (this.server.isRunning()){
session = sslSocket.getSession();
}
assertEquals("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", session.getCipherSuite());
}
private void startServer(String[] includeProtocols, String[] excludeProtocols, String[] includeCiphers, String[] excludeCiphers) throws Exception{
this.server = new Server();
SslSelectChannelConnector ssl_connector = new SslSelectChannelConnector();
ssl_connector.setPort(SSL_PORT);
SslContextFactory cf = ssl_connector.getSslContextFactory();
cf.setKeyStorePath(serverKeyStorePath);
cf.setKeyStorePassword(PASSWORD);
cf.setKeyManagerPassword(PASSWORD);
if (includeCiphers != null){
cf.setIncludeCipherSuites(includeCiphers);
}
if (excludeCiphers != null){
cf.setExcludeCipherSuites(excludeCiphers);
}
if (includeProtocols != null){
cf.setIncludeProtocols(includeProtocols);
}
if (excludeProtocols != null){
cf.setExcludeProtocols(excludeProtocols);
}
this.server.setConnectors(new Connector[]{ssl_connector});
this.server.setHandler(new AbstractHandler() {
#Override
public void handle(String target,Request baseRequest,HttpServletRequest request, HttpServletResponse response)
throws IOException, ServletException
{
response.setContentType("text/html;charset=utf-8");
response.setStatus(HttpServletResponse.SC_OK);
baseRequest.setHandled(true);
response.getWriter().println("<h1>Hello World</h1>");
}
});
this.server.start();
}
#After
public void stopServer() throws Exception{
this.server.stop();
}
private SSLSocket createSslSocket(String[] includeProtocols, String[] excludeProtocols, String[] includeCiphers, String[] excludeCiphers){
SSLSocket sslSocket = null;
try {
System.setProperty("javax.net.ssl.trustStore", clientKeyStorePath);
SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
sslSocket = (SSLSocket) factory.createSocket(HOST, SSL_PORT);
if (includeCiphers != null){
sslSocket.setEnabledCipherSuites(includeCiphers);
}
if (includeProtocols != null){
sslSocket.setEnabledProtocols(includeProtocols);
}
sslSocket.addHandshakeCompletedListener(e -> {
System.out.println("Handshake succesful!");
System.out.println("Using cipher suite: " + e.getCipherSuite());
});
} catch (Exception e) {
e.printStackTrace();
}
return sslSocket;
}
}
A TLS cipher suite has 4 parts, all of which it must specify. They are:
"Key Exchange" which has 3 sane options:
"RSA" which means client generates random, RSA-encrypts the random using server's public key, sends to server. Does not provide PFS, deprecated.
"DHE" which means classic (Final Field) DHE. Older software limited to insecure 1024 bit groups, not recommended.
"ECDHE" which is the only one that's recommended.
"Authentication" which has 3 sane options:
"aRSA" which means RSA signature. Before TLS 1.3 uses pkcs#1v1.5 instead of RSASSA-PSS, no longer recommended, 99.9% sites use this.
"ECDSA" which means ECDSA signatures which requires server to have ECDSA certificate and key. Requires strong CSPRNG during handshake or private key is compromised! Google and Facebook and Cloudflare use this.
"EdDSA" which is going into TLS 1.3 and is going to be the recommended one.
"encryption" which has quite a few usable options:
AES-GCM, an AEAD mode.
chacha20-poly1305, also an AEAD mode. In Google and Cloudflare servers now and in TLS 1.3.
AES (CBC), deprecated.
3DES CBC, deprecated.
Many more. Only AEAD cipher suites are recommended, the rest are deprecated.
"Hash" or "MAC" which has 3 sane options:
(HMAC-)SHA1, still secure.
(HMAC-)SHA256, used for paranoia.
(HMAC-)SHA384, used for paranoia.
But note AEAD cipher suites like GCM (and chacha20-poly1305) actually use their own MAC (GMAC for GCM) so the "MAC" of the cipher suite is only used as PRF for symmetric key generation, not as a MAC, and TLS 1.2 mandates PRF be at least SHA-256.
Neither AES-GCM nor ECDHE impose any constraints on the certificate or key.
ECDSA requires the server to have ECDSA certificate and key.
Thus, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 work with RSA certs and are what everyone recommends you deploy today if you don't have an ECDSA cert.
I figured it out. To use GCM-based ciphers I needed to generate a keypair using Elliptic Curve option in keytool. I foolishly used RSA one I had before.
generate keypair using EC and 256 key size:
keytool -genkeypair -alias sergey -keyalg EC -keysize 256 -validity 365 -keystore testkeystore.jks -storepass <insertPasswordHere>
export the key into the certificate:
keytool -exportcert -keystore testkeystore.jks -storepass <insertPasswordHere> -file testCert.crt -alias <insertAliasHere>
import that certificate into the server's trust store:
keytool -importcert -trustcacerts -file testCert.crt -alias <sameAliasAsAbove> -keystore testtruststore.jks -storepass <insertPasswordHere>
I am not able to get mbeans from Weblogic server using PKCS12 ssl certificate through Java client.
Server: Weblogic
Client: Java client/JConsole
Server side commands used to create self signed certificates:
Created a certificate using the Weblogic CertGen utility, Weblogic CertGenCA.der and the Certificate Authority.
java utils.CertGen -certfile ServerCert -keyfile ServerKey -keyfilepass keypass
java utils.der2pem CertGenCA.der
type serverCert.pem CertGenCA.pem >> myCert.pem
Server Keystore created>>
java utils.ImportPrivateKey -keystore SeverIdentity.jks -storepass storepass -storetype JKS \
-keypass keypass -alias mykey -certfile myCert.pem -keyfile ServerKey.pem \
-keyfilepass keypass
Server Truststore used>>
DemoTrust.jks (Default Weblogic truststore)
Client side commands used to create PKCS12 self signed certificate:
java utils.CertGen -certfile ClientCert -keyfile ClientKey -keyfilepass keypass
openssl pkcs12 -export -in ClientCert.pem -inkey ClientKey.pem -out client-pkcs-12-cert
Configurations done in Weblogic Admin Console:
Keystores: Custom Identity Custom Trust.
Custom Identity Keystore: D:\certificate\latest\pkcs\SeverIdentity.jks
Custom Identity Keystore Type: JKS
Custom Identity Keystore Passphrase: storepass (same as –storepass value of ImportPrivateKey)
Confirm Custom Identity Keystore Passphrase: storepass
Custom Trust Keystore: D:\certificate\latest\pkcs\DemoTrust.jks
Custom Trust Keystore Type: JKS
Custom Trust Keystore Passphrase: DemoTrustKeyStorePassPhrase
Custom Trust Keystore Passphrase: DemoTrustKeyStorePassPhrase
Configurations done in setDomainEnv.cmd:
set JAVA_OPTIONS=%JAVA_OPTIONS% -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9191 \
-Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.authenticate=false \
-Djavax.net.ssl.keyStore=D:\certificate\latest\pkcs\SeverIdentity.jks \
-Djavax.net.ssl.keyStorePassword=keypass -Djavax.net.ssl.trustStore=D:\certificate\latest\pkcs\DemoTrust.jks \
-Djavax.net.ssl.trustStorePassword=DemoTrustKeyStorePassPhrase -Djava.rmi.server.hostname=10.112.69.200
Reference : http://www.weblogic-tips.com/2010/05/20/two-way-ssl-on-weblogic-server/
Java client code:
public static void main22(String args[]) {
try {
System.setProperty("javax.net.ssl.keyStore",
"D://certificate//latest//client-pkcs-12-cert");
System.setProperty("javax.net.ssl.keyStorePassword", "keypass");
HashMap<String, Object> env = new HashMap<String, Object>();
String truststore = "D://certificate//latest//client-pkcs-12-cert";
char truststorepass[] = "keypass".toCharArray();
KeyStore ks = KeyStore.getInstance("pkcs12");
ks.load(new FileInputStream(truststore), truststorepass);
TrustManagerFactory tmf = TrustManagerFactory
.getInstance("SunX509");
tmf.init(ks);
SSLContext ctx = SSLContext.getInstance("TLSv1");
ctx.init(null, tmf.getTrustManagers(), null);
SSLSocketFactory ssf = ctx.getSocketFactory();
env.put("jmx.remote.tls.socket.factory", ssf);
JMXServiceURL address = new JMXServiceURL("rmi", "", 0,
"/jndi/rmi://localhost:9191/jmxrmi");
JMXConnector jmxc = JMXConnectorFactory.connect(address, env);
MBeanServerConnection mbsc = jmxc.getMBeanServerConnection();
Set<ObjectInstance> beans = mbsc.queryMBeans(null, null);
for (ObjectInstance instance : beans) {
MBeanInfo info = mbsc.getMBeanInfo(instance.getObjectName());
System.out.println(info);
}
jmxc.close();
} catch (Exception e) {
e.printStackTrace();
System.out.println("error :" + e.getMessage());
}
}
I am able to get mbeans when JKS certificate is being used but when I use PKCS12 certificate it gives the following error while connecting through JMXConnectorFactory:
Exception at line : JMXConnector jmxc = JMXConnectorFactory.connect(address, env);
Exceptions:
java.rmi.ConnectIOException: Exception creating connection to: 10.112.69.200; nested exception is:
java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:614)
at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:198)
at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:184)
at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:110)
at javax.management.remote.rmi.RMIServerImpl_Stub.newClient(Unknown Source)
at javax.management.remote.rmi.RMIConnector.getConnection(RMIConnector.java:2327)
at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:277)
at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:248)
at test.Test.main(Test.java:68)
Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
at javax.net.ssl.DefaultSSLSocketFactory.throwException(SSLSocketFactory.java:179)
at javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:192)
at javax.rmi.ssl.SslRMIClientSocketFactory.createSocket(SslRMIClientSocketFactory.java:105)
at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:595)
... 8 more
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
at java.security.Provider$Service.newInstance(Provider.java:1245)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:220)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:147)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
at javax.net.ssl.SSLContext.getDefault(SSLContext.java:68)
at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:102)
at javax.rmi.ssl.SslRMIClientSocketFactory.getDefaultClientSocketFactory(SslRMIClientSocketFactory.java:192)
at javax.rmi.ssl.SslRMIClientSocketFactory.createSocket(SslRMIClientSocketFactory.java:102)
at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:595)
at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:198)
at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:184)
at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:322)
at sun.rmi.transport.DGCImpl_Stub.dirty(Unknown Source)
at sun.rmi.transport.DGCClient$EndpointEntry.makeDirtyCall(DGCClient.java:342)
at sun.rmi.transport.DGCClient$EndpointEntry.registerRefs(DGCClient.java:285)
at sun.rmi.transport.DGCClient.registerRefs(DGCClient.java:121)
at sun.rmi.transport.ConnectionInputStream.registerRefs(ConnectionInputStream.java:80)
at sun.rmi.transport.StreamRemoteCall.releaseInputStream(StreamRemoteCall.java:138)
at sun.rmi.transport.StreamRemoteCall.done(StreamRemoteCall.java:292)
at sun.rmi.server.UnicastRef.done(UnicastRef.java:431)
at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
at com.sun.jndi.rmi.registry.RegistryContext.lookup(RegistryContext.java:97)
at com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:185)
at javax.naming.InitialContext.lookup(InitialContext.java:392)
at javax.management.remote.rmi.RMIConnector.findRMIServerJNDI(RMIConnector.java:1886)
at javax.management.remote.rmi.RMIConnector.findRMIServer(RMIConnector.java:1856)
at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:255)
... 2 more
Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
at sun.security.util.DerInputStream.getLength(DerInputStream.java:544)
at sun.security.util.DerValue.init(DerValue.java:347)
at sun.security.util.DerValue.<init>(DerValue.java:303)
at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1200)
at java.security.KeyStore.load(KeyStore.java:1185)
at com.sun.net.ssl.internal.ssl.TrustManagerFactoryImpl.getCacertsKeyStore(TrustManagerFactoryImpl.java:202)
at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.getDefaultTrustManager(DefaultSSLContextImpl.java:70)
at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.<init>(DefaultSSLContextImpl.java:40)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
at java.lang.Class.newInstance0(Class.java:357)
at java.lang.Class.newInstance(Class.java:310)
at java.security.Provider$Service.newInstance(Provider.java:1221)
... 28 more
error :Exception creating connection to: 10.112.69.200; nested exception is:
java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
Firstly, ... (EDIT: I've realised I had misread part of the error, my first point was most certainly at least partly incorrect.)
A quick search for your error message (java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big. )points to this IBM support page, which suggests to use a JKS keystore instead of PKCS#12 (on the server side, which you're not doing) or that there are incorrect characters in the certificate.
Secondly, you have no chance to get client-certificate authentication working with this code, even once your server certificate problems are fixed.
String truststore = "D://certificate//latest//client-pkcs-12-cert";
char truststorepass[] = "keypass".toCharArray();
KeyStore ks = KeyStore.getInstance("pkcs12");
ks.load(new FileInputStream(truststore), truststorepass);
TrustManagerFactory tmf = TrustManagerFactory
.getInstance("SunX509");
tmf.init(ks);
SSLContext ctx = SSLContext.getInstance("TLSv1");
ctx.init(null, tmf.getTrustManagers(), null);
The PKCS#12 file should contain both your client cert and its private key. It is meant to be used as a keystore, not a truststore. That is, although the entity is called keystore in both cases, you are meant to use it with the key manager, not the trust manager.
Here, you're using your PKCS#12 file to initialise the trust manager of your SSLContext. It's the key manager you should initialise instead.
In addition, if you're using your code with a JRE that isn't related to Sun/Oracle/OpenJDK, you should probably avoid to hard-code "SunX509", use TrustManagerFactory.getDefaultAlgorthim() instead (same for the KeyManagerFactory when you implement this stage).
I'm sing Java and tring to change the password in AD. I have imported the certificate to the server, but I get an error in the certificate.
Import's valid:
keytool -import -keystore "C:\Program Files\Java\jre6\lib\security\cacerts" -trustcacerts -alias openldap -file "C:\certnew.cer"
List's valid:
keytool -list -keystore "C:\Program Files\Java\jre6\lib\security\cacerts"
My code:
public class PassChange
{
public static void main (String[] args) {
Hashtable env = new Hashtable();
String userName = "CN=optimus,DC=ad,DC=euclid,DC=com";
String oldPassword = "euclid!23";
String newPassword = "kcube!23";
//Could also do this via command line java -Djavax.net.ssl.trustStore....
String keystore = "C:\\Program Files\\Java\\jre6\\lib\\security\\cacerts";
// 1 String keystore = "C:\\Program Files\\Java\\jre6\\lib\\security\\cacerts";
// 2 String keystore = "C:\\Program Files\\Java\\jre6\\lib\\security\\cacerts.jks";
// 3 String keystore = "c:\\";
// 1,2,3 all error
System.setProperty("javax.net.ssl.trustStore", keystore);
env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
//set security credentials, note using simple cleartext authentication
env.put(Context.SECURITY_AUTHENTICATION,"simple");
env.put(Context.SECURITY_PRINCIPAL,userName);
env.put(Context.SECURITY_CREDENTIALS,oldPassword);
//specify use of ssl
env.put(Context.SECURITY_PROTOCOL,"ssl");
//connect to my domain controller
String ldapURL = "ldaps://xxx.xxx.xxx.xxx:636";
env.put(Context.PROVIDER_URL,ldapURL);
try {
// Create the initial directory context
LdapContext ctx = new InitialLdapContext(env,null);
//change password is a single ldap modify operation
//that deletes the old password and adds the new password
ModificationItem[] mods = new ModificationItem[2];
String oldQuotedPassword = "\"" + oldPassword + "\"";
byte[] oldUnicodePassword = oldQuotedPassword.getBytes("UTF-16LE");
String newQuotedPassword = "\"" + newPassword + "\"";
byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("unicodePwd", oldUnicodePassword));
mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("unicodePwd", newUnicodePassword));
ctx.modifyAttributes(userName, mods);
System.out.println("Changed Password for: " + userName);
ctx.close();
}
catch (NamingException e) {
System.err.println("Problem changing password: " + e);
}
catch (UnsupportedEncodingException e) {
System.err.println("Problem encoding password: " + e);
}
}
}
Error message:
problem changing password: javax.naming.CommunicationException: simple bind failed: xxx.xxx.xxx.xxx:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
Which certificate did you import? You do NOT want the servers certificate. Rather you want the public key of the Certificate Authority. Specifically the switch -trustcacerts is meant to indicate this is a CA public key.
Guessing by the name, I wonder if you grabbed the certificate of the server.