SSL Ldap Connection (ldaps) - ssl

I want to connect to ldap over SSL using truststore file.
I'm using the following code:
private DirContext ctxtDir = null;
Attributes attributes = null;
ldap_server_url = "ldaps://" + getLdapHostName() + ":"
+ getPort() + "/";
ldap_base_dn = getBaseDn();
ldap_user = getLogin();
ldap_password = getPwd();
ldap_trust_store_file = "C:\\truststore.jks";
ldap_trust_store_pwd = getStoreJKSPwd();
// Set the parameters
env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, ldap_context_factory);
env.put(Context.PROVIDER_URL, ldap_server_url);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, ldap_user);
env.put(Context.SECURITY_CREDENTIALS, ldap_password);
env.put(Context.SECURITY_PROTOCOL, "SSL");
// Set SSL parameters for Ldaps connection
System.setProperty("javax.net.ssl.trustStore", ldap_trust_store_file);
System.setProperty("javax.net.ssl.trustStorePassword",
ldap_trust_store_pwd);
// Try to establish the connection
try {
// create initial context
ctxtDir = new InitialDirContext(env);
attributes = getLdapattributes(ldap_base_dn);
if (null != attributes) {
isAvailable = true;
}
} catch (Exception e) {
isAvailable = false;
}
The problem is that i don't want to use the location of the truststore file, i want to use the inputstream (file content), is there any way to do that? like when using SSLContext to esbabish a https connection.

Unbound Ldap SDK is best latest LDAP API. It also offers SSLSocketFactory to establish SSL connection.
TrustAllTrustManager manager = new TrustAllTrustManager();
SSLUtil sslUtil = new SSLUtil(manager);
SSLSocketFactory socketFactory;
try {
socketFactory = sslUtil.createSSLSocketFactory("TLSv1");
}
catch (GeneralSecurityException e) {
throw new LDAPException(ResultCode.CANCELED, "An error occured while creating SSL socket factory.");
}
and use this socketFactory as
new RoundRobinServerSet(addressesArray, portsArray, socketFactory);

Related

download a certificate from a ldap server in java

Can someone explain to me whether following code is correct to download a certificate ties to a specific person in java? I am getting an exception as "unknown protocol: ldaps".
public void downloadCert() {
String urlStr="ldaps://aServerSomeWhere:636/cn=doe%20john,ou=personnel,o=comany123,c=us?caCertificate;binary";
URL url = null;
try {
url = new URL(urlStr);
URLConnection con = url.openConnection();
InputStream is = con.getInputStream();
CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate)certFactory.generateCertificate(is);
System.out.println("getVersion: " + cert.getVersion());
} catch (Exception e) {
System.out.println(e.getMessage());
}
}
No it isn't correct. There is no handler for the LDAPS: protocol in the URL/URLConnection system.
You can use JNDI to get the caCertificate attribute of that user, via DirContext.getAttributes().

SpringLdap 2 over ldaps

I've followed an interesting webinar about springLdap and I'm planning to migrate my current Ldap interface to SpringLdap. However I haven't seen any easy way to connect to an LDAPS server. In my current implementation I had to do something like:
String nextToken = stCc.nextToken();
Properties envP = initializeEnv(nextToken, userPassword);
try
{
LdapContext ctx = new InitialLdapContext(envP, null);
//System.out.println(nextToken + " successfully validation");
return ctx;
}
and
private Properties initializeEnv(String userName, String userPassword) throws IOException
{
Properties envP = new Properties();
envP.setProperty(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
envP.put(Context.PROVIDER_URL, (String) properties.get("ldap.server.url"));
if (userName != null)
envP.setProperty(Context.SECURITY_PRINCIPAL, userName);
if (userPassword != null)
envP.setProperty(Context.SECURITY_CREDENTIALS, userPassword);
envP.setProperty(Context.SECURITY_AUTHENTICATION, "simple");
envP.setProperty("java.naming.security.protocol", "ssl");
envP.setProperty("com.sun.jndi.ldap.connect.pool", "true");
envP.put("java.naming.ldap.factory.socket", "org.mycompany.ldap.CustSSLSocketFactory");
return envP;
}
and more:
public EmblSSLSocketFactory()
{
try
{
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, new TrustManager[]
{
new DummyTrustmanager()
}, new SecureRandom());
socketFactory = ctx.getSocketFactory();
}
catch (Exception ex)
{
ex.printStackTrace(System.err); /* handle exception */
}
}
Which is the equivalent (and possibly easier) way to do such authentication over TLS with SPRING-LDAP 2?
Thanks

Use both premitive and proxy authentication for a apache HttpClient 4.3.1

I am trying to connect a target host, which requires a username and password for primitive authentication from a proxy server that also have its own host, username and password.
Updated
The use case is something like this
My System connects with internet using proxy assume proxy.mydomain.com
And my proxy uses authentication to connect and authenticatuion is done using username and password
Username : MyDomain\myusername
Password : Password
Ok now the API or service which I want to connect is using Preemptive authentication I have some code snippet form API Docs :
final HttpState state = client.getState();
final HttpClientParams params = client.getParams();
myCreds = new UsernamePasswordCredentials(userName, userPassword);
System.out.println("Created credentials for " + myCreds.getUserName());
// Apply the credentials to the httpclient for preemptive authentication.
params.setAuthenticationPreemptive(true);
state.setCredentials(AuthScope.ANY, myCreds);
I tried with all apche clients from 4.1 to 4.3 but no solution at all.
I can set one credential but not getting how can both set together to a HttpClient ?
Below is my Code :
CloseableHttpResponse response;
HttpHost myHost=new HttpHost("172.17.8.192", 443, "https");
CredentialsProvider myServerCredsProvider;
if (userName.length() > 0 && userPassword.length() > 0)
{
myServerCredsProvider = new BasicCredentialsProvider();
myServerCredentials = new UsernamePasswordCredentials(userName, userPassword);
logger.info("Username : "+userName+" Password : "+userPassword);
myServerCredsProvider.setCredentials(
new AuthScope(myHost.getHostName(),myHost.getPort()),
myServerCredentials);
logger.info("After Creds Provider");
client = HttpClients.custom()
.setDefaultCredentialsProvider(myServerCredsProvider).build();
}
HttpHost proxy = new HttpHost("proxy.mycompany.com", 8080);
UsernamePasswordCredentials poxyAuthDetails=new UsernamePasswordCredentials("MyDomain//username", "password");
CredentialsProvider proxyProvider=new BasicCredentialsProvider();
proxyProvider.setCredentials(new AuthScope(proxy.getHostName(),proxy.getPort()), poxyAuthDetails);
RequestConfig config = RequestConfig.custom()
.setProxy(proxy)
.build();
HttpGet getServerDetailsUrl=new HttpGet(BaseURI+DominoServerAddress+API_BASE_URI);
getServerDetailsUrl.setConfig(config);
try {
response=client.execute(getServerDetailsUrl);
try {
HttpEntity entity = response.getEntity();
logger.info("----------------------------------------");
logger.info(response.getStatusLine());
if (entity != null) {
logger.info("Response content length: " + entity.getContentLength());
}
EntityUtils.consume(entity);
} finally {
response.close();
}
} catch (IOException ex) {
isAuthenticate=false;
logger.info("Exception Occured "+ex.getMessage());
}
I am getting exception while trying to execute :
HTTP/1.1 407 Proxy Authorization Required

httpcomponents's ssl connection results in socket is closed

I am trying to get some data from webserver which works fine with http.
But when I try https(ssl connection), I get the exceptions like below.
I get the http status code 200 and response content length 2230 which is correct.
java.net.SocketException: Socket is closed
at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1483)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:92)
at org.apache.http.impl.io.AbstractSessionInputBuffer.fillBuffer(AbstractSessionInputBuffer.java:166)
at org.apache.http.impl.io.SocketInputBuffer.fillBuffer(SocketInputBuffer.java:90)
at org.apache.http.impl.io.AbstractSessionInputBuffer.read(AbstractSessionInputBuffer.java:183)
at org.apache.http.impl.io.ContentLengthInputStream.read(ContentLengthInputStream.java:144)
at org.apache.http.conn.EofSensorInputStream.read(EofSensorInputStream.java:121)
My code is like below with apache httpcomponents httpclient(4.2.5) library.
try {
HttpPost httppost = new HttpPost(uri);
HttpHost targetHost = new HttpHost(HOST_NAME, HOST_PORT, PROTOCOL);
InputStreamEntity reqEntity = new InputStreamEntity(new ByteArrayInputStream(request), -1);
String contentType = TSPConstants.CONST_TSA_CONTENT_TYPE_TSREQUEST;
reqEntity.setContentType(contentType);
reqEntity.setChunked(true);
// It may be more appropriate to use FileEntity class in this particular
// instance but we are using a more generic InputStreamEntity to demonstrate
// the capability to stream out data from any arbitrary source
//
// FileEntity entity = new FileEntity(file, "binary/octet-stream");
httppost.setEntity(reqEntity);
//Authentication
httpclient.getCredentialsProvider().setCredentials(
new AuthScope(targetHost.getHostName(), targetHost.getPort()),
new UsernamePasswordCredentials(id, password));
// Create AuthCache instance
AuthCache authCache = new BasicAuthCache();
// Generate BASIC scheme object and add it to the local
// auth cache
BasicScheme basicAuth = new BasicScheme();
authCache.put(targetHost, basicAuth);
// Add AuthCache to the execution context
BasicHttpContext httpContext = new BasicHttpContext();
httpContext.setAttribute(ClientContext.AUTH_CACHE, authCache);
httpContext.setAttribute(ClientContext.COOKIE_STORE, cookieStore);
//SSL
SSLContext ctx = SSLContext.getInstance("TLS");
X509TrustManager tm = new X509TrustManager() {
public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException { }
public void checkServerTrusted(X509Certificate[] xcs, String string) throws CertificateException { }
public X509Certificate[] getAcceptedIssuers() {
return null;
}
};
ctx.init(null, new TrustManager[]{tm}, null);
SSLSocketFactory ssf = new SSLSocketFactory(ctx, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
Scheme sch = new Scheme("https", HOST_PORT, ssf);
httpclient.getConnectionManager().getSchemeRegistry().register(sch);
System.out.println("executing request " + httppost.getRequestLine());
httpclient.execute(httppost, httpContext);
HttpResponse response = send(request);
HttpEntity resEntity = response.getEntity();
System.out.println("----------------------------------------");
System.out.println(response.getStatusLine());
if (resEntity != null) {
System.out.println("Response content length: " + resEntity.getContentLength());
System.out.println("Chunked?: " + resEntity.isChunked());
}
EntityUtils.consume(resEntity);
resEntity.getContent()
} finally {
// When HttpClient instance is no longer needed,
// shut down the connection manager to ensure
// immediate deallocation of all system resources
httpclient.getConnectionManager().shutdown();
}
Basically the answer gave #Avner in the comment.
The problem (for me) was, that the response was closed before the entity was read.
I did something like this, which was wrong:
HttpEntity entity = null;
try (CloseableHttpResponse response = client.execute(request)) {
entity = response.getEntity();
}
read(entity);
The following worked:
try (CloseableHttpResponse response = client.execute(request)) {
HttpEntity entity = response.getEntity();
read(entity);
}
The maybe not so obvious part: The try-with-resources block in the first example closed the stream, before it was read.

SSL connection to ldap using certitificates and custom ssl socket factory

This is my scenario , i want to connect to ldap usign jndi , i am using custom SSLSOcketfactory which reads the truststore and keystore . The context is created successful but when i try to authenticate using the same credentials it throws an error telling that the authentication method is not supported.
here is my code of the custom ssl socket -
try {
StringBuffer trustStore = new StringBuffer("c:/Temp/certs/TrustStore");
StringBuffer keyStore = new StringBuffer("c:/Temp/certs/keystore.arun");
StringBuffer keyStorePass = new StringBuffer("xxxxx");
StringBuffer keyAlias = new StringBuffer("user");
StringBuffer keyPass = new StringBuffer("XXXX");
TrustManagerFactory tmf =TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
FileInputStream fis = new FileInputStream(trustStore.toString());
KeyStore ks1 = KeyStore.getInstance("jks");
ks1.load(fis, trustStorePass.toString().toCharArray());
fis.close();
tmf.init(ks1);
TrustManager[] tms = tmf.getTrustManagers();
FileInputStream fin = new FileInputStream(keyStore.toString());
KeyStore ks2 = KeyStore.getInstance("jks");
ks2.load(fin, keyStorePass.toString().toCharArray());
fin.close();
KeyManagerFactory kmf =
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks2, keyStorePass.toString().toCharArray());
KeyManager[] kms = kmf.getKeyManagers();
if (keyAlias != null && keyAlias.length() > 0) {
for (int i = 0; i < kms.length; i++) {
// We can only deal with instances of X509KeyManager
if (kms[i] instanceof X509KeyManager)
kms[i] = new CustomKeyManager(
(X509KeyManager) kms[i], keyAlias.toString());
}
}
SSLContext context = SSLContext.getInstance("TLS");
context.init(kms,tms, null);
ssf = context.getSocketFactory();
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
public static SocketFactory getDefault() {
return new CustomSSLSocketFactory();
}
And the jndi code which uses this CustomSSLSocketFactory is as follows
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldaps://wx64ads01a.vapps.esca.com:636");
env.put(Context.REFERRAL, "follow");
env.put("java.naming.ldap.derefAliases", "always");
env.put("java.naming.ldap.factory.socket","com.eterra.security.authz.dao.CustomSSLSocketFactory" );
try {
ctx = new InitialLdapContext(env, null);
// start ssl session for server authentication
}catch(Exception e ){
System.out.println(e);
}
try{
ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION,
"EXTERNAL");
String path = "CN=domain,DC=casa,DC=com"
String inFilter = "(&(objectClass=*))";
SearchControls sc = new SearchControls();
sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
NamingEnumeration<SearchResult> results = null;
results = ctx.search(path, inFilter, sc);
}
My Context is created perfectly but when i try to authenticate and bind to the ldap , i get Invalid Authentication method . ANy help will be appreciated , Struggling with these error over a long time now . Thanks in advance .
Context.SECURITY_AUTHENTICATION, "EXTERNAL"
when i try to authenticate and bind to the ldap , i get Invalid Authentication method
So your LDAP server doesn't support EXTERNAL authentication.