I have created a test environment. I have one ldap client, ldap listener (as a ldap proxy) and a ldap server. Ldap client sends ldap requests to ldap proxy on port 389 (SSL). Ldap proxy decodes the ldap requests and forwards them to the ldap server on port 389. And the proxy forwards the reply of the ldap server to ldap client successfully.
I created SSL certificate on ldap server. And this time I tested that ldap client sends ldap requests to ldap proxy on port 389 (SSL). Ldap proxy forwarded requests to the ldap server on port 636. And the proxy forwards the reply of the ldap server to ldap client successfully.
But there is a problem when I try to use SSL on both sides. I mean
ldap client (port 636) -> ldap proxy (port 636) -> ldap server (port
636)
My client throws an exception
javax.net.ssl.SSLHandshakeException: Remote host closed connection
during handshake
I am using unboundid ldap sdk and LdapDebugger example as a ldap proxy. How can I configure ldaplistener to accept SSL encrypted requests(port 636)?
thanks in advance...
If you're using the ldap-debugger tool provided with the LDAP SDK, it currently only supports SSL for communicating with the backend server, but not when communicating with a client. That is, the "--useSSL" option applies only for communication between the LDAP debugger and the backend directory server, and not between the client and the LDAP debugger. However, because this is potentially a very useful feature, I have just committed a set of changes that add this capability, so if you check out and build the latest version of the LDAP SDK, you will find that the ldap-debugger tool has a new "--listenUsingSSL" argument that controls this.
Note that regardless of whether you're using the ldap-debugger tool or you have created your own listener via Java code, you need to ensure that you have a Java keystore that contains the SSL certificate that will be presented to clients. If the LDAP server you're using is Java-based (e.g., the in-memory directory server provided with the LDAP SDK), then you probably already have this. Otherwise, you'll need to create one. If you're just doing this for testing purposes, a self-signed certificate should be just fine (as long as the client trusts it, or is configured to blindly trust all certificates).
Related
I have a domain served at server A and I have set up an A-record to server B.
For http://mypage.com all works fine.
But there is also SSL on the domain. On server B there are a few virtual hosts set up. One of which has an SSL virtual host (443), theirpage.com. If I now go to https://mypage.com I end up at theirpage.com.
If I set up mypage.com MUST I have the SSL certificate from server A available for this new specific ssl-virualhost? The provider at server A does not share their ssl-certificates...
Assuming:
Server A - DNS only, no web services.
Server B - Web server.
The following is extreme oversimplification of what actually happens. For simplicity we exclude all caches, networking and application complexity.
What happens on the client:
User navigates to mypage.com (HTTPS)
Browser/OS does a lookup of who mypage.com is; receives the IP
Browser attempts to establish secure connection with IP of a webserver.
It is at this point browser will look at the SSL certificate provided by your web server. That certificate must be signed by trusted authority and have a valid alternate name of mypage.com. Not signed or name does not match to what user typed into the browser you will receive a certificate error.
If the certificate passed:
Browser will complete establishing connection
Browser will request a content named mypage.com
Browser displays content revived from the web server
In this scenario only web server must have a valid certificate, prooving to the client that it is indeed the server client attempts to connect to.
HTTP Scenario is similar, but connection is not secured and site will load. Most of the websites setup redirect request on HTTP calls, forcing the user's browser repeat it's request via HTTPS protocol.
I am trying to set up a client-server EJB using two different machines on my network. while installing WAS server it prompted me to add admin credentials, so LTPA is enabled (hope it enabled SSL). Now on client EJB deployed WAS server I have to configure the outbound IIOP SSL certificate(Correct me if I am wrong on this). But unfortunately in the server WAS admin console I can see SSL Signer certificates cn(Host/domain) parameter as localhost. the same "localhost" is arriving when I try to "retrieve from port" in client EJB WAS server.
I have attached the "Retrieve from port" screenshot
Client WAS retrieve from port action
Even I have tried changing the hostname in the server WAS under the Server-> Communications -> Port to IP address instead of localhost.
I expect it should bring domainname.ipaddress
"Retrieve from port" action always brings "localhost" from the remote server
As per the comment by #Gas, I am following this below link
https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.multiplatform.doc/ae/tsec_sslreplacecell.html
will update in short
I set up an FTPS server with Apache MINA in which clients cients authenticate via user/password. I now want to force clients to authenticate via an SSL certificate, but I could not find instructions nor examples for this. Anyone can help?
Got it:
ListenerFactory factory = new ListenerFactory();
SslConfigurationFactory ssl = new SslConfigurationFactory();
ssl.setClientAuthentication("true");
ssl.setTruststoreFile(new File("trust.jks"));
ssl.setTruststorePassword("trust-password");
ssl.setKeystoreFile(new File("certs.jks"));
ssl.setKeystorePassword("certs-password");
factory.setSslConfiguration(ssl.createSslConfiguration());
factory.setImplicitSsl(true);
The server will force clients to connect using a certificate, and will only accept those included in trust.jks.
Problem: I have an application connecting to several databases (Redis, Riak, etc) via TCP through HAProxy. Like this:
app -> HAProxy --TLS--> HAProxy -> Redis
Access to HAProxy on Redis side is managed by Chef via iptables. We already use CFSSL for mutual TLS authentication on Nginx<->Nginx connections because it's way faster than waiting until Chef updates configuration.
Wanna make HAProxy on application side use client-side TLS certificate when connecting to HAProxy on DB side.
Actually any other proxy will do on client side but we'd like to keep things simple.
I deployed an embedded apacheds application to public cloudfoundry! but i can't access it from ldap client in my machine!!
my server properties:
host: http://kenzdz.cloudfoundry.com/
port: 10389
root dn: ou=system
when i use a class in the same project to acces the server,it success like the link show it:
http://kenzdz.cloudfoundry.com/ldaptest : it is a servlet that acces the ldap server
but when i use a ldap client like jexplorer to acess remotely to the server it doesn't success.
is it because an embedded ldap server i cant do it?
Cloudfoundry.com only allows inbound http(s) traffic on ports 80 and 443, respectively (see May i open a port on Cloud Foundry?). So you won't be able to interact using the LDAP protocol with the app you deployed.