This is my scenario , i want to connect to ldap usign jndi , i am using custom SSLSOcketfactory which reads the truststore and keystore . The context is created successful but when i try to authenticate using the same credentials it throws an error telling that the authentication method is not supported.
here is my code of the custom ssl socket -
try {
StringBuffer trustStore = new StringBuffer("c:/Temp/certs/TrustStore");
StringBuffer keyStore = new StringBuffer("c:/Temp/certs/keystore.arun");
StringBuffer keyStorePass = new StringBuffer("xxxxx");
StringBuffer keyAlias = new StringBuffer("user");
StringBuffer keyPass = new StringBuffer("XXXX");
TrustManagerFactory tmf =TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
FileInputStream fis = new FileInputStream(trustStore.toString());
KeyStore ks1 = KeyStore.getInstance("jks");
ks1.load(fis, trustStorePass.toString().toCharArray());
fis.close();
tmf.init(ks1);
TrustManager[] tms = tmf.getTrustManagers();
FileInputStream fin = new FileInputStream(keyStore.toString());
KeyStore ks2 = KeyStore.getInstance("jks");
ks2.load(fin, keyStorePass.toString().toCharArray());
fin.close();
KeyManagerFactory kmf =
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks2, keyStorePass.toString().toCharArray());
KeyManager[] kms = kmf.getKeyManagers();
if (keyAlias != null && keyAlias.length() > 0) {
for (int i = 0; i < kms.length; i++) {
// We can only deal with instances of X509KeyManager
if (kms[i] instanceof X509KeyManager)
kms[i] = new CustomKeyManager(
(X509KeyManager) kms[i], keyAlias.toString());
}
}
SSLContext context = SSLContext.getInstance("TLS");
context.init(kms,tms, null);
ssf = context.getSocketFactory();
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
public static SocketFactory getDefault() {
return new CustomSSLSocketFactory();
}
And the jndi code which uses this CustomSSLSocketFactory is as follows
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldaps://wx64ads01a.vapps.esca.com:636");
env.put(Context.REFERRAL, "follow");
env.put("java.naming.ldap.derefAliases", "always");
env.put("java.naming.ldap.factory.socket","com.eterra.security.authz.dao.CustomSSLSocketFactory" );
try {
ctx = new InitialLdapContext(env, null);
// start ssl session for server authentication
}catch(Exception e ){
System.out.println(e);
}
try{
ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION,
"EXTERNAL");
String path = "CN=domain,DC=casa,DC=com"
String inFilter = "(&(objectClass=*))";
SearchControls sc = new SearchControls();
sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
NamingEnumeration<SearchResult> results = null;
results = ctx.search(path, inFilter, sc);
}
My Context is created perfectly but when i try to authenticate and bind to the ldap , i get Invalid Authentication method . ANy help will be appreciated , Struggling with these error over a long time now . Thanks in advance .
Context.SECURITY_AUTHENTICATION, "EXTERNAL"
when i try to authenticate and bind to the ldap , i get Invalid Authentication method
So your LDAP server doesn't support EXTERNAL authentication.
Related
I have a SpringBoot app that must call a REST API which requires a certificate. I was provided 2 files from the service that propose this REST Service : a P12 file and a CA Root file.
I first created a keystore (JKS) :
keytool -keystore keystore.jks -genkey -alias client
Then I added a CA root to the JKS file :
keytool -keystore keystore.jks -import -file certeurope_root_ca_3.cer -alias cacert
Now in my app I have to call the rest API :
public DocumentDto sendRequest(DocumentDto documentDto) throws Exception {
// Set variables
String ts = "C:\\keystore\\keystore.jks";
String ks = "C:\\keystore\\CERTIFICATE.p12";
String tsPassword = properties.getProperty("signature.api.passphrase");
String ksPassword = properties.getProperty("signature.api.passphrase");
KeyStore clientStore = KeyStore.getInstance("PKCS12");
clientStore.load(new FileInputStream(ks), ksPassword.toCharArray());
log.warn("# clientStore : " + clientStore);
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(clientStore, ksPassword.toCharArray());
KeyManager[] kms = kmf.getKeyManagers();
KeyStore trustStore = KeyStore.getInstance("JKS");
trustStore.load(new FileInputStream(ts), tsPassword.toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(trustStore);
TrustManager[] tms = tmf.getTrustManagers();
SSLContext sslContext = null;
sslContext = SSLContext.getInstance("TLS");
sslContext.init(kms, tms, new SecureRandom());
// set the URL to send the request
HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
URL url = new URL(properties.getProperty("signature.api.url.full"));
// opening the connection
HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
// Create all-trusting host name verifier
HostnameVerifier allHostsValid = new HostnameVerifier() {
public boolean verify(String hostname, SSLSession session) { return true; }
};
// Install the all-trusting host verifier
HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
HttpsURLConnection.setDefaultAllowUserInteraction( true );
HttpsURLConnection.setFollowRedirects( false );
HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
urlConnection.setRequestMethod("POST");
urlConnection.setDoOutput(true);
urlConnection.setDoInput(true);
urlConnection.setUseCaches(false);
urlConnection.setAllowUserInteraction(true);
urlConnection.setReadTimeout(15000);
// create the JSON String
ObjectMapper mapper = new ObjectMapper();
// convert an oject to a json string
String jsonInString = mapper.writerWithDefaultPrettyPrinter().writeValueAsString(documentDto);
InputStreamReader isr=null;
try(OutputStream os = urlConnection.getOutputStream()) {
byte[] input = jsonInString.getBytes(StandardCharsets.UTF_8);
os.write(input, 0, input.length);
// check 400 & 403
if(urlConnection.getResponseCode() == 400 || urlConnection.getResponseCode() == 403) {
isr = new InputStreamReader(urlConnection.getErrorStream(), StandardCharsets.UTF_8);
String st= IOUtils.toString(isr);
log.warn("# errorStream :" + st );
} else if(urlConnection.getResponseCode() != 200) {
isr = new InputStreamReader(urlConnection.getErrorStream(), StandardCharsets.UTF_8);
String st= IOUtils.toString(isr);
} else {
isr = new InputStreamReader(urlConnection.getInputStream(), StandardCharsets.UTF_8);
}
}
// read the response
try(BufferedReader br = new BufferedReader(new InputStreamReader(urlConnection.getInputStream(), StandardCharsets.UTF_8))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
System.out.println(jsonInString);
return documentDto;
}
I also changed my port server : server.port=8443. I have 2 issues :
If i have : TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
I obtain : javax.net.ssl.SSLHandshakeException: No trusted certificate found
If I have : TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
I obtain : javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I'm stuck on that stuff for a while and I don't see what's going wrong.
Well i found out a solution which may not be the most elegant at all. But at least it work. I also made some refactor...
public DocumentCreateRequestDto sendRequest(DocumentDto documentDto) throws CertificateException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException, IOException {
// Set variables
String certificate = properties.getProperty("signature.api.certificate");
String PwdPk12 = properties.getProperty("signature.api.passphrase");
String httpsRestUrl = properties.getProperty("signature.api.url.full");
HttpsURLConnection con = getHttpsURLConnection(certificate, PwdPk12, httpsRestUrl);
// create the JSON String
ObjectMapper mapper = new ObjectMapper();
// convert an oject to a json string
String jsonInString = mapper.writerWithDefaultPrettyPrinter().writeValueAsString(documentDto);
jsonInString = "[" + jsonInString + "]";
StringBuilder response = getStringBuilder(con, jsonInString);
String output = response.toString();
output = output.substring(1, output.length()-1);
return mapper.readValue(output, DocumentCreateRequestDto.class);
}
private HttpsURLConnection getHttpsURLConnection(String certificate, String pwdPk12, String httpsRestUrl) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException, KeyManagementException {
KeyStore ks = KeyStore.getInstance("PKCS12");
ks.load(new FileInputStream(certificate), pwdPk12.toCharArray());
TrustManager[] trustAllCerts = new TrustManager[] {
new X509TrustManager() {
#Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
}
#Override
public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
}
#Override
public X509Certificate[] getAcceptedIssuers() {
// return new X509Certificate[0];
return null;
}
}
};
SSLContext ctx = SSLContext.getInstance("TLS");
// Create all-trusting host name verifier
HostnameVerifier allHostsValid = new HostnameVerifier() {
public boolean verify(String hostname, SSLSession session) { return true; }
};
KeyManagerFactory kmf = KeyManagerFactory.getInstance( "SunX509" );
kmf.init( ks, pwdPk12.toCharArray() );
ctx.init( kmf.getKeyManagers(), trustAllCerts, new SecureRandom() );
// Install the all-trusting host verifier
HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
HttpsURLConnection.setDefaultAllowUserInteraction( true );
HttpsURLConnection.setFollowRedirects( false );
HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
URL url = new URL(httpsRestUrl);
HttpsURLConnection con = (HttpsURLConnection) url.openConnection();
//connection
con.setRequestMethod("POST");
con.setDoOutput(true);
con.setRequestProperty("Accept-Encoding", "gzip,deflate");
con.setRequestProperty("Content-Type", "application/json");
con.setRequestProperty("Connection", "Keep-Alive");
con.setRequestProperty("User-Agent", "Apache-HttpClient/4.1.1 (java 1.5)");
con.setReadTimeout(15000);
con.setDoInput(true);
con.setUseCaches(false);
con.setAllowUserInteraction(true);
return con;
}
And :
private StringBuilder getStringBuilder(HttpsURLConnection con, String jsonInString) throws IOException {
InputStreamReader isr = null;
try (OutputStream os = con.getOutputStream()) {
byte[] input = jsonInString.getBytes(StandardCharsets.UTF_8);
os.write(input, 0, input.length);
// check 400 & 403
if (con.getResponseCode() == 400 || con.getResponseCode() == 403) {
isr = new InputStreamReader(con.getErrorStream(), StandardCharsets.UTF_8);
String st = IOUtils.toString(isr);
log.warn("# errorStream :" + st);
} else if (con.getResponseCode() != 200) {
isr = new InputStreamReader(con.getErrorStream(), StandardCharsets.UTF_8);
} else {
isr = new InputStreamReader(con.getInputStream(), StandardCharsets.UTF_8);
}
}
// read the response
String responseLine;
StringBuilder response = new StringBuilder();
try (BufferedReader br = new BufferedReader(new InputStreamReader(con.getInputStream(), StandardCharsets.UTF_8))) {
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
}
return response;
}
I am trying to port a .net application to JavaFx that has an integrated web browser that opens a website that requires a certificate. In windows the certificate was installed from a provided .pfx file and a pass phrase.
When the browser calls the website, a pop up shows the installed certificates, user chose the right one if there is more than one and website opens.
With the following code, I get the website to open connect using my certificate.
private void Connect() throws NoSuchAlgorithmException, FileNotFoundException, KeyStoreException, IOException, CertificateException, UnrecoverableKeyException, KeyManagementException {
SSLContext ctx = SSLContext.getInstance("TLS");
KeyManager[] keyManagers;
KeyStore keyStore = KeyStore.getInstance("pkcs12");
FileInputStream keyStoreFile = new FileInputStream(new File("Certificate.pfx"));
String keyStorePassword = "password";
keyStore.load(keyStoreFile, keyStorePassword.toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(keyStore, keyStorePassword.toCharArray());
keyManagers = kmf.getKeyManagers();
ctx.init(keyManagers, null, new SecureRandom());
SSLSocketFactory sslSocketFactory = ctx.getSocketFactory();
URL url = new URL("https://example.com");
HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
urlConnection.setSSLSocketFactory(sslSocketFactory);
BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream()));
String inputLine;
while ((inputLine = in.readLine()) != null) {
System.out.println(inputLine);
}
in.close();
}
How can I get this working in WebView control?
Thanks
I solved the issue after spending days researching.
Adding this lines of code before opening the website will make it work.
System.setProperty("javax.net.ssl.keyStore", "/path/to/certificate.pfx");
System.setProperty("javax.net.ssl.keyStorePassword","password");
Hope this help!
Can someone explain to me whether following code is correct to download a certificate ties to a specific person in java? I am getting an exception as "unknown protocol: ldaps".
public void downloadCert() {
String urlStr="ldaps://aServerSomeWhere:636/cn=doe%20john,ou=personnel,o=comany123,c=us?caCertificate;binary";
URL url = null;
try {
url = new URL(urlStr);
URLConnection con = url.openConnection();
InputStream is = con.getInputStream();
CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate)certFactory.generateCertificate(is);
System.out.println("getVersion: " + cert.getVersion());
} catch (Exception e) {
System.out.println(e.getMessage());
}
}
No it isn't correct. There is no handler for the LDAPS: protocol in the URL/URLConnection system.
You can use JNDI to get the caCertificate attribute of that user, via DirContext.getAttributes().
I've followed an interesting webinar about springLdap and I'm planning to migrate my current Ldap interface to SpringLdap. However I haven't seen any easy way to connect to an LDAPS server. In my current implementation I had to do something like:
String nextToken = stCc.nextToken();
Properties envP = initializeEnv(nextToken, userPassword);
try
{
LdapContext ctx = new InitialLdapContext(envP, null);
//System.out.println(nextToken + " successfully validation");
return ctx;
}
and
private Properties initializeEnv(String userName, String userPassword) throws IOException
{
Properties envP = new Properties();
envP.setProperty(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
envP.put(Context.PROVIDER_URL, (String) properties.get("ldap.server.url"));
if (userName != null)
envP.setProperty(Context.SECURITY_PRINCIPAL, userName);
if (userPassword != null)
envP.setProperty(Context.SECURITY_CREDENTIALS, userPassword);
envP.setProperty(Context.SECURITY_AUTHENTICATION, "simple");
envP.setProperty("java.naming.security.protocol", "ssl");
envP.setProperty("com.sun.jndi.ldap.connect.pool", "true");
envP.put("java.naming.ldap.factory.socket", "org.mycompany.ldap.CustSSLSocketFactory");
return envP;
}
and more:
public EmblSSLSocketFactory()
{
try
{
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, new TrustManager[]
{
new DummyTrustmanager()
}, new SecureRandom());
socketFactory = ctx.getSocketFactory();
}
catch (Exception ex)
{
ex.printStackTrace(System.err); /* handle exception */
}
}
Which is the equivalent (and possibly easier) way to do such authentication over TLS with SPRING-LDAP 2?
Thanks
I want to connect to ldap over SSL using truststore file.
I'm using the following code:
private DirContext ctxtDir = null;
Attributes attributes = null;
ldap_server_url = "ldaps://" + getLdapHostName() + ":"
+ getPort() + "/";
ldap_base_dn = getBaseDn();
ldap_user = getLogin();
ldap_password = getPwd();
ldap_trust_store_file = "C:\\truststore.jks";
ldap_trust_store_pwd = getStoreJKSPwd();
// Set the parameters
env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, ldap_context_factory);
env.put(Context.PROVIDER_URL, ldap_server_url);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, ldap_user);
env.put(Context.SECURITY_CREDENTIALS, ldap_password);
env.put(Context.SECURITY_PROTOCOL, "SSL");
// Set SSL parameters for Ldaps connection
System.setProperty("javax.net.ssl.trustStore", ldap_trust_store_file);
System.setProperty("javax.net.ssl.trustStorePassword",
ldap_trust_store_pwd);
// Try to establish the connection
try {
// create initial context
ctxtDir = new InitialDirContext(env);
attributes = getLdapattributes(ldap_base_dn);
if (null != attributes) {
isAvailable = true;
}
} catch (Exception e) {
isAvailable = false;
}
The problem is that i don't want to use the location of the truststore file, i want to use the inputstream (file content), is there any way to do that? like when using SSLContext to esbabish a https connection.
Unbound Ldap SDK is best latest LDAP API. It also offers SSLSocketFactory to establish SSL connection.
TrustAllTrustManager manager = new TrustAllTrustManager();
SSLUtil sslUtil = new SSLUtil(manager);
SSLSocketFactory socketFactory;
try {
socketFactory = sslUtil.createSSLSocketFactory("TLSv1");
}
catch (GeneralSecurityException e) {
throw new LDAPException(ResultCode.CANCELED, "An error occured while creating SSL socket factory.");
}
and use this socketFactory as
new RoundRobinServerSet(addressesArray, portsArray, socketFactory);