
List:       forgerock-opendj
Subject:    [Opendj] installation questions (SSL)
From:       ashmelkin () cashedge ! com (Alex Shmelkin)
Date:       2011-05-19 21:37:02
Message-ID: 2A4028C53C3E6E49B25B8D61132790961A209CF4B0 () MBX13 ! EXCHPROD ! USA ! NET

Hi Ludovic,

Thanks for the advice. However, I don't completely understand what the key steps here are. My keystore has both the public key (cert) of my server key pair and the signer cert (CA). What I noticed is that in this thread the file name is always keystore.jks; mine is different. Is this important? Also, the alias is server-cert, whereas I use my own. Does it make any difference?

I noticed that there is a file called config/truststore which contains the public cert of my original cert. When I change the keystore, this one does not change. Thanks,
Alex

From: opendj-bounces@forgerock.org [mailto:opendj-bounces at forgerock.org] On Behalf Of Ludovic Poitou
Sent: Thursday, May 19, 2011 1:53 PM
To: OpenDJ discussion list
Subject: Re: [Opendj] installation questions (SSL)

Hi Alex,

This reminds me of a long thread on OpenDS about a similar issue and the same error code. It turns out to be an error in the steps to set up the certs and all in JKS.

Here's the solution message in the thread, and this should also reference the whole thread.

http://markmail.org/message/7hc4f55stx7o3umx

Regards,

Ludovic.
- - -

Ludovic Poitou - ForgeRock France SAS
e: ludovic.poitou at forgerock.com
t: +33 625 14 96 92
w: www.forgerock.com
blog: http://ludopoitou.wordpress.com




On Thu, May 19, 2011 at 10:21 PM, Alex Shmelkin <ashmelkin at cashedge.com> wrote:

One thing I forgot to mention is that my key stores are not located in config, but elsewhere in the filesystem.

Test 1
ldapsearch hangs, then spits out the following:
Cannot send the simple bind request:  SocketTimeoutException(Read timed out)
Result Code:  81 (Server Connection Closed)
and then hangs for good. After Ctrl-C I looked into the logs: no messages written into any of them! Then I tried InstallCert, which also hangs, and then I get
Starting SSL handshake...
Exception in thread "main" java.net.SocketTimeoutException: Read timed out
        at java.net.SocketInputStream.socketRead0(Native Method)
        at java.net.SocketInputStream.read(SocketInputStream.java:129)
        at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
        at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:798)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
        at InstallCert.main(InstallCert.java:87)
After checking netstat, no LDAPS port is listening, so InstallCert killed the server. Checked the error log file:
[19/May/2011:11:10:51 -0700] category=PROTOCOL severity=FATAL_ERROR msgID=2425016 msg=The LDAP connection handler defined in configuration entry cn=LDAPS Connection Handler,cn=Connection Handlers,cn=config has experienced consecutive failures while trying to accept client connections:  An error occurred while attempting to initialize the SSL context for use in the LDAP Connection Handler:  An error occurred while trying to create a key manager factory to access the contents of keystore file /mnt/home/cimuser/APPSHOME/keystore/dev.jks:  UnrecoverableKeyException(Cannot recover key) (id=1310803) (LDAPConnectionHandler.java:1324 LDAPConnectionHandler.java:1255 LDAPConnectionHandler.java:1091 LDAPConnectionHandler.java:974).  This connection handler will be disabled
[19/May/2011:11:10:51 -0700] category=CORE severity=NOTICE msgID=458891 msg=The Directory Server has sent an alert notification generated by class org.opends.server.protocols.ldap.LDAPConnectionHandler (alert type org.opends.server.LDAPHandlerDisabledByConsecutiveFailures, alert ID 2425016):  The LDAP connection handler defined in configuration entry cn=LDAPS Connection Handler,cn=Connection Handlers,cn=config has experienced consecutive failures while trying to accept client connections:  An error occurred while attempting to initialize the SSL context for use in the LDAP Connection Handler:  An error occurred while trying to create a key manager factory to access the contents of keystore file /mnt/home/cimuser/APPSHOME/keystore/dev.jks:  UnrecoverableKeyException(Cannot recover key) (id=1310803) (LDAPConnectionHandler.java:1324 LDAPConnectionHandler.java:1255 LDAPConnectionHandler.java:1091 LDAPConnectionHandler.java:974).  This connection handler will be disabled
[19/May/2011:11:10:51 -0700] category=PROTOCOL severity=NOTICE msgID=2556181 msg=Stopped listening for new connections on LDAP Connection Handler 0.0.0.0 port 1601

Test 2
Self-signed cert
java.net.SocketException: Socket Closed
        at java.net.PlainSocketImpl.setOption(PlainSocketImpl.java:219)
        at java.net.Socket.setSoTimeout(Socket.java:1017)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setSoTimeout(SSLSocketImpl.java:2133)
        at org.opends.server.tools.LDAPConnection.connectToHost(LDAPConnection.java:519)
        at org.opends.server.tools.LDAPSearch.mainSearch(LDAPSearch.java:1775)
        at org.opends.server.tools.LDAPSearch.main(LDAPSearch.java:579)
Cannot send the simple bind request:  SSLHandshakeException(Received fatal alert: handshake_failure)
Result Code:  81 (Server Connection Closed)
Access log:
[19/May/2011:11:18:46 -0700] CONNECT conn=0 from=10.97.19.211:57430 to=10.97.19.211:1601 protocol=LDAPS
[19/May/2011:11:18:46 -0700] DISCONNECT conn=0 reason="Protocol Error" msg="The client sent a request to the Directory Server that could not be properly decoded as an LDAP message:  javax.net.ssl.SSLHandshakeException: no cipher suites in common"

InstallCert:
Loading KeyStore /usr/local/jdk1.6.0_25/jre/lib/security/cacerts...
Opening connection to ...com:1601...
Starting SSL handshake...

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1720)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:954)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
        at InstallCert.main(InstallCert.java:87)
Could not obtain server certificate chain
Same message in access log.

Alex

From: opendj-bounces@forgerock.org [mailto:opendj-bounces at forgerock.org] On Behalf Of Ludovic Poitou

To: OpenDJ discussion list
Subject: Re: [Opendj] installation questions (SSL)

Alex,

Are you sure there is not even the reason for the connection to fail in the server's access log? The access log contains a log entry for each incoming connection. Something like this:
[19/May/2011:11:51:19 +0200] CONNECT conn=2 from=10.10.0.149:52897 to=10.10.0.149:2636 protocol=LDAPS
[19/May/2011:11:51:19 +0200] DISCONNECT conn=2 reason="Protocol Error" msg="The client sent a request to the Directory Server that could not be properly decoded as an LDAP message:  javax.net.ssl.SSLException: Received fatal alert: certificate_unknown"

Regards,

Ludovic.

- - -

Ludovic Poitou - ForgeRock France SAS
e: ludovic.poitou at forgerock.com
t: +33 625 14 96 92
w: www.forgerock.com
blog: http://ludopoitou.wordpress.com



On Thu, May 19, 2011 at 3:12 AM, Alex Shmelkin <ashmelkin at cashedge.com> wrote:

I am new to OpenDJ (migrating from Sun EE 6.3) and have a few installation questions. I am creating 2 instances for OpenAM, users and config, and need to configure each for MMR. We have 2 hosts, host1 and host2, and on each I installed (unzipped) a separate directory. Basically I have 2 dirs, $HOME/DS/users and $HOME/DS/config, on each of the hosts. We also want to configure LDAPS ports for all the instances, so we use a real SSL certificate stored in a keystore.jks.

I have the following questions please:

1. Is cloning of the OpenDJ directory the right way to go, when creating multiple instances on one host?

2. Is there a web console for OpenDJ?

3. We tried using control_panel from a remote desktop, and it opens OK, but when we want to open "Manage Entries" we are getting

Connection Error

An error occurred trying to connect to the server to read data. Details: javax.naming.CommunicationException: myhost:1601 [Root exception is java.net.ConnectException: Connection refused: connect]

Port 1601 is the LDAPS port. All other items work without issues. I checked the log files, and there are no errors there. Can you please advise?

Thanks,
Alex


_______________________________________________
OpenDJ mailing list
OpenDJ at forgerock.org<mailto:OpenDJ at forgerock.org>
https://lists.forgerock.org/mailman/listinfo/opendj


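
Added example, not from the thread and not OpenDJ's own code: a stand-alone Python script that opens a JKS file the way Java's JavaKeyStore and KeyProtector classes do, so the "Cannot recover key" failure from Test 1 can be reproduced and checked offline without restarting the server. It implements the two checks that matter. The store-level integrity digest is SHA-1 over the PIN as UTF-16BE, the literal "Mighty Aphrodite" and the file body; a wrong store PIN fails here with Java's "Keystore was tampered with, or password was incorrect". Each private key is separately XORed with a SHA-1 keystream derived from its own password and salt and followed by SHA-1(password || key); a mismatch on that check digest is exactly what Java reports as UnrecoverableKeyException(Cannot recover key). A JSSE KeyManagerFactory is initialised with one password, so OpenDJ's file-based key manager provider can only recover keys whose key password equals the keystore PIN; a key generated or imported under a different password fails at "create a key manager factory", as in the error log above, whatever the file is called. On the two questions in the latest message: the file name is whatever the key manager provider's key-store-file property points at, while the alias has to match the ssl-cert-nickname of the LDAPS connection handler, and the script lists the aliases actually present so the two can be compared. The sample keystore is constructed in memory with placeholder key and certificate bytes and the alias names used in the thread; diagnose() and the other function names are my own. JKS only: keytool on Java 9 and later writes PKCS#12 unless given -storetype JKS.

```python
import hashlib, os, struct

MAGIC, VERSION, SALT_LEN, DIGEST_LEN = 0xFEEDFEED, 2, 20, 20
KEY_PROTECTOR_OID = bytes.fromhex("2b060104012a02110101")  # 1.3.6.1.4.1.42.2.17.1.1
_pw = lambda password: password.encode("utf-16-be")  # Java hashes password chars as UTF-16BE
_utf = lambda s: struct.pack(">H", len(s.encode())) + s.encode()  # DataOutputStream.writeUTF (ASCII)
_integrity = lambda body, pw: hashlib.sha1(_pw(pw) + b"Mighty Aphrodite" + body).digest()  # store MAC

def _der(tag, content):  # minimal DER TLV writer (short and long length forms)
    n = len(content)
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(nb)]) + nb) + content

def _der_read(buf, pos):  # -> (tag, value, position after this TLV)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def _keystream(pw, salt, length):  # digest_i = SHA1(pw || digest_{i-1}), digest_0 = salt
    out, digest = b"", salt
    while len(out) < length:
        digest = hashlib.sha1(pw + digest).digest()
        out += digest
    return out[:length]

def protect_key(plain_key, key_password, salt=None):
    # Java KeyProtector format: OCTET STRING = salt || (key XOR keystream) || SHA1(pw || key)
    pw, salt = _pw(key_password), salt or os.urandom(SALT_LEN)
    enc = bytes(a ^ b for a, b in zip(plain_key, _keystream(pw, salt, len(plain_key))))
    alg = _der(0x30, _der(0x06, KEY_PROTECTOR_OID))
    return _der(0x30, alg + _der(0x04, salt + enc + hashlib.sha1(pw + plain_key).digest()))

def recover_key(protected, key_password):
    # plaintext key, or None where Java throws UnrecoverableKeyException("Cannot recover key")
    _, outer, _ = _der_read(protected, 0)
    _, _alg, p = _der_read(outer, 0)  # AlgorithmIdentifier, skipped
    _, blob, _ = _der_read(outer, p)  # the OCTET STRING
    salt, enc, check = blob[:SALT_LEN], blob[SALT_LEN:-DIGEST_LEN], blob[-DIGEST_LEN:]
    pw = _pw(key_password)
    plain = bytes(a ^ b for a, b in zip(enc, _keystream(pw, salt, len(enc))))
    return plain if hashlib.sha1(pw + plain).digest() == check else None

def write_jks(entries, store_password):
    # entries: {alias: {"protected_key": .., "chain": [..]}} or {alias: {"cert": ..}}
    body = struct.pack(">III", MAGIC, VERSION, len(entries))
    for alias, e in entries.items():
        tag = 1 if "protected_key" in e else 2
        body += struct.pack(">I", tag) + _utf(alias) + struct.pack(">Q", 0)  # creation time
        if tag == 1:
            body += struct.pack(">I", len(e["protected_key"])) + e["protected_key"]
            body += struct.pack(">I", len(e["chain"]))
        for c in e["chain"] if tag == 1 else [e["cert"]]:
            body += _utf("X.509") + struct.pack(">I", len(c)) + c
    return body + _integrity(body, store_password)

def read_jks(data, store_password):
    # -> (integrity_ok, {alias: entry}); False = "Keystore was tampered with, or password was incorrect"
    body, pos = data[:-DIGEST_LEN], 0
    def take(n):
        nonlocal pos
        pos += n
        return body[pos - n:pos]
    u32 = lambda: struct.unpack(">I", take(4))[0]
    utf = lambda: take(struct.unpack(">H", take(2))[0]).decode()
    if (u32(), u32()) != (MAGIC, VERSION):
        raise ValueError("not a JKS version-2 keystore")
    entries = {}
    for _ in range(u32()):
        tag, alias, _created = u32(), utf(), take(8)
        if tag == 1:
            key = take(u32())
            entries[alias] = {"protected_key": key,
                              "chain": [(utf(), take(u32()))[1] for _ in range(u32())]}
        else:
            entries[alias] = {"cert": (utf(), take(u32()))[1]}
    return _integrity(body, store_password) == data[-DIGEST_LEN:], entries

def diagnose(data, pin):
    # what KeyManagerFactory.init(store, pin), hence OpenDJ's key manager provider, does with one PIN
    ok, entries = read_jks(data, pin)
    def status(e):
        if "protected_key" not in e:
            return "trusted cert only (no private key to serve TLS with)"
        if recover_key(e["protected_key"], pin) is None:
            return "Cannot recover key (key password differs from store PIN)"
        return "private key OK, chain of %d cert(s)" % len(e["chain"])
    return ok, {alias: status(e) for alias, e in entries.items()}

def build_sample(store_pin="changeit"):
    # constructed keystore: key/cert bytes are placeholders; 'dev-cert' has a key password unlike the PIN
    key, cert, ca = os.urandom(64), b"<server cert DER>", b"<CA cert DER>"
    return write_jks({
        "server-cert": {"protected_key": protect_key(key, store_pin), "chain": [cert, ca]},
        "dev-cert": {"protected_key": protect_key(key, "other-password"), "chain": [cert]},
        "ca": {"cert": ca}}, store_pin)

if __name__ == "__main__":
    print(*("%-12s %s" % kv for kv in diagnose(build_sample(), "changeit")[1].items()), sep="\n")
```

To check a real store, call diagnose(open("/path/to/dev.jks", "rb").read(), pin) with the PIN the server is configured with: server-cert in the sample comes back recoverable, dev-cert reports "Cannot recover key" because it was stored under a different key password, and ca is a trusted-cert entry with no private key. A store in which no alias is recoverable, or which only holds trusted certs, leaves the server with nothing to serve TLS with, which is the kind of state that commonly ends in the "no cipher suites in common" handshake failure of Test 2.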
