LDAPS connection failed

Douglas E. Engert deengert at anl.gov
Thu Jul 18 10:35:27 EDT 2013


Are you trying to use ECDH?

You may also want to Google for: TLS java ecdh

What version of Java on IDP?

What LDAP server and version?


On 7/18/2013 7:39 AM, Norman B. wrote:
> Hello all,
>
> After passing successful tests with plain LDAP, I tried to set up a
> secure connection between Shibboleth Identity Provider 2.4.0 and our
> LDAP server via LDAPS, but it failed. I get the following errors in
> idp-warn.log:
>
> 14:03:54.062 - WARN [edu.vt.middleware.ldap.auth.SearchDnResolver:1105] - Error performing LDAP operation, retrying (attempt 0)
> javax.naming.CommunicationException: simple bind failed: ldap.xxxxxxx.de:636
>           at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215)
>           at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>           at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>           at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
> Caused by: javax.net.ssl.SSLException: Server key
>           at sun.security.ssl.Handshaker.throwSSLException(Handshaker.java:1274)
>           at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
>           at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
>           at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
> Caused by: java.security.spec.InvalidKeySpecException: Could not create EC public key
>           at sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:169)
>           at java.security.KeyFactory.generatePublic(KeyFactory.java:334)
>           at sun.security.ssl.HandshakeMessage$ECDH_ServerKeyExchange.<init>(HandshakeMessage.java:1057)
>           at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:218)
> Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
>           at sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
>           at sun.security.pkcs11.P11ECKeyFactory.generatePublic(P11ECKeyFactory.java:233)
>           at sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:164)
>           at java.security.KeyFactory.generatePublic(KeyFactory.java:334)
>
> Although the LDAP server does not use a self-signed certificate, I still
> imported the whole cert chain into the JDK truststore with the following
> command:
>
> 'keytool -import -trustcacerts -alias "ldap.xxxxxxx.de" -file path/to/cert.pem -keystore $JAVA_HOME/lib/security/cacerts'
>
> The login.config for Username/Password login handler:
>
> ShibUserPassAuth {
>      edu.vt.middleware.ldap.jaas.LdapLoginModule required
>         ldapUrl="ldaps://ldap.xxxxxxx.de"
>         ssl="true"
>         baseDn="ou=people,dc=xxxxxxx,dc=de"
>         userFilter="uid={0}";
> };
>
> I am at my wit's end. Has anybody had a similar problem and found a
> solution?
> Thanks in advance.
>
> Kind regards,
> Norman
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
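As an added diagnostic that is not part of the thread above, this POSIX shell script answers the "are you trying to use ECDH?" question from outside Java: it records which cipher suite the LDAPS server negotiates with a default client offer, and whether the server can still complete a handshake when the client offers only RSA key exchange (OpenSSL cipher string `kRSA`). It assumes `openssl` is installed; the host name is a placeholder.

```shell
# Added diagnostic, not code from the thread. Checks whether the LDAPS
# server negotiates an EC Diffie-Hellman suite (the key exchange the
# Java/PKCS11 stack trace above fails on) and whether a handshake still
# succeeds when the client offers RSA key exchange only.
# Requires openssl; host and port are placeholders supplied by the caller.

# Read `openssl s_client` output on stdin and print the negotiated suite
# from the SSL-Session block; prints nothing if no handshake took place
# (openssl reports the cipher as 0000 or (NONE) in that case).
negotiated_cipher() {
    sed -n 's/^ *Cipher *: *//p' | sed '/^(NONE)$/d;/^0000$/d' | head -n 1
}

# Succeed (exit 0) if the suite name denotes an ECDH or ECDHE key exchange,
# in either OpenSSL (ECDHE-RSA-...) or IANA/Java (TLS_ECDH_...) spelling.
uses_ecdh() {
    case "$1" in
        ECDH*|TLS_ECDH*) return 0 ;;
        *) return 1 ;;
    esac
}

# Handshake with the server, optionally restricting the client's cipher
# list (e.g. 'kRSA' = RSA key exchange only), and print a one-line verdict.
probe_ldaps() {
    host="$1"; port="${2:-636}"; ciphers="${3:-DEFAULT}"
    cipher=$(printf '' | openssl s_client -connect "$host:$port" \
                 -cipher "$ciphers" 2>/dev/null | negotiated_cipher)
    if [ -z "$cipher" ]; then
        echo "$host:$port [$ciphers]: handshake failed"
        return 1
    elif uses_ecdh "$cipher"; then
        echo "$host:$port [$ciphers]: $cipher (EC key exchange, as in the Java trace)"
    else
        echo "$host:$port [$ciphers]: $cipher (no EC key exchange)"
    fi
}

# Usage with a placeholder host: default client offer, then RSA-only offer.
# probe_ldaps ldap.example.com 636
# probe_ldaps ldap.example.com 636 kRSA
```

If the first probe reports an ECDHE suite and the second still succeeds, the server can fall back to a key exchange the IdP's PKCS11 provider handles; if the second probe fails, the server accepts EC key exchange only.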