LDAPS connection failed
Douglas E. Engert
deengert at anl.gov
Thu Jul 18 10:35:27 EDT 2013
Are you trying to use ECDH?
You may also want to Google for: TLS java ecdh
What version of Java on IDP?
What LDAP server and version?
On 7/18/2013 7:39 AM, Norman B. wrote:
> Hello all,
>
> After passing successful tests with plain LDAP, I tried to set up a
> secure connection between Shibboleth Identity Provider 2.4.0 and our
> LDAP server via LDAPS, but it failed. I get the following errors in
> idp-warn.log:
>
> 14:03:54.062 - WARN [edu.vt.middleware.ldap.auth.SearchDnResolver:1105] - Error performing LDAP operation, retrying (attempt 0)
> javax.naming.CommunicationException: simple bind failed: ldap.xxxxxxx.de:636
>         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215)
>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
> Caused by: javax.net.ssl.SSLException: Server key
>         at sun.security.ssl.Handshaker.throwSSLException(Handshaker.java:1274)
>         at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
>         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
>         at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
> Caused by: java.security.spec.InvalidKeySpecException: Could not create EC public key
>         at sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:169)
>         at java.security.KeyFactory.generatePublic(KeyFactory.java:334)
>         at sun.security.ssl.HandshakeMessage$ECDH_ServerKeyExchange.<init>(HandshakeMessage.java:1057)
>         at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:218)
> Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
>         at sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
>         at sun.security.pkcs11.P11ECKeyFactory.generatePublic(P11ECKeyFactory.java:233)
>         at sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:164)
>         at java.security.KeyFactory.generatePublic(KeyFactory.java:334)
>
> Although the LDAP server does not use a self-signed certificate, I still
> imported the whole cert chain into the JDK truststore with the following
> command:
>
> keytool -import -trustcacerts -alias "ldap.xxxxxxx.de" -file path/to/cert.pem -keystore $JAVA_HOME/lib/security/cacerts
>
> The login.config for Username/Password login handler:
>
> ShibUserPassAuth {
>     edu.vt.middleware.ldap.jaas.LdapLoginModule required
>         ldapUrl="ldaps://ldap.xxxxxxx.de"
>         ssl="true"
>         baseDn="ou=people,dc=xxxxxxx,dc=de"
>         userFilter="uid={0}";
> };
>
> I am at my wit's end. Has anybody had a similar problem and found a
> solution?
> Thanks in advance.
>
> Kind regards,
> Norman
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
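The stack trace quoted above fails inside sun.security.pkcs11.P11ECKeyFactory while decoding the EC public key from the server's ECDHE ServerKeyExchange, which is the situation Douglas's "Are you trying to use ECDH?" question points at. The following diagnostic is an added example written for this page, not code from the thread, from Shibboleth or from the vt-ldap project; the class name EcCurveProbe and the curve list are assumptions. It prints which installed provider Java will choose for "KeyFactory.EC", then, for each common TLS curve, generates a key pair and re-creates the public key through KeyFactory.generatePublic(), the same call that threw CKR_DOMAIN_PARAMS_INVALID in the trace, so it reproduces the failure offline without touching the LDAP server:

```java
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.X509EncodedKeySpec;

// Hypothetical diagnostic class (not part of the IdP or vt-ldap).
public class EcCurveProbe {

    // Constructed list: curves commonly offered in TLS ECDHE key exchanges.
    private static final String[] CURVES = { "secp256r1", "secp384r1", "secp521r1" };

    public static void main(String[] args) {
        System.out.println("Java " + System.getProperty("java.version")
                + " (" + System.getProperty("java.vendor") + ")");

        // Provider order matters: the first provider that advertises
        // "KeyFactory.EC" is the one the TLS client handshake will use to
        // decode the server's EC key, even if a later provider (e.g. SunEC)
        // would handle the curve without complaint.
        for (Provider p : Security.getProviders()) {
            boolean hasEc = p.getService("KeyFactory", "EC") != null;
            System.out.println("  provider " + p.getName()
                    + (hasEc ? "  [offers KeyFactory.EC]" : ""));
        }

        for (String curve : CURVES) {
            System.out.println(probeCurve(curve));
        }
    }

    /**
     * Generates a key pair on the named curve with whichever provider Java
     * selects, then rebuilds the public key from its X.509 encoding via
     * KeyFactory.generatePublic(). Returns a one-line OK/FAIL summary naming
     * the providers involved and, on failure, the root-cause exception.
     */
    static String probeCurve(String curve) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            kpg.initialize(new ECGenParameterSpec(curve));
            KeyPair kp = kpg.generateKeyPair();

            KeyFactory kf = KeyFactory.getInstance("EC");
            PublicKey rebuilt = kf.generatePublic(
                    new X509EncodedKeySpec(kp.getPublic().getEncoded()));

            return String.format("%-10s OK   keygen=%s keyfactory=%s algorithm=%s",
                    curve, kpg.getProvider().getName(),
                    kf.getProvider().getName(), rebuilt.getAlgorithm());
        } catch (Exception e) {
            // A PKCS11Exception such as CKR_DOMAIN_PARAMS_INVALID surfaces here
            // when the first EC-capable provider (often SunPKCS11 bound to a
            // token that lacks the curve) cannot handle the requested curve.
            Throwable root = e;
            while (root.getCause() != null) {
                root = root.getCause();
            }
            return String.format("%-10s FAIL %s: %s", curve,
                    root.getClass().getSimpleName(), root.getMessage());
        }
    }
}
```

Compile and run it with the same JDK and java.security configuration the IdP uses (javac EcCurveProbe.java && java EcCurveProbe). A FAIL line whose keyfactory provider is a SunPKCS11 instance, while SunEC is listed further down, shows that the TLS client is being routed to a token that does not implement the server's curve; the fix is then a provider-ordering or token-configuration question rather than a truststore one, which is consistent with the keytool import above not helping.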