Basic SSL LDAP Access With Java


An earlier entry demonstrating LDAP Basics with Java uses an unencrypted LDAP connection even for authentication. With simple authentication the password crosses the wire in the clear, so anyone who can capture the packets can read it. That scheme will not be acceptable in some environments.

One way to get around the problem is to enable SSL (LDAPS) on the LDAP server, and then connect over SSL. If the server uses a certificate issued by a CA your Java runtime already trusts, moving from an unsecured to a secure SSL connection is as easy as changing the LDAP URL you use to connect. For example, if your Java code currently sets this JNDI property:

int port = 389; // Default for LDAP
env.put(Context.PROVIDER_URL, "ldap://" + server + ":" + port + "/");

You need only point port at the SSL port (636 by default instead of 389) and add an s to the URL scheme:

int port = 636; // Default for LDAPS
env.put(Context.PROVIDER_URL, "ldaps://" + server + ":" + port + "/");

The OpenDS server on my laptop is using a self-signed cert for testing. I found a blog entry on how to get that cert easily into %JAVA_HOME%\jre\lib\security\jssecacerts. See http://blogs.sun.com/andreas/entry/no_more_unable_to_find and the InstallCert.java code posted there.

The laptop has hostname FR-MCRAIG-01, so here is how I got the OpenDS server cert into the keystore.

C:\Program Files\Java\jdk1.6.0_10\jre\lib\security>java InstallCert FR-MCRAIG-01:1636
Loading KeyStore C:\Program Files\Java\jdk1.6.0_10\jre\lib\security\cacerts...
Opening connection to FR-MCRAIG-01:1636...
Starting SSL handshake...

...

Server sent 1 certificate(s):

 1 Subject CN=FR-MCRAIG-01, O=OpenDS Self-Signed Certificate
   Issuer  CN=FR-MCRAIG-01, O=OpenDS Self-Signed Certificate
   sha1    c8 65 09 20 6d cd ce 49 74 79 94 db c5 de c0 9e 88 22 bf 2e
   md5     91 00 22 b5 af af ce 6f 18 4f d0 53 2a 25 25 79

Enter certificate to add to trusted keystore or 'q' to quit: [1]
1

[
[
  Version: V3
  Subject: CN=FR-MCRAIG-01, O=OpenDS Self-Signed Certificate
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 959636547431068463830836243017478926177556680160559342022702329015019
40821365387949638940708183584259305099964566669834719666082227059496757860621285
33579944708236976067614804323567219627938381230112392624635758595410619743902787
1114358806677720711353274033441757994535828245906353046883352879347380951654609
  public exponent: 65537
  Validity: [From: Tue Aug 04 15:35:44 CEST 2009,
               To: Thu Aug 04 15:35:44 CEST 2011]
  Issuer: CN=FR-MCRAIG-01, O=OpenDS Self-Signed Certificate
  SerialNumber: [    4a783930]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 60 21 E2 C0 09 D5 11 C8   80 91 55 44 A3 C3 D2 39  `!........UD...9
0010: 37 04 89 76 31 0E 40 9F   11 6D 79 E9 CB 14 1D 63  7..v1.@..my....c
0020: 6B 7B 0E 2A DF 74 18 BD   59 07 44 73 72 C0 D3 EA  k..*.t..Y.Dsr...
0030: 61 E1 A7 79 90 EE 73 AB   A0 40 FF F7 A9 F5 CA 0B  a..y..s..@......
0040: 6E FE 81 14 E3 1B 5C 50   83 96 9B B7 23 8C 8C ED  n.....\P....#...
0050: 7D 1C 22 BA DF 20 8D F4   82 8D 72 20 2C 31 41 3D  ..".. ....r ,1A=
0060: 36 01 95 78 23 C2 46 56   D1 9E DC E4 22 E9 0E A9  6..x#.FV...."...
0070: 99 2E 27 EC 96 D4 41 F2   C0 7A 89 2D 02 AF FB F5  ..'...A..z.-....

]

Added certificate to keystore 'jssecacerts' using alias 'FR-MCRAIG-01-1'

In InstallCert.java the default passphrase is changeit. In addition to the change of port number and the use of ldaps:// instead of ldap://, I added this Java to the top of the conf.jsp in the application posted.

// Use the trust store that contains the OpenDS cert. jssecacerts is a trust
// store (certs the client accepts), not a key store (the client's own identity),
// so the javax.net.ssl.trustStore properties are the ones to set.
String keystorePath = System.getProperty("java.home") +
        "\\lib\\security\\jssecacerts";
System.setProperty("javax.net.ssl.trustStore", keystorePath);
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
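As an added example (not the blog's own code, nor OpenDS's), here is a complete JNDI client that wires the two steps above together: it points JSSE at the jssecacerts trust store InstallCert populated, checks that the server's entry is actually in it before connecting, and then binds over ldaps://. The hostname, port, bind DN and passwords are assumed values taken from or modelled on the post.

```java
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LdapsBind {
    // Assumed values: change to match your server and bind identity.
    static final String HOST = "FR-MCRAIG-01";
    static final int PORT = 1636;                 // OpenDS LDAPS port used in the post
    static final String BIND_DN = "cn=Directory Manager";

    /** Point JSSE at the trust store InstallCert wrote, after checking the server's
     *  entry is really in it. A trust store, not a key store: the client has no cert. */
    static String configureTrustStore(String password) throws Exception {
        String path = System.getProperty("java.home") + File.separator + "lib"
                + File.separator + "security" + File.separator + "jssecacerts";
        KeyStore ks = KeyStore.getInstance("JKS");     // InstallCert writes a JKS file
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        // InstallCert saves the cert under "<host>-<n>"; JKS aliases are case-insensitive.
        if (!ks.containsAlias(HOST + "-1")) {
            throw new IllegalStateException("no cert for " + HOST + " in " + path
                    + "; run InstallCert first or the SSL handshake will fail");
        }
        System.setProperty("javax.net.ssl.trustStore", path);
        System.setProperty("javax.net.ssl.trustStorePassword", password);
        return path;
    }

    /** Same JNDI environment as the unsecured version, with ldaps:// and the SSL port. */
    static DirContext bind(String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + HOST + ":" + PORT + "/");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);   // SSL handshake and bind happen here
    }

    public static void main(String[] args) throws Exception {
        configureTrustStore("changeit");                 // InstallCert's default passphrase
        DirContext ctx = bind(args.length > 0 ? args[0] : "password");
        System.out.println("Bound over LDAPS as " + BIND_DN);
        ctx.close();
    }
}
```

If jssecacerts sits in java.home/lib/security, JSSE already picks it up as the default trust store even without the two system properties; setting them explicitly just makes the dependency visible and lets the pre-check fail with a clear message.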

Hope it helps.

Comments:

Hi

I read your post on the certificates, but when I try to put the hostname in the InstallCert java command, what I do not know is where I get my hostname: is it the page you want to access, or is it separate? And it sends me this error

Exception in thread "main" java.lang.NoClassDefFoundError: InstallCert
Caused by: java.lang.ClassNotFoundException: InstallCert
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
Could not find the main class: InstallCert. Program will exit.

and it does not work. Can you help me? Thanks

Posted by Tania on January 09, 2011 at 06:11 PM CET #

Hello Tania,

Looking at the exception, it seems you do not have InstallCert in your classpath. I suppose you'll either need to put the directory with InstallCert.class in your class path, or, if you have not yet compiled the code, make sure you have the InstallCert.java from Andreas's blog (http://blogs.sun.com/andreas/resource/InstallCert.java).

Hope that helps. Regards,
Mark

Posted by Mark Craig on January 10, 2011 at 12:39 AM CET #

About

Mark Craig writes about Directory Services products and technologies. The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.
