The most likely cause is that you're importing certificates into a different keystore from the one tomcat/pwm is using. Make sure the keystore you're importing into is the same keystore the JVM Tomcat is running with.
Alternatively, you can use one of the nightly pwm builds, which has an auto-import ldap certificate feature.
Original comment by jrivard
on 1 Apr 2013 at 4:44
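The comment above turns on one question: which truststore does the JVM that runs Tomcat actually consult when PWM opens its LDAPS connection? Java validates outbound TLS against the file named by -Djavax.net.ssl.trustStore or, when that property is absent, the JVM's own lib/security/cacerts (jre/lib/security/cacerts on a JDK 8 layout). The keystore configured in Tomcat's server.xml Connector is Tomcat's own HTTPS server identity and is not used for outbound trust, so importing a CA there has no effect on LDAPS. The following is an added example, not code from the PWM project: it resolves the truststore from the running JVM's command line and builds the keytool import and verification commands against that file. The paths, PID handling and the alias "ldap-root-ca" are assumptions; the default cacerts password "changeit" is Java's documented default.

```python
"""Added example (not PWM project code): locate the truststore the Tomcat JVM
really uses for outbound LDAPS and import the LDAP CA certificate into it."""
import os
import shlex
import subprocess

DEFAULT_STOREPASS = "changeit"  # Java's shipped cacerts password


def resolve_truststore(jvm_args: str, java_home: str, exists=os.path.isfile) -> str:
    """Return the truststore path the JVM described by `jvm_args` will use.

    `jvm_args` is the JVM command line (e.g. `ps -o args= -p <tomcat pid>`).
    An explicit -Djavax.net.ssl.trustStore= wins; otherwise Java falls back to
    its own cacerts. `exists` is injectable so the lookup is testable offline.
    """
    for arg in shlex.split(jvm_args):
        if arg.startswith("-Djavax.net.ssl.trustStore="):
            return arg.split("=", 1)[1]
    # JDK 8 and earlier keep the runtime under jre/; a JRE or JDK 9+ under lib/.
    jre_cacerts = os.path.join(java_home, "jre", "lib", "security", "cacerts")
    if exists(jre_cacerts):
        return jre_cacerts
    return os.path.join(java_home, "lib", "security", "cacerts")


def keytool_import_cmd(truststore: str, cert_file: str, alias: str,
                       storepass: str = DEFAULT_STOREPASS) -> list:
    """keytool argv that adds `cert_file` (PEM or DER) as a trusted CA entry."""
    return ["keytool", "-importcert", "-noprompt", "-trustcacerts",
            "-alias", alias, "-file", cert_file,
            "-keystore", truststore, "-storepass", storepass]


def keytool_list_cmd(truststore: str, alias: str,
                     storepass: str = DEFAULT_STOREPASS) -> list:
    """keytool argv that prints the entry, proving it landed in this file."""
    return ["keytool", "-list", "-v", "-alias", alias,
            "-keystore", truststore, "-storepass", storepass]


def import_ldap_ca(jvm_args: str, java_home: str, cert_file: str,
                   alias: str = "ldap-root-ca",
                   storepass: str = DEFAULT_STOREPASS) -> str:
    """Resolve the live truststore, import the CA into it, verify, return path."""
    truststore = resolve_truststore(jvm_args, java_home)
    subprocess.run(keytool_import_cmd(truststore, cert_file, alias, storepass), check=True)
    subprocess.run(keytool_list_cmd(truststore, alias, storepass), check=True)
    return truststore


if __name__ == "__main__":
    import sys
    # Usage (assumed): python import_ldap_ca.py <tomcat-java-pid> <ldap-root-ca.pem>
    pid, cert = sys.argv[1], sys.argv[2]
    args = subprocess.run(["ps", "-o", "args=", "-p", pid],
                          check=True, capture_output=True, text=True).stdout
    print("imported into", import_ldap_ca(args, os.environ["JAVA_HOME"], cert))
```

Run it against the PID of the java process that serves Tomcat, not against a shell wrapper such as catalina.sh, since only the java process carries the -D options. After the import, restart Tomcat: the JVM reads its truststore once at startup.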
Issue 351 has been merged into this issue.
Original comment by jrivard
on 2 Apr 2013 at 3:45
Jrivard, many thanks for your fast answer.
I know the problem about placement of the keystore in the filesystem.
I have created the .keystore file in root's home directory. Then I copied this file into the /opt/apache.../webapps directory, because this location is configured in the apache tomcat configuration file "server.xml" under the "connector" section as the location of the keystore file in the filesystem.
Additionally I have copied the .keystore file to $JAVA_HOME/lib/security (but I think this is not necessary in my case).
But the .keystore file in those three places does not help to solve the problem.
I have attached the content of my keystore file.
There you can see three entries (aliases): root, tomcat and sles-2.
Root is the CA's self-signed certificate (imported with keytool and the parameter -trustcacerts).
Tomcat is the sles-1 certificate signed by the trusted root CA. (There you can see the certificate chain with two certificates.)
On the machine sles-1, apache tomcat and pwm are installed and running.
Sles-2 is the machine with the eDirectory. The server certificate of sles-2 is also issued by the trusted root CA, but there I cannot see a certificate chain like in the tomcat certificate. Is this correct? I don't know?!?!
You have written:
"Alternatively, you can use one of the nightly pwm builds, which has an auto-import ldap certificate feature."
I have already read this, but I cannot find this build. Where can I get this new version of pwm?
Nevertheless, I'm very interested to know what the solution to my problem is.
Original comment by tui-...@tenno.com
on 3 Apr 2013 at 8:48
Sorry, but I do not think this case and mine are the same.
I have a public certificate (Terena), and so according to the manual:
"You use the certificate issued by a generally recognized commercial certificate authority. The authority of this certificate should already be in the certificate database. If the LDAP server name in the URL is identical to the common name of the certificate, you're done."
So I do not see how this information can help me. Could you be more specific?
Original comment by uaberta...@gmail.com
on 4 Apr 2013 at 3:38
Sorry, these issues are between your ldap directory and the Java crypto engine.
PWM is not involved. The errors may not be related, but are both generated by
the Java crypto libraries, not PWM. You can try asking for help on the
pwm-general google group, or a Java/SSL related forum elsewhere.
As I mentioned, you can use PWM's certificate validator which is in the current
builds (not in 1.6.4). Click "daily builds" on the project home page to
access. This uses PWM custom libraries to import and validate ldaps
certificates.
Original comment by jrivard
on 5 Apr 2013 at 1:15
Thanks for your answer.
Now I have installed the latest build of pwm. Then I imported the certificates using the pwm menu, and all works fine! I'm happy!
But I cannot understand why my first attempt failed.
Where does pwm save the certificates imported via pwm's menu?
Best regards!
Original comment by tui-...@tenno.com
on 15 Apr 2013 at 9:24
The certs auto-imported by PWM are stored in the PwmConfiguration.xml. There is a custom SSL Validator used to check those certs against the LDAP connection.
If you're curious, the format they are stored in within the PwmConfiguration.xml is simply the standard base64 DER format. You can copy and paste the base64 blob into a .der file, put the usual --BEGIN CERT HERE-- style lines before and after the blob, and then use standard certificate manager tools (including keytool) to view them.
Original comment by jrivard
on 15 Apr 2013 at 12:33
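The wrap described above, as an added example that is not PWM project code: the armor lines keytool and openssl actually expect are "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" with the base64 folded at 64 columns, and before writing the file it is worth checking that the blob copied out of the XML is complete, which the outer DER length header makes possible (an X.509 certificate is a DER SEQUENCE, tag 0x30, whose encoded length must match the decoded byte count). The sample blob used in the test is a constructed minimal DER SEQUENCE, not a real certificate.

```python
"""Added example (not PWM project code): turn a bare base64 DER blob, as stored
in PwmConfiguration.xml, into a PEM file that keytool/openssl can read, after
checking that the blob decodes cleanly and is not truncated."""
import base64
import binascii
import re
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def der_outer_length(der: bytes) -> int:
    """Total encoded length (tag + length bytes + content) of the outermost
    DER SEQUENCE. A certificate is a SEQUENCE, so the first byte must be 0x30.
    Raises ValueError if the header is not a well-formed SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (certificate) blob")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    num_len_bytes = first & 0x7F          # long form: 0x8N, then N length bytes
    if num_len_bytes == 0 or len(der) < 2 + num_len_bytes:
        raise ValueError("bad DER length encoding")
    content_len = int.from_bytes(der[2:2 + num_len_bytes], "big")
    return 2 + num_len_bytes + content_len


def blob_to_der(blob: str) -> bytes:
    """Decode a base64 blob (whitespace and line breaks from the XML are
    tolerated) and verify the DER header length matches what was decoded."""
    b64 = re.sub(r"\s+", "", blob)
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"blob is not valid base64: {exc}") from exc
    expected = der_outer_length(der)
    if expected != len(der):
        raise ValueError(f"DER length mismatch: header says {expected} bytes, "
                         f"decoded {len(der)} (truncated or over-copied blob?)")
    return der


def blob_to_pem(blob: str) -> str:
    """Wrap a verified blob in standard PEM armor at 64 columns."""
    der = blob_to_der(blob)
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return PEM_HEADER + "\n" + "\n".join(lines) + "\n" + PEM_FOOTER + "\n"


def pem_roundtrips(blob: str) -> bool:
    """Confirm the stdlib PEM parser reads our output back to the same DER."""
    der = blob_to_der(blob)
    return ssl.PEM_cert_to_DER_cert(blob_to_pem(blob)) == der


if __name__ == "__main__":
    import sys
    # Usage (assumed): python blob_to_pem.py < blob.txt > cert.pem
    sys.stdout.write(blob_to_pem(sys.stdin.read()))
```

With the resulting cert.pem you can inspect the entry using `keytool -printcert -file cert.pem` or `openssl x509 -in cert.pem -noout -text`; both accept exactly this armor, which is why the file is best named .pem rather than .der (a .der file is expected to hold the raw bytes, not base64).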
Original issue reported on code.google.com by
tui-...@tenno.com
on 28 Mar 2013 at 4:05