pingidentity / ldapsdk

UnboundID LDAP SDK for Java

Does UnboundID LDAP SDK support TLS mutual authentication? #93

Open JadenKong opened 3 years ago

JadenKong commented 3 years ago

Hi, recently I tried to use UnboundID to do TLS, and I found that one-way works with the correct client trustStore and server keyStore.
But in the two-way scenario, I set up the client's keyStore and the server's trustStore and it seems not to work: it connects successfully no matter what value is in these two params. Did I miss something? Can you provide some example for mutual authentication? Thanks!

dirmgr commented 3 years ago

The LDAP SDK does support mutual TLS authentication. This is actually handled by the JVM's underlying support for TLS, and the only real requirement is to provide a key manager when initializing the SSL context. If you're using SSLUtil, then that means you need to provide a non-null key manager (like KeyStoreKeyManager) to the constructor.

If you're not able to successfully establish a connection when you provide a key manager but you can when there's no key manager, then that almost certainly means that the server doesn't trust the certificate that the client is presenting to it. Although you may be able to get some useful debugging information from the client (for example, by making sure that the "javax.net.debug" system property is set to "all" in the JVM before attempting any network communication), this is much more likely to be an issue with the server's configuration. The process for troubleshooting that will be specific to whatever type of directory server you're using, but I'd recommend using whatever logging or debugging facilities that server provides to see if it offers any clue as to what might be going on.

JadenKong commented 3 years ago

Hi @dirmgr, thanks for your reply. I think maybe the problem is in the embedded server. In my situation, I use InMemoryDirectoryServer as the embedded LDAPS server; it cannot set Need Client Auth at the SSLServerSocketFactory level because setNeedClientAuth(true) needs to be set per socket. And maybe that's why I can't do mutual TLS authentication; it can only do server authentication.

dirmgr commented 3 years ago

You're right. The in-memory directory server didn't support mutual TLS authentication. However, I have just committed a change that added it. It'll be included in the next release, but you could get it now by checking out and building the code for yourself.

Another option you could use would be to create your own custom SSL socket factory that wraps another socket factory and calls setWantClientAuth or setNeedClientAuth on the socket before returning it to the caller.
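The two pieces described in this thread, the client side with a non-null key manager passed to SSLUtil (from the first reply) and the server side with a wrapping SSLServerSocketFactory that calls setNeedClientAuth on each accepted socket (from the reply above), as one added example. This is not code from the ldapsdk project or from either commenter; it uses only the public SSLUtil, KeyStoreKeyManager, TrustStoreTrustManager, InMemoryDirectoryServer and InMemoryListenerConfig.createLDAPSConfig APIs plus plain JSSE. The keystore paths and passwords are placeholders, and the class name MutualTlsExample and the wrapper class ClientAuthServerSocketFactory are this example's own names.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.security.GeneralSecurityException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocketFactory;

import com.unboundid.ldap.listener.InMemoryDirectoryServer;
import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
import com.unboundid.ldap.listener.InMemoryListenerConfig;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.util.ssl.KeyStoreKeyManager;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

public final class MutualTlsExample {

  // Hypothetical file locations; replace with real keystores.
  // server.jks holds the server's own certificate and private key.
  // server-truststore.jks holds the CA that issued the client certificates.
  // client.jks holds the client certificate and private key.
  // client-truststore.jks holds the CA that issued the server certificate.
  static final String SERVER_KEYSTORE = "/path/to/server.jks";
  static final String SERVER_TRUSTSTORE = "/path/to/server-truststore.jks";
  static final String CLIENT_KEYSTORE = "/path/to/client.jks";
  static final String CLIENT_TRUSTSTORE = "/path/to/client-truststore.jks";
  static final char[] KEYSTORE_PIN = "changeit".toCharArray(); // placeholder

  /**
   * Wraps a delegate SSLServerSocketFactory so that every server socket it
   * creates demands a client certificate during the handshake. JSSE exposes
   * this only on the socket, which is why a wrapper is needed.
   */
  static final class ClientAuthServerSocketFactory extends SSLServerSocketFactory {
    private final SSLServerSocketFactory delegate;

    ClientAuthServerSocketFactory(final SSLServerSocketFactory delegate) {
      this.delegate = delegate;
    }

    // setNeedClientAuth(true) fails the handshake if no trusted client cert
    // is presented; setWantClientAuth(true) would merely ask for one.
    private static ServerSocket requireClientAuth(final ServerSocket socket) {
      if (socket instanceof SSLServerSocket) {
        ((SSLServerSocket) socket).setNeedClientAuth(true);
      }
      return socket;
    }

    @Override public ServerSocket createServerSocket() throws IOException {
      return requireClientAuth(delegate.createServerSocket());
    }
    @Override public ServerSocket createServerSocket(final int port) throws IOException {
      return requireClientAuth(delegate.createServerSocket(port));
    }
    @Override public ServerSocket createServerSocket(final int port, final int backlog)
        throws IOException {
      return requireClientAuth(delegate.createServerSocket(port, backlog));
    }
    @Override public ServerSocket createServerSocket(final int port, final int backlog,
        final InetAddress address) throws IOException {
      return requireClientAuth(delegate.createServerSocket(port, backlog, address));
    }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
  }

  public static void main(final String[] args) throws LDAPException, GeneralSecurityException {
    // Server side: key manager for the server certificate, trust manager for
    // the CA that signed the client certificates, then the wrapper on top.
    final SSLUtil serverSSLUtil = new SSLUtil(
        new KeyStoreKeyManager(SERVER_KEYSTORE, KEYSTORE_PIN),
        new TrustStoreTrustManager(SERVER_TRUSTSTORE));
    final SSLServerSocketFactory serverFactory =
        new ClientAuthServerSocketFactory(serverSSLUtil.createSSLServerSocketFactory());

    // Client side: the non-null KeyStoreKeyManager is what makes the JVM send
    // a client certificate; the trust manager validates the server certificate.
    final SSLUtil clientSSLUtil = new SSLUtil(
        new KeyStoreKeyManager(CLIENT_KEYSTORE, KEYSTORE_PIN),
        new TrustStoreTrustManager(CLIENT_TRUSTSTORE));
    final SSLSocketFactory clientFactory = clientSSLUtil.createSSLSocketFactory();

    final InMemoryDirectoryServerConfig config =
        new InMemoryDirectoryServerConfig("dc=example,dc=com");
    config.setListenerConfigs(InMemoryListenerConfig.createLDAPSConfig(
        "LDAPS", null, 0, serverFactory, clientFactory)); // port 0 = any free port
    final InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config);
    ds.startListening();

    // A client without a key manager would now fail the handshake instead of
    // connecting, which is the behaviour the original report was missing.
    try (LDAPConnection conn =
             new LDAPConnection(clientFactory, "127.0.0.1", ds.getListenPort())) {
      System.out.println("mutual TLS handshake succeeded: " + conn.getRootDSE());
    } finally {
      ds.shutDown(true);
    }
  }
}
```

To confirm that the server really enforces client authentication, repeat the connection with an SSLUtil built from a null key manager and the client trust store only; with the wrapper in place that attempt should fail during the handshake rather than connect. The `javax.net.debug=all` system property mentioned earlier in the thread shows the CertificateRequest message and the certificate (or empty certificate) the client answers with.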

dirmgr commented 3 years ago

By the way, the way to use this in the new code is to use the new requestClientCertificate and requireClientCertificate arguments when creating an InMemoryListenerConfig object.

JadenKong commented 3 years ago

That's great, thanks for your patience and suggestions.