I'm trying to set up a new WSO2IS 4.1.0 server and connect it back to an OpenLDAP server. Our server requires an SSL connection.
When I configure the connection to be an LDAPS connection, I'm unable to verify the certificate (yes, the root CA is in the trust store). If I don't set the connection to LDAPS, then it fails to attempt a StartTLS. I have verified that my connection account works and that the LDAP server has a commercially issued certificate (don't let the example.com domain fool you, I scrubbed it), with the root CA listed in the client-truststore.jks.
Any help in figuring this out would be appreciated!
Here's my current configuration segment for the LDAP configuration:
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
    <Property name="ConnectionURL">ldaps://ldapserver.example.com:636</Property>
    <!--Property name="ConnectionURL">ldap://ldapserver.example.com:389</Property-->
    <Property name="ConnectionName">uid=wso2,dc=example,dc=com</Property>
    <Property name="ConnectionPassword">awesomepassword</Property>
    <Property name="passwordHashMethod">SHA</Property>
    <Property name="UserNameListFilter">(objectClass=person)</Property>
    <Property name="UserEntryObjectClass">inetOrgPerson</Property>
    <Property name="UserSearchBase">ou=Users,dc=opendaylight,dc=org</Property>
    <Property name="UserNameSearchFilter">(&(objectClass=person)(uid=?))</Property>
    <Property name="UserNameAttribute">uid</Property>
    <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
    <Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property>
    <Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property>
    <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
    <Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property>
    <Property name="ReadLDAPGroups">true</Property>
    <Property name="WriteLDAPGroups">true</Property>
    <Property name="EmptyRolesAllowed">false</Property>
    <Property name="GroupSearchBase">ou=Groups,dc=example,dc=com</Property>
    <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
    <Property name="GroupEntryObjectClass">groupOfNames</Property>
    <Property name="GroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
    <Property name="GroupNameAttribute">cn</Property>
    <Property name="MembershipAttribute">member</Property>
    <Property name="UserRolesCacheEnabled">true</Property>
    <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
    <Property name="maxFailedLoginAttempt">0</Property>
</UserStoreManager>
Here's a portion of the server log:
[2013-02-28 03:48:32,380] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Starting WSO2 Carbon...
[2013-02-28 03:48:32,383] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Operating System : Linux 2.6.32-358.el6.x86_64, amd64
[2013-02-28 03:48:32,383] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java Home : /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre
[2013-02-28 03:48:32,383] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java Version : 1.7.0_09-icedtea
[2013-02-28 03:48:32,383] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java VM : OpenJDK 64-Bit Server VM 23.7-b01,Oracle Corporation
[2013-02-28 03:48:32,383] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Carbon Home : /opt/wso2is/wso2is
[2013-02-28 03:48:32,384] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java Temp Dir : /opt/wso2is/wso2is/tmp
[2013-02-28 03:48:32,384] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - User : wso2is, en-US, Zulu
[2013-02-28 03:48:32,416] WARN {org.wso2.carbon.core.bootup.validator.SystemValidator} - Could not validate the system for configuration parameter : CPU
[2013-02-28 03:48:32,417] WARN {org.wso2.carbon.core.bootup.validator.util.ValidationResultPrinter} - Maximum free Disk Space (MB): 665 of the system is below the recommended minimum size :1024
[2013-02-28 03:48:32,427] INFO {org.wso2.carbon.databridge.agent.thrift.AgentHolder} - Agent created !
[2013-02-28 03:48:32,446] INFO {org.wso2.carbon.databridge.agent.thrift.internal.AgentDS} - Successfully deployed Agent Client
[2013-02-28 03:48:32,515] INFO {org.wso2.carbon.identity.authenticator.iwa.ui.internal.Activator} - Integrated Windows Authenticator enabled in the system
[2013-02-28 03:48:32,581] INFO {org.wso2.carbon.ldap.server.DirectoryActivator} - Embedded LDAP is disabled.
[2013-02-28 03:48:34,547] ERROR {org.wso2.carbon.user.core.ldap.LDAPConnectionContext} - Error obtaining connection. simple bind failed: ldapserver.example.com:636
javax.naming.CommunicationException: simple bind failed: ldapserver.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at org.wso2.carbon.context.internal.CarbonContextDataHolder$CarbonInitialJNDIContextFactory.getInitialContext(CarbonContextDataHolder.java:834)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
at javax.naming.InitialContext.init(InitialContext.java:242)
at javax.naming.InitialContext.<init>(InitialContext.java:216)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
at org.wso2.carbon.user.core.ldap.LDAPConnectionContext.getContext(LDAPConnectionContext.java:114)
at org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager.<init>(ReadWriteLDAPUserStoreManager.java:133)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
at org.wso2.carbon.user.core.common.DefaultRealm.createObjectWithOptions(DefaultRealm.java:225)
at org.wso2.carbon.user.core.common.DefaultRealm.initializeObjects(DefaultRealm.java:147)
at org.wso2.carbon.user.core.common.DefaultRealm.init(DefaultRealm.java:113)
at org.wso2.carbon.user.core.common.DefaultRealmService.initializeRealm(DefaultRealmService.java:223)
at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:103)
at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:116)
at org.wso2.carbon.user.core.internal.Activator.startDeploy(Activator.java:67)
at org.wso2.carbon.user.core.internal.BundleCheckActivator.start(BundleCheckActivator.java:61)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl$1.run(BundleContextImpl.java:711)
at java.security.AccessController.doPrivileged(Native Method)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl.startActivator(BundleContextImpl.java:702)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl.start(BundleContextImpl.java:683)
at org.eclipse.osgi.framework.internal.core.BundleHost.startWorker(BundleHost.java:381)
at org.eclipse.osgi.framework.internal.core.AbstractBundle.resume(AbstractBundle.java:389)
at org.eclipse.osgi.framework.internal.core.Framework.resumeBundle(Framework.java:1130)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:559)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:544)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.incFWSL(StartLevelManager.java:457)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.doSetStartLevel(StartLevelManager.java:243)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:438)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:1)
at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230)
at org.eclipse.osgi.framework.eventmgr.EventManager$EventThread.run(EventManager.java:340)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:882)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:275)
at java.io.BufferedInputStream.read(BufferedInputStream.java:334)
at com.sun.jndi.ldap.Connection.run(Connection.java:849)
at java.lang.Thread.run(Thread.java:722)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
... 12 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 18 more
[2013-02-28 03:48:34,556] ERROR {org.wso2.carbon.user.core.ldap.LDAPConnectionContext} - Trying again to get connection.
Here's what I get if I switch it up to the plain ldap ConnectionURL:
[2013-02-28 04:22:21,491] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Starting WSO2 Carbon...
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Operating System : Linux 2.6.32-358.el6.x86_64, amd64
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java Home : /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java Version : 1.7.0_09-icedtea
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java VM : OpenJDK 64-Bit Server VM 23.7-b01,Oracle Corporation
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Carbon Home : /opt/wso2is/wso2is
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java Temp Dir : /opt/wso2is/wso2is/tmp
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - User : wso2is, en-US, Zulu
[2013-02-28 04:22:21,524] WARN {org.wso2.carbon.core.bootup.validator.SystemValidator} - Could not validate the system for configuration parameter : CPU
[2013-02-28 04:22:21,525] WARN {org.wso2.carbon.core.bootup.validator.util.ValidationResultPrinter} - Maximum free Disk Space (MB): 665 of the system is below the recommended minimum size :1024
[2013-02-28 04:22:21,541] INFO {org.wso2.carbon.databridge.agent.thrift.AgentHolder} - Agent created !
[2013-02-28 04:22:21,562] INFO {org.wso2.carbon.databridge.agent.thrift.internal.AgentDS} - Successfully deployed Agent Client
[2013-02-28 04:22:21,624] INFO {org.wso2.carbon.identity.authenticator.iwa.ui.internal.Activator} - Integrated Windows Authenticator enabled in the system
[2013-02-28 04:22:22,711] INFO {org.wso2.carbon.ldap.server.DirectoryActivator} - Embedded LDAP is disabled.
[2013-02-28 04:22:27,432] ERROR {org.wso2.carbon.user.core.ldap.LDAPConnectionContext} - Error obtaining connection. [LDAP: error code 13 - confidentiality required]
javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - confidentiality required]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3078)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2835)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at org.wso2.carbon.context.internal.CarbonContextDataHolder$CarbonInitialJNDIContextFactory.getInitialContext(CarbonContextDataHolder.java:834)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
at javax.naming.InitialContext.init(InitialContext.java:242)
at javax.naming.InitialContext.<init>(InitialContext.java:216)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
at org.wso2.carbon.user.core.ldap.LDAPConnectionContext.getContext(LDAPConnectionContext.java:114)
at org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager.<init>(ReadWriteLDAPUserStoreManager.java:133)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
at org.wso2.carbon.user.core.common.DefaultRealm.createObjectWithOptions(DefaultRealm.java:225)
at org.wso2.carbon.user.core.common.DefaultRealm.initializeObjects(DefaultRealm.java:147)
at org.wso2.carbon.user.core.common.DefaultRealm.init(DefaultRealm.java:113)
at org.wso2.carbon.user.core.common.DefaultRealmService.initializeRealm(DefaultRealmService.java:223)
at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:103)
at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:116)
at org.wso2.carbon.user.core.internal.Activator.startDeploy(Activator.java:67)
at org.wso2.carbon.user.core.internal.BundleCheckActivator.start(BundleCheckActivator.java:61)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl$1.run(BundleContextImpl.java:711)
at java.security.AccessController.doPrivileged(Native Method)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl.startActivator(BundleContextImpl.java:702)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl.start(BundleContextImpl.java:683)
at org.eclipse.osgi.framework.internal.core.BundleHost.startWorker(BundleHost.java:381)
at org.eclipse.osgi.framework.internal.core.AbstractBundle.resume(AbstractBundle.java:389)
at org.eclipse.osgi.framework.internal.core.Framework.resumeBundle(Framework.java:1130)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:559)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:544)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.incFWSL(StartLevelManager.java:457)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.doSetStartLevel(StartLevelManager.java:243)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:438)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:1)
at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230)
at org.eclipse.osgi.framework.eventmgr.EventManager$EventThread.run(EventManager.java:340)
[2013-02-28 04:22:27,437] ERROR {org.wso2.carbon.user.core.ldap.LDAPConnectionContext} - Trying again to get connection.