Java 代码无法连接安全的 openldap?
Java code Not able to connect with secure openldap?
我使用以下命令为 OpenLdap 创建了一个证书
openssl req -new -x509 -nodes -out /etc/openldap/certs/ldap.crt -keyout /etc/openldap/certs/ldap.key -days 1460
进行了其余设置,我能够通过 Apache Directory Studio 将 Openldap 与 Port 636 连接。
现在的挑战是我编写了一个简单的 Java 程序来连接 Openldap 并执行一些基本操作,例如创建 user/Create Group/Delete etc.Before 我导入证书在本地机器中 Java Keystore 通过 keytool 命令
keytool -import -noprompt -trustcacerts -alias "ldap1" -file ldap.crt -keystore "C:\Program Files\Java\jdk1.8.0_221\jre\lib\security\cacerts"
添加成功
现在在 C:\Windows\System32\drivers\etc\hosts 文件中为 <IP-ADDRESS> HOSTNAME 创建了一个条目,但是 Java 程序抛出错误
javax.naming.CommunicationException: simple bind failed: surerest2:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
at com.asiainfo.bdx.ocdp.LdapClient.initLDAPContext(LdapClient.java:148)
at com.asiainfo.bdx.ocdp.LdapClient.createLDAPUser(LdapClient.java:30)
at com.asiainfo.bdx.ocdp.LdapClientTest.main(LdapClientTest.java:14)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
at sun.security.ssl.AppInputStream.read(Unknown Source)
at java.io.BufferedInputStream.fill(Unknown Source)
at java.io.BufferedInputStream.read1(Unknown Source)
at java.io.BufferedInputStream.read(Unknown Source)
at com.sun.jndi.ldap.Connection.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 13 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 19 more
Exception in thread "main" java.lang.NullPointerException
at com.asiainfo.bdx.ocdp.LdapClient.closeLdapContext(LdapClient.java:157)
at com.asiainfo.bdx.ocdp.LdapClient.createLDAPUser(LdapClient.java:49)
at com.asiainfo.bdx.ocdp.LdapClientTest.main(LdapClientTest.java:14)
经过几天的努力,问题在 InstallCert 的帮助下得到解决,并且运行良好。我做了什么?
下载 InstallCert 项目
编译java文件javac InstallCert.java
访问服务器并尝试获取证书java InstallCert <IP ADDRESS>:<PORT>从您要下载服务器的位置提供 Ip address/Port,在我的例子中是 Openldap 服务器详细信息。
从创建的 jssecacerts 密钥库中提取证书 keytool -importcert -alias "1xx.2xx.1xx.97-1" -keystore "C:\Program Files\Java\jre1.8.0_221\lib\security\cacerts" -storepass changeit -file surerest2 这里 1xx.2xx.1xx.97-1 这个端口号和 surerest2 是 hostname
将证书导入系统密钥库keytool -importcert -alias "1xx.2xx.1xx.97-1" -keystore /workspace/tools/jdk/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/lib/security/cacerts -storepass changeit -file surerest2
并且此更改非常有效
我使用以下命令为 OpenLdap 创建了一个证书
openssl req -new -x509 -nodes -out /etc/openldap/certs/ldap.crt -keyout /etc/openldap/certs/ldap.key -days 1460
进行了其余设置,我能够通过 Apache Directory Studio 将 Openldap 与 Port 636 连接。
现在的挑战是我编写了一个简单的 Java 程序来连接 Openldap 并执行一些基本操作,例如创建 user/Create Group/Delete etc.Before 我导入证书在本地机器中 Java Keystore 通过 keytool 命令
keytool -import -noprompt -trustcacerts -alias "ldap1" -file ldap.crt -keystore "C:\Program Files\Java\jdk1.8.0_221\jre\lib\security\cacerts"
添加成功
现在在 C:\Windows\System32\drivers\etc\hosts 文件中为 <IP-ADDRESS> HOSTNAME 创建了一个条目,但是 Java 程序抛出错误
javax.naming.CommunicationException: simple bind failed: surerest2:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
at com.asiainfo.bdx.ocdp.LdapClient.initLDAPContext(LdapClient.java:148)
at com.asiainfo.bdx.ocdp.LdapClient.createLDAPUser(LdapClient.java:30)
at com.asiainfo.bdx.ocdp.LdapClientTest.main(LdapClientTest.java:14)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
at sun.security.ssl.AppInputStream.read(Unknown Source)
at java.io.BufferedInputStream.fill(Unknown Source)
at java.io.BufferedInputStream.read1(Unknown Source)
at java.io.BufferedInputStream.read(Unknown Source)
at com.sun.jndi.ldap.Connection.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 13 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 19 more
Exception in thread "main" java.lang.NullPointerException
at com.asiainfo.bdx.ocdp.LdapClient.closeLdapContext(LdapClient.java:157)
at com.asiainfo.bdx.ocdp.LdapClient.createLDAPUser(LdapClient.java:49)
at com.asiainfo.bdx.ocdp.LdapClientTest.main(LdapClientTest.java:14)
经过几天的努力,问题在 InstallCert 的帮助下得到解决,并且运行良好。我做了什么?
下载 InstallCert 项目
编译java文件
javac InstallCert.java访问服务器并尝试获取证书
java InstallCert <IP ADDRESS>:<PORT>从您要下载服务器的位置提供 Ip address/Port,在我的例子中是 Openldap 服务器详细信息。从创建的 jssecacerts 密钥库中提取证书
keytool -importcert -alias "1xx.2xx.1xx.97-1" -keystore "C:\Program Files\Java\jre1.8.0_221\lib\security\cacerts" -storepass changeit -file surerest2这里1xx.2xx.1xx.97-1这个端口号和surerest2是hostname将证书导入系统密钥库
keytool -importcert -alias "1xx.2xx.1xx.97-1" -keystore /workspace/tools/jdk/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/lib/security/cacerts -storepass changeit -file surerest2并且此更改非常有效