如何接受JNDI / LDAP连接的自签名证书? [英] how to accept self-signed certificates for JNDI/LDAP connections?
问题描述
我需要通过SSL连接到LDAP目录。
I need to connect to an LDAP directory over SSL.
在非生产环境中,我们使用自签名证书,当然,这些证书无法验证:
In non-production environments, we use self-signed certificates which, of course, fails to validate with:
javax.naming.CommunicationException: simple bind failed: ldapserver:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
我知道如何使用自定义信任管理器,用于启用SSL的连接,但不知道如何使用连接JNDI API的方法我不管理实际连接的地方。也就是说,以下标准设置在哪里可以插入信任管理器?
I am aware of how to use a custom trust manager for SSL-enabled connections, but don't know how to use one in connection with the JNDI API where I don't manage the actual connection. That is, where is the following standard setup will I be able to plug the trust manager?
提前致谢。
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldaps://ldapserver:636");
env.put(Context.SECURITY_PROTOCOL, "ssl");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "myUser");
env.put(Context.SECURITY_CREDENTIALS, "myPassword");
LdapContext ctx = new InitialLdapContext(env, null);
ctx.search (...)
推荐答案
根据JNDI文档,似乎可以设置自定义 SSLSocketFactory
According to the JNDI documentation it seems possible to set a custom SSLSocketFactory
http://download.oracle.com/javase/1.5。 0 / docs / guide / jndi / jndi-ldap-gl.html #socket
public class MySSLSocketFactory extends SocketFactory {
private static final AtomicReference<MySSLSocketFactory> defaultFactory = new AtomicReference<>();
private SSLSocketFactory sf;
public MySSLSocketFactory() {
KeyStore keyStore = ... /* Get a keystore containing the self-signed certificate) */
TrustManagerFactory tmf = TrustManagerFactory.getInstance();
tmf.init(keyStore);
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, tmf.getTrustManagers(), null);
sf = ctx.getSocketFactory();
}
public static SocketFactory getDefault() {
final MySSLSocketFactory value = defaultFactory.get();
if (value == null) {
defaultFactory.compareAndSet(null, new MySSLSocketFactory());
return defaultFactory.get();
}
return value;
}
@Override
public Socket createSocket(final String s, final int i) throws IOException {
return sf.createSocket(s, i);
}
@Override
public Socket createSocket(final String s, final int i, final InetAddress inetAddress, final int i1) throws IOException {
return sf.createSocket(s, i, inetAddress, i1);
}
@Override
public Socket createSocket(final InetAddress inetAddress, final int i) throws IOException {
return sf.createSocket(inetAddress, i);
}
@Override
public Socket createSocket(final InetAddress inetAddress, final int i, final InetAddress inetAddress1, final int i1) throws IOException {
return sf.createSocket(inetAddress, i, inetAddress1, i1);
}
}
配置环境以使用此套接字工厂
Configure the environment to use this socket factory
env.put("java.naming.ldap.factory.socket", "com.example.MySSLSocketFactory");
这篇关于如何接受JNDI / LDAP连接的自签名证书?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!