无法使用Spring模板通过SSL连接到LDAP服务器 [英] Unable to connect to LDAP server over ssl using spring template

问题描述

我正在使用spring模板通过ssl连接到ldap服务器.我使用以下命令从服务器保存ssl证书:

I am using spring template to connect to ldap server over ssl. I used the following command to save ssl certificate from server:

echo -n | openssl s_client -connect <ldapserverip>:<port> | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.pem

然后转到/jre/lib/security目录，并执行以下命令将证书添加到cacerts.

Then went to /jre/lib/security directory and executed the following command to add certificate to cacerts.

keytool -import -keystore cacerts -file ldapserver.pem

然后使用以下命令验证cacerts条目列表中的计数:

Then verified the count in list of entries in cacerts using the command:

keytool -list -keystore cacerts

我正在tomcat中运行该应用程序，并且tomcat指向相同的JDK_HOME.

I am running the application in tomcat and tomcat is pointed to same JDK_HOME.

在使用spring的ldapTemplate中使用authenticate()登录时，我在tomcat中遇到以下异常.

I am getting the following exception in tomcat while logging in using authenticate() in ldapTemplate using spring.

Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

使用纯文本(没有https)可以正常工作.我也尝试设置VMArguments，但没有一个起作用.

It was working fine with plain text (with out https). I tried setting VMArguments as well but none of them worked.

-Djavax.net.ssl.trustStore="<path to cacerts file>"
-Djavax.net.ssl.trustStorePassword="<passphrase>"

我该如何解决这个问题?

How can i solve this issue?

谢谢

推荐答案

信任链被打破了.两个可能的原因.

Chain of trust is broken it looks like. Two possible reasons.

1. 来自服务器的证书不是单个证书，而是连接到根CA的链，并且您仅导入了一个.您需要验证并导入完整的链.

1. The certificate from server is not a single certificate but a chain up to root CA and you have imported only one. You need to verify and import that complete chain.

a.要检查证书链，请使用openssl

a. To check the certificate chain, dump it using openssl

>openssl s_client -showcerts -connect host:port

b.要导入链，您需要将PEM转换为PKCS#7或拆分.

b. To import the chain you need either convert PEM to PKCS#7 or split.

i. 将PEM转换为PKCS#7

ii. Split

在导入证书时，请使用"-trustcacerts"选项，以便将密钥库中的证书视为信任链.

While importing the certificate use "-trustcacerts" option so that certificates from keystore are considered for chain of trust.

>keytool -import -trustcacerts -file /path/ldapserver.pem -alias somealias -keystore /security/cacerts

这篇关于无法使用Spring模板通过SSL连接到LDAP服务器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！