我一直在努力让Start Tls为我的ldap服务器工作。我在一个spring上下文文件中配置了一个keystore和密码。我的配置似乎适用于SSL,但Star Tls正在导致鸡皮疙瘩。我已将StarTlsHandler作为ExtendedOperationHandler添加到LDAP服务器的包装中。我是否还需要配置其他任何内容。StartTls,ApacheDS问题
我使用JDK 1.6.0_15
密钥库和密码的那一刻是硬编码,他们似乎确定,当我使用SSL或调试。
我正在使用JLdap客户端来测试我的实现。
这是我为Handler添加的代码片段: ldapServer.setKeystoreFile(“C:/jdk/dgekey.ks”); ldapServer.setCertificatePassword(“secret”); ldapServer.addExtendedOperationHandler(new StartTlsHandler());
在下面可以看到,在服务器端堆栈跟踪,客户跟踪是进一步向下:
2011-05-10 12:51:29345 [rThread-4861-21] DEBUG [org.apache.directory。 server.ldap.handlers.extended.StartTlsHandler]设置LDAP服务 2011-05-10 12:51:29,345 [rThread-4861-21] DEBUG [org.apache.directory.server.ldap.handlers.extended.StartTlsHandler] provider = SUN版本1.6 2011-05-10 12:58:31,029 [rThread-4861-21]错误[org.apache.directory.server.core.security.CoreKeyStoreSpi] ERR_68尝试提取密钥失败。 java.lang.IllegalStateException:ERR_436用于主体的名称必须标准化! 在org.apache.directory.server.core.LdapPrincipal。(LdapPrincipal.java:76) 在org.apache.directory.server.core.security.CoreKeyStoreSpi.getTlsEntry(CoreKeyStoreSpi.java:84) 在org.apache .directory.server.core.security.CoreKeyStoreSpi.engineGetKey(CoreKeyStoreSpi.java:231) at java.security.KeyStore.getKey(KeyStore.java:763) at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl 。(SunX509KeyManagerImpl.java:113) at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl $ SunX509.engineInit(KeyManagerFactoryImpl.java:48) at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java: 239) at org.apache.directory.server.ldap.handlers.extended.StartTlsHandler.setLdapServer(StartTlsHandler.java:170) at org.apa che.directory.server.ldap.LdapServer.startNetwork(LdapServer.java:542) at org.apache.directory.server.ldap.LdapServer.start(LdapServer.java:446) at com..ldap.apacheds.LdapServerWrapper .afterPropertiesSet(LdapServerWrapper.java:103) 在org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1469) 在org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java :1409) 在org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:519) 在org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456) 在org.springframework.beans.factory.support.AbstractBeanFactory $ 1.getObject(AbstractBeanFactory.java:291) 在org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222) 在org.springframework .beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:288) at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:190) at org.springframework.beans.factory.support 。DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:574) 在org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:895) 在org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:425) at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:276) at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:197) at org.springframework.web.context。 ContextLoaderListener.contextInitialized(ContextLoaderListener.java:47) 在org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4655) 在org.apache.catalina.core.StandardContex t.start(StandardContext.java:5364) at com.sun.enterprise.web.WebModule.start(WebModule.java:345) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:986) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:970) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:704) at com.sun.enterprise.web。 WebContainer.loadWebModule(WebContainer.java:1649) 在com.sun.enterprise.web.WebContainer.loadWebModule(WebContainer.java:1254) 在com.sun.enterprise.server.WebModuleDeployEventListener.moduleDeployed(WebModuleDeployEventListener.java:182) 在com.sun.enterprise.server.WebModuleDeployEventListener.moduleDeployed(WebModuleDeployEventListener.java:278) at com.sun.enterprise.admin.event.AdminEventMulticaster.invokeModuleDeployEventListener(AdminEventMulticaster.java:1005) at com.sun.enterprise.admin.event.AdminEventMulticaster.handleModuleDeployEvent(AdminEventMulticaster.java:992) at com.sun。 enterprise.admin.event.AdminEventMulticaster.processEvent(AdminEventMulticaster.java:470) at com.sun.enterprise.admin.event.AdminEventMulticaster.multicastEvent(AdminEventMulticaster.java:182) at com.sun.enterprise.admin.server。 core.DeploymentNotificationHelper.multicastEvent(DeploymentNotificationHelper.java:308) at com.sun.enterprise.deployment.phasing.DeploymentServiceUtils.multicastEvent(DeploymentServiceUtils.java:231) at com.sun.enterprise.deployment.phasing.ServerDeploymentTarget.sendStartEvent( ServerDeploymentTarget.java:298) at com.sun.enterprise.deployment.phasing.ApplicationStartPhase.runPhase(ApplicationStartPhase.java:132) at com.sun.enterprise.deployment.phasing.DeploymentPhase.executePhase(DeploymentPhase.java:108) at com.sun。 enterprise.deployment.phasing.PEDeploymentService.executePhases(PEDeploymentService.java:966) at com.sun.enterprise.deployment.phasing.PEDeploymentService.start(PEDeploymentService.java:609) at com.sun.enterprise.deployment.phasing。 PEDeploymentService.start(PEDeploymentService.java:653) at com.sun.enterprise.admin.mbeans.ApplicationsConfigMBean.start(ApplicationsConfigMBean.java:773) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect .NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) 在sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) 在java.lang.reflect.Method.invoke(Method.java:597) 在com.sun.enterprise.admin.MBeanHelper.invokeOperationInBean(MBeanHelper。的java:390) 在com.sun.enterprise.admin.MBeanHelper.invokeOperationInBean(MBeanHelper.java:373) 在com.sun.enterprise.admin.config.BaseConfigMBean.invoke(BaseConfigMBean.java:477) 在融为一体。 sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836) 在com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761) 在sun.reflect.GeneratedMethodAccessor15.invoke(未知来源) 在sun.reflect.DelegatingMethodAccessorImpl。调用(DelegatingMethodAccessorImpl.java:25) at com.un.reflect.Method.invoke(Method.java:597) at com.sun.enterprise.admin.util.proxy.ProxyClass.invoke(ProxyClass.java:90) (未知源) at com.sun.enterprise.admin.server.core.jmx.SunoneInterceptor.invoke(SunoneInterceptor.java:304) at com.sun.enterprise.interceptor.DynamicInterceptor.invoke( DynamicInterceptor.java:170) at com.sun.enterprise.admin.jmx.remote.server.callers.InvokeCaller.call(InvokeCaller.java:69) at com.sun.enterprise.admin.jmx.remote.server。 MBeanServerRequestHandler.handle(MBeanServerRequestHandler.java:155) at com.sun.enterprise.admin.jmx.remote.server.servlet.RemoteJmxConnectorServlet.processRequest(RemoteJmxConnectorServlet.java:122) 在com.sun.enterprise.admin.jmx.remote.server.servlet.RemoteJmxConnectorServlet.doPost(RemoteJmxConnectorServlet.java:193) 在javax.servlet.http.HttpServlet.service(HttpServlet.java:754) 在的javax。 servlet.http.HttpServlet.service(HttpServlet.java:847) at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:427) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve。的java:315) 在org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:287) 在org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:218) 在org.apache。 catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648) at或g.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593) 在com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94) 在com.sun.enterprise.web.PESessionLockingStandardPipeline。调用(PESessionLockingStandardPipeline.java:98) 在org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:222) 在org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648) 在org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587) at org.apache.catalina.core.ContainerBase。调用(ContainerBase.java:1093) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:166) 在org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648) 在org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593) 在org.apache.catalina.core。 StandardPipeline.invoke(StandardPipeline.java:587) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1093) at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:291) 在com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:666) 在com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:597) 在com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:872) 在com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:341) 在com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:263) 在COM .sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:214) at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:264) at com.sun .enterprise.web.connector.grizzly.WorkerThreadImpl.run(WorkerThreadImpl.java:117)
* 客户端通过javax.net进行跟踪。调试=所有; *
keyStore在:C:/ JDK/cacerts中 密钥仓库类型是:JKS 密钥库提供的是: 初始化密钥库型SunX509 的trustStore的 INIT的KeyManager是:C:\ JDK \ cacerts中 的trustStore类型是:JKS 的trustStore提供商是: 初始化信任 添加为受信任的证书: 主题:CN = SwissSign铂CA - G2,O = SwissSign AG,C = CH 发行商:CN = SwissSign铂CA - G2,O = SwissSign AG ,C = CH 算法:RSA;编号:0x4eb200670c035d4f 有效期从星期三10月25日10:36:00 2006年CEST直到周六10月25日10:36:00 CEST 2036
的SecureRandom 的触发播种完成播种的SecureRandom %%无缓存的客户端会话 * ClientHello,TLSv1 RandomCookie:GMT:1288255192 bytes = {100,146,27,29,47,10,97,247,253,145,49,147,239,157,90,4,34,15,99 ,243,191,156,251,25,64,42,210,231} 会话ID:{} 密码套件:[SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA] 压缩方法:{0}
[写入] MD5和SHA1哈希值:LEN = 73 0000:01 00 00 45 03 01 4D C9 37 D8 64 92 1B 1D 2F 0A ... E..M.7.d ... /。 0010:61 F7 FD 91 31 93 EF 9D 5A 04 22 0F 63 F3 BF 9C a ... 1 ... Z。“。c ... 0020:FB 19 40 2A D2 E7 00 00 1E 00 04 00 05 00 2F 00 .. @.......... /。 0030:33 00 32 00 0A 00 16 00 13 00 09 00 15 00 12 00 3.2 .......... ... 0040:03 00 08 00 14 00 11 01 00 ......... main,WRITE:TLSv1 Handshake,length = 73 [写入] MD5和SHA1散列:len = 98 0000: 01 03 01 00 39 00 00 00 20 00 00 04 01 00 80 00 .... 9 ... ....... 0010:00 05 00 00 2F 00 00 33 00 00 32 00 00 0A 07 00 ..../.. 3..2 ..... 0020:C0 00 00 16 00 00 13 00 00 09 06 00 40 00 00 15 ............ @ .. 。 0030:00 00 12 00 00 03 02 00 80 00 00 08 00 00 14 00 ................ 0040:00 11 4D C9 37 D8 64 92 1B 1D 2F 0A 61 F7 FD 91 ..M.7.d ... /。a ... 0050:31 93 EF 9D 5A 04 22 0F 63 F3 BF 9C FB 19 40 2A 1 ... Z。“c。@ 0060:D2 E7 .. main,WRITE:SSLv2 client hello message,length = 98 main,READ:TLSv1 Alert,length = 2 main,RECV TLSv1 ALERT:fatal,handshake_failure main,调用closeSocket() main,处理异常:javax.net.ssl.SSLHandshakeException:收到致命警报:handshake_failure 错误:LDAPException:无法协商安全连接(91 )连接错误 javax.net.ssl.SSLHandshakeException:收到致命警报:handshake_failure
@kayyagri感谢您的帮助。我在哪里可以报告这个错误,我没有在ApacheDs sitr上找到任何链接http://directory.apache.org/apacheds/1.5/downloads.html 其次,我怎么才能快速解决这个问题,因为我有截止日期接近几天时间 – 2011-05-11 08:22:32
条目uid = admin,ou =系统具有属性privateKey,publicKey和证书用您拥有的密钥和证书(可以使用Apache Directory Studio使其更容易)替换现有值。您可以在这里报告问题[https://issues.apache.org/jira/browse/DIRSERVER] – kayyagari 2011-05-11 09:40:27
再次@kayyagri并感谢您的回复, 我复制了ApacheDs服务器中存在的默认证书,从中生成了一个keystore证书并将此密钥库的路径提供给我的ldap/spring上下文文件。但是我仍然得到同样的错误。当我通过ldap实现使用它们时,使用独立apacheD的证书和密钥库不起作用。 我是否应该配置其他内容。 – 2011-05-12 13:21:24