
我在本地使用 LinuxMint，並在 VirtualBox 中安裝了帶有 OpenLDAP 的 Ubuntu Server。現在我按照本指南 http://help.ubuntu-it.org/12.04/server/serverguide/it/ubuntu-1204-server.pdf 配置了 TLS/SSL 身份驗證，但是當我嘗試使用 SSL 從 Java 連接時失敗了（使用 SSL 連接 OpenLDAP 失敗）：

import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;

import com.novell.ldap.LDAPConnection;
import com.novell.ldap.LDAPException;
import com.novell.ldap.LDAPJSSESecureSocketFactory;

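/**
 * Small JLDAP demo: binds to an OpenLDAP server once over the plain port and
 * once over the SSL port, printing whether each bind authenticated.
 */
public class GetAuthenticated
{
    /** Host of the example server; overridden by {@code args[0]}. */
    private static final String DEFAULT_HOST = "192.168.1.46";

    /** Bind DN of the example; overridden by {@code args[1]}. */
    private static final String DEFAULT_LOGIN_DN = "cn=admin,dc=company,dc=com";

    /**
     * Runs a simple bind followed by an SSL bind against the same server.
     *
     * @param args optional overrides: {@code args[0]} host, {@code args[1]} bind DN
     */
    public static void main(String[] args) {
        int ldapVersion = LDAPConnection.LDAP_V3;
        int ldapPort = LDAPConnection.DEFAULT_PORT;
        int ldapSSLPort = LDAPConnection.DEFAULT_SSL_PORT;
        String ldapHost = args.length > 0 ? args[0] : DEFAULT_HOST;
        String loginDN = args.length > 1 ? args[1] : DEFAULT_LOGIN_DN;
        // Take the bind password from the environment so it need not be kept
        // in the source; the literal fallback only keeps the original example
        // runnable and belongs nowhere near real code.
        String password = System.getenv("LDAP_PASSWORD");
        if (password == null) {
            password = "secret";
        }
        LDAPConnection conn = new LDAPConnection();

        simpleBind1(conn, ldapHost, ldapPort, loginDN, password);
        SSLBind(ldapVersion, ldapHost, ldapSSLPort, loginDN, password);
        // Kept from the original: terminates the JVM even if the library left
        // non-daemon threads running.
        System.exit(0);
    }

    /**
     * Binds over the plain LDAP port with an already constructed connection.
     * The simple bind on this port transmits {@code passwd} unencrypted.
     *
     * @param conn   unconnected connection to use
     * @param host   server host
     * @param port   plain LDAP port
     * @param dn     bind DN
     * @param passwd bind password
     */
    private static void simpleBind1(LDAPConnection conn, String host,
            int port, String dn, String passwd) {
        bindAndReport(conn, LDAPConnection.LDAP_V3, host, port, dn, passwd,
                "Simple bind...", "simple");
    }

    /**
     * Binds over the SSL port using a JSSE socket factory scoped to this
     * connection. The factory validates the server certificate against the
     * JVM's default trust store, so an untrusted (for example self-signed)
     * certificate fails with a PKIX path-building error before the bind.
     *
     * @param version LDAP protocol version to bind with
     * @param host    server host
     * @param sslPort LDAPS port
     * @param dn      bind DN
     * @param passwd  bind password
     */
    private static void SSLBind(int version, String host, int sslPort,
                String dn, String passwd) {
        // Set the socket factory for this connection only
        LDAPJSSESecureSocketFactory ssf = new LDAPJSSESecureSocketFactory();
        LDAPConnection conn = new LDAPConnection(ssf);
        bindAndReport(conn, version, host, sslPort, dn, passwd,
                "SSL bind...", "ssl");
    }

    /**
     * Shared connect/bind/report sequence for both bind styles.
     *
     * @param conn    connection to connect and bind
     * @param version LDAP protocol version
     * @param host    server host
     * @param port    server port
     * @param dn      bind DN
     * @param passwd  bind password, sent as UTF-8 bytes
     * @param banner  line printed before connecting
     * @param label   tag printed in the success message
     */
    private static void bindAndReport(LDAPConnection conn, int version,
            String host, int port, String dn, String passwd,
            String banner, String label) {
        boolean connected = false;
        try {
            System.out.println(banner);
            // connect to the server
            conn.connect(host, port);
            connected = true;
            // UTF-8 is always present, so the UnsupportedEncodingException
            // path of the "UTF8" charset-name form is not needed.
            conn.bind(version, dn, passwd.getBytes(StandardCharsets.UTF_8));
            System.out.println((conn.isBound()) ?
                "\n\tAuthenticated to the server (" + label + ")\n" :
                "\n\tNot authenticated to the server\n");
        }
        catch (LDAPException e) {
            System.out.println("Error: " + e.toString());
        }
        finally {
            // Disconnect whenever connect() succeeded, including when bind()
            // threw; the original only released the socket on success.
            if (connected) {
                try {
                    conn.disconnect();
                } catch (LDAPException ignored) {
                    // The connection is being dropped anyway; nothing to report.
                }
            }
        }
    }
}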

simpleBind1 工作正常，但 SSLBind 不行，我得到以下錯誤：

I/O Exception on host 192.168.1.46, port 636 (91) Connect Error 
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: 

回答


您需要將服務器證書添加到 Java 的信任庫（truststore）中，因爲我假定它是自簽名的：「PKIX path building failed」表示 JVM 的信任庫中沒有能夠驗證該證書的 CA。

可以使用

openssl s_client -connect [hostname]:[port e.g. 443] </dev/null> /tmp/lb.cert

拿到證書（此處的端口應是 LDAP 服務器的 SSL 端口，也就是錯誤信息中的 636；s_client 的輸出除證書外還包含握手信息，可用 openssl x509 只保留證書部分），核對證書指紋後再將證書添加到您的密鑰庫（下面的 -noprompt 會跳過指紋確認）：

keytool -importcert -keystore [keystore location, varies, but can be e.g. /etc/pki/java/cacerts] -storepass changeit -file /tmp/lb.cert -alias newSelfSignedKey -noprompt


非常感謝！現在它可以工作了！ – FelasDroid