Search code examples
javasslopensslopenldapkeytool

Java code Not able to connect with secure openldap?

I created a Certificate for OpenLdap with following command

openssl req -new -x509 -nodes -out /etc/openldap/certs/ldap.crt -keyout /etc/openldap/certs/ldap.key -days 1460

Did rest of settings and i am able to connect Openldap via Apache Directory Studio with Port 636.

Now Challenge is that i wrote a Simple Java Program to connect with Openldap and do some basic operation like Create user/Create Group/Delete etc.Before that i import the certificate in local machine Java Keystore via keytool command

keytool -import -noprompt -trustcacerts -alias "ldap1" -file ldap.crt -keystore "C:\Program Files\Java\jdk1.8.0_221\jre\lib\security\cacerts"

It Successfully added

Now in C:\Windows\System32\drivers\etc\hosts file made a entry for <IP-ADDRESS> HOSTNAME but Java program throwing error 

javax.naming.CommunicationException: simple bind failed: surerest2:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
        at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
        at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
        at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
        at javax.naming.InitialContext.init(Unknown Source)
        at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
        at com.asiainfo.bdx.ocdp.LdapClient.initLDAPContext(LdapClient.java:148)
        at com.asiainfo.bdx.ocdp.LdapClient.createLDAPUser(LdapClient.java:30)
        at com.asiainfo.bdx.ocdp.LdapClientTest.main(LdapClientTest.java:14)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
        at sun.security.ssl.Handshaker.processLoop(Unknown Source)
        at sun.security.ssl.Handshaker.process_record(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
        at sun.security.ssl.AppInputStream.read(Unknown Source)
        at java.io.BufferedInputStream.fill(Unknown Source)
        at java.io.BufferedInputStream.read1(Unknown Source)
        at java.io.BufferedInputStream.read(Unknown Source)
        at com.sun.jndi.ldap.Connection.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        ... 13 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        ... 19 more
Exception in thread "main" java.lang.NullPointerException
        at com.asiainfo.bdx.ocdp.LdapClient.closeLdapContext(LdapClient.java:157)
        at com.asiainfo.bdx.ocdp.LdapClient.createLDAPUser(LdapClient.java:49)
        at com.asiainfo.bdx.ocdp.LdapClientTest.main(LdapClientTest.java:14)
Solution

  • After couple of days struggle issue resolved with the help of InstallCert and it worked perfectly .What i did ?

    1. Download the InstallCert project

    2. Compile the java file javac InstallCert.java

    3. Access the server and try to get Certificate java InstallCert <IP ADDRESS>:<PORT> Give Ip address/Port from where you want to download the server,in my case its Openldap server details.

    4. Extract certificate from created jssecacerts keystore keytool -importcert -alias "1xx.2xx.1xx.97-1" -keystore "C:\Program Files\Java\jre1.8.0_221\lib\security\cacerts" -storepass changeit -file surerest2 here 1xx.2xx.1xx.97-1 this port number and surerest2 is hostname

    5. Import certificate into system keystore keytool -importcert -alias "1xx.2xx.1xx.97-1" -keystore /workspace/tools/jdk/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/lib/security/cacerts -storepass changeit -file surerest2

      And this changes worked perfectly