qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Keith Wall (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (QPID-7160) No X509TrustManager implementation available when using truststore captured by SiteSpecificTrustStore
Date Sun, 03 Apr 2016 16:41:25 GMT

     [ https://issues.apache.org/jira/browse/QPID-7160?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Keith Wall updated QPID-7160:
-----------------------------
    Status: Reviewable  (was: In Progress)

> No X509TrustManager implementation available when using truststore captured by SiteSpecificTrustStore
> -----------------------------------------------------------------------------------------------------
>
>                 Key: QPID-7160
>                 URL: https://issues.apache.org/jira/browse/QPID-7160
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Broker
>    Affects Versions: qpid-java-6.0, qpid-java-6.0.1
>            Reporter: Keith Wall
>            Assignee: Keith Wall
>            Priority: Minor
>             Fix For: qpid-java-6.1
>
>
> I am testing the Java Broker with ApacheDS as an authentication provider. I find secure
connections to the Directory secured with a self signed certificate fail if the truststore
was captured using {{SiteSpecificTrustStore}}.  If I upload the truststore as a PEM, the exception
does not occur.
> Keystore for ApacheDS was generated like so:
> {{keytool -genkey -keyalg RSA -alias selfsigned -keystore apacheds.jks -storepass password
-validity 360 -keysize 2048}}
> Truststore captured by pointing SiteSpecificTrustStore at https://localhost:10636
> Alternative approach (that works), export the PEM from the ApacheDS UI, then import into
Java Broker as NonJavaTrustStore.
> {noformat}
> 2016-03-23 22:49:14,464 WARN  [HttpManagement-myhttps-150] (o.a.q.s.s.a.m.SimpleLDAPAuthenticationManagerImpl)
- SASL Authentication Exception
> javax.naming.CommunicationException: simple bind failed: Oslo.local:10636
> 	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219) ~[na:1.8.0_45]
> 	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788) ~[na:1.8.0_45]
> 	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) ~[na:1.8.0_45]
> 	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) ~[na:1.8.0_45]
> 	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) ~[na:1.8.0_45]
> 	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) ~[na:1.8.0_45]
> 	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) ~[na:1.8.0_45]
> 	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[na:1.8.0_45]
> 	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[na:1.8.0_45]
> 	at javax.naming.InitialContext.init(InitialContext.java:244) ~[na:1.8.0_45]
> 	at javax.naming.InitialContext.<init>(InitialContext.java:216) ~[na:1.8.0_45]
> 	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
~[na:1.8.0_45]
> 	at org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManagerImpl.createInitialDirContext(SimpleLDAPAuthenticationManagerImpl.java:344)
~[classes/:na]
> 	at org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManagerImpl.getNameFromId(SimpleLDAPAuthenticationManagerImpl.java:491)
~[classes/:na]
> 	at org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManagerImpl.access$100(SimpleLDAPAuthenticationManagerImpl.java:72)
~[classes/:na]
> 	at org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManagerImpl$SimpleLDAPPlainCallbackHandler.handle(SimpleLDAPAuthenticationManagerImpl.java:448)
~[classes/:na]
> 	at org.apache.qpid.server.security.auth.sasl.plain.PlainSaslServer.evaluateResponse(PlainSaslServer.java:83)
[classes/:na]
> 	at org.apache.qpid.server.management.plugin.servlet.rest.SaslServlet.evaluateSaslResponse(SaslServlet.java:217)
[classes/:na]
> 	at org.apache.qpid.server.management.plugin.servlet.rest.SaslServlet.doPostWithSubjectAndActor(SaslServlet.java:135)
[classes/:na]
> 	at org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet$2.run(AbstractServlet.java:118)
[classes/:na]
> 	at org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet$2.run(AbstractServlet.java:114)
[classes/:na]
> 	at java.security.AccessController.doPrivileged(Native Method) [na:1.8.0_45]
> 	at javax.security.auth.Subject.doAs(Subject.java:422) [na:1.8.0_45]
> 	at org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet.doWithSubjectAndActor(AbstractServlet.java:215)
[classes/:na]
> 	at org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet.doPost(AbstractServlet.java:112)
[classes/:na]
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:595) [geronimo-servlet_3.0_spec-1.0.jar:1.0]
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:668) [geronimo-servlet_3.0_spec-1.0.jar:1.0]
> 	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1496)
[jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.apache.qpid.server.management.plugin.filter.ForbiddingAuthorisationFilter.doFilter(ForbiddingAuthorisationFilter.java:90)
[classes/:na]
> 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467)
[jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.apache.qpid.server.management.plugin.filter.ForbiddingTraceFilter.doFilter(ForbiddingTraceFilter.java:65)
[classes/:na]
> 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467)
[jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.apache.qpid.server.management.plugin.filter.LoggingFilter.doFilter(LoggingFilter.java:70)
[classes/:na]
> 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467)
[jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.apache.qpid.server.management.plugin.filter.ExceptionHandlingFilter.doFilter(ExceptionHandlingFilter.java:56)
[classes/:na]
> 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467)
[jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:501) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:229)
[jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
[jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:429) [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
[jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
[jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.server.Server.handle(Server.java:370) [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
[jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:982)
[jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1043)
[jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865) [jetty-http-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240) [jetty-http-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
[jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196) [jetty-io-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
[jetty-io-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
[jetty-io-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
[jetty-util-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543) [jetty-util-8.1.17.v20150415.jar:8.1.17.v20150415]
> 	at java.lang.Thread.run(Thread.java:745) [na:1.8.0_45]
> Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException:
No X509TrustManager implementation available
> 	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_45]
> 	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937) ~[na:1.8.0_45]
> 	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[na:1.8.0_45]
> 	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[na:1.8.0_45]
> 	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478) ~[na:1.8.0_45]
> 	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212) ~[na:1.8.0_45]
> 	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[na:1.8.0_45]
> 	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[na:1.8.0_45]
> 	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050) ~[na:1.8.0_45]
> 	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) ~[na:1.8.0_45]
> 	at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:916) ~[na:1.8.0_45]
> 	at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) ~[na:1.8.0_45]
> 	at java.io.BufferedInputStream.fill(BufferedInputStream.java:246) ~[na:1.8.0_45]
> 	at java.io.BufferedInputStream.read1(BufferedInputStream.java:286) ~[na:1.8.0_45]
> 	at java.io.BufferedInputStream.read(BufferedInputStream.java:345) ~[na:1.8.0_45]
> 	at com.sun.jndi.ldap.Connection.run(Connection.java:851) ~[na:1.8.0_45]
> 	... 1 common frames omitted
> Caused by: java.security.cert.CertificateException: No X509TrustManager implementation
available
> 	at sun.security.ssl.DummyX509TrustManager.checkServerTrusted(SSLContextImpl.java:1119)
~[na:1.8.0_45]
> 	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460) ~[na:1.8.0_45]
> 	... 12 common frames omitted
> {noformat}
> config.json snippet:
> {noformat}
>  "authenticationproviders" : [ {
>     "id" : "fba490fc-3329-4a2d-90db-4add4e050ba3",
>     "name" : "myldap",
>     "type" : "SimpleLDAP",
>     "bindWithoutSearch" : false,
>     "providerAuthUrl" : "ldaps://Oslo.local:10636",
>     "providerUrl" : "ldaps://Oslo.local:10636",
>     "searchContext" : "ou=people,o=sevenSeas",
>     "searchFilter" : "(uid={0})",
>     "searchPassword" : "secret",
>     "searchUsername" : "uid=admin,ou=system ",
>     "trustStore" : "apacheds_sniff",
>     "lastUpdatedBy" : "admin",
>     "lastUpdatedTime" : 1458773319290,
>     "createdBy" : null,
>     "createdTime" : 0
>   }
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org


Mime
View raw message