Apache Fortress TLS - maven

I am new to the LDAP environment and I am trying to set up Apache Fortress with Symas OpenLDAP (https://github.com/apache/directory-fortress-core/blob/master/README-QUICKSTART-SLAPD.md)
When I set it up with ldap, all the integration tests pass successfully, but when I set it up with ldaps it throws a handshake error.
Does someone know where I have to set all the client and server certificates? Setting it up as in the repository README, it is not possible.
Fixed:
Following the answer below from the creator of that project, I got the proper setup with LDAPS.
Next Problem:
But now I get an error when I run the 3rd step of the Apache Fortress REST setup:
mvn clean install -Dload.file=./src/main/resources/FortressRestServerPolicy.xml tomcat:deploy
error output:
[ERROR] Failed to execute goal org.codehaus.mojo:tomcat-maven-plugin:1.0-beta-1:deploy (default-cli) on project fortress-rest: Cannot invoke Tomcat manager: Error writing to server -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.codehaus.mojo:tomcat-maven-plugin:1.0-beta-1:deploy (default-cli) on project fortress-rest: Cannot invoke Tomcat manager
Caused by: org.apache.maven.plugin.MojoExecutionException: Cannot invoke Tomcat manager
Caused by: java.io.IOException: Error writing to server
In Tomcat I set up the users and roles manager-gui (which I am able to access through http and https at hostname/manager/html) and manager-script.
After changing the Tomcat Maven plugin in pom.xml, I could deploy:
<groupId>org.apache.tomcat.maven</groupId>
<artifactId>tomcat7-maven-plugin</artifactId>
<version>2.2</version>
but then I get this error...
FAIL - Deployed application at context path [/fortress-rest] but context failed to start
Any ideas what it could be?

Using TLS or LDAPS for the connection to the LDAP server does not require a client-side certificate. You will need to create a server-side cert for the LDAP host, and add that to the OpenLDAP configuration. You also must add that server's CA certificate to the Java truststore on the client-side, i.e. the fortress runtime.
For a tutorial on how to accomplish this, check out the Apache Fortress Demo. (Note that I am the author of this demo.)
This tutorial's scope goes beyond just creating and using certificates. The specific steps you're going to be interested in are:
http://shawnmckinney.github.io/apache-fortress-demo/apidocs/doc-files/keys.html
http://shawnmckinney.github.io/apache-fortress-demo/apidocs/doc-files/hosts.html
http://shawnmckinney.github.io/apache-fortress-demo/apidocs/doc-files/openldap-ssl.html
http://shawnmckinney.github.io/apache-fortress-demo/apidocs/doc-files/apache-fortress-core-ssl.html

Related

Failed to build apache kudu because unable to connect to service.gradle.org

When trying to build kudu in my EC2, I got an error "HTTP/1.1 403 Forbidden". My connection was opened through a proxy. The domain that we are trying to connect to here is "service .gradle.org". This can be accessed through HTTPS. Here the build is run using the gradle wrapper jar (v6.8.3). Here, a 403 Forbidden error of the above type kept appearing. It looks like the connection is trying to use HTTP instead of HTTPS.
This problem is not occurring when the build is run in an environment without a proxy

Spring Tool Suite 4.8.0.RELEASE - Network connections proxy settings

When I run any maven command with specified http and https proxy address and port as below:
mvn <command> -Dhttps.proxyHost=<MY.PROXY.HOST.ADDRESS> -Dhttps.proxyPort=<MY_PROXY_PORT> -Dhttp.proxyHost...
It's running without any error.
I want to set those configurations as the default for my STS network connections and select the manual Active Provider (see attached screenshot for my configuration).
I think it's not related to the STS version because I faced the same problem with versions 3.8 and 4.6. Anyway, here is my STS version:
Now, when I try the same maven command without proxy and port arguments, the maven command fails due to a network connection error.
[ERROR] unable to read java.net.ConnectException: Connection timed out

How to bypass SSL verification while using Sonarqube

I have a SonarQube MSBuild scanner that is not able to connect to a SonarQube server:
C:\ws\develop>SonarQube.Scanner.MSBuild.exe begin /k:aaaa /n:bbb /v:4.0.0.13063 /d:sonar.host.url=https://sonarqube.aaa.bbb /d:sonar.login=****** /d:sonar.cs.nunit.reportsPaths=TestResult.xml /d:sonar.cs.dotcover.reportsPaths=dotcover.html
WARNING: ------------------------------------------------------------------------
This executable is deprecated and may be removed in next major version of the SonarScanner for MSBuild. Please use 'SonarScanner.MSBuild.exe' instead.
------------------------------------------------------------------------
SonarScanner for MSBuild 4.4.2
Using the .NET Framework version of the Scanner for MSBuild
Default properties file was found at C:\Tools\SonarQubeScanner\SonarQube.Analysis.xml
Loading analysis properties from C:\Tools\SonarQubeScanner\SonarQube.Analysis.xml
Pre-processing started.
Preparing working directories...
14:40:23.762 Updating build integration targets...
14:40:23.774 Fetching analysis configuration settings...
14:40:23.855 Failed to request and parse 'https://sonarqube.aaa.bbb/api/server/version': The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
14:40:23.856 A server certificate could not be validated. Possible cause: you are using a self-signed SSL certificate but the certificate has not been installed on the client machine. Please make sure that you can access https://sonarqube.aaa.bbb without encountering certificate errors.
14:40:23.857 Pre-processing failed. Exit code: 1
script returned exit code 1
Is there a way to disable this SSL check? The certificate will not be valid (it's valid on our domain, but this agent is not in the domain due to IT policy).

How to specify proxy credentials for lagom / activator / sbt?

I am trying out Lagom from Lightbend, using the my-first-system template from the GettingStarted page.
I am on Windows 10, and behind a corporate proxy.
Activator fails to download some dependencies due to missing credentials for the proxy. I have set the HTTP_PROXY environment variable.
The following error is reported by activator:
[info] Updating {file:/E:/Projects/LagomHelloWorld/my-first-system/project/}my-first-system-build...
[info] Resolving com.lightbend.lagom#lagom-sbt-plugin;1.0.0 ...
[error] Server access Error: Connection timed out: connect url=https://repo.typesafe.com/typesafe/ivy-releases/com.lightbend.lagom/lagom-sbt-plugin/scala_2.10/sbt_0.13/1.0.0/ivys/ivy.xml
[error] Server access Error: Connection timed out: connect url=https://repo.scala-sbt.org/scalasbt/sbt-plugin-releases/com.lightbend.lagom/lagom-sbt-plugin/scala_2.10/sbt_0.13/1.0.0/ivys/ivy.xml
[error] Server access Error: Connection timed out: connect url=https://repo1.maven.org/maven2/com/lightbend/lagom/lagom-sbt-plugin_2.10_0.13/1.0.0/lagom-sbt-plugin-1.0.0.pom
[error] Unable to find credentials for [ # <proxy-ipv4-addr> ].
[warn] module not found: com.lightbend.lagom#lagom-sbt-plugin;1.0.0
Note: The error message contains the actual IPv4 address, not the substitute I show above.
Where should I specify the user id and password for the proxy?
How can I do that in a secure way?
Activator should check for system properties, in your case
#-Dhttp.proxyUser=PUT YOUR PROXY USER HERE
#-Dhttp.proxyPassword=PUT YOUR PROXY PASSWORD HERE
in a file ~/.activator/activatorconfig.txt.
This is described in detail in the FAQ section on https://www.lightbend.com/activator/docs
Scroll down to the section "Behind a Proxy".

Configure Spring Boot to Prevent Logjam Attack

Firefox v39 will no longer connect to my web application over HTTPS. I'm using Spring Boot with embedded Tomcat and I've made sure I'm using the latest version of Boot (v1.2.5). Firefox shows the following error message:
Secure Connection Failed
An error occurred during a connection to [website]. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)
I understand this is to protect against a known vulnerability called Logjam. A solution for Tomcat is provided at weakdh.org.
Spring Boot passes SSL configuration to Tomcat via application.properties and as such I have added server.ssl.ciphers to my application.properties as follows:
server.port=443
server.ssl.key-store=/home/ec2-user/boot.p12
server.ssl.key-store-password=...
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=...
server.ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA
After restarting boot, I notice the following in my log file:
WARN 2674 [main] --- o.a.t.util.net.jsse.JSSESocketFactory : None of the ciphers specified are supported by the SSL engine : TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, ...
Additionally, connecting using Firefox fails with the following message:
Secure Connection Failed
The connection to [website] was interrupted while the page was loading.
And I see the following in my log file:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Unfortunately I'm no encryption expert. Can anyone suggest how to fix this? Do I need to recreate my HTTPS certificate?
The solution was to upgrade Java on the server from 1.7 to 1.8.
sudo yum remove java-1.7.0-openjdk
sudo yum install java-1.8.0
After this was complete, no other configuration was necessary, not even modifying Tomcat as per the advice at weakdh.org.
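As an added example that is not from the original post, the following shell script lints a server.ssl.ciphers value like the one above. Every entry is checked against the IANA standard suite names that the local OpenSSL reports (openssl ciphers -stdname, OpenSSL 1.1.1 or newer), so mistyped names are caught, and each registered suite is classified by key exchange so that suites without forward secrecy, and DHE suites whose strength depends on the server's Diffie-Hellman parameters, stand out. The sample list is constructed. The check validates names only: whether a JVM actually offers a suite (AES-GCM suites, for instance, are only available from Java 8) has to be confirmed on that JVM.

```shell
#!/bin/sh
# Added example (not from the original post): lint a Spring Boot
# server.ssl.ciphers value. Names are checked against the IANA standard
# suite names known to the local OpenSSL (needs OpenSSL 1.1.1+), then
# classified by key exchange. This validates names only; whether a given
# JVM offers a suite must be checked on that JVM.
set -eu

# IANA standard names known to the local OpenSSL, one per line
known_suites() {
  openssl ciphers -stdname -v 'ALL' | awk '{print $1}'
}

# Classify one suite name by key exchange; prints one of
# pfs-ecdhe | pfs-dhe | tls13 | no-pfs | unknown
classify_suite() {
  case "$1" in
    TLS_ECDHE_*)               echo pfs-ecdhe ;;
    TLS_DHE_*)                 echo pfs-dhe ;;
    TLS_AES_*|TLS_CHACHA20_*)  echo tls13 ;;    # TLS 1.3: always ephemeral kex
    TLS_RSA_*|TLS_ECDH_*|TLS_DH_*|TLS_PSK_*|TLS_NULL_*) echo no-pfs ;;
    *)                         echo unknown ;;
  esac
}

# lint_ciphers "<comma-separated suite list>"
# Prints one verdict per suite; returns 1 if any suite is not a registered
# name or lacks forward secrecy, 0 otherwise.
lint_ciphers() {
  known="$(known_suites)"
  rc=0
  # split on commas; suite names never contain whitespace
  set -- $(printf '%s' "$1" | tr ',' ' ')
  for suite in "$@"; do
    if ! printf '%s\n' "$known" | grep -qxF "$suite"; then
      echo "$suite: NOT a registered IANA suite name (mistyped, or unknown to this OpenSSL)"
      rc=1
      continue
    fi
    kind="$(classify_suite "$suite")"
    case "$kind" in
      pfs-ecdhe|tls13)
        echo "$suite: ok ($kind)" ;;
      pfs-dhe)
        echo "$suite: ok ($kind) - only as strong as the server's DH parameters; small (export-grade or 1024-bit) DH groups are the Logjam weakness" ;;
      *)
        echo "$suite: no forward secrecy ($kind)"
        rc=1 ;;
    esac
  done
  return "$rc"
}

# Constructed sample list (not a recommendation): two good suites, one
# mistyped name, one non-PFS suite.
DEMO_LIST="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
lint_ciphers "$DEMO_LIST" || echo "cipher list needs attention (exit 1)"
```

The sample list includes TLS_ECDHE_RSA_WITH_AES_128_SHA, which is not a registered name (the IANA name is TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA), and TLS_RSA_WITH_AES_128_CBC_SHA, which has no forward secrecy; either one makes lint_ciphers return 1. Run it against the real property value before and after a Java upgrade, then confirm on the JVM itself which of the registered names it actually enables.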
