LDAPS with AD and JSS running on Windows Server 2008R2

wstewart3
New Contributor III

I have read over
https://jamfnation.jamfsoftware.com/article.html?id=121

But this article does not apply to a Windows Server 2008 R2 deployment. Firstly, I have tested LDAP using ports 389 and 3268, which works fine. After enabling SSL and changing the ports to 636 and 3269, the test fails saying

Error: javax.naming.CommunicationException: x.x.x.x:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target] Suggestion: Ensure you can connect to x.x.x.x on port 636

Originally I assumed that the Microsoft certificate authority should handle any of the SSL certs for LDAPS, but after reading some Java related posts that does not seem like the case.
http://social.technet.microsoft.com/Forums/windowsserver/en-US/fa6db195-699a-4e32-b442-8ff6ef716fad/certificates-in-windows-need-help

to which someone replies

Java has its own trusted keystore and you need to either add the server certificate or the CA certificate to the trusted keystore in your application

Which would tell me that JSS should have a config file or an import feature somewhere OR I need to import it into java somehow.

I also noticed there was a keytool application in the JDK folder which has an importcert option. This is probably my next guess to getting this to work. I was hoping someone else had some advice or knew the next step.

I do appreciate your time.

7 REPLIES

alexjdale
Valued Contributor III

I wish I had the full answer for you, but you are on the right track with Java. We fumbled with this for a while when we moved to 2008 R2 and secure LDAP earlier this year.

I believe we did have to use the keytool to import the certificate and had to be sure to run it as administrator for it to import properly. My contractor who did most of the work is no longer around so I can't provide more details, sorry!

bentoms
Release Candidate Programs Tester

Is the SSL cert signed by an internal CA?

You need to create a new keystore like:

keytool -certreq -keystore "<keystore full path>" -keyalg RSA -file certreq.csr -alias <alias name>

Make a note of the password.

Download the signing CA cert locally & import into the keystore like:

keytool -import -keystore "<keystore full path>" -alias rootca -trustcacerts -file "<CA Cert location>"

I could be wrong! So test, test, test!!

bentoms
Release Candidate Programs Tester

NOTE: I use the above to import our root CA on a w2k8 server's java instance for extensis portfolio.

wstewart3
New Contributor III

Thanks for the response. Hopefully it will get us one step closer!

But when I run

keytool -certreq -keystore "<keystore full path>" -keyalg RSA -file certreq.csr -alias <alias name>

It tells me that "The keystore file does not exist" (since I thought this should be making a new one, I tried to make it something new).
Alternatively, if I use an existing file (called cacert) and a new alias, it tells me that the alias has no key, even though I have uploaded the .cer file to it using keytool already.

Any ideas?
Thanks!

wstewart3
New Contributor III

Alrighty! Sorry for the delay but we have LDAPS working in our windows environment. And everyone was very close, if not absolutely correct.

On our Windows Server 2008 R2 we have two folders, a JRE and a JDK installation, both having the keytool.exe program in their bin folders. Many of the guides online for adding certificate files to your Java cacerts keystore say to use %JAVA_HOME% for your directory, but this used the JDK and not the JRE folder.

Additionally, the default cacerts keystore has a password, which should be "changeit" on Windows.

Here is the command we ended up running.

"C:\Program Files\Java\jre7\bin\keytool" -import -trustcacerts -alias ittl -keystore "C:\Program Files\Java\jre7\lib\security\cacerts" -file "C:\Program Files\Java\jre7\lib\security\cert.crt"

In an elevated command prompt.

After which, restarting Apache in Control Panel -> Administrator Tools -> Services, the website instantly took the certificate and LDAPS started working on ports 636 and 3269!

tfahmy
New Contributor

Thanks for the explanation, wstewart3. This is exactly what I needed to do also. I was initially using the "cacerts" keystore file inside the bin folder, instead of the lib\security folder. Thanks for posting your solution!

mkremic
New Contributor III

For anyone else trying to get LDAPS working I FINALLY succeeded today, after many failed attempts.

Just in case it's helpful for someone else - here's what worked for me:

1) Stumbled on this site through googling and JAMF Nation trawling. In it was a very valuable link about setting up LDAP over SSL.

2) followed the LDAP over SSL link to create a new certificate template (I called mine "Casper Kerberos Authentication" for simplicity)... followed all the first steps from start to finish on my CA, and then on my AD server for the heading Requesting a Certificate for Server Authentication. We have several AD servers in our environment but only use one for Casper AD auth.

3) On the AD server with the mmc certificate snap-in loaded as local computer, I exported the newly enrolled "Casper Kerberos Authentication" certificate as a base64 .cer and copied over to our casper server.

4) @wstewart3's comment about importing the certificate into the JRE cert store worked a treat, specifically: "C:\Program Files\Java\jre7\bin\keytool" -import -trustcacerts -alias ittl -keystore "C:\Program Files\Java\jre7\lib\security\cacerts" -file "C:\path\to\your\newcert.cer"

5) Restarted the Tomcat service on the server and voila, I was able to authenticate with LDAPS when I did a test.

If like me you had to do a lot of troubleshooting and didn't get the certificate right the first time, you might need to remove it from the Java certificate store before importing another one. The command to do this was:

"C:\Program Files\Java\jre7\bin\keytool" -delete -alias ittl -keystore "C:\Program Files\Java\jre7\lib\security\cacerts" -storepass changeit (assuming your password is still "changeit")

Hopefully this might help someone out! Thanks for all the previous comments that helped me get this far!
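The procedure wstewart3 and mkremic arrived at (pick the JRE's cacerts rather than %JAVA_HOME%, delete any stale alias, import the CA with -trustcacerts, restart Tomcat) pulled together into one script, as an added example that is not code from the thread or from JAMF. It goes a step beyond the posts by checking that the alias actually landed in the keystore and by testing the LDAPS chain with OpenSSL, which fails for the same reason Java's "PKIX path building failed" does when the CA is not trusted. JRE_HOME, CA_CERT, DC_HOST and the alias ittl are placeholders to set for your environment; keytool accepts the same flags on Windows, so only the paths change there.

```shell
#!/bin/sh
# Added example, not from the thread: import the AD CA certificate into the
# trust store of the JRE that Tomcat/JSS actually runs on, confirm the entry
# landed, and test the LDAPS handshake from outside Java.
# keytool syntax is identical on Windows; the paths below are placeholders.
set -eu

JRE_HOME="${JRE_HOME:-/opt/jre7}"            # Windows: C:\Program Files\Java\jre7
CA_CERT="${CA_CERT:-./rootca.cer}"           # base64 (PEM) export of the issuing CA
CA_ALIAS="${CA_ALIAS:-ittl}"                 # alias used in the thread; any name works
STOREPASS="${STOREPASS:-changeit}"           # default cacerts password
DC_HOST="${DC_HOST:-dc01.example.internal}"  # placeholder domain controller name

# The trust store the JRE reads. It hangs off the JRE, not %JAVA_HOME%,
# which on the thread's server pointed at the JDK and so was never consulted.
cacerts_for_jre() {
    printf '%s/lib/security/cacerts\n' "$1"
}

# True when `keytool -list` output shows the alias as a trustedCertEntry.
# keytool lower-cases aliases on import, so match case-insensitively.
alias_present() {  # $1 = keytool -list output, $2 = alias
    printf '%s\n' "$1" | grep -i -q "^$2, .*trustedCertEntry"
}

# True when `openssl s_client` built the server chain with the CA file given.
chain_verified() {  # $1 = s_client output
    printf '%s\n' "$1" | grep -q 'Verify return code: 0 (ok)'
}

import_ca() {
    ks=$(cacerts_for_jre "$JRE_HOME")
    kt="$JRE_HOME/bin/keytool"
    # Drop a stale copy under the same alias first (mkremic's -delete step);
    # keytool exits non-zero when the alias is absent, which is fine here.
    "$kt" -delete -alias "$CA_ALIAS" -keystore "$ks" -storepass "$STOREPASS" 2>/dev/null || true
    "$kt" -importcert -noprompt -trustcacerts -alias "$CA_ALIAS" \
          -keystore "$ks" -storepass "$STOREPASS" -file "$CA_CERT"
    listing=$("$kt" -list -keystore "$ks" -storepass "$STOREPASS")
    if ! alias_present "$listing" "$CA_ALIAS"; then
        echo "alias '$CA_ALIAS' not found in $ks after import" >&2
        return 1
    fi
    echo "imported '$CA_ALIAS' into $ks; restart Tomcat so the JVM reloads it"
}

# Independent check: if OpenSSL cannot verify the chain with the same CA
# file, Java will not either, whatever is in cacerts.
test_ldaps() {
    out=$(openssl s_client -connect "$DC_HOST:636" -CAfile "$CA_CERT" </dev/null 2>&1 || true)
    if chain_verified "$out"; then
        echo "LDAPS chain to $DC_HOST verified with $CA_CERT"
    else
        printf '%s\n' "$out" | grep 'Verify return code' >&2
        return 1
    fi
}

case "${1:-}" in
    import) import_ca ;;
    test)   test_ldaps ;;
    *)      echo "usage: $0 import|test" ;;
esac
```

Run `import` from an elevated prompt (cacerts is writable only by administrators, which is why alexjdale's import had to run as administrator), then `test` against the domain controller on 636. Importing the issuing CA rather than the DC's own certificate, as mkremic did, means the trust survives when the DC certificate is renewed by the template; a leaf imported as a trusted entry stops working the day it is replaced.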