Topic: StartTLS - Code Example: Implicit Assertion of Client's Authorization Identity
authen (member, posts: 36, joined: 08/07/2006, from: San Diego, CA) posted on: 07/03/2007 07:08:32 PM
StartTLS - Code Example: Implicit Assertion of Client's Authorization Identity
/**
 *  A code example to demonstrate how StartTLS works with SASL EXTERNAL
 *  Note: This example has been tested to work with Active Directory 2003
 */

import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;

public class StartTSLJndiClient
{
  
  public static void main (String[] args) 
  {
    // To specify a trustStore other than the default one:
    //    %JAVA_HOME%\lib\security\cacerts
    System.setProperty("javax.net.ssl.trustStore", "myTrustStore");
    System.setProperty("javax.net.ssl.trustStorePassword", "password"); // optional 

    // To specify the client's keyStore where the client's certificate is located.
    // Note: The client's keyStore is optional for StartTLS negotiation and connection,
    //     but it is required for the implicit client identity assertion
    //     by SASL EXTERNAL, where the client ID is extracted from the certificate subject.
    System.setProperty("javax.net.ssl.keyStore", "myKey.pfx");
    System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
    System.setProperty("javax.net.ssl.keyStorePassword", "secret");
    
    Hashtable env = new Hashtable(5, 0.75f);
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldap://myServerInDnsFullName:389");  

    try{
      
      /* Establish LDAP association */
      LdapContext ctx = new InitialLdapContext(env, null);

      /* Requesting to start TLS on an LDAP association */
      ExtendedRequest tlsRequest = new StartTlsRequest();
      ExtendedResponse tlsResponse = ctx.extendedOperation(tlsRequest);
      
      /* Starting TLS */
      StartTlsResponse tls = (StartTlsResponse)tlsResponse;
      tls.negotiate();

      // A TLS/SSL secure channel has been established if you reach here.
      
      /* Assertion of client's authorization Identity -- Implicit way */
      ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "EXTERNAL");
      
      Attributes result = ctx.getAttributes("uid=jdoe,cn=vip,dc=domain,dc=com");
      System.out.println(result);
            
      tls.close();
                              
      // The TLS/SSL secure layer has been closed and all traffic down the road 
      // will be in clear text.
      
      /* other LDAP operations may go here */
      /* ... */
            
      ctx.close();
      
    }catch(Exception e){
      e.printStackTrace();
      System.exit(-1);
    }
    
  }
}


authen (member, posts: 36, joined: 08/07/2006, from: San Diego, CA) posted on: 07/03/2007 07:12:25 PM
SunCertPathBuilderException: unable to find valid certification path to requested target
If you do not have the correct trust store to verify the server's certificate,
System.setProperty("javax.net.ssl.trustStore", "myTrustStore");

you would get something like this:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1522)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:180)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:861)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:111)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:509)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:447)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:822)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1034)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1061)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1045)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.startHandshake(StartTlsResponseImpl.java:344)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:208)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:161)

authen (member, posts: 36, joined: 08/07/2006, from: San Diego, CA) posted on: 07/03/2007 07:13:57 PM
CertificateException: No subject alternative DNS name found
In order to prevent man-in-the-middle attacks, the client MUST use the server hostname as expressed in the server's certificate, which is also referred to as the subject and is, most likely, in the form of a full DNS name.
env.put(Context.PROVIDER_URL, "ldap://myServerInDnsFullName:389");

Otherwise, you would get something like this:

javax.net.ssl.SSLPeerUnverifiedException: hostname of the server 'myServer' does not match the hostname in the server's certificate.
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.verify(StartTlsResponseImpl.java:437)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:216)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:161)
at com.rli.slapd.client.ExternalTSLJndiClient.main(ExternalTSLJndiClient.java:122)
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching myServe found.
at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:193)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:77)
... 3 more


authen (member, posts: 36, joined: 08/07/2006, from: San Diego, CA) posted on: 07/03/2007 07:27:50 PM
AuthenticationException: The server did not receive any credentials via TLS
An implicit authorization identity assertion is accomplished after TLS establishment by invoking a Bind request of the SASL form using the "EXTERNAL" mechanism. The server will derive the client's authorization identity from the authentication identity supplied in the client's certificate. In that sense, the client's certificate setting as shown below is a MUST for "EXTERNAL" implicit assertion to work.
    System.setProperty("javax.net.ssl.keyStore", "myKey.pfx");
    System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
    System.setProperty("javax.net.ssl.keyStorePassword", "secret");

Otherwise, you would get something like this:

javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09048B, comment: The server did not receive any credentials via TLS, data 0, vece]; remaining name 'uid=jdoe,cn=vip,dc=domain,dc=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3005)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2753)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2667)
at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2566)
at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2540)
at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1905)
at com.sun.jndi.ldap.LdapCtx.doSearchOnce(LdapCtx.java:1897)
at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1290)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:109)
at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:123)
at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:118)


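An added check that is not code from this thread: it runs the same StartTLS plus SASL EXTERNAL flow as the first post, but refuses to continue if no client certificate was actually sent, binds eagerly with reconnect() so a failed bind surfaces before any search, and then asks the server which authorization identity it derived, using the "Who am I?" extended operation (RFC 4532), so a missing or wrong certificate cannot silently become an anonymous or unexpected bind. It assumes the javax.net.ssl.trustStore/keyStore properties from the first post are passed with -D on the command line, a server that implements RFC 4532 (OpenLDAP does; the Active Directory 2003 the first post was tested against may not), and the class names, the expected-authzId argument and the placeholder host are mine.

```java
import java.nio.charset.StandardCharsets;
import java.security.cert.*;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.*;
import javax.net.ssl.SSLSession;

/** "Who am I?" extended operation (RFC 4532); the response value is the bare authzId. */
class WhoAmIRequest implements ExtendedRequest {
    public String getID() { return "1.3.6.1.4.1.4203.1.11.3"; }
    public byte[] getEncodedValue() { return null; }           // the request carries no value
    public ExtendedResponse createExtendedResponse(final String id, byte[] value, int off, int len)
            throws NamingException {
        // An empty or absent value means the server bound us anonymously.
        final byte[] authzId = (value == null) ? new byte[0] : java.util.Arrays.copyOfRange(value, off, off + len);
        return new ExtendedResponse() {
            public String getID() { return id; }
            public byte[] getEncodedValue() { return authzId; }
        };
    }
}

public class StartTlsExternalCheck {
    public static void main(String[] args) throws Exception {
        String url = args.length > 0 ? args[0] : "ldap://myServerInDnsFullName:389"; // placeholder host from the thread
        String expected = args.length > 1 ? args[1] : null;  // authzId you expect the server to assign (assumed input)
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        SSLSession session = tls.negotiate();  // also checks the certificate name against the URL host
        Certificate[] local = session.getLocalCertificates();  // what we sent; null if no keyStore was configured
        if (local == null || local.length == 0) {
            throw new IllegalStateException("no client certificate presented: EXTERNAL has nothing to assert");
        }
        System.out.println("client cert subject: " + ((X509Certificate) local[0]).getSubjectX500Principal());
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "EXTERNAL");
        ctx.reconnect(null);  // bind with SASL EXTERNAL now, instead of lazily on the first search
        String authzId = new String(ctx.extendedOperation(new WhoAmIRequest()).getEncodedValue(), StandardCharsets.UTF_8);
        System.out.println("server-assigned authzId: " + (authzId.isEmpty() ? "<anonymous>" : authzId));
        if (expected != null && !expected.equals(authzId)) {
            throw new SecurityException("bound as '" + authzId + "', expected '" + expected + "'");
        }
        tls.close();   // everything after this point travels in cleartext again
        ctx.close();
    }
}
```

Run it as `java -Djavax.net.ssl.trustStore=myTrustStore -Djavax.net.ssl.keyStore=myKey.pfx -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStorePassword=secret StartTlsExternalCheck ldap://host:389 <expected-authzId>`; the authzId format (dn: or u:) is server-specific, so compare against what your directory actually returns.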