| Author |
Topic: StartTLS - Code Example: Explicit Assertion of Client's Authorization Identity |
|
authen
member
offline  |
| |
| posts: |
36 |
| joined: |
08/07/2006 |
| from: |
San Diego, CA |
|
|
 |
|
|
| StartTLS - Code Example: Explicit Assertion of Client's Authorization Identity |
/**
* A code example to demonstrate how StartTLS works
* Note: This example has been tested to work with Active Directory 2003
*/
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;
public class StartTSLJndiClient
{
public static void main (String[] args)
{
// To specify the trustStore, if any other than the default one:
// %JAVA_HOME%\lib\security\certs
System.setProperty("javax.net.ssl.trustStore", "myTrustStore");
System.setProperty("javax.net.ssl.trustStorePassword", "password"); // optional
// To spcify client's keyStore where client's certificate is located
// Note: Client's keyStore is optional for StartTLS negotiation and connection.
// But it is required for implicit client indendity assertion
// by SASL EXTERNAL where client ID is extracted from certificate subject.
System.setProperty("javax.net.ssl.keyStore", "myKey.pfx");
System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
System.setProperty("javax.net.ssl.keyStorePassword", "secret");
Hashtable env = new Hashtable(5, 0.75f);
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://myServerInDnsFullName:389");
try{
/* Establish LDAP association */
LdapContext ctx = new InitialLdapContext(env, null);
/* Requesting to start TLS on an LDAP association */
ExtendedRequest tlsRequest = new StartTlsRequest();
ExtendedResponse tlsResponse = ctx.extendedOperation(tlsRequest);
/* Starting TLS */
StartTlsResponse tls = (StartTlsResponse)tlsResponse;
tls.negotiate();
// A TLS/SSL secure channel has been established if you reach here.
/* Assertion of client's authorization Identity -- Explicit way */
ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, "testUser@myDomain");
ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, "password");
Attributes result = ctx.getAttributes("uid=jdoe,cn=vip,dc=domain,dc=com");
System.out.println(result);
tls.close();
// The TLS/SSL secure layer has been closed and all traffic down the road
// will be in clear text.
/* other LDAP operations may go here */
/* ... */
ctx.close();
}catch(Exception e){
e.printStackTrace();
System.exit(-1);
}
}
}
|
|
|
|
|
|
|
authen
member
offline  |
| |
| posts: |
36 |
| joined: |
08/07/2006 |
| from: |
San Diego, CA |
|
|
|
|
|
| SunCertPathBuilderException: unable to find valid certification path to requested target |
If you do not have the correct trust store to verify server's certificate,
System.setProperty("javax.net.ssl.trustStore", "myTrustStore");
you would get somethings like this:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1522)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:180)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:861)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:111)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:509)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:447)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:822)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1034)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1061)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1045)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.startHandshake(StartTlsResponseImpl.java:344)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:208)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:161)
|
|
|
|
|
|
|
authen
member
offline |
| |
| posts: |
36 |
| joined: |
08/07/2006 |
| from: |
San Diego, CA |
|
|
|
|
|
| CertificateException: No subject alternative DNS name found |
In order to prevent man-in-the-middle attacks, the client MUST use the server hostname as expressed in the server's certificate, which is also referred to subject and is, most likely, in form of full NDS name.
env.put(Context.PROVIDER_URL, "ldap://myServerInDnsFullName:389");
Otherwise, you would get somethings like this:
javax.net.ssl.SSLPeerUnverifiedException: hostname of the server 'myServer' does not match the hostname in the server's certificate.
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.verify(StartTlsResponseImpl.java:437)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:216)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:161)
at com.rli.slapd.client.ExternalTSLJndiClient.main(ExternalTSLJndiClient.java:122)
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching myServe found.
at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:193)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:77)
... 3 more
|
|
|
|
|
|
|
|
Email To Friend | 
Set Alert To This Topic
New Topic | 
Post Reply 
posted on: 07/03/2007 06:28:27 PM
Edit
Quote
Report
Profile
Reply