How to configure LDAP with TLS

Carsten Lempert shared this question 2 years ago
Answered

Hi, I am trying to configure LDAP with TLS, but it doesn't work.


There is a failure:

[screenshot attachment: error message]

So how can I configure TLS?

Comments (19)


Hello Carsten,

Thanks for reaching out with your question. For our English clients, the following depicts the error message:

[screenshot attachment: English error message]

This message indicates that a Java Property Trust Store hasn't been initialized for Tomcat. This store allows you to save public certificates in order to allow Tomcat to trust self-signed certs, and other Certificate Authorities. Luckily, it's fairly easy to set this property and create a truststore if you don't have one already. The process will be a bit dependent on your environment.

Linux

If Yellowfin is installed into Linux, this is a pretty quick and painless process.

First we'll create the trust store file.


mkdir <YellowfinInstall>/certificates && touch <YellowfinInstall>/certificates/truststore.ks

Where <YellowfinInstall> is the root of your Yellowfin installation.

Next we need to declare this through JAVA_OPTS. To do so, create a setenv.sh file within <YellowfinInstall>/appserver/bin with the following contents:


JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=$CATALINA_HOME/certificates/truststore.ks -Djavax.net.ssl.trustStorePassword=changeit -server"
export JAVA_OPTS

This adds the trust store path as a valid Trust Store to Tomcat. You'll need to restart Yellowfin for this to take effect.

If you need to import the public key of a self-signed cert, you may need to export this from your CA and use a command such as the following to import it into your truststore:


keytool -import -file "/path/to/your/cacert" -alias ldaps -keystore "certificates/truststore.ks"

Windows

If running Yellowfin from Windows, use the same process but create a setenv.bat file instead.

Windows Service

Navigate to your <YellowfinInstall>/appserver/bin folder. Type cmd in the address bar to open a Command Prompt there. Type:


tomcatXw.exe //ES//Yellowfin

where X = your tomcat version. This will be shown in the bin folder if you're unsure. This opens the service properties of the Yellowfin service. On the Java tab, add the following Java Options:


-Djavax.net.ssl.trustStore=<YellowfinInstall>\certificates\truststore.ks
-Djavax.net.ssl.trustStorePassword=changeit

[screenshot attachment: Java tab of the service properties]

Restart your Yellowfin service.

Let me know if this resolves your issue.

Thanks,

Ryan
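The procedure above (create the truststore, point Tomcat at it through JAVA_OPTS, import the CA certificate) as one script. This is an added example, not Yellowfin's own code or Ryan's: it builds the truststore with keytool instead of touch, because an empty file created with touch is not a keystore and is exactly what Tomcat rejects with "Password verification failed". It assumes the install root, the exported Base-64 CA certificate path and the LDAP host are passed in as arguments, and that keytool (from the JDK/JRE) and openssl are on PATH.

```shell
#!/bin/sh
# Added example for the Yellowfin/Tomcat LDAPS truststore setup (not project code).
# Assumptions: $1-style arguments supply the install root, CA cert and LDAP host.

# Render the setenv.sh contents for a given install root and truststore password.
render_setenv() {
    yf_home="$1"; ts_pass="$2"
    printf 'JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=%s/certificates/truststore.ks -Djavax.net.ssl.trustStorePassword=%s -server"\nexport JAVA_OPTS\n' "$yf_home" "$ts_pass"
}

# Reject a missing or empty truststore: a file made with `touch` is not a
# keystore and fails at Tomcat startup with "Password verification failed".
# When keytool is available, also confirm the password actually unlocks it.
check_truststore() {
    ts="$1"; ts_pass="$2"
    [ -s "$ts" ] || { echo "truststore $ts is missing or empty" >&2; return 1; }
    if command -v keytool >/dev/null 2>&1; then
        keytool -list -keystore "$ts" -storepass "$ts_pass" >/dev/null 2>&1 || return 1
    fi
    return 0
}

# Create the truststore by importing the public CA certificate; keytool creates
# the keystore file itself, so no `touch` is needed. Import the CA's public
# cert only, never a private key.
build_truststore() {
    yf_home="$1"; ca_cert="$2"; ts_pass="$3"
    mkdir -p "$yf_home/certificates"
    keytool -importcert -noprompt -trustcacerts -file "$ca_cert" -alias ldaps \
        -keystore "$yf_home/certificates/truststore.ks" -storepass "$ts_pass"
}

# Reachability and chain check for the LDAPS endpoint on port 636 using the
# same CA cert; separates "cannot connect to host/port" from trust problems.
check_ldaps() {
    ldap_host="$1"; ca_cert="$2"
    printf '' | openssl s_client -connect "$ldap_host:636" -CAfile "$ca_cert" \
        -verify_return_error >/dev/null 2>&1
}
```

Typical use is build_truststore, then check_truststore, then render_setenv into appserver/bin/setenv.sh and restart Yellowfin; check_ldaps confirms the server side before blaming the truststore.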


Hi, I have done that, but it doesn't work. I see a failure in yellowfin-stderr.2017-11-10.log:


10-Nov-2017 14:33:17.809 WARNING [main] org.apache.tomcat.util.net.SSLHostConfig.getTruststore The provided trust store password could not be used to unlock and/or validate the trust store. Retrying to access the trust store with a null password which will skip validation. java.security.UnrecoverableKeyException: Password verification failed


Hi Carsten,

Thanks for the reply. Let's try deleting your trust store and starting fresh with your public certificate in a new command:

keytool -import -file "/path/to/your/cacert" -alias ldaps -keystore "certificates/truststore.ks"

Ensure that the cert you are importing is your public ca and not your private.

I've edited my original response to reflect the above command.

Thanks,

Ryan


Hi Carsten,

Sorry for the double post here. If you're unsure as to how to export the required file, perform the following from the DC or CA hosting the Cert:

1. Start > Run > mmc.exe, File > Add/Remove Snap-in, Choose Certificates, Computer Account, Local Computer, Finish. (Certificate Authority Role must be installed on this DC)

2. Expand “Trusted Root Certification Authorities > Certificates”, right-click on the DC certificate, mylab-DC-CA > All Tasks > Export, “Base-64 encoded X.509 (.CER)”. Save as “dc-mylab-local.cer”.

These steps were taken from here.

Thanks,

Ryan


Hi Ryan,

sorry for my late response. I'm very busy at the moment, so it may take a while.

Greetings


Hi Carsten,

Thanks for the update. I'll leave this open for a time and check back for your results. I look forward to your reply.

Thanks,

Ryan


Hi,

so I added a new truststore:

-Djavax.net.ssl.trustStore=E:\Programme\Yellowfin\appserver\conf\truststore.ks
-Djavax.net.ssl.trustStorePassword=changeit

Now the connection test says that it could not connect to the server or port. So I sent it to our administrators.


Hi Carsten,

Thanks for the reply. I'll leave this open and check back after some time.

Thanks,

Ryan


Hi Carsten,

I wanted to check in on this and see if you've managed to accomplish this task.

Thanks,

Ryan


Hi,

not yet... I'm waiting on a response from our administrators.


Hi Carsten,

Thanks for the update. I look forward to your results.

- Ryan


Hi Carsten,

I haven't heard back on this for some time. I wanted to see how things were going. If I don't hear back, I'll presume the information herein has helped you accomplish this task and mark this as Answered.

Thanks,

Ryan


Hi Ryan,

our administrator is very busy at the moment. I think we can close this issue. We must look internally into why it doesn't work.

Thanks for your patience ;)


Hi Carsten,

Thanks for the update. I'll go ahead and mark this as Answered in regards to this reply.

Thanks,

Ryan


Hello, as we are running into exactly the same issue (not able to connect to host and port), I would really like to hear from Carsten whether he got this fixed.

We have already spent the better part of a day on that issue but are unable to get it working.


Jeroen


Hi JeRoen,

Thanks for reaching out with your issue. Please don't hesitate to submit a private ticket with all of the relevant details of what you've tried so far so that someone on our Support Team can assist. I'm happy to facilitate logging this on your behalf.

It's unclear from the post here whether Carsten did solve his issue. Subscribing to this post will ensure you do not miss any updates from him should he receive this correspondence.

Thanks,

Ryan


Hi all,

so we don't use TLS. We switched on SSL. That works.

We also use in the Tomcat config the entry "-Djavax.net.ssl.trustStore=E:\Programme\Yellowfin\appserver\conf\truststore.ks". In this keystore we added the root and sub certificate from our company. The keystore is without a password.

We also don't configure our Active Directory for authentication. We now use open ldaps. That works correctly.


Hello Carsten,

Thanks for the feedback. I will make sure to inform our administrators about your configuration. That might help.

JeRoen


Thanks for the update Carsten.

JeRoen, please don't hesitate to let us know if you have further issues.

Regards,

Ryan