How to configure LDAP with TLS
Answered
Hi, I am trying to configure LDAP with TLS, but it doesn't work.
There is a failure:
So how can I configure TLS?
Hello Carsten,
Thanks for reaching out with your question. For our English clients, the following depicts the error message:
This message indicates that a Java Property Trust Store hasn't been initialized for Tomcat. This store allows you to save public certificates in order to allow Tomcat to trust self-signed certs and other Certificate Authorities. Luckily, it's fairly easy to set this property and create a truststore if you don't have one already. The process will be a bit dependent on your environment.
Linux
If Yellowfin is installed on Linux, this is a pretty quick and painless process.
First we'll create the trust store file.
Where <YellowfinInstall> is the root of your Yellowfin installation.
Next we need to declare this through JAVA_OPTS. To do so, create a setenv.sh file within <YellowfinInstall>/appserver/bin with the following contents:
This adds the trust store path as a valid Trust Store to Tomcat. You'll need to restart Yellowfin for this to take effect.
If you need to import the public key of a self-signed cert, you may need to export this from your CA and use a command such as the following to import it into your truststore:
Windows
If running Yellowfin from Windows, use the same process but create a setenv.bat file instead.
Windows Service
Navigate to your <YellowfinInstall>/appserver/bin folder. Type cmd in the address bar to open a Command Prompt there. Type:
where X = your Tomcat version. This will be shown in the bin folder if you're unsure. This opens the service properties of the Yellowfin service. On the Java tab, add the following Java Options:
Restart your Yellowfin service.
Let me know if this resolves your issue.
Thanks,
Ryan
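Ryan's Linux steps, collected into one script as an added example that is not Yellowfin's own code: it imports the exported CA certificate into a truststore, verifies that the store password actually unlocks it (the "Password verification failed" warning that appears later in this thread), writes setenv.sh, and reproduces the LDAPS handshake from the Yellowfin host. The install root, certificate file, LDAPS host, the alias ldap-ca and the password changeit are assumed values.

```shell
#!/bin/sh
# Added example, not Yellowfin's own scripts: build the Tomcat truststore for an
# LDAPS CA certificate, write setenv.sh, and run two checks.
# Assumed inputs: $1 = Yellowfin install root, $2 = Base-64 (.cer) CA export,
# $3 = LDAPS host. Store path, alias and password are constructed below.
set -eu

# Render the JAVA_OPTS line for setenv.sh. The two -D options are separate
# tokens; running them together into one string leaves Tomcat with no truststore.
render_setenv() {   # store pass
  printf 'export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s"\n' "$1" "$2"
}

# Import only the public CA certificate; -noprompt skips the interactive
# "Trust this certificate?" question, and keytool creates the store if absent.
import_ca() {   # store pass certfile alias
  keytool -importcert -noprompt -trustcacerts -keystore "$1" -storepass "$2" \
    -file "$3" -alias "$4"
}

# The password in setenv.sh must unlock the store, otherwise Tomcat logs
# "Password verification failed" and falls back to a null password.
verify_store() {   # store pass
  keytool -list -keystore "$1" -storepass "$2" >/dev/null 2>&1
}

# Reproduce the LDAPS handshake from this host with the same CA file;
# a refused port and an untrusted chain both give a non-zero exit.
check_ldaps() {   # host certfile
  openssl s_client -connect "$1:636" -CAfile "$2" -verify_return_error \
    </dev/null >/dev/null 2>&1
}

main() {
  install="$1"; cert="$2"; host="$3"
  store="$install/appserver/conf/truststore.ks"
  pass="changeit"   # constructed sample password; choose your own
  import_ca "$store" "$pass" "$cert" ldap-ca
  verify_store "$store" "$pass" || { echo "truststore password mismatch" >&2; exit 1; }
  render_setenv "$store" "$pass" > "$install/appserver/bin/setenv.sh"
  chmod 750 "$install/appserver/bin/setenv.sh"   # setenv.sh holds the password
  check_ldaps "$host" "$cert" && echo "LDAPS handshake to $host:636 verified" \
    || echo "cannot reach or verify $host:636; check port/firewall and chain" >&2
  echo "restart Yellowfin for the new JAVA_OPTS to take effect"
}

if [ $# -eq 3 ]; then main "$@"; fi
```

Run it as `sh ldaps-truststore.sh /opt/yellowfin dc-mylab-local.cer ldap.example.com` (assumed names); the keytool and openssl binaries must be on PATH.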
Hi, I have done that, but it doesn't work. I see a failure in yellowfin-stderr.2017-11-10.log:
10-Nov-2017 14:33:17.809 WARNING [main] org.apache.tomcat.util.net.SSLHostConfig.getTruststore The provided trust store password could not be used to unlock and/or validate the trust store. Retrying to access the trust store with a null password which will skip validation. java.security.UnrecoverableKeyException: Password verification failed
Hi Carsten,
Thanks for the reply. Let's try deleting your trust store and starting fresh with your public certificate in a new command:
Ensure that the cert you are importing is your public CA and not your private one. I've edited my original response to reflect the above command.
Thanks,
Ryan
Hi Carsten,
Sorry for the double post here. If you're unsure as to how to export the required file, perform the following from the DC or CA hosting the Cert:
1. Start > Run > mmc.exe, File > Add/Remove Snap-in, Choose Certificates, Computer Account, Local Computer, Finish. (Certificate Authority Role must be installed on this DC)
2. Expand “Trusted Root Certification Authorities > Certificates”, right-click on the DC certificate, mylab-DC-CA > All Tasks > Export, “Base-64 encoded X.509 (.CER)”. Save as “dc-mylab-local.cer”
These steps were taken from here.
Thanks,
Ryan
Hi Ryan,
Sorry for my late response. I'm very busy at the moment, so it may take a while.
Greetings
Hi Carsten,
Thanks for the update. I'll leave this open for a time and check back for your results. I look forward to your reply.
Thanks,
Ryan
Hi,
So I added a new truststore:
-Djavax.net.ssl.trustStore=E:\Programme\Yellowfin\appserver\conf\truststore.ks
-Djavax.net.ssl.trustStorePassword=changeit
Now the connection test says that it could not connect to the server or port. So I sent it to our administrators.
Hi Carsten,
Thanks for the reply. I'll leave this open and check back after some time.
Thanks,
Ryan
Hi Carsten,
I wanted to check in on this and see if you've managed to accomplish this task.
Thanks,
Ryan
Hi,
Not yet... I'm waiting on a response from our administrators.
Hi Carsten,
Thanks for the update. I look forward to your results.
- Ryan
Hi Carsten,
I haven't heard back on this for some time. I wanted to see how things were going. If I don't hear back, I'll presume the information herein has helped you accomplish this task and mark this as Answered.
Thanks,
Ryan
Hi Ryan,
Our administrator is very busy at the moment. I think we can close this issue. We must look internally into why it doesn't work.
Thanks for your patience ;)
Hi Carsten,
Thanks for the update. I'll go ahead and mark this as Answered in regards to this reply.
Thanks,
Ryan
Hello, as we are running into exactly the same issue (not able to connect to host and port), I would really like to hear from Carsten whether he got this fixed.
We have already spent the better part of a day on that issue but are unable to get it working.
Jeroen
Hi JeRoen,
Thanks for reaching out with your issue. Please don't hesitate to submit a private ticket with all of the relevant details of what you've tried so far so that someone with our Support Team can assist. I'm happy to facilitate logging this on your behalf.
It's unclear from the post here whether Carsten did solve his issue. Subscribing to this post will ensure you do not miss any updates from him should he receive this correspondence.
Thanks,
Ryan
Hi all,
So we don't use TLS. We switched on SSL. That works.
We also use the entry "-Djavax.net.ssl.trustStore=E:\Programme\Yellowfin\appserver\conf\truststore.ks" in the Tomcat config. In this keystore we added the root and sub certificates from our company. The keystore has no password.
We also don't configure our Active Directory for authentication. We now use open ldaps. That works correctly.
Hello Carsten,
Thanks for the feedback. I will make sure to inform our administrators about your configuration. That might help.
JeRoen
Thanks for the update Carsten.
JeRoen, please don't hesitate to let us know if you have further issues.
Regards,
Ryan
Hi Ryan,
I have the same problem as Carsten and I opened a YF ticket with number 17902.
Best regards...Karl-Josef
Hi Karl,
Thank you for considering this thread when submitting your ticket. I have been collaborating with your assigned Support Agent and will be assisting in your case.
Regards,
Ryan