How to configure LDAP with TLS

Carsten Lempert shared this question 1 year ago
Answered

Hi, I try to configure LDAP with TLS, but it doesn't work.

There is a failure:


So how can I configure TLS?

Comments (14)


Hello Carsten,

Thanks for reaching out with your question. For our English clients, the following depicts the error message:


This message indicates that a Java Property Trust Store hasn't been initialized for Tomcat. This store allows you to save public certificates in order to allow Tomcat to trust self-signed certs, and other Certificate Authorities. Luckily, it's fairly easy to set this property and create a truststore if you don't have one already. The process will be a bit dependent on your environment.

Linux

If Yellowfin is installed into Linux, this is a pretty quick and painless process.

First we'll create the trust store file.


mkdir <YellowfinInstall>/certificates && touch <YellowfinInstall>/certificates/truststore.ks

Where <YellowfinInstall> is the root of your Yellowfin installation.

Next we need to declare this through JAVA_OPTS. To do so, create a setenv.sh file within <YellowfinInstall>/appserver/bin with the following contents:


JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=$CATALINA_HOME/certificates/truststore.ks -Djavax.net.ssl.trustStorePassword=changeit -server"
export JAVA_OPTS

This adds the trust store path as a valid Trust Store to Tomcat. You'll need to restart Yellowfin for this to take effect.

If you need to import the public key of a self-signed cert, you may need to Export this from your CA and use a command such as the following to import it into your truststore:


keytool -import -file "/path/to/your/cacert" -alias ldaps -keystore "certificates/truststore.ks"

Windows

If running Yellowfin from Windows, use the same process but create a setenv.bat file instead.

Windows Service

Navigate to your <YellowfinInstall>/appserver/bin folder. Type cmd in the address bar to open a Command Prompt there. Type:


tomcatXw.exe //ES//Yellowfin

where X = your Tomcat version. This will be shown in the bin folder if you're unsure. This opens the service properties of the Yellowfin service. On the Java tab, add the following Java Options:


-Djavax.net.ssl.trustStore=$CATALINA_HOME/certificates/truststore.ks
-Djavax.net.ssl.trustStorePassword=changeit


Restart your Yellowfin service.

Let me know if this resolves your issue.

Thanks,

Ryan
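A pre-flight check for the truststore settings described above, written as an added example (not Yellowfin's or the poster's code). It assumes the JAVA_OPTS value from setenv.sh is passed to it already expanded, and it catches the two failure modes that appear later in this thread: a zero-byte store file and two -D options run together without a space. The keytool unlock check only runs where a JDK is installed.

```shell
#!/bin/sh
# Pre-flight check for the javax.net.ssl truststore options handed to Tomcat.
# Added example; assumes the option string is passed in already expanded.

# Print the value of -D<name>=... from an option string, or nothing if absent.
ts_opt() {  # $1 = option string, $2 = property name
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^-D$2=//p" | head -n 1
}

# Validate the truststore options. Prints findings; returns 0 only if clean.
check_truststore_opts() {  # $1 = option string
    opts=$1; rc=0
    store=$(ts_opt "$opts" javax.net.ssl.trustStore)
    pass=$(ts_opt "$opts" javax.net.ssl.trustStorePassword)
    case $store in
        # A store value that still contains "-D...=" means the next option was
        # fused onto the path (missing whitespace): Tomcat sees one bogus path.
        *-D*=*) echo "FAIL: trustStore value runs into the next -D option: $store"; return 1 ;;
        '')     echo "FAIL: -Djavax.net.ssl.trustStore is not set"; return 1 ;;
    esac
    if [ ! -s "$store" ]; then
        # touch(1) leaves a zero-byte file; keytool refuses it ("exists, but is empty")
        # and Tomcat cannot unlock it. Let keytool -importcert create the store instead.
        echo "FAIL: truststore '$store' is missing or empty"; rc=1
    fi
    [ -z "$pass" ] && { echo "FAIL: trustStorePassword not set"; rc=1; }
    [ "$pass" = changeit ] && echo "WARN: default password 'changeit' in use"
    # Where a JDK is available, confirm the password actually unlocks the store;
    # a mismatch here is what Tomcat logs as UnrecoverableKeyException.
    if [ $rc -eq 0 ] && command -v keytool >/dev/null 2>&1; then
        keytool -list -keystore "$store" -storepass "$pass" >/dev/null 2>&1 \
            || { echo "FAIL: password does not unlock '$store'"; rc=1; }
    fi
    return $rc
}
```

Run it as `check_truststore_opts "$JAVA_OPTS"` after sourcing setenv.sh, before restarting Tomcat.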


Hi, I have done that. But it doesn't work. I see a failure in yellowfin-stderr.2017-11-10.log


10-Nov-2017 14:33:17.809 WARNING [main] org.apache.tomcat.util.net.SSLHostConfig.getTruststore The provided trust store password could not be used to unlock and/or validate the trust store. Retrying to access the trust store with a null password which will skip validation. java.security.UnrecoverableKeyException: Password verification failed


Hi Carsten,

Thanks for the reply. Let's try deleting your trust store and starting fresh with your public certificate in a new command:

keytool -import -file "/path/to/your/cacert" -alias ldaps -keystore "certificates/truststore.ks"

Ensure that the cert you are importing is your public CA and not your private.

I've edited my original response to reflect the above command.

Thanks,

Ryan


Hi Carsten,

Sorry for the double post here. If you're unsure as to how to export the required file, perform the following from the DC or CA hosting the Cert:

1. Start > Run > mmc.exe, File > Add/Remove Snap-in, Choose Certificates, Computer Account, Local Computer, Finish. (Certificate Authority Role must be installed on this DC)

2. Expand “Trusted Root Certification Authorities > Certificates”, right-click on DC certificate, mylab-DC-CA > All Tasks > Export, “Base-64 encoded X.509 (.CER)”. Save as “dc-mylab-local.cer”

These steps were taken from here.

Thanks,

Ryan


Hi Ryan,

sorry for my late response. I'm very busy at the moment. So it may take a while.

Greetings


Hi Carsten,

Thanks for the update. I'll leave this open for a time and check back for your results. I look forward to your reply.

Thanks,

Ryan


Hi,

so I added a new truststore:

-Djavax.net.ssl.trustStore=E:\Programme\Yellowfin\appserver\conf\truststore.ks
-Djavax.net.ssl.trustStorePassword=changeit

So now the connection test said that it could not connect to the server or port. So I sent it to our administrators.


Hi Carsten,

Thanks for the reply. I'll leave this open and check back after some time.

Thanks,

Ryan


Hi Carsten,

I wanted to check in on this and see if you've managed to accomplish this task.

Thanks,

Ryan


Hi,

not yet... I'm waiting on a response from our administrators.


Hi Carsten,

Thanks for the update. I look forward to your results.

- Ryan


Hi Carsten,

I haven't heard back on this for some time. I wanted to see how things were going. If I don't hear back, I'll presume the information herein has helped you accomplish this task and mark this as Answered.

Thanks,

Ryan


Hi Ryan,

our administrator is very busy at the moment. I think we can close this issue. We must look internally into why it doesn't work.

Thanks for your patience ;)


Hi Carsten,

Thanks for the update. I'll go ahead and mark this as Answered in regards to this reply.

Thanks,

Ryan