Importing Certificate into JAVA Keystore

 
Greenhorn
Posts: 9
Hi.

I have an IDM instance set up.

I am currently trying to configure and set up an LDAP Resource.

During the configuration, I got the error:

"Could not connect to the LDAP server "api.csc.fi". ==> javax.naming.CommunicationException: simple bind failed: api.csc.fi:636"

Upon extensive research (on Tomcat websites, as well as forums), I got the notion that I needed to import the LDAP certificate into my JAVA Keystore, otherwise it would be impossible for IDM to successfully connect to LDAP.

I am using Apache Tomcat as my application server. I was able to locate several online documents which explained how to import a trusted certificate into the Keystore (unfortunately, these documents seem to give several different solutions to the same problem).

Eventually, I decided to use the following command at my command prompt:

keytool -importcert -alias abc -file ABCCA.cer (where "abc" is the alias)

The import was successful.

However, I am still getting the same error on my LDAP configuration.

Am I doing something wrong? Is there something ELSE I need to do?

Any help will be greatly appreciated.


Best regards,

Stephen

 
Greenhorn
Posts: 8
Are you certain that it was the correct keystore to the JRE which your tomcat-server uses?
 
Stephen Stone
Greenhorn
Posts: 9
Yes, I think it was.

I mean, I followed all the instructions given in the Tomcat Documentation.

Of course, it's possible that I was in the wrong directory (in which case, which directory is the correct one?)


If I imported the Certificate into the wrong place, how would I go about removing it from there, so I can import it into the right place?

Or should I simply go ahead and create my own NEW keystore?

I also noticed just now that, BEFORE importing the Certificate itself, I was supposed to import some kind of TRUST CHAIN certificate.

I have searched everywhere, but can't find any proper instructions for doing this.

Any tips?


Thanks

 
Svein Erik Løvland
Greenhorn
Posts: 8
C:\Program Files\Java\jdk1.6.0_15\jre\lib\security\cacerts <-- my/default Java Keystore, I've imported a cert there.

and my $JAVA_HOME is pointing to C:\Program Files\Java\jdk1.6.0_15

If you are deploying to a tomcat instance managed by an IDE for example, you should check which JRE that instance is running in, and import to the correct corresponding keystore.

I don't know if this is best practice, but it worked for me. (System administrators probably know some better way to manage keystores, e.g. remove/add/invalidate certs etc.)
 
Stephen Stone
Greenhorn
Posts: 9
I have just one question: how do I remove (or delete) that certificate that I imported already?

Thanks

 
Stephen Stone
Greenhorn
Posts: 9
Ok, I've been able to delete the Certificate from the keystore.

One thing I do not understand though, is this: when I was IMPORTING the certificate, I did not specify any particular KEYSTORE.

I simply used the command: keytool -importcert -alias <alias> -file <certificate name>

As I understand, this is how to import a Certificate from a file.

I assumed that this certificate went into the DEFAULT keystore. (Or didn't it??)

Because, when I was deleting the certificate, I realized that there is ANOTHER location which is the actual keystore itself (denoted by ".keystore").

Now, I am totally confused. WHERE do I really need to import the Certificate?

And, do I need to first import a TRUST certificate?

 
Stephen Stone
Greenhorn
Posts: 9
My JAVA folder has 3 different locations which contain the command "KEYTOOL".

I don't even know which of them is supposed to hold the certificate.

Yesterday, just to be on the safe side, I imported my certificate into ALL 3 locations (under 3 different aliases).

Still did not work.

Then I found yet another command online which says that it's not enough to import the certificate into the keystore. It needs to be imported directly into the CACERT file.

But it does not say HOW this should be done!!

To make matters even worse, I found yet another piece of "advice" in Tomcat's documentation, saying: before importing the certificate, you need to first import a so-called TRUST CHAIN.

In some places, it says you need this trust chain if the certificate was applied for by yourself.

In some places, it does not mention the trust chain at all, if you already trust the certificate.

So, what exactly is the CORRECT way to do this?

And what is the right command???

Is it: keytool -import -file tomcatCert.crt -trustcacerts -alias tomcat -keystore c:/apps/jdk/jre/lib/security/cacerts -storepass changeit

or is it: keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_chain_certificate>

or: keytool -import -alias tomcat -keystore <your_keystore_filename> -file <your_certificate_filename>

or: keytool -importcert -alias abc -file ABCCA.cer

Which is it???

And what is the difference between KEYSTORE and CACERT???

I am just so confused!!
 
Stephen Stone
Greenhorn
Posts: 9
I got the LDAP connection working on my IDM.

"Test Connection Succeeded"


However, when I try to create a new User on the LDAP Resource, I get the following error:


javax.naming.CommunicationException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target



Does anyone have an idea what this could mean?

Thanks
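As an added example (not from this thread or the IDM/Tomcat projects): a small Java diagnostic that loads the cacerts of the JVM actually running it and attempts the same PKIX path building that the error above reports, for a certificate (or chain) file exported from the LDAP server. Run it with the same java binary Tomcat uses; the class name and the command-line argument are mine, and the stock cacerts password "changeit" is assumed.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
// Diagnostic for "PKIX path building failed": loads the cacerts of the JVM running this
// class and tries to build a PKIX path from the server cert (first in the file) to an anchor.
public class TrustStoreCheck {
    // Trust store the JVM consults unless javax.net.ssl.trustStore overrides it.
    static Path defaultCacerts() {
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }
    static KeyStore loadTrustStore(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password); // the shipped cacerts password is "changeit" (assumed here)
        }
        return ks;
    }
    // Reads one or more PEM/DER certificates; element 0 is taken as the server (leaf) cert.
    static List<X509Certificate> readCerts(Path file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = Files.newInputStream(file)) {
            for (Certificate c : cf.generateCertificates(in)) certs.add((X509Certificate) c);
        }
        return certs;
    }
    // Returns the anchor ending the path, or throws the CertPathBuilderException the app reports.
    // Intermediates present in the file are offered to the builder so it can bridge leaf -> root.
    static TrustAnchor buildPath(List<X509Certificate> chain, KeyStore trust) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(trust, target);
        params.setRevocationEnabled(false); // offline diagnostic; keep revocation on in production
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
        CertPathBuilderResult r = CertPathBuilder.getInstance("PKIX").build(params);
        return ((PKIXCertPathBuilderResult) r).getTrustAnchor();
    }
    public static void main(String[] args) throws Exception {
        System.out.println("Trust store of this JVM: " + defaultCacerts());
        KeyStore trust = loadTrustStore(defaultCacerts(), "changeit".toCharArray());
        try {
            TrustAnchor a = buildPath(readCerts(Paths.get(args[0])), trust);
            System.out.println("Path OK, anchored at " + a.getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            System.out.println("Not trusted by this store: " + e.getMessage());
        }
    }
}
```

Without -keystore, keytool writes to a .keystore file in the user's home directory, which the JVM's TLS code never consults; a chain that fails here but was "successfully imported" therefore points at the wrong store or the wrong JRE, and the fix is to import the issuing CA (with -trustcacerts) into the cacerts path this program prints.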
 