WSO2 Identity Server with OpenLDAP and SSL
2013-02-28

I'm setting up a new WSO2IS 4.1.0 server and trying to connect it back to our OpenLDAP server. Our server requires SSL connections.

If I configure the connection as an LDAPS connection, the certificate cannot be verified (even though the root CA is in the trust store). If I don't set the connection to LDAPS, it doesn't attempt StartTLS. I've verified that the connection account works with the root CA listed in the client configuration, and that the LDAP server has a commercially issued certificate. (Forgive me for masking things as the example.com domain.)

Any help figuring this out would be appreciated!

Here is the server log:

[2013-02-28 03:48:32,380] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Starting WSO2 Carbon... 
[2013-02-28 03:48:32,383] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Operating System : Linux 2.6.32-358.el6.x86_64, amd64 
[2013-02-28 03:48:32,383] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java Home  : /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre 
[2013-02-28 03:48:32,383] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java Version  : 1.7.0_09-icedtea 
[2013-02-28 03:48:32,383] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java VM   : OpenJDK 64-Bit Server VM 23.7-b01,Oracle Corporation 
[2013-02-28 03:48:32,383] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Carbon Home  : /opt/wso2is/wso2is 
[2013-02-28 03:48:32,384] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java Temp Dir : /opt/wso2is/wso2is/tmp 
[2013-02-28 03:48:32,384] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - User    : wso2is, en-US, Zulu 
[2013-02-28 03:48:32,416] WARN {org.wso2.carbon.core.bootup.validator.SystemValidator} - Could not validate the system for configuration parameter : CPU 
[2013-02-28 03:48:32,417] WARN {org.wso2.carbon.core.bootup.validator.util.ValidationResultPrinter} - Maximum free Disk Space (MB): 665 of the system is below the recommended minimum size :1024 
[2013-02-28 03:48:32,427] INFO {org.wso2.carbon.databridge.agent.thrift.AgentHolder} - Agent created ! 
[2013-02-28 03:48:32,446] INFO {org.wso2.carbon.databridge.agent.thrift.internal.AgentDS} - Successfully deployed Agent Client 
[2013-02-28 03:48:32,515] INFO {org.wso2.carbon.identity.authenticator.iwa.ui.internal.Activator} - Integrated Windows Authenticator enabled in the system 
[2013-02-28 03:48:32,581] INFO {org.wso2.carbon.ldap.server.DirectoryActivator} - Embedded LDAP is disabled. 
[2013-02-28 03:48:34,547] ERROR {org.wso2.carbon.user.core.ldap.LDAPConnectionContext} - Error obtaining connection. simple bind failed: ldapserver.example.com:636 
javax.naming.CommunicationException: simple bind failed: ldapserver.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target] 
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215) 
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740) 
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316) 
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) 
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) 
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) 
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) 
    at org.wso2.carbon.context.internal.CarbonContextDataHolder$CarbonInitialJNDIContextFactory.getInitialContext(CarbonContextDataHolder.java:834) 
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) 
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307) 
    at javax.naming.InitialContext.init(InitialContext.java:242) 
    at javax.naming.InitialContext.<init>(InitialContext.java:216) 
    at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101) 
    at org.wso2.carbon.user.core.ldap.LDAPConnectionContext.getContext(LDAPConnectionContext.java:114) 
    at org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager.<init>(ReadWriteLDAPUserStoreManager.java:133) 
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) 
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) 
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) 
    at java.lang.reflect.Constructor.newInstance(Constructor.java:525) 
    at org.wso2.carbon.user.core.common.DefaultRealm.createObjectWithOptions(DefaultRealm.java:225) 
    at org.wso2.carbon.user.core.common.DefaultRealm.initializeObjects(DefaultRealm.java:147) 
    at org.wso2.carbon.user.core.common.DefaultRealm.init(DefaultRealm.java:113) 
    at org.wso2.carbon.user.core.common.DefaultRealmService.initializeRealm(DefaultRealmService.java:223) 
    at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:103) 
    at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:116) 
    at org.wso2.carbon.user.core.internal.Activator.startDeploy(Activator.java:67) 
    at org.wso2.carbon.user.core.internal.BundleCheckActivator.start(BundleCheckActivator.java:61) 
    at org.eclipse.osgi.framework.internal.core.BundleContextImpl$1.run(BundleContextImpl.java:711) 
    at java.security.AccessController.doPrivileged(Native Method) 
    at org.eclipse.osgi.framework.internal.core.BundleContextImpl.startActivator(BundleContextImpl.java:702) 
    at org.eclipse.osgi.framework.internal.core.BundleContextImpl.start(BundleContextImpl.java:683) 
    at org.eclipse.osgi.framework.internal.core.BundleHost.startWorker(BundleHost.java:381) 
    at org.eclipse.osgi.framework.internal.core.AbstractBundle.resume(AbstractBundle.java:389) 
    at org.eclipse.osgi.framework.internal.core.Framework.resumeBundle(Framework.java:1130) 
    at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:559) 
    at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:544) 
    at org.eclipse.osgi.framework.internal.core.StartLevelManager.incFWSL(StartLevelManager.java:457) 
    at org.eclipse.osgi.framework.internal.core.StartLevelManager.doSetStartLevel(StartLevelManager.java:243) 
    at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:438) 
    at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:1) 
    at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230) 
    at org.eclipse.osgi.framework.eventmgr.EventManager$EventThread.run(EventManager.java:340) 
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) 
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886) 
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276) 
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270) 
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341) 
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153) 
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868) 
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:804) 
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016) 
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312) 
    at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:882) 
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:102) 
    at java.io.BufferedInputStream.fill(BufferedInputStream.java:235) 
    at java.io.BufferedInputStream.read1(BufferedInputStream.java:275) 
    at java.io.BufferedInputStream.read(BufferedInputStream.java:334) 
    at com.sun.jndi.ldap.Connection.run(Connection.java:849) 
    at java.lang.Thread.run(Thread.java:722) 
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385) 
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) 
    at sun.security.validator.Validator.validate(Validator.java:260) 
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326) 
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231) 
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126) 
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323) 
    ... 12 more 
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196) 
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268) 
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380) 
    ... 18 more 
[2013-02-28 03:48:34,556] ERROR {org.wso2.carbon.user.core.ldap.LDAPConnectionContext} - Trying again to get connection. 

Here is the relevant segment of my current LDAP configuration:

<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager"> 
    <Property name="ConnectionURL">ldaps://ldapserver.example.com:636</Property> 
    <!--Property name="ConnectionURL">ldap://ldapserver.example.com:389</Property--> 
    <Property name="ConnectionName">uid=wso2,dc=example,dc=com</Property> 
    <Property name="ConnectionPassword">awesomepassword</Property> 
    <Property name="passwordHashMethod">SHA</Property> 
    <Property name="UserNameListFilter">(objectClass=person)</Property> 
    <Property name="UserEntryObjectClass">inetOrgPerson</Property> 
    <Property name="UserSearchBase">ou=Users,dc=opendaylight,dc=org</Property> 
    <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property> 
    <Property name="UserNameAttribute">uid</Property> 
    <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property> 
    <Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property> 
    <Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property> 
    <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property> 
    <Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property> 
    <Property name="ReadLDAPGroups">true</Property> 
    <Property name="WriteLDAPGroups">true</Property> 
    <Property name="EmptyRolesAllowed">false</Property> 
    <Property name="GroupSearchBase">ou=Groups,dc=example,dc=com</Property> 
    <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property> 
    <Property name="GroupEntryObjectClass">groupOfNames</Property> 
    <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property> 
    <Property name="GroupNameAttribute">cn</Property> 
    <Property name="MembershipAttribute">member</Property> 
    <Property name="UserRolesCacheEnabled">true</Property> 
    <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property> 
    <Property name="maxFailedLoginAttempt">0</Property> 
</UserStoreManager> 

And here is what I get if I switch the ConnectionURL to plain LDAP:

[2013-02-28 04:22:21,491] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Starting WSO2 Carbon... 
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Operating System : Linux 2.6.32-358.el6.x86_64, amd64 
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java Home  : /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre 
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java Version  : 1.7.0_09-icedtea 
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java VM   : OpenJDK 64-Bit Server VM 23.7-b01,Oracle Corporation 
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Carbon Home  : /opt/wso2is/wso2is 
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java Temp Dir : /opt/wso2is/wso2is/tmp 
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - User    : wso2is, en-US, Zulu 
[2013-02-28 04:22:21,524] WARN {org.wso2.carbon.core.bootup.validator.SystemValidator} - Could not validate the system for configuration parameter : CPU 
[2013-02-28 04:22:21,525] WARN {org.wso2.carbon.core.bootup.validator.util.ValidationResultPrinter} - Maximum free Disk Space (MB): 665 of the system is below the recommended minimum size :1024 
[2013-02-28 04:22:21,541] INFO {org.wso2.carbon.databridge.agent.thrift.AgentHolder} - Agent created ! 
[2013-02-28 04:22:21,562] INFO {org.wso2.carbon.databridge.agent.thrift.internal.AgentDS} - Successfully deployed Agent Client 
[2013-02-28 04:22:21,624] INFO {org.wso2.carbon.identity.authenticator.iwa.ui.internal.Activator} - Integrated Windows Authenticator enabled in the system 
[2013-02-28 04:22:22,711] INFO {org.wso2.carbon.ldap.server.DirectoryActivator} - Embedded LDAP is disabled. 
[2013-02-28 04:22:27,432] ERROR {org.wso2.carbon.user.core.ldap.LDAPConnectionContext} - Error obtaining connection. [LDAP: error code 13 - confidentiality required] 
javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - confidentiality required] 
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3078) 
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033) 
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2835) 
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749) 
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316) 
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) 
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) 
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) 
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) 
    at org.wso2.carbon.context.internal.CarbonContextDataHolder$CarbonInitialJNDIContextFactory.getInitialContext(CarbonContextDataHolder.java:834) 
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) 
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307) 
    at javax.naming.InitialContext.init(InitialContext.java:242) 
    at javax.naming.InitialContext.<init>(InitialContext.java:216) 
    at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101) 
    at org.wso2.carbon.user.core.ldap.LDAPConnectionContext.getContext(LDAPConnectionContext.java:114) 
    at org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager.<init>(ReadWriteLDAPUserStoreManager.java:133) 
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) 
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) 
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) 
    at java.lang.reflect.Constructor.newInstance(Constructor.java:525) 
    at org.wso2.carbon.user.core.common.DefaultRealm.createObjectWithOptions(DefaultRealm.java:225) 
    at org.wso2.carbon.user.core.common.DefaultRealm.initializeObjects(DefaultRealm.java:147) 
    at org.wso2.carbon.user.core.common.DefaultRealm.init(DefaultRealm.java:113) 
    at org.wso2.carbon.user.core.common.DefaultRealmService.initializeRealm(DefaultRealmService.java:223) 
    at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:103) 
    at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:116) 
    at org.wso2.carbon.user.core.internal.Activator.startDeploy(Activator.java:67) 
    at org.wso2.carbon.user.core.internal.BundleCheckActivator.start(BundleCheckActivator.java:61) 
    at org.eclipse.osgi.framework.internal.core.BundleContextImpl$1.run(BundleContextImpl.java:711) 
    at java.security.AccessController.doPrivileged(Native Method) 
    at org.eclipse.osgi.framework.internal.core.BundleContextImpl.startActivator(BundleContextImpl.java:702) 
    at org.eclipse.osgi.framework.internal.core.BundleContextImpl.start(BundleContextImpl.java:683) 
    at org.eclipse.osgi.framework.internal.core.BundleHost.startWorker(BundleHost.java:381) 
    at org.eclipse.osgi.framework.internal.core.AbstractBundle.resume(AbstractBundle.java:389) 
    at org.eclipse.osgi.framework.internal.core.Framework.resumeBundle(Framework.java:1130) 
    at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:559) 
    at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:544) 
    at org.eclipse.osgi.framework.internal.core.StartLevelManager.incFWSL(StartLevelManager.java:457) 
    at org.eclipse.osgi.framework.internal.core.StartLevelManager.doSetStartLevel(StartLevelManager.java:243) 
    at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:438) 
    at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:1) 
    at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230) 
    at org.eclipse.osgi.framework.eventmgr.EventManager$EventThread.run(EventManager.java:340) 
[2013-02-28 04:22:27,437] ERROR {org.wso2.carbon.user.core.ldap.LDAPConnectionContext} - Trying again to get connection. 

I found that pulling in the target LDAP server's public certificate gets around the problem of the certificate not being verifiable via the root CA (both are in the trust store). This isn't a great way to deal with it, though, especially since the certificate is only valid for a year while the CA is valid for much longer! – tykeal

Answer


Try adding the CA certificate to repository/resources/security/wso2carbon.jks. And if the certificate has an intermediate signer, you may need to import the whole chain as a single entry.


I tried that. It didn't work for me. As it stands, I'm using the workaround I mentioned above. I'm not particularly happy about it. – tykeal
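An added example, not code from the question, the answer or WSO2, that covers both the "PKIX path building failed" symptom in the question and the chain-import advice in the answer. Two checks a practitioner would run before touching trust stores: first, confirm which file the JVM actually trusts (Carbon's bin/wso2server.sh passes -Djavax.net.ssl.trustStore, which by default points at repository/resources/security/client-truststore.jks; wso2carbon.jks is the server's own keystore); second, look at what slapd really sends in the handshake, because a root CA in the trust store does not help if the server omits its intermediate certificate, and that is the classic cause of this exact Java error with commercially issued certificates. Importing the leaf certificate, as the workaround comment describes, papers over a missing intermediate but has to be repeated at every renewal. The script assumes keytool and openssl on PATH, the default trust store path and password "wso2carbon", and the placeholder host ldapserver.example.com from the question; the PEM bundle written by write_sample_bundle is constructed with placeholder bodies, not real certificates, so the splitting logic can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the original post or from WSO2.
# Assumptions (not stated on the page): the Carbon trust store is
# repository/resources/security/client-truststore.jks under CARBON_HOME with
# the stock password "wso2carbon", and keytool plus openssl are on PATH.

LDAP_HOST="${LDAP_HOST:-ldapserver.example.com}"
LDAP_PORT="${LDAP_PORT:-636}"
CARBON_HOME="${CARBON_HOME:-/opt/wso2is/wso2is}"
TRUSTSTORE="${TRUSTSTORE:-$CARBON_HOME/repository/resources/security/client-truststore.jks}"
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-wso2carbon}"

# Split a PEM bundle into one file per certificate (cert-01.pem, cert-02.pem, ...)
# inside $2 and print how many were written. keytool imports exactly one
# certificate per -importcert call, so a root+intermediate bundle has to be
# split before it can be loaded as separate trusted entries.
split_pem_chain() {
  bundle="$1"; outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END                           { print n + 0 }
  ' "$bundle"
}

# Show what the LDAP server really sends in its TLS handshake. If the output
# lists a single certificate whose issuer is not a root you trust, slapd is
# not sending its intermediate CA; Java's PKIX path builder then fails with
# "unable to find valid certification path" even though the root is trusted.
show_server_chain() {
  tmp="$(mktemp -d)"
  openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" -showcerts </dev/null 2>/dev/null \
    > "$tmp/handshake.txt"
  n="$(split_pem_chain "$tmp/handshake.txt" "$tmp/chain")"
  echo "server sent $n certificate(s):"
  for f in "$tmp"/chain/cert-*.pem; do
    openssl x509 -in "$f" -noout -subject -issuer
  done
  rm -rf "$tmp"
}

# Import every certificate of a PEM bundle (the vendor's CA bundle: root and
# any intermediates) into the Carbon trust store as separate entries, then
# print how many entries carry the chosen alias prefix. Aliases that already
# exist are left alone, so the function can be re-run after a CA rollover.
import_ca_bundle() {
  bundle="$1"; prefix="${2:-ldap-ca}"
  tmp="$(mktemp -d)"
  n="$(split_pem_chain "$bundle" "$tmp")"
  i=1
  while [ "$i" -le "$n" ]; do
    f="$(printf '%s/cert-%02d.pem' "$tmp" "$i")"
    keytool -importcert -noprompt -alias "$prefix-$i" -file "$f" \
      -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS" || true
    i=$((i + 1))
  done
  rm -rf "$tmp"
  keytool -list -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS" | grep -c "^$prefix-"
}

# Constructed sample (NOT real certificates): two PEM blocks with placeholder
# bodies, enough to exercise split_pem_chain without network or a real CA.
write_sample_bundle() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDERintermediateCAbody
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERrootCAbody
-----END CERTIFICATE-----
EOF
}

# Usage: sh ldaps-trust.sh show
#        sh ldaps-trust.sh import vendor-ca-bundle.pem
case "${1:-}" in
  show)   show_server_chain ;;
  import) import_ca_bundle "$2" ;;
esac
```

Run the show step first: if the server presents only its leaf certificate, the durable fix is on the OpenLDAP side (make slapd send the intermediate along with the server certificate) rather than in the Carbon trust store; importing the vendor's root and intermediate with the import step also works and survives the yearly leaf renewal, unlike importing the leaf itself. Restart the server after changing the trust store, since the JVM reads it at startup. The second log in the question, LDAP result code 13 "confidentiality required", is the directory refusing a bind over a cleartext ldap:// connection, so switching the ConnectionURL to port 389 cannot help unless the client negotiates StartTLS on that connection.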
