Active Directory certificate imported successfully, but LDAP authentication still fails
I am having a hard time finding the root of this problem. We use LDAP for authentication across several services (Confluence, Bamboo, Sonar, Gerrit, etc.). Our LDAP provider is Active Directory. I have all the services set up and using LDAP with JDK 1.6.0_24. No authentication problems.
Recently we tried to upgrade to the latest JDK, 1.6.0_31. I repeated the same steps I used with the old JDK to import the LDAP trusted certificate from Active Directory:
Windows: Navigate to the directory in which Java is installed. It's probably called something like C:\Program Files\Java\jdk1.5.0_12. Run the command below, where server-certificate.crt is the name of the file from your directory server:

    keytool -import -keystore .\jre\lib\security\cacerts -file server-certificate.crt

keytool will prompt you for a password. The default keystore password is changeit. When prompted Trust this certificate? [no]: enter yes to confirm the key import:

    Enter keystore password: changeit
    Owner: CN=ad01, C=US
    Issuer: CN=ad01, C=US
    Serial number: 15563d6677a4e9e4582d8a84be683f9
    Valid from: Tue Aug 21 01:10:46 ACT 2007 until: Tue Aug 21 01:13:59 ACT 2012
    Certificate fingerprints:
             MD5:  D6:56:F0:23:16:E3:62:2C:6F:8A:0A:37:30:A1:84:BE
             SHA1: 73:73:4E:A6:A0:D1:4E:F4:F3:CD:CE:BE:96:80:35:D2:B4:7C:79:C1
    Trust this certificate? [no]: yes
    Certificate was added to keystore
The instructions are from:
http://confluence.atlassian.com/display/DOC/Configuring+an+SSL+Connection+to+Active+Directory
I set the JAVA_HOME and PATH variables to the new JDK:

    JAVA_HOME=C:\Program Files\Java\jdk1.6.0_31
    PATH=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;c:\development\ant\bin;C:\development\tools\SysinternalsSuite;C:\Program Files\Java\jdk1.6.0_31\bin
When I start any of the existing services, my logs fill up with LDAP authentication errors:

    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

All the services show the same error. Obviously something has happened with the path and the imported certificate. Using keytool I checked to make sure my LDAP certificate, "mykey", was imported correctly. It shows that it was successfully imported as a trusted certificate:
    C:\Program Files\Java\jdk1.6.0_31\jre\lib\security>keytool -list -keystore cacerts
    Enter keystore password:

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 77 entries

    digicertassuredidrootca, Jan 7, 2008, trustedCertEntry,
    Certificate fingerprint (MD5): 87:CE:0B:7B:2A:0E:49:00:E1:58:71:9B:37:A8:93:72
    trustcenterclass2caii, Jan 7, 2008, trustedCertEntry,
    Certificate fingerprint (MD5): CE:78:33:5C:59:78:01:6E:18:EA:B9:36:A0:B9:2E:23
    thawtepremiumserverca, Dec 2, 2009, trustedCertEntry,
    Certificate fingerprint (MD5): A6:6B:60:90:23:9B:3F:2D:BB:98:6F:D6:A7:19:0D:46
    swisssignplatinumg2ca, Aug 13, 2008, trustedCertEntry,
    Certificate fingerprint (MD5): C9:98:27:77:28:1E:3D:0E:15:3C:84:00:B8:85:03:E6
    swisssignsilverg2ca, Aug 13, 2008, trustedCertEntry,
    Certificate fingerprint (MD5): E0:06:A1:C9:7D:CF:C9:FC:0D:C0:56:75:96:D8:62:13
    thawteserverca, Dec 2, 2009, trustedCertEntry,
    Certificate fingerprint (MD5): EE:FE:61:69:65:6E:F8:9C:C6:2A:F4:D7:2B:63:EF:A2
    equifaxsecureebusinessca1, Jul 18, 2003, trustedCertEntry,
    Certificate fingerprint (MD5): 64:9C:EF:2E:44:FC:C6:8F:52:07:D0:51:73:8F:CB:3D
    utnuserfirstclientauthemailca, May 2, 2006, trustedCertEntry,
    Certificate fingerprint (MD5): D7:34:3D:EF:1D:27:09:28:E1:31:02:5B:13:2B:DD:F7
    thawtepersonalfreemailca, Dec 2, 2009, trustedCertEntry,
    Certificate fingerprint (MD5): 53:4B:1D:17:58:58:1A:30:A1:90:F8:6E:5C:F2:CF:65
    entrustevca, Apr 28, 2009, trustedCertEntry,
    Certificate fingerprint (MD5): D6:A5:C3:ED:5D:DD:3E:00:C1:3D:87:92:1F:1D:3F:E4
    utnuserfirsthardwareca, May 2, 2006, trustedCertEntry,
    Certificate fingerprint (MD5): 4C:56:41:E5:0D:BB:2B:E8:CA:A3:ED:18:08:AD:43:39
    certumca, Feb 10, 2009, trustedCertEntry,
    Certificate fingerprint (MD5): 2C:8F:9F:66:1D:18:90:B1:47:26:9D:8E:86:82:8C:A9
    entrustrootcag2, Jun 22, 2010, trustedCertEntry,
    Certificate fingerprint (MD5): 4B:E2:C9:91:96:65:0C:F4:0E:5A:93:92:A0:0A:FE:B2
    addtrustclass1ca, May 2, 2006, trustedCertEntry,
    Certificate fingerprint (MD5): 1E:42:95:02:33:92:6B:B9:5F:C0:7F:DA:D6:B2:4B:FC
    equifaxsecureca, Jul 18, 2003, trustedCertEntry,
    Certificate fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
    quovadisrootca3, Jun 9, 2009, trustedCertEntry,
    Certificate fingerprint (MD5): 31:85:3C:62:94:97:63:B9:AA:FD:89:4E:AF:6F:E0:CF
    quovadisrootca2, Jun 9, 2009, trustedCertEntry,
    Certificate fingerprint (MD5): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
    mykey, Apr 25, 2012, trustedCertEntry,
    ...
Did something change in the latest 1.6 JDK that breaks default certificate validation? How can this process work on the _24 release and fail on _31?
Any help is greatly appreciated. Thanks!
Wow, figured it out. Apparently the JDK installer deploys an additional JRE installation in C:\Program Files\Java\jre6, which includes the latest JRE version. Even though JAVA_HOME and PATH were set, that directory was the one being used. I had to import my certificate into C:\Program Files\Java\jre6\lib\security\cacerts and everything started working again.
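The failure above is a trust-store mismatch: keytool wrote the certificate into the JDK's cacerts, but the service ran on a different JRE whose cacerts never received it. The following diagnostic, an added example and not code from the question or from any of the services named, makes that mismatch visible from inside the JVM that actually runs: it prints java.home (the runtime really in use) next to JAVA_HOME, opens the trust store JSSE will use for that runtime (honouring -Djavax.net.ssl.trustStore and the jssecacerts-before-cacerts lookup order), and reports whether the directory server's certificate is present. The alias "mykey", the default password changeit and the SHA1 fingerprint are taken from the keytool output quoted in the question; replace them with your own. The class name TrustStoreCheck is assumed.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Reports which JRE this process runs on, which trust store JSSE will use,
 * and whether the expected directory-server certificate is in it.
 * Added diagnostic, not code from the original question. Written to Java 6
 * syntax so it compiles on the JDK the question is about.
 */
public class TrustStoreCheck {

    // Alias and SHA1 fingerprint as shown by keytool in the question; replace with yours.
    static final String EXPECTED_ALIAS = "mykey";
    static final String EXPECTED_SHA1 =
        "73:73:4E:A6:A0:D1:4E:F4:F3:CD:CE:BE:96:80:35:D2:B4:7C:79:C1";

    public static void main(String[] args) throws Exception {
        // java.home is the JRE of the running JVM (for a JDK launcher this is <jdk>\jre).
        // JAVA_HOME is only what the environment says; a service may ignore it.
        File javaHome = new File(System.getProperty("java.home")).getCanonicalFile();
        String envJavaHome = System.getenv("JAVA_HOME");
        System.out.println("java.home (JRE actually running): " + javaHome);
        System.out.println("JAVA_HOME (environment variable): " + envJavaHome);
        if (envJavaHome != null
                && !javaHome.getPath().startsWith(new File(envJavaHome).getCanonicalPath())) {
            System.out.println("WARNING: this process does not run under JAVA_HOME; "
                + "a keytool import into JAVA_HOME's cacerts does not reach it.");
        }

        File store = defaultTrustStore(javaHome);
        String password = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        System.out.println("Trust store in effect:            " + store);

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(store);
        try {
            ks.load(in, password.toCharArray());
        } finally {
            in.close();
        }

        boolean found = false;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x = (X509Certificate) cert;
            String sha1 = fingerprint("SHA1", x.getEncoded());
            if (alias.equalsIgnoreCase(EXPECTED_ALIAS) || sha1.equalsIgnoreCase(EXPECTED_SHA1)) {
                found = true;
                System.out.println("Found alias=" + alias + " subject=" + x.getSubjectX500Principal()
                    + " SHA1=" + sha1 + " notAfter=" + x.getNotAfter());
                // Matching on the fingerprint, not just the alias, catches an alias
                // that was reused for a different certificate on a re-import.
                if (!sha1.equalsIgnoreCase(EXPECTED_SHA1)) {
                    System.out.println("WARNING: alias matches but the fingerprint differs.");
                }
            }
        }
        if (!found) {
            System.out.println("NOT FOUND: the certificate must be imported into " + store);
        }
    }

    /** JSSE lookup order: -Djavax.net.ssl.trustStore, then jssecacerts, then cacerts. */
    static File defaultTrustStore(File javaHome) {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) {
            return new File(override);
        }
        File security = new File(new File(javaHome, "lib"), "security");
        File jsse = new File(security, "jssecacerts");
        return jsse.exists() ? jsse : new File(security, "cacerts");
    }

    /** Colon-separated upper-case hex digest over the DER encoding, as keytool prints it. */
    static String fingerprint(String algorithm, byte[] der) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(der);
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) {
                sb.append(':');
            }
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }
}
```

Run it with the same java.exe and the same -D options the service uses (the service's own launcher script or wrapper configuration is the place to look), not with whatever java happens to be first on your interactive PATH; in the situation above it would have printed java.home as C:\Program Files\Java\jre6 and reported the certificate as not found, pointing straight at the cacerts that needed the import.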