Wireshark protocol filter ldaps1/17/2024 ![]() Part of the reason you were having issues is because you want to use a wildcard DNS name. But doing that on the RootCA is equally important for the same reasons. Remember, however, this is just so users connecting to your gateway are presented properly and has nothing to do with the LDAP connection. This ensure that no matter which way to connect, you are presented with a properly secure website. ![]() For us, this was adding all DNS names, as well as IP addresses we could be communicating on. It’s important in the certificate request process that you include all names and aliases your gateway will be functioning as, otherwise browsers will show you the “bad certificate” message and require your users to accept to bypass the warning. One thing that has changed in the certificate generation process is the use of Subject Alternative Names. Getting yours generated appropriately is also important, as that is how the domain controller validates you. When Java receives it, it has to know how to validate it, and the RootCA and the intermediate certificates is how it does this. The biggest reason for adding the RootCA and the one generated for your specific instance is Java knows how to trust the certificates that will be coming from your domain controller. If you have tips on that, I’d appreciate that. I have used KeyStore Explorer too, but I hadn’t figured out a way to generate the request to get a certificate from the AD Domain Controller properly. In the end, I ended up specifying the domain controller host IP address in the configuration and added a SAN (subject alternate name) in the certificate. I hypothesize that Ignition expects a 3 part domain name as was ignoring the first part of my 4 part domain name. To me it looks like this is a bug in Ignition. The error message, “No subject allternate DNS name matching found.” The name subject name on the returned certificate was. After restarting Ignition, log information on the connection shows up in the wrapper log in the logs directory. The line added was .2=“ssl,handshake,trustmanager”. By adding a line line to the nfig file I was able to see that the correct certificate was being returned and that it was being rejected - more on that below. There was no apparent reason.Įventually I came across a few posts that describe how to get debug information out of the JRE. I could see Ignition trying to connect to the domain controller in WireShark (monitored port 636) and kept seeing that the returned certificate was being rejected. I was still not able to get the connection to the AD domain controller working even after putting the CA certificate into the cacerts file and restarting Ignition. I put the CA root certificate into the JRE cacerts file as you suggested. I found using KeyStore Explorer much easier to use than keytool. It was not smooth sailing even with the tips in your post a summary of my journey: Thank you for your post - it helped me out a log in getting my AD LDAP authentication working. ![]() What happens when the certificate expires and it is replaced? Does dropping the new certificate into the suplemental folder and restarting the Gateway will handle it automatically or does one have to delete the certificate from cacerts manually? Just substitue file_name.extension with the name of your certificate file. \lib\security\cacerts -alias file_name.extension \lib\security\cacertsīut to filter the list, you can use the alias which in my case was the file name and extension Security Protocol: SSL (although Auto worked on a recent 8.0.14 installation).Īnd to check if the certificate was imported correctly, I ran the following command under the lib\runtime\jre-win\bin folder:.Primary Domain Controller Port: I have successfully used both 6.If that didn’t work for you, maybe you can check the following settings: As both and have mentioned, just by dropping the certificate into the data\certificates\supplemental folder, and restarting the Gateway did the trick for me.
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |