Hi all,

apache-tomcat-8.0.36
java version "1.8.0_281"
Java(TM) SE Runtime Environment (build 1.8.0_281-b09)
Java HotSpot(TM) 64-Bit Server VM (build 25.281-b09, mixed mode)

We are having a problem with our Single Sign-On config. When using ldap, all works well. When switching to ldaps, the user loses the connection altogether (server not reachable).

server.xml

Good:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldap://xxxxx.xxxx.com:3268"
           userBase="DC=XXXINTRA,DC=CH"
           userSubtree="true"
           userSearch="(sAMAccountName={0})"
           userRoleName="memberOf"
           roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
           roleName="CN"
           roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
           roleSubtree="true"
           roleNested="true" />

Bad:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldaps://xxxxx.xxxx.com:3269"
           userBase="DC=XXXINTRA,DC=CH"
           userSubtree="true"
           userSearch="(sAMAccountName={0})"
           userRoleName="memberOf"
           roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
           roleName="CN"
           roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
           roleSubtree="true"
           roleNested="true" />

Connectivity to the DC is fine (ldapsearch with ldaps works), the SSL connection itself seems to be fine, the certificates are fine, and we are sending the truststore as well. All is in the relevant cacerts too. We have an https server in front and a proxy setting to the Tomcat.

    /usr/java/latest/bin/java -Djava.util.logging.config.file=/opt/tomcat/tomcat8_appway1/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djavax.net.ssl.trustStore=/etc/pki/tls/certs/xxxxxxxxxxRootCore.jks -Djavax.net.ssl.trustStorePassword=xxxxxx -Djdk.tls.ephemeralDHKeySize=2048 -Xmx12G -XX:+UseThreadPriorities -Dnm.data.home=/opt/tomcat/data -Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf -Djava.security.krb5.conf=/opt/tomcat/tomcat8_appway1/conf/krb5.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dsun.security.krb5.debug=false -Duser.timezone=Europe/Berlin -Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed -classpath /opt/tomcat/apache-tomcat-8.0.36/bin/bootstrap.jar:/opt/tomcat/apache-tomcat-8.0.36/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat/tomcat8_appway1 -Dcatalina.home=/opt/tomcat/apache-tomcat-8.0.36 -Djava.io.tmpdir=/opt/tomcat/tomcat8_appway1/temp org.apache.catalina.startup.Bootstrap start

The domain controller seems to close the connection. The error is "The parameter is incorrect", "The system cannot find the path specified." It seems to happen during the bind process, as if the DC cannot decrypt our Tomcat request. The first two events happen several times. After the last anonymous bind is entered, the bind exited is done with the appway service account user. Right after that the error appears.

    Internal event: Function ldap_bind entered.
    SID: S-1-5-7
    Source IP: 11.1xx.xxx.xxx:51240
    Operation identifier: 894498
    Data1:
    Data2: 1004335171
    Data3:
    Data4:

    Internal event: Function ldap_bind exited.
    Elapsed time (ms): 0
    SID: S-1-5-7
    Source IP: 11.1xx.xxx.xxx::51240
    Operation identifier: 894498
    Data1:
    Data2: 1004335171
    Data3: 1004335171

    Internal event: Function ldap_bind entered.
    SID: S-1-5-7
    Source IP: 11.1xx.xxx.xxx::51240
    Operation identifier: 894498
    Data1:
    Data2: 1004335203
    Data3:
    Data4:

    Internal event: Function ldap_bind exited.
    Elapsed time (ms): 0
    SID: S-1-5-21-576815021-3137181063-3029416097-6939
    Source IP: 11.1xx.xxx.xxx::51240
    Operation identifier: 894498
    Data1:
    Data2: 1004335203
    Data3: 1004335203

Then we see the same error events that we already saw with the normal log level:

    Internal event: The LDAP server returned an error.
    Additional Data
    Error value: 00000057: LdapErr: DSID-0C0C0095, comment: Error decoding ldap message, data 0, v2580

    Internal event: An LDAP client connection was closed because of an error.
    Client IP: 11.1xx.xxx.xxx::51240
    Additional Data
    Error value: 87 The parameter is incorrect.
    Internal ID: c0c0095

In the app log of the Tomcat (/opt/tomcat/tomcat8_appway1/logs/localhost.2021-03-22.log) we see:

    22-Mar-2021 10:08:09.717 INFO [localhost-startStop-2] org.apache.catalina.core.ApplicationContext.log [CompressingFilter/1.7.1] CompressingFilter is being destroyed...
    22-Mar-2021 10:08:45.306 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log No Spring WebApplicationInitializer types detected on classpath
    22-Mar-2021 10:10:02.552 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log [CompressingFilter/1.7.1] CompressingFilter has initialized
    22-Mar-2021 10:10:02.910 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log jolokia-agent: Using policy access restrictor classpath:/jolokia-access.xml
    22-Mar-2021 10:10:21.896 SEVERE [http-nio-8080-exec-6] org.apache.catalina.realm.JNDIRealm.authenticate Exception performing authentication
    javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0907E9, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580^@]; remaining name 'DC=BCINTRA,DC=CH'
    22-Mar-2021 10:16:18.580 SEVERE [http-nio-8080-exec-8] org.apache.catalina.realm.JNDIRealm.getPrincipal Exception performing authentication
    javax.naming.NamingException: LDAP connection has been closed; remaining name 'DC=BCINTRA,DC=CH'

What are we missing?

Thank you
Susan Wood

System Engineering
Phone +41-58-223 70 83
Mobile +41-79-375 34 58
susan.w...@swisscom.com

Swisscom (Schweiz) AG
Business Customers Solution Center Banking
Ey 10
3063 Ittigen
www.swisscom.com
Postal address: Postfach 3050 Bern
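A stand-alone probe, added here as an example and not taken from the poster's setup or from Tomcat, that replays what JNDIRealm does through plain JNDI (TLS connect to the GC port, simple bind, search by sAMAccountName, read memberOf) so a failure can be placed at the handshake, the bind or the search; the host, bind DN, user and environment variable are placeholders.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attribute;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Replays the JNDIRealm sequence outside Tomcat: TLS connect to the GC port, simple bind,
// search by sAMAccountName, read memberOf. Host, DN and user below are placeholders.
public class LdapsRealmProbe {
    public static void main(String[] args) throws Exception {
        String url = "ldaps://xxxxx.xxxx.com:3269";                      // placeholder host
        String bindDn = "CN=svc-appway,OU=Service,DC=XXXINTRA,DC=CH";    // placeholder DN
        String bindPw = System.getenv("LDAP_BIND_PW");                   // placeholder variable
        String sam = args.length > 0 ? args[0] : "jdoe";                 // placeholder user

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        // "ssl" is already implied by an ldaps:// URL; stating it makes the intent explicit
        // and mirrors what the realm asks JNDI to do.
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPw);
        // Since JDK 8u181 JNDI checks the server certificate's hostname against the URL host
        // on ldaps://, so the URL must use a name the DC certificate actually carries.
        InitialDirContext ctx = new InitialDirContext(env);  // TCP + TLS handshake + bind here
        System.out.println("bind OK over " + url);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);  // userSubtree="true"
            sc.setReturningAttributes(new String[] {"memberOf"});
            NamingEnumeration<SearchResult> res = ctx.search(
                "DC=XXXINTRA,DC=CH", "(sAMAccountName={0})", new Object[] {sam}, sc);
            while (res.hasMore()) {
                SearchResult r = res.next();
                System.out.println("found " + r.getNameInNamespace());
                Attribute groups = r.getAttributes().get("memberOf");  // userRoleName="memberOf"
                System.out.println("memberOf entries: " + (groups == null ? 0 : groups.size()));
            }
        } finally {
            ctx.close();
        }
    }
}
```

Run it with the Tomcat JVM's -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword values so the TLS layer is identical, adding -Djavax.net.debug=ssl:handshake to confirm the handshake completes before the bind request is sent.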