Rundeck Enterprise Support Center

Configuring Tomcat for LDAPS

Last Updated: May 18, 2016 01:41PM PDT

Overview

You need to configure Tomcat to connect to your Active Directory server using LDAPS.


Configure LDAPS

Check the following document to enable LDAPS and create a certificate.


http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx



Export the certificate from Active Directory

 
  1. Click Start, type mmc and then click OK.
  2. Click File and then click Add/Remove Snap-in.
  3. Click Certificates and then click Add.
  4. Select Service account and then click Next.
  5. In the Select Computer dialog box, select Local computer if you are working on the local computer, or select Another computer to find the remote computer.
  6. Select Active Directory Domain Services and then click Finish.
  7. Expand Certificates - Services (Active Directory Domain Services) and then click NTDS\Personal. Right-click NTDS\Personal, click All Tasks, and then click Export.
  8. On the Certificate Export Wizard welcome screen, click Next.
  9. Export the certificate in .cer format.
  10. Save the certificate.


Import the certificate into java keystore


Generate the truststore so that it can be used in the Tomcat context.
Run the following command:

keytool  -import -trustcacerts -alias @ALIAS_NAME@  -file @CERTIFICATE_NAME.cer@ -keystore @CERT_PATH@/@KEYSTORE_NAME@


where @CERTIFICATE_NAME.cer@ is the certificate exported in the previous step.


Add the keystore to tomcat 


Add it to tomcat.conf or setenv.sh, depending on the installation type.

e.g. $CATALINA_BASE/conf/tomcat.conf (.rpm install):

# Use JAVA_OPTS to set java.library.path for libtcnative.so
#JAVA_OPTS="-Djava.library.path=/usr/lib"
JAVA_OPTS=" -XX:MaxPermSize=256m -Xmx1024m -Xms256m -server -Djavax.net.ssl.trustStore=@CERT_PATH@/@KEYSTORE_NAME@ -Drdeck.base=$RDECK_HOME -Drundeck.config.location=$RDECK_HOME/etc/rundeck-config.properties "


e.g. $CATALINA_BASE/bin/setenv.sh (.deb install):

CATALINA_PID="$CATALINA_BASE/logs/catalina.pid"

CATALINA_OPTS="-Drdeck.base=$RDECK_HOME -Drundeck.config.location=$RDECK_HOME/etc/rundeck-config.properties"
JAVA_OPTS="-server -Xmx1024m -Djavax.net.ssl.trustStore=@CERT_PATH@/@KEYSTORE_NAME@"

 

Configure Tomcat JNDI Realm


In $CATALINA_BASE/server/conf/server.xml, specify the connectionURL using the ldaps address:

<Realm className="org.apache.catalina.realm.CombinedRealm">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionName="CN=@USERNAME@,CN=Users,DC=WindowsVirtual,DC=local"
           connectionPassword="@PASSWORD@"
           connectionURL="ldaps://@LDAPSERVER@:636"
           referrals="follow"
           userBase="CN=Users,DC=WindowsVirtual,DC=local"
           userSearch="(sAMAccountName={0})"
           userSubtree="true"
           roleBase="CN=Roles,DC=WindowsVirtual,DC=local"
           roleName="cn"
           roleSearch="(member={0})"
           roleSubtree="true"
           roleNested="true"
           commonRole="user"
    />
</Realm>

This example allows both authentication methods, LDAPS and tomcat-users.xml: the CombinedRealm tries each nested realm in turn.
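As an added example (not part of the original article and not Rundeck's own tooling), the following Python script checks the two pieces of configuration described above before Tomcat is restarted: that every JNDIRealm in server.xml binds over ldaps:// rather than plaintext ldap://, and that the JVM options actually set javax.net.ssl.trustStore. The server.xml fragment and setenv.sh text embedded in it are constructed samples; the hostnames, DNs and paths in them are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the <Engine> section of a server.xml (not the article's
# own file). The first JNDIRealm still binds over plaintext ldap://, the second
# uses ldaps:// as the article describes. Hostnames and DNs are placeholders.
SAMPLE_SERVER_XML = """<Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.CombinedRealm">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionName="CN=svc-rundeck,CN=Users,DC=example,DC=local"
           connectionPassword="PLACEHOLDER"
           connectionURL="ldap://dc01.example.local:389"
           userBase="CN=Users,DC=example,DC=local"
           userSearch="(sAMAccountName={0})"/>
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionName="CN=svc-rundeck,CN=Users,DC=example,DC=local"
           connectionPassword="PLACEHOLDER"
           connectionURL="ldaps://dc01.example.local:636"
           userBase="CN=Users,DC=example,DC=local"
           userSearch="(sAMAccountName={0})"/>
  </Realm>
</Engine>
"""

# Constructed sample of a setenv.sh (not the article's own file); the keystore
# path is a placeholder.
SAMPLE_SETENV = """CATALINA_PID="$CATALINA_BASE/logs/catalina.pid"
CATALINA_OPTS="-Drdeck.base=$RDECK_HOME -Drundeck.config.location=$RDECK_HOME/etc/rundeck-config.properties"
JAVA_OPTS="-server -Xmx1024m -Djavax.net.ssl.trustStore=/etc/rundeck/ssl/ad-truststore.jks"
"""

JNDI_REALM = "org.apache.catalina.realm.JNDIRealm"
INSECURE_REASON = "bind password and user passwords would cross the network in cleartext"
TRUSTSTORE_RE = re.compile(r"-Djavax\.net\.ssl\.trustStore=([^\s\"']+)")


def jndi_realm_findings(server_xml):
    """Return (connectionURL, reason) for every JNDIRealm that does not use ldaps://.
    iter() walks the whole tree, so realms nested in a CombinedRealm are found too."""
    findings = []
    for realm in ET.fromstring(server_xml).iter("Realm"):
        if realm.get("className") != JNDI_REALM:
            continue
        url = realm.get("connectionURL", "")
        if not url.lower().startswith("ldaps://"):
            findings.append((url, INSECURE_REASON))
    return findings


def truststore_from_env(setenv_text):
    """Return the javax.net.ssl.trustStore path set in JAVA_OPTS/CATALINA_OPTS, or None.
    Without it the JVM falls back to its bundled cacerts, which normally does not
    contain the domain controller's certificate, and the LDAPS handshake fails."""
    m = TRUSTSTORE_RE.search(setenv_text)
    return m.group(1) if m else None


def lint(server_xml, setenv_text):
    """Combine both checks into one report that a deployment step can fail on."""
    report = {
        "insecure_realms": jndi_realm_findings(server_xml),
        "truststore": truststore_from_env(setenv_text),
    }
    report["ok"] = not report["insecure_realms"] and report["truststore"] is not None
    return report


if __name__ == "__main__":
    import sys
    # Usage: python tomcat_ldaps_lint.py /path/to/server.xml /path/to/setenv.sh
    # (paths are whatever your install uses); with no arguments the samples are checked.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            result = lint(f.read(), g.read())
    else:
        result = lint(SAMPLE_SERVER_XML, SAMPLE_SETENV)
    for url, reason in result["insecure_realms"]:
        print("INSECURE connectionURL=%s: %s" % (url, reason))
    print("truststore:", result["truststore"])
    sys.exit(0 if result["ok"] else 1)
```

Run against the samples it exits non-zero because of the ldap:// realm; pointed at real files it gives a deployment pipeline a cheap way to catch a realm that was left on ldap://...:389 (which would send the connectionPassword and every user's password in cleartext) or a JAVA_OPTS line that lost its truststore setting. Standard library only.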


Troubleshooting


To test the connection to the LDAPS server, you can use the following Java class:

1. Download SSLPoke class:

https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html

2. Test the connection using the certificate:

java -Djavax.net.ssl.trustStore=cacerts_ldapcertificate  SSLPoke 192.168.0.5 636 
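The SSLPoke check above, rewritten as an added example in Python (not the article's code and not the SSLPoke class itself) so that it also says why a handshake failed instead of only printing a stack trace. Python's ssl module reads PEM, not JKS, so give it the exported certificate in Base-64 form (a DER .cer can be converted with openssl x509 -inform der -in ad.cer -out ad.pem) rather than the keystore built with keytool. The host, port and file names used here are placeholders.

```python
import socket
import ssl


def classify_failure(exc):
    """Map the exception from a failed LDAPS connection to a short diagnosis.
    Order matters: SSLCertVerificationError is itself a subclass of SSLError."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "untrusted: the DC certificate (or its issuing CA) is not in the truststore"
    if isinstance(exc, ssl.SSLError):
        return "handshake failed: the port answered but not with TLS (is LDAPS enabled on 636?)"
    if isinstance(exc, ConnectionRefusedError):
        return "refused: nothing is listening on that port"
    if isinstance(exc, socket.timeout):
        return "timeout: host unreachable or a firewall is dropping the connection"
    if isinstance(exc, socket.gaierror):
        return "dns: the hostname does not resolve"
    return "error: %s" % exc


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Open a TLS connection the way Tomcat's JNDIRealm will, verifying the server
    certificate against `cafile` (PEM; None means the platform default trust store).
    Returns a dict and never raises, so it can be called from monitoring."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname enables SNI and hostname checking against the cert's SAN/CN
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()  # only populated after successful verification
                return {
                    "ok": True,
                    "subject": dict(pair[0] for pair in cert.get("subject", ())),
                    "not_after": cert.get("notAfter"),
                    "protocol": tls.version(),
                }
    except OSError as exc:  # ssl.SSLError and socket errors are all OSError subclasses
        return {"ok": False, "diagnosis": classify_failure(exc)}


if __name__ == "__main__":
    import json
    import sys
    # Usage (placeholders): python ldaps_probe.py dc01.example.local 636 ad.pem
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    print(json.dumps(probe_ldaps(host, port, cafile), indent=2))
```

The probe verifies the hostname as well as the chain, so connect with the same name you put in connectionURL; a certificate whose subject or SAN does not match that name is reported as untrusted, which is worth knowing before you chase the truststore. An "untrusted" result with the exported certificate supplied means the wrong certificate was exported (check NTDS\Personal again); "handshake failed" usually means LDAPS is not yet enabled on the domain controller.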


 

 

 
 
 
 