Sakai / SAK-26215

Update JLDAP trust store to allow dynamic certificate reloads


    Details

    • Type: Feature Request
    • Status: CLOSED
    • Priority: Minor
    • Resolution: No Resources
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Providers
    • Labels: None

      Description

      Just throwing this out there to see if anyone's thought about it.

      We sometimes have an issue where, in the middle of the day, either an automated or manual process changes the certificate on an LDAP SSL endpoint. This causes the following stack trace, which keeps recurring:

          javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          at com.novell.ldap.Connection.writeMessage(Unknown Source)

      until the server is restarted, even if the new certificate is added as trusted (for example with this script: http://nodsw.com/blog/leeland/2006/12/06-no-more-unable-find-valid-certification-path-requested-target).

      I believe we could use a custom dynamic trust store (http://jcalcote.wordpress.com/2010/06/22/managing-a-dynamic-java-trust-store/) which would reload these certificates and allow the server to continue on without having to be restarted.

      Here's the process I think this would need:

      1. Include the code for this dynamic trust store.
      2. Wrap it in a custom class that extends SSLSocketFactory.
      3. Pass this SSLSocketFactory to LDAP and set it:
         http://www.novell.com/documentation/developer/jldap/jldapenu/api/com/novell/ldap/LDAPJSSESecureSocketFactory.html

      I haven't actually tried any of this yet; maybe someone else has, or has run into this? We could probably put in a "trust all" class too, but this seems safer.
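As an added example (not code from this ticket or from Sakai), here is a trust manager that re-reads the JKS trust store whenever the file on disk changes, wrapped into an SSLContext and handed to JLDAP through the LDAPJSSESecureSocketFactory constructor that takes a javax.net.ssl.SSLSocketFactory. The class name, store path and password are assumptions; it still runs full PKIX validation, so a rotated certificate is accepted only once it has been added to the store, but without a server restart.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
import com.novell.ldap.LDAPJSSESecureSocketFactory;

public class ReloadingTrustManager implements X509TrustManager {
    private final Path storePath;   // hypothetical path, e.g. /etc/sakai/ldap-truststore.jks
    private final char[] password;
    private volatile long loadedMtime;
    private volatile X509TrustManager delegate;

    public ReloadingTrustManager(Path storePath, char[] password) throws Exception {
        this.storePath = storePath; this.password = password;
        reload();
    }

    private synchronized void reload() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(storePath)) { ks.load(in, password); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        delegate = (X509TrustManager) tmf.getTrustManagers()[0];   // default PKIX trust manager
        loadedMtime = Files.getLastModifiedTime(storePath).toMillis();   // version now in memory
    }

    /** Reload only when the store's modification time differs from the one already loaded. */
    private void reloadIfChanged() throws CertificateException {
        try { if (Files.getLastModifiedTime(storePath).toMillis() != loadedMtime) reload(); }
        catch (Exception e) { throw new CertificateException("trust store reload failed", e); }
    }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        reloadIfChanged();
        delegate.checkServerTrusted(chain, authType);   // full PKIX validation, not "trust all"
    }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        reloadIfChanged(); delegate.checkClientTrusted(chain, authType);
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    /** Wrap an SSLContext that uses this trust manager in the JLDAP secure socket factory. */
    public static LDAPJSSESecureSocketFactory ldapSocketFactory(Path storePath, char[] password) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new ReloadingTrustManager(storePath, password) }, null);
        return new LDAPJSSESecureSocketFactory(ctx.getSocketFactory());
    }
}
```

The factory is then passed to JLDAP as `new LDAPConnection(ReloadingTrustManager.ldapSocketFactory(path, password))`, so the next handshake after the store file is updated picks up the new certificate.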

                People

                • Assignee: Unassigned
                • Reporter: jonespm Matthew Jones