Problem(Abstract)
The following error is encountered when connecting to an LDAP server over an SSL port:

[8/24/05 12:08:33:991 CDT] 78e0c40b LdapRegistryI E SECJ0352E: Could not get the users matching the pattern CN=SVC_PORTAL_WPSBIND,OU=Portal,OU=Applications,OU=Servers,DC=extranet,DC=myName,DC=myCompany,DC=com because of the following exception
javax.naming.CommunicationException: Request: 1 cancelled
at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:77)
at com.sun.jndi.ldap.Connection.readReply(Connection.java:435)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:357)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:210)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2657)

Cause
Enabling JSSE tracing revealed that the problem was caused by a certificate sent by the LDAP server that did not exist in the truststore used by the application making the call to the LDAP server. The JSSE trace shows the following error:

[10/14/05 9:28:09:599 CDT] 63daf428 SystemOut O Alert: fatal, unknown certificate

Further down, the following exception is thrown:

[10/14/05 9:28:09:652 CDT] b473429 LdapRegistryI E SECJ0352E: Could not get the users matching the pattern CN=SVC_PORTAL_WPSBIND,OU=Portal,OU=Applications,OU=Servers,DC=extranet,DC=myName,DC=myCompany,DC=com because of the following exception javax.naming.CommunicationException: simple bind failed: prodldap.myCompany.com:3269. Root exception is java.net.SocketException: Socket is closed
at java.net.Socket.getSoTimeout(Socket.java:964)
at com.ibm.sslite.bf.getSoTimeout(bf.java:99)
at com.ibm.sslite.bf.a(bf.java:90)
at com.ibm.sslite.bf.<init>(bf.java:59)
at com.ibm.jsse.bs.a(bs.java:151)
at com.ibm.jsse.b.a(b.java:17)
at com.ibm.jsse.b.write(b.java:2)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:86)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:144)

In this particular case, the truststore being used was the CACERTS file (the portal server was trying to make a connection to LDAP). This file did not contain the certificate that the LDAP server was sending. The "unknown certificate" alert is the SSL handshake being aborted by the client because it cannot build a trust chain for the server's certificate; the LdapRegistry error that follows is only the consequence of the closed socket.

Resolving the problem
JSSE tracing will show the certificate that is causing the failure. For example:

Validity: [From: Wed Sep 29 15:39:44 CDT 2004, To: Tue Sep 29 15:47:18 CDT 2009]
Issuer: CN=myCN, DC=myName, DC=myCompany, DC=com
SerialNumber: [5904293442183922833992586030648821329]

1. Export the above certificate from the LDAP server.
2. Import the above certificate into the CACERTS file using IKEYMAN, located in the bin directory of wasroot.

Refer to the following technote for detailed steps on exporting and importing certificates into the CACERTS file: Certificate Missing from CACERTS file, Unknown Certificate Error.
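The following is an added example, not code from the technote or from IBM: a small Java utility that checks whether a JKS truststore such as CACERTS already contains the certificate named in the JSSE trace, identified by the Issuer DN and SerialNumber the trace prints (issuer plus serial uniquely identifies an X.509 certificate), and optionally imports a DER- or PEM-encoded copy exported from the LDAP server as step 2 requires. It assumes the truststore is JKS, that the trace prints the serial number in decimal as in the example above, and uses a hypothetical alias name ldap-ca; the truststore path and password are supplied on the command line (the JDK's shipped default for cacerts is "changeit", but an installation may have changed it).

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.security.auth.x500.X500Principal;

/*
 * Added example (not from the technote): verify that a JKS truststore such as
 * CACERTS holds the certificate a JSSE "unknown certificate" trace names by
 * issuer DN and serial number, and optionally import an exported copy of it.
 */
public class TruststoreCheck {

    /** Loads a JKS truststore (CACERTS in the WebSphere JRE is a JKS file). */
    public static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Returns the alias of the trusted certificate whose issuer DN and serial
     * number match the trace, or null if the truststore lacks it.
     * X500Principal.equals compares DNs canonically, so the spaced form
     * "CN=myCN, DC=myName, DC=myCompany, DC=com" printed by the trace matches
     * the certificate's own encoding of the issuer.
     */
    public static String findAlias(KeyStore ks, String issuerDn, BigInteger serial)
            throws Exception {
        X500Principal wanted = new X500Principal(issuerDn);
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x509 = (X509Certificate) cert;
            if (serial.equals(x509.getSerialNumber())
                    && wanted.equals(x509.getIssuerX500Principal())) {
                return alias;
            }
        }
        return null;
    }

    /**
     * Imports a DER- or PEM-encoded certificate exported from the LDAP server
     * under the given alias and writes the truststore back to disk.
     */
    public static void importCertificate(KeyStore ks, String certFile, String alias,
                                         String storePath, char[] password) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(certFile)) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        // Refuse an expired or not-yet-valid certificate: trusting it would not
        // fix the handshake, it would only move the failure to a validity error.
        cert.checkValidity();
        ks.setCertificateEntry(alias, cert);
        try (OutputStream out = new FileOutputStream(storePath)) {
            ks.store(out, password);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: TruststoreCheck <cacerts> <password> <issuerDN> <serialDecimal> [exported.cer]");
            System.exit(2);
        }
        String storePath = args[0];
        char[] password = args[1].toCharArray();
        String issuerDn = args[2];
        BigInteger serial = new BigInteger(args[3]); // trace prints the serial in decimal

        KeyStore ks = load(storePath, password);
        String alias = findAlias(ks, issuerDn, serial);
        if (alias != null) {
            System.out.println("Certificate already trusted under alias: " + alias);
            return;
        }
        System.out.println("Certificate missing from " + storePath
                + " (this is what produces the unknown certificate alert and SECJ0352E)");
        if (args.length > 4) {
            importCertificate(ks, args[4], "ldap-ca", storePath, password); // "ldap-ca" is a hypothetical alias
            System.out.println("Imported " + args[4] + " as alias ldap-ca; restart the server so the JSSE picks it up");
        }
    }
}
```

Run it against the CACERTS file of the JRE that WebSphere actually uses, for example `java TruststoreCheck <wasroot>/java/jre/lib/security/cacerts changeit "CN=myCN, DC=myName, DC=myCompany, DC=com" 5904293442183922833992586030648821329 ldap-export.cer`, where `ldap-export.cer` is the certificate exported in step 1. A match before the import means the application is reading a different truststore from the one you edited (check the javax.net.ssl.trustStore system property); no match after the import means the server has not been restarted, or a different JRE is in use.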