In the post "Configuring OpenLDAP as external user store of WSO2 IS 4.6.0" the user store was connected over plain ldap. As soon as the connection URL is switched to ldaps, the following error appears:

[2014-04-08 13:23:34,237] ERROR {org.wso2.carbon.user.core.ldap.LDAPConnectionContext} -  Error obtaining connection. simple bind failed: ldap.crscd.org:636
javax.naming.CommunicationException: simple bind failed: ldap.crscd.org:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

"PKIX path building failed" means the JVM has no trust anchor for the certificate chain the OpenLDAP server presents, so the CA certificate that issued the server's certificate has to be imported into the WSO2 IS client truststore (client-truststore.jks under repository/resources/security). The server in this setup uses a free StartSSL Class 1 certificate, so the StartCom root certificate is imported. keytool prints the certificate's fingerprints before asking for confirmation; compare them with the values the CA publishes before answering "yes", because every certificate in this truststore is trusted for all outbound TLS connections WSO2 IS makes. The store password used below (wso2carbon) is the WSO2 default and should be changed on a production system.

root@wso2:~/wso2is-4.6.0/repository/resources/security#  keytool -import -v -trustcacerts -storepass wso2carbon -alias "StartSSL CA" -file /tmp/ca.pem -keystore client-truststore.jks
Owner: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
Issuer: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
Serial number: 1
Valid from: Sun Sep 17 19:46:36 UTC 2006 until: Wed Sep 17 19:46:36 UTC 2036
Certificate fingerprints:
         MD5:  22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16
         SHA1: 3E:2B:F7:F2:03:1B:96:F3:8C:E6:C4:D8:A8:5D:3E:2D:58:47:6A:0F
         SHA256: C7:66:A9:BE:F2:D4:07:1C:86:3A:31:AA:49:20:E8:13:B2:D1:98:60:8C:B7:B7:CF:E2:11:43:B8:36:DF:09:EA
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
0000: 16 29 53 74 61 72 74 43   6F 6D 20 46 72 65 65 20  .)StartCom Free
0010: 53 53 4C 20 43 65 72 74   69 66 69 63 61 74 69 6F  SSL Certificatio
0020: 6E 20 41 75 74 68 6F 72   69 74 79                 n Authority


#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://cert.startcom.org/sfsca-crl.crl]
, DistributionPoint:
     [URIName: http://crl.startcom.org/sfsca-crl.crl]
]]

#4: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.23223.1.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 23 68 74 74 70 3A 2F   2F 63 65 72 74 2E 73 74  .#http://cert.st
0010: 61 72 74 63 6F 6D 2E 6F   72 67 2F 70 6F 6C 69 63  artcom.org/polic
0020: 79 2E 70 64 66                                     y.pdf
], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 0000: 30 81 C3 30 27 16 20 53   74 61 72 74 20 43 6F 6D  0..0'. Start Com
0010: 6D 65 72 63 69 61 6C 20   28 53 74 61 72 74 43 6F  mercial (StartCo
0020: 6D 29 20 4C 74 64 2E 30   03 02 01 01 1A 81 97 4C  m) Ltd.0.......L
0030: 69 6D 69 74 65 64 20 4C   69 61 62 69 6C 69 74 79  imited Liability
0040: 2C 20 72 65 61 64 20 74   68 65 20 73 65 63 74 69  , read the secti
0050: 6F 6E 20 2A 4C 65 67 61   6C 20 4C 69 6D 69 74 61  on *Legal Limita
0060: 74 69 6F 6E 73 2A 20 6F   66 20 74 68 65 20 53 74  tions* of the St
0070: 61 72 74 43 6F 6D 20 43   65 72 74 69 66 69 63 61  artCom Certifica
0080: 74 69 6F 6E 20 41 75 74   68 6F 72 69 74 79 20 50  tion Authority P
0090: 6F 6C 69 63 79 20 61 76   61 69 6C 61 62 6C 65 20  olicy available
00A0: 61 74 20 68 74 74 70 3A   2F 2F 63 65 72 74 2E 73  at http://cert.s
00B0: 74 61 72 74 63 6F 6D 2E   6F 72 67 2F 70 6F 6C 69  tartcom.org/poli
00C0: 63 79 2E 70 64 66                                  cy.pdf

]]  ]
]

#5: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
  Key_Agreement
  Key_CertSign
  Crl_Sign
]

#6: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL CA
   S/MIME CA
   Object Signing CA]

#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4E 0B EF 1A A4 40 5B A5   17 69 87 30 CA 34 68 43  N....@[..i.0.4hC
0010: D0 41 AE F2                                        .A..
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
[Storing client-truststore.jks]

Once the import has succeeded, restart WSO2 IS and the LDAPS connection works. If path building still fails after importing the root, check that the server sends its intermediate CA certificate in the handshake: the JVM builds the path only from the certificates the server presents plus the truststore and does not fetch missing issuers on its own, so a StartSSL Class 1 server certificate needs the Class 1 intermediate either in the server's chain or imported into the truststore as well. Note also that StartCom's roots were removed from the major browser and OS trust stores in 2016-2017, so this particular CA should not be trusted in new deployments; the procedure itself applies unchanged to any CA.
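The same procedure as a script, added here as an example rather than taken from the original post: it fetches the chain the LDAPS server actually presents, prints subject, issuer and SHA-256 fingerprint of every certificate in it, imports a CA into client-truststore.jks only when its fingerprint matches a value you verified out of band (so keytool's interactive "Trust this certificate?" prompt can be answered with -noprompt safely), and finally checks with OpenSSL that a path from the server's leaf certificate to that CA can be built. Host name, file paths, alias and the expected fingerprint are assumptions supplied through environment variables; the truststore password defaults to WSO2's stock wso2carbon.

```shell
#!/bin/sh
# Added example, not code from the original post or from WSO2.
# Usage (all values are assumptions to replace with your own):
#   LDAPS_HOST=ldap.example.org CA_PEM=/tmp/ca.pem CA_ALIAS="StartSSL CA" \
#   CA_SHA256="C7:66:...:EA" TRUSTSTORE=client-truststore.jks sh ldaps-trust.sh

LDAPS_HOST="${LDAPS_HOST:-}"                        # LDAPS server, e.g. ldap.example.org
LDAPS_PORT="${LDAPS_PORT:-636}"
TRUSTSTORE="${TRUSTSTORE:-client-truststore.jks}"   # <IS_HOME>/repository/resources/security
STOREPASS="${STOREPASS:-wso2carbon}"                # WSO2 default; change it in production
CHAIN_PEM="${CHAIN_PEM:-/tmp/ldaps-chain.pem}"      # where the fetched chain is written

# Normalise a fingerprint so keytool's "C7:66:..." and openssl's
# "SHA256 Fingerprint=c7:66:..." compare equal: drop any "label=" prefix,
# colons and whitespace, and upper-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ':[:space:]' | tr 'a-f' 'A-F'
}

# Succeed when two fingerprint strings denote the same digest.
fp_equal() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Dump every certificate the server presents during the handshake into CHAIN_PEM.
fetch_chain() {
    openssl s_client -showcerts -connect "$LDAPS_HOST:$LDAPS_PORT" \
        -servername "$LDAPS_HOST" </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$CHAIN_PEM"
    [ -s "$CHAIN_PEM" ]
}

# Split the chain into CHAIN_PEM.1 (leaf), CHAIN_PEM.2, ... and print
# subject, issuer and SHA-256 fingerprint of each certificate.
show_chain() {
    awk -v out="$CHAIN_PEM" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        { print > (out "." n) }' "$CHAIN_PEM"
    for f in "$CHAIN_PEM".*; do
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer -fingerprint -sha256
    done
}

# Import the CA certificate $1 (PEM) under alias $2, but only if its SHA-256
# fingerprint equals $3, the value published by the CA and verified out of band.
import_ca() {
    ca_pem="$1"; ca_alias="$2"; expected="$3"
    actual=$(openssl x509 -in "$ca_pem" -noout -fingerprint -sha256)
    if ! fp_equal "$actual" "$expected"; then
        echo "refusing to import $ca_pem: fingerprint mismatch" >&2
        echo "  got      $(normalize_fp "$actual")" >&2
        echo "  expected $(normalize_fp "$expected")" >&2
        return 1
    fi
    # -noprompt replaces the interactive "Trust this certificate? [no]:"
    # question; that is acceptable only because the fingerprint was pinned above.
    keytool -importcert -noprompt -trustcacerts -alias "$ca_alias" \
        -file "$ca_pem" -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

# Show the imported entry as keytool sees it (alias, date, fingerprint).
check_truststore() {
    keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -alias "$1"
}

# Build a path from the server's leaf certificate to the pinned CA, using the
# rest of the fetched chain as untrusted intermediates. Failure here usually
# means the server does not send its intermediate CA certificate.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$CHAIN_PEM" "$CHAIN_PEM.1"
}

# The network and keystore steps run only when a host is given, so the
# functions above can be sourced and tested without touching anything.
if [ -n "$LDAPS_HOST" ]; then
    fetch_chain && show_chain
    import_ca "${CA_PEM:?set CA_PEM}" "${CA_ALIAS:?set CA_ALIAS}" "${CA_SHA256:?set CA_SHA256}"
    check_truststore "$CA_ALIAS"
    verify_chain "$CA_PEM"
fi
```

The fingerprint you pass as CA_SHA256 must come from somewhere other than the server you are connecting to (the CA's published root list, or a copy of the root you already trust); pinning a fingerprint you just downloaded from the same host proves nothing. After a successful run, restart WSO2 IS as described above.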
