I am implementing two-way (mutual) SSL for LDAP in Java. I already have the client authenticating the server, but authenticating the client by certificate does not work. The system reports [LDAP: error code 49 - client certificate mapping failed].
The server's access.log shows:
[17/Oct/2003:09:43:47 +0800] conn=0 fd=844 slot=844 connection from 192.168.0.26 to 192.168.0.26
[17/Oct/2003:09:43:47 +0800] conn=0 op=0 BIND dn= uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot method=128 version=3
[17/Oct/2003:09:43:47 +0800] conn=0 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn= uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
[17/Oct/2003:09:44:34 +0800] conn=1 fd=864 slot=864 SSL connection from 192.168.0.26 to 192.168.0.26
[17/Oct/2003:09:44:34 +0800] conn=1 SSL 128-bit RC4; client CN=kangxxx aa, OU=No Liability as per http://freecerts.entrust.com/license.htm, OU=Entrust/Web Connector, OU=Entrust PKI Demonstration Certificates, O=Entrust, C=US; issuer OU=Entrust PKI Demonstration Certificates, O=Entrust, C=US
[17/Oct/2003:09:44:34 +0800] conn=1 SSL failed to map client certificate to LDAP DN
[17/Oct/2003:09:44:34 +0800] conn=1 op=0 BIND dn= method=sasl version=3 mech=EXTERNAL
[17/Oct/2003:09:44:34 +0800] conn=1 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[17/Oct/2003:09:44:34 +0800] conn=1 op=1 fd=864 closed - A1
Here is what I did:
1. Downloaded and installed a client SSL certificate from Entrust, exported it as a CLIENT.PFX file, then imported CLIENT.PFX into the keystore together with the root certificate,
and exported this certificate as CLIENT.CER.
2. Imported the root certificate into the truststore.
Here is my connection code:
import java.security.Security;
import java.util.Properties;
import javax.naming.Context;

Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
System.setProperty("javax.net.ssl.keyStorePassword", "11111111");
// Import the SSL client certificate (the PFX file was imported into the store with keytool, plus the CA certificate)
System.setProperty("javax.net.ssl.keyStore", "c:/downloads/storejks/clientstore.jks");
// Import the CA certificate
System.setProperty("javax.net.ssl.trustStore", "c:/downloads/storejks/castore.jks");
LDAPRepository certrep = new LDAPRepository();
Properties p = new Properties();
p.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
p.put(Context.PROVIDER_URL, "ldaps://192.168.0.26:636");
p.put(Context.SECURITY_PROTOCOL, "ssl");
p.put(Context.SECURITY_AUTHENTICATION, "EXTERNAL");
3. Configured the certmap.conf file:
certmap default default
default:DNComps o
default:FilterComps uid
default:verifycert on
#default:CmapLdapAttr certSubjectDN
#default:library path_to_shared_lib_or_dll
#default:InitFn Init function's name
certmap gg OU=Entrust PKI Demonstration Certificates, O=Entrust, C=US
gg:DNComps o
gg:FilterComps uid
gg:verifycert on
#aa:CmapLdapAttr
#default:library path_to_shared_lib_or_dll
#default:InitFn Init function's name
4. Created a user uid=steffo,ou=people,o=infosec.com.cn, granted it full rights on o=infosec.com.cn,
and added to it the attribute userCertificate;binary (object),
whose value is the CLIENT.CER certificate exported above.
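Added example, not from this post and not the directory server's own code: a small Python simulation of how a certmap.conf rule turns the client certificate subject from the access log above into an LDAP search base and filter, following the documented DNComps/FilterComps behaviour as assumed in the comments. Run with the post's rule (DNComps o, FilterComps uid) it shows the base becoming o=Entrust and no filter being buildable because the Entrust subject carries no uid, which is the mapping failure the log reports.

```python
# Simulation of the certmap.conf lookup behind the log line
# "SSL failed to map client certificate to LDAP DN".
# Assumed DNComps/FilterComps rules (per the documented format):
#   DNComps absent (None) -> whole subject DN is the search base
#   DNComps empty ([])    -> empty base, i.e. search the whole tree
#   FilterComps empty     -> filter (objectclass=*)
#   a FilterComps attribute missing from the subject -> mapping fails

def parse_dn(dn):
    """'CN=a, OU=b, O=c' -> [('cn','a'), ('ou','b'), ('o','c')].
    Assumes no escaped commas inside values (true of the subject below)."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def certmap_search(subject_dn, dncomps, filtercomps):
    """Return {'base', 'filter', 'error'} for one certmap rule."""
    subject = parse_dn(subject_dn)
    if dncomps is None:
        base = ",".join(f"{a}={v}" for a, v in subject)
    else:  # copy only the listed attributes, in DNComps order
        base = ",".join(f"{a}={v}" for d in dncomps
                        for a, v in subject if a == d.lower())
    clauses = []
    for comp in filtercomps:
        values = [v for a, v in subject if a == comp.lower()]
        if not values:
            return {"base": base, "filter": None,
                    "error": f"subject DN has no {comp} attribute"}
        clauses += [f"({comp.lower()}={v})" for v in values]  # no LDAP escaping
    if not clauses:
        flt = "(objectclass=*)"
    else:
        flt = clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"
    return {"base": base, "filter": flt, "error": None}

# Subject DN copied from the access-log line above (constructed input).
SUBJECT = ("CN=kangxxx aa, OU=No Liability as per http://freecerts.entrust.com/license.htm, "
           "OU=Entrust/Web Connector, OU=Entrust PKI Demonstration Certificates, "
           "O=Entrust, C=US")

if __name__ == "__main__":
    # The 'gg' rule from the post: base becomes o=Entrust (no such suffix in
    # the directory) and the subject has no uid, so uid=steffo is never found.
    print(certmap_search(SUBJECT, ["o"], ["uid"]))
    # Empty DNComps with a cn filter would at least produce a runnable search.
    print(certmap_search(SUBJECT, [], ["cn"]))
```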