kuronen

Vice Admiral
2019-01-23
11:41
1021 views
Ecmascript ldapsearch with SSL / TLS
Did anyone implement TLS / SSL in their Ecmascript ldapsearch? It does not look very complicated and seems to be doable at least with LDAPJSSEStartTLSFactory.
__________
Pekka Kuronen
Pegasi Oy / pegasi.fi
11 Replies


Knowledge Partner
2019-01-23
12:03
kuronen wrote:
>
> Did anyone implement TLS / SSL in their Ecmascript ldapsearch? It does
> not look very complicated and seems to be doable at least with
> LDAPJSSEStartTLSFactory.
I have a packaged version available in my public repo at
https://www.brummelhook.com/download/idm/ (part of "BitsNdPieces"
v1.0.9.20160407105251) and I believe one of the standard packages from NetIQ
now supports TLS, too. Sorry, I forget its exact name, part of the AJC-ECMA
package, maybe?
______________________________________________
https://www.is4it.de/identity-access-management
kuronen

Vice Admiral
2019-01-23
13:00
You've got it in java class but I kinda hoped to do it with ecmascript. Did not see any ldap functions in the latest 4.7.2 advanced java class code. Did I miss something?
But thanks for sharing. May grab it after all.
__________
Pekka Kuronen
Pegasi Oy / pegasi.fi


Knowledge Partner
2019-01-23
13:08
kuronen wrote:
> You've got it in java class but I kinda hoped to do it with ecmascript.
Nope, it's an ECMA resource in a library. Add
https://www.brummelhook.com/download/idm/ as an Online-Repo to Designer, then
run Help - Check for Package Updates....
--
http://www.is4it.de/en/solution/identity-access-management/
(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management


Knowledge Partner
2019-01-23
13:13
Lothar Haeger wrote:
> Add https://www.brummelhook.com/download/idm/ as an Online-Repo to Designer
Well, https://www.brummelhook.com/download/idm/packages/ would be the correct
URL...
______________________________________________
https://www.is4it.de/identity-access-management
kuronen

Vice Admiral
2019-01-23
13:39
Still experimenting here.. and it looks like using InitialDirContext makes LDAP a breeze as I got it calling server LDAP in minutes but I am stuck in one problem. It seems that I cannot get keystore data to the java ldap operations with:

var props = new java.util.Properties(System.getProperties());
props.setProperty("javax.net.ssl.trustStore", "/tmp/cacerts");
props.setProperty("javax.net.ssl.trustStorePassword","xxx");
props.setProperty("javax.net.ssl.keyStore", "/tmp/cacerts");
props.setProperty("javax.net.ssl.keyStorePassword","xxx");

Is that the right way to set java System.properties in Ecmascript? I tried outputting System.getProperties after setting the above:

return System.getProperty("javax.net.ssl.keyStore");

But got null. I probably can just set the values in the init files and use the already included keystore but that left me wondering.
__________
Pekka Kuronen
Pegasi Oy / pegasi.fi


Knowledge Partner
2019-01-23
15:11
kuronen wrote:
> It seems that I cannot get keystore data to the
> java ldap operations with:
You need to restart eDirectory for the ECMA to pick up changes to the keystore,
unfortunately.
> Is that the right way to set java System.properties in Ecmascript?
It's one way to do it and it works. 🙂 I'm pretty sure it's possible to
implement it without setting the system keystore, but I've never got around to
implementing it. If you can make it happen, please share your code!
______________________________________________
https://www.is4it.de/identity-access-management
cpedersen

Admiral
2019-01-23
15:30
On 23.01.19 16:11, Lothar Haeger wrote:
> kuronen wrote:
>
>> It seems that I cannot get keystore data to the
>> java ldap operations with:
>
> You need to restart Edirectory for the ECMA to pick up changes to the keystore,
> unfortunately.
>
>> Is that the right way to set java System.properties in Ecmascript?
>
> It's one way to do it and it works. 🙂 I'm pretty sure it's possible to
> implement without setting the system keystore, but I've never come around to
> implement it. If you can make it happen, please share your code!
>
You might get around the system cacert by using SSL instead of TLS.
This is what I do with Java:
import java.security.Security;
import com.novell.ldap.LDAPConnection;
import com.novell.ldap.LDAPJSSESecureSocketFactory;
import com.novell.ldap.LDAPSocketFactory;
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider()); // SunJSSE is registered by default on current JDKs
System.setProperty("javax.net.ssl.trustStore", keystorePath);      // still JVM-wide, but a dedicated file, not the system cacerts
System.setProperty("javax.net.ssl.trustStorePassword", keystorePassword);
LDAPSocketFactory ssf = new LDAPJSSESecureSocketFactory();         // LDAPS: TLS from the first byte, no StartTLS round trip
LDAPConnection.setSocketFactory(ssf);                              // static: applies to every LDAPConnection created afterwards
I am not sure about the addProvider, as I've been using this for years.
But I do not have to import anything into my system cacerts file.
Casper


Knowledge Partner
2019-01-23
14:23
On 1/23/2019 8:04 AM, kuronen wrote:
>
> You've got it in java class but I kinda hoped to do it with ecmascript.
Well, it is ECMA calling Java. 🙂 I am not sure you will see a pure
ECMA implementation. But if you do, please report back.
> Did not see any ldap functions in the latest 4.7.2 advanced java class
> code. Did I miss something?
It is called LDAP Common:
Package Catalog > Common > ECMAScript > NOVLLIBLDP
> But thanks for sharing. May grab it after all.
kuronen

Vice Admiral
2019-01-24
06:06
This does the trick:
java.lang.System.setProperty("javax.net.ssl.trustStore", path);
I was setting env to an instance I never used. Thanks for your help and insights.
__________
Pekka Kuronen
Pegasi Oy / pegasi.fi


Knowledge Partner
2019-01-24
07:10
kuronen wrote:
> This does the trick:
>
>
> Code:
> --------------------
>
> java.lang.System.setProperty("javax.net.ssl.trustStore", path);
>
> --------------------
>
>
> I was setting env to an instance I never used. Thanks for your help and
> insights.
Just be aware that this sets the truststore for all ECMA running on any driver.
We've had a situation where different ldapsearch configs were used by two
drivers and one of them always failed with cert issues, until we found out that
the driver started first wins and only its truststore is used by all drivers
until you restart eDirectory (when again the first driver starting wins). After
all, we set a system property and not anything limited to the ECMA instance or
driver only. That's also why you need to bounce eDir to activate changes to the
truststore and a driver restart is not enough, I guess.
--
http://www.is4it.de/en/solution/identity-access-management/
(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management
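An added example, not code from the thread or from NetIQ: plain Java that reproduces the two behaviours discussed above, the Properties copy that never reaches the JVM (kuronen's first attempt and the System.setProperty fix) and the "first driver wins" effect Lothar describes. The /tmp paths are placeholders; the second method does not need them to exist, it only shows that the default SSLContext is built once and cached.

```java
import java.util.Properties;
import javax.net.ssl.SSLContext;

/**
 * Why the thread's first attempt produced null, and why the fix is JVM-wide.
 * (Added illustration; KEY and the paths in main() are placeholders.)
 */
public class TrustStorePropertyScope {
    static final String KEY = "javax.net.ssl.trustStore";

    /** The mistake: new Properties(defaults) is a separate table whose *defaults* point at the live one. */
    public static String setOnCopy(String path) {
        Properties copy = new Properties(System.getProperties());
        copy.setProperty(KEY, path);
        return copy.getProperty(KEY);      // reads through the copy look fine: returns `path`
    }

    /** ...but the live table, the one JSSE consults, was never touched. */
    public static String liveValue() {
        return System.getProperty(KEY);    // null after setOnCopy()
    }

    /** The working form from the thread. JVM-wide: every driver's ECMA shares it. */
    public static void setLive(String path) {
        System.setProperty(KEY, path);
    }

    /**
     * Why a driver restart is not enough: SSLContext.getDefault() builds the
     * default context on its first call (reading javax.net.ssl.trustStore then)
     * and returns the same cached object afterwards. Whoever sets the property
     * before that first call wins; later values are ignored until the JVM restarts.
     */
    public static boolean secondTrustStoreIsIgnored(String first, String second) throws Exception {
        setLive(first);
        SSLContext a = SSLContext.getDefault();   // built from `first`, cached
        setLive(second);
        SSLContext b = SSLContext.getDefault();   // cache hit: `second` is never loaded
        return a == b;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("via copy        : " + setOnCopy("/tmp/cacerts"));   // /tmp/cacerts
        System.out.println("live value      : " + liveValue());                 // null
        System.out.println("2nd path ignored: " + secondTrustStoreIsIgnored("/tmp/a.jks", "/tmp/b.jks")); // true
    }
}
```

The practical consequence for a shared engine JVM: verify the truststore with `System.getProperty`, not through any copy, and set it before anything in the JVM has created the default SSLContext; otherwise the only way to apply a change is the eDirectory restart the thread mentions.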
kuronen

Vice Admiral
2019-01-24
13:20
lhaeger wrote:
kuronen wrote:
> This does the trick:
>
>
> Code:
> --------------------
>
> java.lang.System.setProperty("javax.net.ssl.trustStore", path);
>
> --------------------
>
>
> I was setting env to an instance I never used. Thanks for your help and
> insights.
Just be aware that this sets the truststore for all ECMA running on any driver.
We've had a situation where different ldapsearch configs were used by two
drivers and one of them always failed with cert issues, until we found out that
the driver started first wins and only its truststore is used by all drivers
until you restart eDirectory (when again the first driver starting wins). After
all, we set a system property and not anything limited to the ECMA instance or
driver only. That's also why you need to bounce eDir to activate changes to the
truststore and a driver restart is not enough, I guess.
--
http://www.is4it.de/en/solution/identity-access-management/
(If you find this post helpful, please click on the star below.)
Very good point, thanks. I was exploring the option but decided to add the certificates to the IDM keystore.
Doing ldap search with SSL seems more straightforward with InitialDirContext and I can recommend it.
__________
Pekka Kuronen
Pegasi Oy / pegasi.fi
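An added example, not code from the thread, NetIQ or Lothar's package: the approach Lothar says should be possible, a JNDI LDAP search (the InitialDirContext route kuronen recommends) whose trust anchors come from an SSLContext owned by the code rather than from javax.net.ssl.trustStore, so two drivers in one engine JVM can trust different CAs and a changed truststore needs no eDirectory restart. It is Java because the ECMA in the thread is only calling Java; the class name, the holder class, the hostnames and the arguments to main() are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/** JNDI LDAP over TLS with a per-connection truststore; nothing written to javax.net.ssl.* (added example). */
public class PerConnectionTrustLdap {

    /** SSLContext that trusts only the CA certificates in the given JKS/PKCS12 file. */
    public static SSLContext trustOnly(String trustStorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no client certificate: simple bind inside TLS
        return ctx;
    }

    /** StartTLS on the plain port: connect anonymously, upgrade, only then send the bind password. */
    public static LdapContext connectStartTls(String host, int port, SSLContext ssl,
                                              String bindDn, String password) throws Exception {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + host + ":" + port);
        LdapContext ctx = new InitialLdapContext(env, null);     // no credentials in the environment yet
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        tls.negotiate(ssl.getSocketFactory());   // our trust anchors; negotiate() also verifies the hostname
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);   // bind is sent on the next operation, inside TLS
        return ctx;
    }

    /**
     * LDAPS hook: JNDI accepts only a class *name* for the socket factory and calls its
     * static getDefault(), so the SSLContext is handed over through this holder. Its scope
     * is this class, not the JVM's javax.net.ssl properties (assumed helper, not a JNDI class).
     */
    public static final class PinnedSocketFactory {
        private static volatile SSLSocketFactory delegate;
        public static void use(SSLContext ssl) { delegate = ssl.getSocketFactory(); }
        public static SSLSocketFactory getDefault() { return delegate; }
    }

    /** LDAPS (usually port 636): TLS from the first byte, then simple bind. */
    public static LdapContext connectLdaps(String host, int port, SSLContext ssl,
                                           String bindDn, String password) throws Exception {
        PinnedSocketFactory.use(ssl);
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + host + ":" + port);
        env.put("java.naming.ldap.factory.socket", PinnedSocketFactory.class.getName());
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialLdapContext(env, null);
    }

    /** Subtree search that returns the matching DNs and no attributes ("1.1"). */
    public static List<String> search(LdapContext ctx, String base, String filter) throws Exception {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { "1.1" });
        List<String> dns = new ArrayList<>();
        NamingEnumeration<SearchResult> results = ctx.search(base, filter, sc);
        while (results.hasMore()) {
            dns.add(results.next().getNameInNamespace());
        }
        return dns;
    }

    /** Usage: java PerConnectionTrustLdap ldap.example.com truststore.jks storepw "cn=admin,o=org" bindpw o=org */
    public static void main(String[] args) throws Exception {
        SSLContext ssl = trustOnly(args[1], args[2].toCharArray());
        LdapContext ctx = connectStartTls(args[0], 389, ssl, args[3], args[4]);
        try {
            for (String dn : search(ctx, args[5], "(objectClass=inetOrgPerson)")) System.out.println(dn);
        } finally {
            ctx.close();   // tears down the TLS layer with the connection
        }
    }
}
```

Two design notes. The StartTLS path keeps no static state at all, so it is the one to prefer when several drivers must trust different CAs; the LDAPS path needs the holder because JNDI resolves the socket factory by class name, and a holder shared by two drivers reintroduces a smaller version of the first-wins problem (give each driver its own holder class if you need that isolation). Hostname checking differs as well: StartTlsResponse.negotiate() verifies the server name against the certificate itself, whereas for ldaps:// the JNDI provider applies endpoint identification only on JDK builds that enable it by default (8u181 and later), so on an older engine JVM the LDAPS variant should be treated as trusting any certificate chained to the truststore, not one bound to the host.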