Vice Admiral

Ecmascript ldapsearch with SSL / TLS

Did anyone implement TLS / SSL in their Ecmascript ldapsearch? It does not look very complicated and seems to be doable at least with LDAPJSSEStartTLSFactory.
__________
Pekka Kuronen
Pegasi Oy / pegasi.fi
11 Replies
Knowledge Partner

kuronen wrote:

>
> Did anyone implement TLS / SSL in their Ecmascript ldapsearch? It does
> not look very complicated and seems to be doable at least with
> LDAPJSSEStartTLSFactory.


I have a packaged version available in my public repo at
https://www.brummelhook.com/download/idm/ (part of "BitsNdPieces"
v1.0.9.20160407105251) and I believe one of the standard packages from NetIQ
now supports TLS, too. Sorry, I forget its exact name, part of the AJC-ECMA
package, maybe?
______________________________________________
https://www.is4it.de/identity-access-management
Vice Admiral

You've got it in java class but I kinda hoped to do it with ecmascript. Did not see any ldap functions in the latest 4.7.2 advanced java class code. Did I miss something?

But thanks for sharing. May grab it after all.
__________
Pekka Kuronen
Pegasi Oy / pegasi.fi
Knowledge Partner

kuronen wrote:

> You've got it in java class but I kinda hoped to do it with ecmascript.


Nope, it's an ECMA resource in a library. Add
https://www.brummelhook.com/download/idm/ as an Online-Repo to Designer, then
run Help - Check for Package Updates....

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management
Knowledge Partner

Lothar Haeger wrote:

> Add https://www.brummelhook.com/download/idm/ as an Online-Repo to Designer


Well, https://www.brummelhook.com/download/idm/packages/ would be the correct
URL...
______________________________________________
https://www.is4it.de/identity-access-management
Vice Admiral

Still experimenting here... and it looks like using InitialDirContext makes LDAP a breeze, as I got it calling server LDAP in minutes, but I am stuck on one problem. It seems that I cannot get keystore data to the Java LDAP operations with:


var props = new java.util.Properties(System.getProperties());
props.setProperty("javax.net.ssl.trustStore", "/tmp/cacerts");
props.setProperty("javax.net.ssl.trustStorePassword","xxx");
props.setProperty("javax.net.ssl.keyStore", "/tmp/cacerts");
props.setProperty("javax.net.ssl.keyStorePassword","xxx");


Is that the right way to set java System.properties in Ecmascript? I tried outputting System.getProperties after setting the above:


return System.getProperty("javax.net.ssl.keyStore");


But got null. I probably can just set the values in the init files and use the already included keystore but that left me wondering.
__________
Pekka Kuronen
Pegasi Oy / pegasi.fi
Knowledge Partner

kuronen wrote:

> It seems that I cannot get keystore data to the
> java ldap operations with:


You need to restart eDirectory for the ECMA to pick up changes to the keystore,
unfortunately.

> Is that the right way to set java System.properties in Ecmascript?


It's one way to do it and it works. 🙂 I'm pretty sure it's possible to
implement without setting the system keystore, but I've never come around to
implement it. If you can make it happen, please share your code!
______________________________________________
https://www.is4it.de/identity-access-management
Admiral

On 23.01.19 16:11, Lothar Haeger wrote:
> kuronen wrote:
>
>> It seems that I cannot get keystore data to the
>> java ldap operations with:
>
> You need to restart Edirectory for the ECMA to pick up changes to the keystore,
> unfortunately.
>
>> Is that the right way to set java System.properties in Ecmascript?
>
> It's one way to do it and it works. 🙂 I'm pretty sure it's possible to
> implement without setting the system keystore, but I've never come around to
> implement it. If you can make it happen, please share your code!


You might get around the system cacert by using SSL instead of TLS.

This is what I do with Java:

Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
System.setProperty("javax.net.ssl.trustStore", keystorePath);
System.setProperty("javax.net.ssl.trustStorePassword",keystorePassword);
ssf = new LDAPJSSESecureSocketFactory();
LDAPConnection.setSocketFactory(ssf);

I am not sure about the addProvider, as I've been using this for years.


But I do not have to import anything into my system cacerts file.



Casper
Knowledge Partner

On 1/23/2019 8:04 AM, kuronen wrote:
>
> You've got it in java class but I kinda hoped to do it with ecmascript.


Well, it is ECMA calling Java. 🙂 I am not sure you will see a pure
ECMA implementation. But if you do, please report back.

> Did not see any ldap functions in the latest 4.7.2 advanced java class
> code. Did I miss something?


It is called LDAP Common (Package Catalog > Common > ECMAScript > NOVLLIBLDP).

> But thanks for sharing. May grab it after all.


Vice Admiral

This does the trick:


java.lang.System.setProperty("javax.net.ssl.trustStore", path);


I was setting env to an instance I never used. Thanks for your help and insights.
__________
Pekka Kuronen
Pegasi Oy / pegasi.fi
Knowledge Partner

kuronen wrote:

> This does the trick:
>
>
> Code:
> --------------------
>
> java.lang.System.setProperty("javax.net.ssl.trustStore", path);
>
> --------------------
>
>
> I was setting env to an instance I never used. Thanks for your help and
> insights.


Just be aware that this sets the truststore for all ECMA running on any driver.
We've had a situation where different ldapsearch configs were used by two
drivers and one of them always failed with cert issues, until we found out that
the driver started first wins and only its truststore is used by all drivers
until you restart eDirectory (when again the first driver starting wins). After
all, we set a system property and not anything limited to the ECMA instance or
driver only. That's also why you need to bounce eDir to activate changes to the
truststore and a driver restart is not enough, I guess.

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management
Vice Admiral
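The JVM-wide truststore problem above (and the earlier wish for a version that does not set the system keystore) can be avoided by handing each connection its own SSLSocketFactory. The Java below is an added example, not code from this thread or from the NetIQ packages; it assumes the JLDAP classes the thread mentions (LDAPJSSESecureSocketFactory / LDAPJSSEStartTLSFactory, each taking a javax.net.ssl.SSLSocketFactory), and the host, DNs, truststore path and passwords are placeholders. The same calls can be made from ECMAScript, since that is ECMA calling Java anyway.

```java
import com.novell.ldap.LDAPConnection;
import com.novell.ldap.LDAPJSSESecureSocketFactory;
import com.novell.ldap.LDAPJSSEStartTLSFactory;
import com.novell.ldap.LDAPSearchResults;
import com.novell.ldap.LDAPSocketFactory;
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class PerConnectionTlsSearch {
    // SSLSocketFactory that trusts only the CA certificates in the given JKS file.
    // No javax.net.ssl.* system property is touched, so each driver can carry its
    // own truststore in the same JVM instead of "first driver wins".
    static SSLSocketFactory socketFactoryFor(String trustStorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client keystore: server authentication only
        return ctx.getSocketFactory();
    }
    // useStartTls=false: LDAPS (usually port 636); true: cleartext port 389 upgraded with StartTLS.
    static LDAPConnection connect(String host, int port, boolean useStartTls, SSLSocketFactory ssf)
            throws Exception {
        LDAPSocketFactory lsf = useStartTls ? new LDAPJSSEStartTLSFactory(ssf)
                                            : new LDAPJSSESecureSocketFactory(ssf);
        LDAPConnection conn = new LDAPConnection(lsf); // per connection, not the static setSocketFactory()
        conn.connect(host, port);
        if (useStartTls) conn.startTLS(); // negotiate TLS before any bind credentials cross the wire
        return conn;
    }
    public static void main(String[] args) throws Exception {
        // Host, DNs, truststore path and passwords are placeholders for a real driver configuration.
        SSLSocketFactory ssf = socketFactoryFor("/path/to/driver-truststore.jks", "changeit".toCharArray());
        LDAPConnection conn = connect("ldap.example.com", 636, false, ssf);
        try {
            conn.bind(LDAPConnection.LDAP_V3, "cn=reader,o=example", "secret".getBytes("UTF-8"));
            LDAPSearchResults res = conn.search("o=example", LDAPConnection.SCOPE_SUB, "(cn=pekka)", new String[] {"mail"}, false);
            while (res.hasMore()) System.out.println(res.next().getDN());
        } finally {
            conn.disconnect();
        }
    }
}
```

Because the truststore lives in the connection rather than in a system property, a changed truststore takes effect on the next driver start without bouncing eDirectory.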

lhaeger;2494233 wrote:

> Just be aware that this sets the truststore for all ECMA running on any driver.
> [...]


Very good point, thanks. I was exploring the option but decided to add the certificates to the IDM keystore.

Doing ldap search with SSL seems more straightforward with InitialDirContext and can recommend it.
__________
Pekka Kuronen
Pegasi Oy / pegasi.fi