kuronen Super Contributor.

Ecmascript ldapsearch with SSL / TLS

Did anyone implement TLS / SSL in their Ecmascript ldapsearch? It does not look very complicated and seems to be doable at least with LDAPJSSEStartTLSFactory.
Knowledge Partner

Re: Ecmascript ldapsearch with SSL / TLS

kuronen wrote:

>
> Did anyone implement TLS / SSL in their Ecmascript ldapsearch? It does
> not look very complicated and seems to be doable at least with
> LDAPJSSEStartTLSFactory.


I have a packaged version available in my public repo at
https://www.brummelhook.com/download/idm/ (part of "BitsNdPieces"
v1.0.9.20160407105251) and I believe one of the standard packages from NetIQ
now supports TLS, too. Sorry, I forget its exact name, part of the AJC-ECMA
package, maybe?
______________________________________________
https://www.is4it.de/identity-access-management
kuronen Super Contributor.

Re: Ecmascript ldapsearch with SSL / TLS

You've got it in a Java class, but I kinda hoped to do it with ECMAScript. Did not see any LDAP functions in the latest 4.7.2 Advanced Java Class code. Did I miss something?

But thanks for sharing. May grab it after all.
Knowledge Partner

Re: Ecmascript ldapsearch with SSL / TLS

kuronen wrote:

> You've got it in java class but I kinda hoped to do it with ecmascript.


Nope, it's an ECMA resource in a library. Add
https://www.brummelhook.com/download/idm/ as an Online-Repo to Designer, then
run Help - Check for Package Updates....

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management
Knowledge Partner

Re: Ecmascript ldapsearch with SSL / TLS

Lothar Haeger wrote:

> Add https://www.brummelhook.com/download/idm/ as an Online-Repo to Designer


Well, https://www.brummelhook.com/download/idm/packages/ would be the correct
URL...
______________________________________________
https://www.is4it.de/identity-access-management
kuronen Super Contributor.

Re: Ecmascript ldapsearch with SSL / TLS

Still experimenting here... and it looks like using InitialDirContext makes LDAP a breeze, as I got it calling the server's LDAP in minutes, but I am stuck on one problem. It seems that I cannot get keystore data to the Java LDAP operations with:


var props = new java.util.Properties(System.getProperties());
props.setProperty("javax.net.ssl.trustStore", "/tmp/cacerts");
props.setProperty("javax.net.ssl.trustStorePassword","xxx");
props.setProperty("javax.net.ssl.keyStore", "/tmp/cacerts");
props.setProperty("javax.net.ssl.keyStorePassword","xxx");


Is that the right way to set java System.properties in Ecmascript? I tried outputting System.getProperties after setting the above:


return System.getProperty("javax.net.ssl.keyStore");


But got null. I probably can just set the values in the init files and use the already included keystore but that left me wondering.
Knowledge Partner

Re: Ecmascript ldapsearch with SSL / TLS

kuronen wrote:

> It seems that I cannot get keystore data to the
> java ldap operations with:


You need to restart eDirectory for the ECMA to pick up changes to the keystore,
unfortunately.

> Is that the right way to set java System.properties in Ecmascript?


It's one way to do it and it works. 🙂 I'm pretty sure it's possible to
implement it without setting the system keystore, but I've never got around to
implementing it. If you can make it happen, please share your code!
______________________________________________
https://www.is4it.de/identity-access-management
cpedersen Outstanding Contributor.

Re: Ecmascript ldapsearch with SSL / TLS

On 23.01.19 16:11, Lothar Haeger wrote:
> kuronen wrote:
>
>> It seems that I cannot get keystore data to the
>> java ldap operations with:

>
> You need to restart Edirectory for the ECMA to pick up changes to the keystore,
> unfortunately.
>
>> Is that the right way to set java System.properties in Ecmascript?

>
> It's one way to do it and it works. 🙂 I'm pretty sure it's possible to
> implement without setting the system keystore, but I've never come around to
> implement it. If you can make it happen, please share your code!
>


You might get around the system cacert by using SSL instead of TLS.

This is what I do with Java:

import java.security.Security;
import com.novell.ldap.LDAPConnection;
import com.novell.ldap.LDAPJSSESecureSocketFactory;

// keystorePath / keystorePassword point at the driver's own truststore, not the system cacerts
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
System.setProperty("javax.net.ssl.trustStore", keystorePath);
System.setProperty("javax.net.ssl.trustStorePassword", keystorePassword);
LDAPJSSESecureSocketFactory ssf = new LDAPJSSESecureSocketFactory();
LDAPConnection.setSocketFactory(ssf);  // static: applies to every LDAPConnection in this JVM

I am not sure about the addProvider, as I've been using this for years.


But I do not have to import anything into my system cacerts file.
Casper
Knowledge Partner

Re: Ecmascript ldapsearch with SSL / TLS

On 1/23/2019 8:04 AM, kuronen wrote:
>
> You've got it in java class but I kinda hoped to do it with ecmascript.


Well, it is ECMA calling Java. 🙂 I am not sure you will see a pure
ECMA implementation. But if you do, please report back.

> Did not see any ldap functions in the latest 4.7.2 advanced java class
> code. Did I miss something?


It is called LDAP Common. In Designer you find it under
Package Catalog > Common > ECMAScript > NOVLLIBLDP

> But thanks for sharing. May grab it after all.


kuronen Super Contributor.

Re: Ecmascript ldapsearch with SSL / TLS

This does the trick:


java.lang.System.setProperty("javax.net.ssl.trustStore", path);


I was setting env to an instance I never used. Thanks for your help and insights.
Knowledge Partner

Re: Ecmascript ldapsearch with SSL / TLS

kuronen wrote:

> This does the trick:
>
>
> Code:
> --------------------
>
> java.lang.System.setProperty("javax.net.ssl.trustStore", path);
>
> --------------------
>
>
> I was setting env to an instance I never used. Thanks for your help and
> insights.


Just be aware that this sets the truststore for all ECMA running on any driver.
We've had a situation where different ldapsearch configs were used by two
drivers and one of them always failed with cert issues. Until we found out that
the driver started first wins and only its truststore is used by all drivers
until you restart eDirectory (when again the first driver starting wins). After
all, we set a system property and not anything limited to the ECMA instance or
driver only. That's also why you need to bounce eDir to activate changes to the
truststore and a driver restart is not enough, I guess.

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management
kuronen Super Contributor.

Re: Ecmascript ldapsearch with SSL / TLS

lhaeger;2494233 wrote:
kuronen wrote:

> This does the trick:
>
>
> Code:
> --------------------
>
> java.lang.System.setProperty("javax.net.ssl.trustStore", path);
>
> --------------------
>
>
> I was setting env to an instance I never used. Thanks for your help and
> insights.


Just be aware that this sets the truststore for all ECMA running on any driver.
We've had a situation where different ldapsearch configs were used by two
drivers and one of them always failed with cert issues. Until we found out that
the driver started first wins and only its truststore is used by all drivers
until you restart eDirectory (when again the first driver starting wins). After
all, we set a system property and not anything limited to the ECMA instance or
driver only. That's also why you need to bounce eDir to activate changes to the
truststore and a driver restart is not enough, I guess.

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)


Very good point, thanks. I was exploring the option but decided to add the certificates to the IDM keystore.

Doing an LDAP search with SSL seems more straightforward with InitialDirContext and I can recommend it.
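The thread settles on InitialDirContext over ldaps, with the trusted CA set via the JVM-wide javax.net.ssl.trustStore system property, and Lothar's warning explains the cost: every driver in the engine's JVM shares that one setting, first driver wins, and only an eDirectory restart picks up a change. The Java below is an added example (not code from the thread, from NetIQ, or from any of the posters) of the alternative Lothar says should be possible: the driver hands JNDI its own SSLSocketFactory through the standard JNDI LDAP provider property java.naming.ldap.factory.socket, built from a driver-specific truststore, so no global property is touched and two drivers can trust different CAs. Host name, bind DN, base DN, truststore path and passwords are placeholders, and the class is assumed to be on the engine's classpath so the ECMAScript side can call DriverTrustStoreLdapSearch.searchUsers(...) the same way the thread's code calls other Java classes.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class DriverTrustStoreLdapSearch {

    /**
     * Socket factory that trusts only the CAs in this driver's own truststore.
     * JNDI instantiates it by class name through the static getDefault() method,
     * so nothing here sets javax.net.ssl.trustStore or any other JVM-global property.
     */
    public static class DriverSocketFactory extends SSLSocketFactory {
        // Placeholder per-driver values; a real driver would read them from GCVs / named passwords.
        static final String TRUST_STORE_PATH = "/path/to/driver-truststore.jks";
        static final char[] TRUST_STORE_PASSWORD = "changeit".toCharArray();

        private static final SSLSocketFactory DELEGATE = build();

        private static SSLSocketFactory build() {
            try (InputStream in = new FileInputStream(TRUST_STORE_PATH)) {
                KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
                trust.load(in, TRUST_STORE_PASSWORD);
                TrustManagerFactory tmf =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                tmf.init(trust);
                SSLContext ctx = SSLContext.getInstance("TLS");
                ctx.init(null, tmf.getTrustManagers(), null); // server auth only, no client key
                return ctx.getSocketFactory();
            } catch (Exception e) {
                throw new IllegalStateException("cannot load driver truststore " + TRUST_STORE_PATH, e);
            }
        }

        public static SSLSocketFactory getDefault() { return new DriverSocketFactory(); }

        // Every socket is created by the delegate built from the driver truststore.
        @Override public String[] getDefaultCipherSuites() { return DELEGATE.getDefaultCipherSuites(); }
        @Override public String[] getSupportedCipherSuites() { return DELEGATE.getSupportedCipherSuites(); }
        @Override public Socket createSocket() throws IOException { return DELEGATE.createSocket(); }
        @Override public Socket createSocket(Socket s, String h, int p, boolean c) throws IOException { return DELEGATE.createSocket(s, h, p, c); }
        @Override public Socket createSocket(String h, int p) throws IOException { return DELEGATE.createSocket(h, p); }
        @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException { return DELEGATE.createSocket(h, p, lh, lp); }
        @Override public Socket createSocket(InetAddress h, int p) throws IOException { return DELEGATE.createSocket(h, p); }
        @Override public Socket createSocket(InetAddress h, int p, InetAddress lh, int lp) throws IOException { return DELEGATE.createSocket(h, p, lh, lp); }
    }

    /** One subtree search over ldaps://; returns the number of entries found. */
    public static int searchUsers(String url, String bindDn, String bindPassword,
                                  String baseDn, String filter) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        // Standard JNDI LDAP provider property: class name of the socket factory to use.
        env.put("java.naming.ldap.factory.socket", DriverSocketFactory.class.getName());
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);

        DirContext ctx = new InitialDirContext(env); // TLS handshake and bind happen here
        int count = 0;
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(new String[] {"cn", "mail"});
            NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, controls);
            while (results.hasMore()) {
                SearchResult entry = results.next();
                System.out.println(entry.getNameInNamespace());
                count++;
            }
        } finally {
            ctx.close();
        }
        return count;
    }

    public static void main(String[] args) throws NamingException {
        // Placeholder host, bind DN, base DN and filter; none of these come from the thread.
        int n = searchUsers("ldaps://ldap.example.com:636",
                            "cn=svc-ldapsearch,ou=services,o=example", "placeholder-password",
                            "ou=users,o=example", "(objectClass=inetOrgPerson)");
        System.out.println(n + " entries");
    }
}
```

Because the trust decision lives in the socket factory rather than in a system property, a second driver can ship its own factory class with a different truststore, and reloading a changed truststore only needs the class to be reloaded rather than an eDirectory bounce. On JDK 8u181 and later the JNDI LDAP provider also performs endpoint (host name) verification on ldaps connections by default; on older JDKs that check is not done for you, so confirm the certificate's subject or SAN matches the host you connect to before relying on this.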