This conversation has been locked due to inactivity. Please create a new post.
We are setting up LDAP over SSL in the AEM 6.3 environment and imported all the required certs in the Java VM cacerts. We are getting the below exception:
06.06.2018 11:20:22.524 *ERROR* [qtp1318568182-277189] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider Error while connecting to the ldap server.
at org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:4190)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1314)
As per the Adobe documentation https://helpx.adobe.com/experience-manager/6-3/sites/administering/using/ldap-config.html , they said it is a known issue, see below. What are Netscape comments?
Known issues
If you plan on using LDAP over SSL, make sure the certificates you are using are created without the Netscape comment option. If this option is enabled, authentication will fail with a SSL Handshake error.
Did anyone get this issue? How did you resolve it?
Thanks in Advance.
Thanks,
Chandra
We have an LDAP article - but it does not use SSL.
Your message seems to indicate that the cert to connect is not valid.
Anyhow - I am following up with the doc team to see what they meant by this. I agree - this is not clear.
LDAP over HTTP is working for us; only SSL is not working.
Thank you for following up with the doc team. Please do let me know if you hear anything from them.
Thanks,
Chandra
Regarding the "Netscape Comment" issue, your certificate shouldn't contain any of the Netscape-related extensions such as this:
X509v3 extensions:
Netscape Comment:
OpenSSL Generated Certificate
To generate the cert without that included you would need to modify the openssl.cnf file:
1. Comment out all lines like this:
nsComment = "OpenSSL Generated Certificate"
Just add # before it, e.g.
#nsComment = "OpenSSL Generated Certificate"
2. Add this line if it doesn't exist:
extendedKeyUsage=serverAuth
You can validate the certificate with this command:
openssl x509 -text -noout -in certificate.crt
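The check described in the answer above can also be done on the certificate bytes instead of by reading the text dump. The following is an added example, not part of the original thread or of Adobe's documentation: it walks the DER structure and reports any extension whose OID sits under the Netscape arc (nsComment, nsCertType, and by generalization any other OID there). Function names and the `SAMPLE` bytes are constructed for illustration, and the extendedKeyUsage check from step 2 is not covered.

```python
import base64
import re

NETSCAPE_ARC = "2.16.840.1.113730.1."  # Netscape certificate-extension OID arc
KNOWN = {NETSCAPE_ARC + "1": "nsCertType", NETSCAPE_ARC + "13": "nsComment"}

def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and return its DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode(m.group(1))

def decode_oid(raw: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for byte in raw:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:          # high bit clear: last octet of this arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)    # the first two arcs share one encoded value
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first, *arcs[1:]])

def iter_oids(der: bytes):
    """Yield every OID in a DER blob, descending into constructed types only."""
    pos = 0
    while pos < len(der):
        tag, length = der[pos], der[pos + 1]
        pos += 2
        if length & 0x80:            # long form: low 7 bits give the length-of-length
            n = length & 0x7F
            length = int.from_bytes(der[pos:pos + n], "big")
            pos += n
        value = der[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated DER")
        if tag == 0x06:              # OBJECT IDENTIFIER (extnID is one of these)
            yield decode_oid(value)
        elif tag & 0x20:             # SEQUENCE, SET, [n] EXPLICIT wrappers
            yield from iter_oids(value)
        pos += length

def netscape_extensions(der: bytes) -> list:
    """Return names (or raw OIDs) of Netscape extensions found in the certificate."""
    return [KNOWN.get(o, o) for o in iter_oids(der) if o.startswith(NETSCAPE_ARC)]

# Constructed sample, not a real certificate: a single Extension carrying nsComment.
SAMPLE = bytes.fromhex("302c" "06096086480186f842010d" "041f" "161d") + b"OpenSSL Generated Certificate"
```

For a real file, pass `pem_to_der(open("certificate.crt").read())` to `netscape_extensions`; an empty list means no Netscape extension is present.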