Sending mail using javamail api from IBM Websphere Application Server - java

How to send mail using gmail from IBM Websphere Application Server 7 using javamail 1.4 api without using a certificate? I either get
javax.mail.MessagingException: Exception reading response; nested exception is:
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by OU=Equifax Secure Certificate Authority, O=Equifax, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
or
Must issue a STARTTLS command first
The same application works fine if I run it inside a main function in a java application. I have configured WAS mail sessions. Can someone please provide a working logic for the application and configuration in WAS for that?

Related

How to download an SSL certificate from an LDAP server using Java and establish an SSL connection using LDAPS?

I am trying to write a program for connecting to an LDAP server using Java code.
Connection Type - SSL
I am getting SSLHandshakeException which says I will have to use 'server certificate' to establish ssl connection -
javax.naming.CommunicationException: :636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
Could anyone please suggest how to download the SSL certificate from the server using Java code and then use that certificate while connecting to LDAP?
Here are the solutions I have tried, but they did not work -
How to read a Certificate attribute (caCertificate) from LDAP server (Java)?
How to make a call, via Java, with ssl and certificate to an ldap (AD)?
NOTE - I cannot override functionality of certificate verification/validation using custom socket factory

Getting "PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed" error on WEBLOGIC

After applying the latest Windows Updates I'm getting an:
Error 500--Internal Server Error
trying to access my URL using HTTP (not HTTPS!) protocol.
Looking in Weblogic logs, I found this error:
ServletContext#199346236[app:analytics module:analytics path:/analytics spec-version:2.5 version:11.1.1]] Root cause of ServletException.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed
How can I solve this issue?
I don't know where I can find this expired certificate and if this is the real problem because I'm not using an HTTPS protocol trying to access my site.
You will have to find the location of your certificates first or your certificates are located in your keystore. If so, you can display content of your keystore and check which certificates you have.
Do you use Weblogic in combination with OSB? If yes, then the keystore is probably configured in your Enterprise Manager. If not, then your keystore is configured on Weblogic level, which can be found at servers -> keystores tab.
I don't know if this is the solution but let's try it out.
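
One way to carry out the keystore check suggested above, as an added example that is not part of the original answer: it lists every certificate in a keystore whose validity window does not cover the current time, the condition Java reports as "timestamp check failed". It assumes Java 8 or later; the class name is hypothetical, and with no argument it reads the JVM's bundled cacerts file.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;

public class KeystoreExpiryAudit {
    public static void main(String[] args) throws Exception {
        // Default: the JVM's bundled trust store. Pass another keystore path as args[0].
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        Console console = System.console();
        // A null password still lists certificates in a JKS store (integrity check is skipped).
        char[] password = (args.length > 0 && console != null)
                ? console.readPassword("Password for %s: ", path) : null;
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        Instant now = Instant.now();
        int flagged = 0;
        for (String alias : Collections.list(ks.aliases())) {
            // Key entries carry a chain (identity keystore); trusted entries carry one certificate.
            Certificate[] certs = ks.isKeyEntry(alias)
                    ? ks.getCertificateChain(alias)
                    : new Certificate[] { ks.getCertificate(alias) };
            if (certs == null) continue;
            for (int i = 0; i < certs.length; i++) {
                if (!(certs[i] instanceof X509Certificate)) continue;
                X509Certificate c = (X509Certificate) certs[i];
                Instant notBefore = c.getNotBefore().toInstant();
                Instant notAfter = c.getNotAfter().toInstant();
                String status;
                if (now.isAfter(notAfter)) status = "EXPIRED";
                else if (now.isBefore(notBefore)) status = "NOT YET VALID";
                else if (Duration.between(now, notAfter).toDays() < 30) status = "EXPIRES SOON";
                else continue;
                flagged++;
                System.out.printf("%-13s alias=%s chain[%d] subject=%s notAfter=%s%n",
                        status, alias, i, c.getSubjectX500Principal().getName(), notAfter);
            }
        }
        System.out.println(flagged + " certificate(s) flagged in " + path);
    }
}
```

Run it once against the identity keystore and once against the trust keystore configured for the server, since either can hold the expired entry.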

LDAP over TLS with Spring framework

We developed a Java application to integrate LDAP users using Spring.
It works when the application connects to the LDAP server over LDAP (ldap://openldap:389).
I am facing a problem when connecting to the LDAP server over TLS (ldaps://openldap:636).
Environment:
TurnKey Open Ldap server VM is installed
A new self-signed certificate is generated. It is used at both the java app and LDAP server
Exception:
Caused by: org.springframework.ldap.CommunicationException: simple bind failed: openldap:636; nested exception is javax.naming.CommunicationException: simple bind failed: openldap:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching openldap found]
The following exception is thrown when a built-in certificate bundled in Turnkey Open Ldap VM is used at java app
org.springframework.ldap.CommunicationException: simple bind failed: openldap:636; nested exception is javax.naming.CommunicationException: simple bind failed: openldap:636 [Root exception is java.net.SocketException: Connection or outbound has closed]
This is a root certificate issue. I imported the wrong CA certificate into cacerts.
The root cause is that we looked in the wrong location for the certificate configuration in TurnKey Open Ldap.
The certificates are found in /etc/ldap/tls, but we wrongly looked in /etc/ssl/private.
It works after importing ca_cert.pem from /etc/ldap/tls into cacerts on the client side.

SSL Certificate chaining error in WAS happened intermittently

I'm facing a certificate chaining error in a Websphere application server. After installing the certificate, it works for the first request and gets a certificate chaining error for subsequent requests.
Please find the log file
javax.xml.ws.WebServiceException: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by EMAILADDRESS=*.#.com, CN=****, OU=****, O=****, ST=****, C= is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
There can be multiple reasons behind this error. You can enable WAS SSL logs and check the trace logs or share here.
PS: It has been observed that WAS serves a few incoming requests immediately after a certificate is installed. I experienced the same issue, and the reason was that the chain certificates were installed in the wrong sequence on the host side.

How can I resolve CertPathValidatorException

The error message below is thrown when the API request is sent. We have already configured the valid SSL certificate for this domain, and no error message is shown when it is opened in the browser.
SSL Cert provider: komodo
Caused by: java.security.cert.CertPathValidatorException: CA key usage check failed: keyCertSign bit is not set
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:326)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:246)
How can I resolve this problem?
You need to add the certification to the environment. The link below will be helpful if you deploy your application on WebLogic Server.
http://docs.oracle.com/cd/E13214_01/wli/docs70/b2bsecur/keystore.htm
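
A check for the two chain problems named on this page, chain certificates installed in the wrong sequence and an issuing certificate whose keyCertSign bit is not set, as an added example rather than code from any of the posts. The class name and the chain.pem path are placeholders; it expects a PEM bundle ordered leaf first and relies on the JDK's CertificateFactory returning certificates in file order.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

public class ChainOrderCheck {
    /** Returns the problems found; an empty list means every link in the bundle checks out. */
    static List<String> check(List<X509Certificate> chain) {
        List<String> problems = new ArrayList<>();
        for (int i = 0; i + 1 < chain.size(); i++) {
            X509Certificate cert = chain.get(i);
            X509Certificate issuer = chain.get(i + 1);
            String link = "cert[" + i + "] -> cert[" + (i + 1) + "]: ";
            if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                problems.add(link + "issuer/subject mismatch (wrong order or missing intermediate)");
                continue;
            }
            try {
                cert.verify(issuer.getPublicKey()); // names matched; now prove the signature
            } catch (GeneralSecurityException e) {
                problems.add(link + "signature does not verify: " + e.getMessage());
            }
            if (issuer.getBasicConstraints() < 0) {
                problems.add(link + "issuer is not marked as a CA in basicConstraints");
            }
            boolean[] usage = issuer.getKeyUsage(); // null when the extension is absent
            if (usage != null && !(usage.length > 5 && usage[5])) {
                problems.add(link + "issuer keyUsage lacks keyCertSign");
            }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "chain.pem"; // placeholder default
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        List<String> problems = check(chain);
        System.out.println(chain.size() + " certificate(s), " + problems.size() + " problem(s)");
        problems.forEach(System.out::println);
    }
}
```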
