We are still encountering the problem detailed below that was described by
Steve over a year ago.
Is there anyone that can provide some insight on how we can solve this
problem?
What happens is that some of our applications must run 24x7 yet the user
certificates are changed every 90 days (or sooner based on other criteria).
When the certificates are changed while the applications are running we get
the INVALID_CREDENTIALS error.
We were able to solve this problem on C++ using the "ldap_unbind_s();
ldapssl_shutdown();" API calls (ldapssl_shutdown() was provided with the
LDAP C SDK 6.x).
As Steve points out there doesn't seem to be a way to do this with the Java
LDAP SDK.
After looking at the code the problem seems to be with a singleton that is
used as the JSS or libjss.so layer that is keeping the credentials from
being re-read. But a modification to the code would be difficult because
the entire design of JSS is based on this singleton.
How do other applications that run 24x7 deal with the problem with
certificates changing while they are running?
We are using the latest versions of the Java LDAP SDK and JSS.
Is there any active development being done on the Java LDAP SDK that is
currently at version 4.17 and has been for several years?
Is there any active development being done on JSS and libjss.so?
We need to use the JSSSocketFactory() provided by JSS because we need to use
the same type of certificates between the Java and C++ code.
JSSESocketFactory() provided by Java uses PKCS12 or JKS keys.
We have looked at the Java version of OpenLDAP but it appears to be a
wrapper around the JSSESocketFactory.
Thanks for any info you can provide.
david.
> This is sort of a follow-on to Mike's message of last Sept. 12.
> It, and Bug 352673 discussion, led us to be able to have our
> applications handle new certificates being created while the apps are
> running. We detect the INVALID_CREDENTIALS error and call:
> ldap_unbind_s()
> ldapssl_shutdown() (which calls SSL_ClearSessionCache() and
> NSS_Shutdown())
> ...and re-initialize, and everybody's happy - in our C++ world.
> ____________________
>
> Now we need to accomplish the same thing in our Java apps, but
> can't seem to make them let go of and re-fetch certificates.
> We connect with:
> jsf = new JSSSocketFactory(certDir)
> conn = new LDAPConnection(jsf)
> conn.connect()
> conn.authenticate(), using EXTERNAL mechanism
> After re-creating certificates while running, on the
> INVALID_CREDENTIALS error, we call:
> connection.disconnect()
> (which calls LDAPConnThread::deregister() and thus
> sendUnbindRequest() )
> SSLServerSocket.clearSessionCache()
> ...and re-initialize as in the beginning.
> But, we continue to get INVALID_CREDENTIALS errors.
> I'm guessing we're not cleaning up enough before re-initializing,
> but don't know what else to try (e.g. can't find a Java handle to an
> NSS_Shutdown() call, as in C)
> Thanks for any help.
> Steve
=====================
David Hinz
720-858-4334
S75 / A1715H
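The sequence Steve describes (connect through JSSSocketFactory, bind with SASL EXTERNAL, and on INVALID_CREDENTIALS disconnect, clear the SSL session cache and re-initialize) written out as a reusable wrapper. This is an added example, not code from either message or from the LDAP SDK/JSS projects. The host, port, certDir, the retry bound MAX_REINIT and the exact SASL authenticate() overload are assumptions; the one thing the wrapper adds to the thread's description is the bounded retry, so that an application whose re-initialization does not actually pick up the new certificates (the failure mode reported in both messages) surfaces the error instead of spinning on re-init forever.

```java
import java.util.Hashtable;

import netscape.ldap.LDAPConnection;
import netscape.ldap.LDAPException;
import netscape.ldap.factory.JSSSocketFactory;
import org.mozilla.jss.ssl.SSLServerSocket;

/**
 * Added example, not code from the mailing-list thread: wraps an LDAP
 * operation in the detect / tear-down / re-initialize cycle the thread
 * describes, with a bounded number of re-initializations.
 */
public class RotatingCertLdapClient {

    /** Assumption: how many re-inits to try before giving up and rethrowing. */
    private static final int MAX_REINIT = 2;

    private final String certDir; // NSS cert/key DB directory, as in new JSSSocketFactory(certDir)
    private final String host;    // assumption
    private final int port;       // assumption
    private LDAPConnection conn;

    public RotatingCertLdapClient(String certDir, String host, int port) {
        this.certDir = certDir;
        this.host = host;
        this.port = port;
    }

    /** Steve's connect sequence: JSSSocketFactory -> LDAPConnection -> connect -> SASL EXTERNAL bind. */
    private void open() throws LDAPException {
        JSSSocketFactory jsf = new JSSSocketFactory(certDir);
        conn = new LDAPConnection(jsf);
        conn.connect(host, port);
        // SASL EXTERNAL: the identity is the client certificate on the TLS session,
        // so no DN or password is passed. The overload used here is assumed from the
        // Mozilla LDAP Java SDK's SASL bind API.
        conn.authenticate(null, new String[] {"EXTERNAL"}, new Hashtable<String, Object>(), null);
    }

    /** Steve's tear-down: disconnect (which sends the unbind) and drop cached SSL sessions. */
    private void close() {
        if (conn != null) {
            try {
                conn.disconnect();
            } catch (LDAPException ignored) {
                // the connection is being discarded either way
            }
            conn = null;
        }
        SSLServerSocket.clearSessionCache();
    }

    /** An LDAP operation to run against the current connection. */
    public interface LdapOp<T> {
        T run(LDAPConnection c) throws LDAPException;
    }

    /**
     * Runs op; on INVALID_CREDENTIALS (result code 49) tears the connection down,
     * re-initializes and retries, at most MAX_REINIT times. Any other error, or
     * exhausting the retry budget, rethrows so the caller sees the failure.
     */
    public <T> T withReinit(LdapOp<T> op) throws LDAPException {
        for (int attempt = 0; ; attempt++) {
            try {
                if (conn == null) {
                    open();
                }
                return op.run(conn);
            } catch (LDAPException e) {
                if (e.getLDAPResultCode() != LDAPException.INVALID_CREDENTIALS
                        || attempt >= MAX_REINIT) {
                    throw e;
                }
                // Per the thread, this tear-down is enough in the C SDK (where
                // ldapssl_shutdown() also calls NSS_Shutdown()) but not with JSS,
                // whose singleton keeps the old certificates loaded. The bound on
                // attempts is what keeps that case from becoming an endless loop.
                close();
            }
        }
    }
}
```

A caller would do something like `client.withReinit(c -> c.search("dc=example,dc=com", LDAPConnection.SCOPE_SUB, "(uid=jdoe)", null, false))` and treat an LDAPException that escapes withReinit() as "re-initialization did not pick up the new certificate", which is the point at which a 24x7 process has to restart the JVM (or the native NSS layer) rather than keep retrying.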
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto