See below for responses.
David B Hinz wrote, On 2008-09-11 09:13:
>> We are still encountering the problem detailed below that was described by
>> Steve over a year ago.
>>
>> Is there anyone that can provide some insight on how we can solve this
>> problem?
>>
>> What happens is that some of our applications must run 24x7 yet the user
>> certificates are changed every 90 days (or sooner based on other criteria).
>> When the certificates are changed while the applications are running we get
>> the INVALID_CREDENTIALS error.
> David, there are a number of details I'd like you to clarify.
>
> You've got a server and one (or more) client(s), but your description
> doesn't talk about either one specifically, and just says "we" and
> "the applications". So I'm going to ask you to clarify your description,
> and be very clear about whether you're talking about client or server for
> each aspect.
>
> Which one(s) of them must be up 24x7?
The LDAP servers are up 24x7 and are used for the normal Solaris login
authentication and also to authenticate our users with specific
applications before they are allowed to add/delete entries from the LDAP
server.
There are some client applications that once they are started also run
24x7. The applications also have a "username" associated with them and
use certificates to be authenticated. These applications provide
services to the apps that are more transient.
We also have client applications that the users start when they are
using the system that are only active for as long as they are logged in.
The user's apps make connections to the 24x7 applications to exchange
data. Some of that data is stored in LDAP.
> Which one(s) of them use the Java LDAP SDK?
Some of the client applications are written in C++ using the Mozilla
LDAP 6.0.2 C API. Other client applications are written in Java using
Mozilla LDAP JDK 4.17 and JSS 3.4 (we have just upgraded to JSS 4.25).
>
> Which one(s) of them has its certificates changed?
> That is, is it a client certificate being changed?
> Or, is it the server certificate being changed?
> Or both?
The certificates are changed for a user each time their password
expires. For the 24x7 apps this is at least every 90 days, sometimes
sooner if needed. When the password is changed new certificates are
generated. The certs are used by the LDAP server and the user when
running the transient or the 24x7 applications.
>
> Are your clients using certificate based client authentication?
Yes. Through SASL and EXTERNAL authentication.
>
> Where do these "INVALID_CREDENTIALS" errors appear?
> On the server?
> On the client?
The INVALID_CREDENTIALS error only happens with the client applications.
The C++ and the Java apps have the same problem. We have solved the
problem with the C++ app by calling ldapssl_shutdown() and ldap_unbind()
and then reauthenticating and rebinding. On Java that does not work.
> Is the client rejecting the server's certificate?
> Or is the server rejecting the client's certificate?
In the Java code the JSS (or libjss.so) code is apparently holding on to
the certificates when it first reads them. When the certs are changed
in the /home/user/.ldapcerts/key3.db and /home/user/.ldapcerts/cert7.db
they are not re-read so the user cannot be re-authenticated.
>
> Which certificates are being replaced every 90 days?
> The server's?
> The client's?
> Both?
In some ways both. The user's password changes, a new cert is generated
that is then used by the LDAP server and attempted to be used by the
Java applications.
>
> Are these certificates self-signed?
> Or are they issued by a CA (perhaps your own enterprise internal CA)?
> And, if by a CA, are you replacing the CA cert every 90 days?
They are self-signed for internal use only.
>
> Is the problem that you cannot insert the new certificate into the DB of
> the application (client or server) that is sending the certificate to its
> peer?
It doesn't seem to be. I'm aware of the problems with multi-user access
to the DBs that the certs are stored in.
> Or is the problem that the certificate must be inserted into the DB of
> the application that is receiving and verifying the cert, so that it will
> verify the (self-signed) cert it receives?
>
> Finally, if you had the ability to safely insert the new cert into
> the cert DB while the DB was in use, do you know how to get the
> application that uses it to switch to the new cert in the DB?
Probably not. We are only using the ldap and ldapssl APIs. We haven't
used any APIs any deeper than that. I've traced the ldapssl_shutdown()
C API and it does use the NSS API to close the DB. The problem occurs
even if we have a single client application reading the database. Each
user has their own certificates in the .ldapcerts directory. I'm not
positive how the server stores the certs.
Thanks for any help you can provide. I feel like we are making some
progress.
david.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto