Use Apache Directory Studio to connect to a Symantec Directory DSA through SSL
Article ID: 405119

Products

CA Directory

Issue/Introduction

Compared to JXplorer, which originated at CA Technologies and has since been open sourced, Apache Directory Studio is another popular GUI-based LDAP browser.

This article is intended to mirror what is presented in

Use JXPlorer to connect to a Symantec Directory DSA through SSL

in order to clarify the sometimes confusing topic of LDAPS connectivity.

Note that LDAPS behavior on the client side is very much implementation specific. In short, different LDAP clients do exhibit different behaviors. This should not come as a surprise; in this day and age, different web browsers exhibit different behaviors too.

Environment

Release: 14.1
Component: CA Directory

Resolution

Scope of Testing

Originally, we hoped to be able to deliver positive results for the following:

  • Apache Directory Studio connection to a Symantec Directory DSA using SSL/TLS
  • Apache Directory Studio connection to a Symantec Directory DSA using a public key certificate

However, after an extended search of the Internet and the tests conducted thus far, we have concluded that Apache Directory Studio does not appear to support using a public key certificate to connect to a Symantec Directory DSA, at least not through the commonly used SASL/EXTERNAL authentication scheme. Hence, we only share the

  • Apache Directory Studio connection to a Symantec Directory DSA using SSL/TLS

experience within this article.

 

Setting Up Testing Environment

To demonstrate the different ways Apache Directory Studio uses SSL/TLS to connect to a Symantec Directory DSA, we need a working Symantec Directory DSA that offers an ldaps endpoint. Three out-of-the-box samples that come with a standard Directory Server installation allow us to set this up easily.

Set up the three samples, democorp, unspsc, and ssl:

cd /d "%DXHOME%\samples\unspsc"
setup.bat -q
cd ..\democorp
setup.bat -q
cd ..\ssl
setup.bat SHA1 -q

or

cd "$DXHOME/samples/unspsc"
./setup.sh -q
cd ../democorp
./setup.sh -q
cd ../ssl
./setup.sh SHA1 -q

Install JRE and Apache Directory Studio

Download and install a JRE release of your choice. In this article we used releases of Oracle JRE 8, OpenJDK 11 and OpenJDK 17. The various Oracle 8 downloads are currently located at Java Archive | Oracle. The OpenJDK releases have recently become harder to navigate: the latest releases can be downloaded from Download Temurin® JDK, while for release archives you will probably have to start from Adoptium Repositories and work through them on your own.

Download and install the desired version of Apache Directory Studio from Apache Directory Studio Downloads. To install multiple versions of Apache Directory Studio using the prebuilt binary, install one version, copy the whole subdirectory to a different location, run the uninstaller to remove the installed version, and then install the next version. After starting Apache Directory Studio, click Help/About Apache Directory Studio to see its version and build.

To identify the JRE in use, click Installation Details/Configuration, where you will be able to locate entries like the following:

java.home=C:\Program Files\Eclipse Adoptium\jre-11.0.26.4-hotspot
java.io.tmpdir=C:\Users\imsadmin\AppData\Local\Temp\
java.library.path=C:\Program Files\Apache Directory Studio;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:\Program Files\Eclipse Adoptium\jre-11.0.26.4-hotspot\bin;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\ProgramData\GooGet;C:\Program Files\Google\Compute Engine\metadata_scripts;C:\Program Files\Google\Compute Engine\sysprep;C:\Program Files\PuTTY\;C:\Program Files\CA\Directory\dxserver\bin;C:\Program Files\CA\Directory\dxserver\dxagent\python-embed-amd64;C:\Users\imsadmin\AppData\Local\Microsoft\WindowsApps;.
java.runtime.name=OpenJDK Runtime Environment
java.runtime.version=11.0.26+4
java.specification.maintenance.version=3
java.specification.name=Java Platform API Specification
java.specification.vendor=Oracle Corporation
java.specification.version=11
java.vendor=Eclipse Adoptium
java.vendor.url=https://adoptium.net/
java.vendor.url.bug=https://github.com/adoptium/adoptium-support/issues
java.vendor.version=Temurin-11.0.26+4
java.version=11.0.26
java.version.date=2025-01-21
java.vm.info=mixed mode
java.vm.name=OpenJDK 64-Bit Client VM
java.vm.specification.name=Java Virtual Machine Specification
java.vm.specification.vendor=Oracle Corporation
java.vm.specification.version=11
java.vm.vendor=Eclipse Adoptium
java.vm.version=11.0.26+4
jdk.debug=release

Use Case Testing

Discover the IP address the DSA democorp Uses

netstat -an | findstr 19389

or

netstat -an | grep 19389

An entry similar to the following appears when the democorp DSA has started correctly.

  TCP    ###.###.###.###:19389    0.0.0.0:0              LISTENING

Start the Apache Directory Studio

On a Windows machine, the installer of Apache Directory Studio creates a shortcut that starts Apache Directory Studio by first changing the current directory to the Apache Directory Studio subdirectory, similar to:

"C:\Program Files\Apache Directory Studio"

and then starting the executable, similar to:

"C:\Program Files\Apache Directory Studio\ApacheDirectoryStudio.exe"

The choice of a particular JRE is controlled through the Windows environment settings, in particular the PATH variable. For example, running the following from a Windows command prompt:

cd /d "C:\Program Files\Apache Directory Studio"
PATH=C:\Program Files\Eclipse Adoptium\jre-11.0.26.4-hotspot\bin;%PATH%
start .\ApacheDirectoryStudio.exe

will start the installed Apache Directory Studio using the OpenJDK 11.0.26.4 build. You can start a different copy of Apache Directory Studio by changing directory to where you copied it and starting it from there.

Test Case 1: Apache Directory Studio SSL+Anonymous Connection

Initial Attempt

  1. Launch Apache Directory Studio
  2. Create a New LDAP Connection and provide a connection name
  3. Set the Hostname to the IP address located: ###.###.###.###
  4. Set the Port to 19389
  5. Set the Encryption method to "Use SSL encryption (ldaps://)"
  6. Leave the Provider as it is (Apache Directory LDAP Client API)
  7. Click on Check Network Parameter

This will show a "Certificate Trust" window that reports:

'###.###.###.###' uses an invalid certificate:

- The issuer certificate is unknown

- The server's host name does not match the certificate's host name

Here you have the option to click "View Certificate..." to inspect the certificate the Symantec Directory DSA presents, and then to choose one of

Don't trust this certificate

Trust this certificate for this session

Always trust this certificate

Throughout this article we simply click "Trust this certificate for this session" to continue. You will then see an error window stating "The connection failed - ERR_04122_SSL_CONTEXT_INIT_FAILURE Failed to initialize the SSL context".

    8. Click on the "Authentication" tab and set the "Authentication Method" to "No Authentication"
    9. Click on "Apply and Close" to finish setting up this connection.
   10. Since you chose "Trust this certificate for this session", you can disconnect and reconnect this connection as often as you like before closing
         Apache Directory Studio, and it will always work. However, if you close Apache Directory Studio and restart it, you will have to decide again whether
         to trust this certificate.

Summary

  1. The choice of "Trust this certificate for this session" allows Apache Directory Studio to trust the certificate issuer, ignore the "The server's host name does not match the certificate's host name" warning, and proceed to establish an ldaps connection with a Symantec DSA that supports it.
  2. The choice of "Always trust this certificate" imports the certificate issuer into a storage area and trusts it, ignores the "The server's host name does not match the certificate's host name" warning, and allows Apache Directory Studio to proceed to establish an ldaps connection with a Symantec DSA that supports it.
  3. The "certificate issuer" storage area can be viewed by navigating to Window/Preferences/Apache Directory Studio/Connections/Certificate Validation, where the "Permanent Trusted" and "Temporary Trusted" lists correspond to the two choices above.

Both choices pin trust to the certificate that happened to be presented instead of validating it, so they are fine for this sample setup but are not a substitute for correcting the certificate and host name as described in the next section.

Correct "The server's host name does not match the certificate's host name" Error

The following procedures, written in

Use JXPlorer to connect to a Symantec Directory DSA through SSL

under the Correct "No subject alternative names present" Error section, also correct the "The server's host name does not match the certificate's host name" error, as it is the same issue:

1. Configure the host-name value in democorp.dxc under config/knowledge

2. Allow the name DXserver to resolve to the IP address democorp is listening on

3. Use dxcertgen to set the SAN directly, without using the setup under samples/ssl

4. Use a release of JRE that does not check the subject alternative name at all

Items 1 to 3 make the certificate and the name the client connects to agree, so the check passes; item 4 simply removes the check and is only appropriate in a lab.
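The following script is an added example, not code from the Broadcom article and not a Symantec Directory tool. It reproduces, with openssl alone, the two findings the "Certificate Trust" window reports (unknown issuer, host name mismatch) and shows why items 2 and 3 above make the mismatch go away: a host given by name is matched against DNS subject alternative names, with the CN consulted only when the certificate has no SAN at all, while a host given by IP address is matched against IP subject alternative names only. The CA name "DemoCA", the address 192.0.2.10 and the certificate file names are placeholders chosen for the example; "DXserver" is the DSA host name from the procedures above. It assumes openssl 1.1.1 or 3.x on PATH.

```shell
#!/bin/sh
# Added example; not part of the Broadcom article and not a Symantec Directory
# tool. Rebuilds the "Certificate Trust" findings with openssl so that a
# certificate produced with dxcertgen, or a hosts-file change, can be checked
# before Apache Directory Studio is involved. Assumptions: openssl 1.1.1 or 3.x
# is on PATH; "DXserver" is the DSA host-name; 192.0.2.10 and "DemoCA" are
# placeholders for the DSA address and the issuing CA.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throw-away CA standing in for whatever issued the DSA's certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=DemoCA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# issue_cert NAME CN SAN : write a CA-signed $WORK/NAME.pem; SAN may be "".
issue_cert() {
  name=$1; cn=$2; san=$3
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  if [ -n "$san" ]; then
    printf 'subjectAltName=%s\n' "$san" > "$WORK/$name.ext"
    set -- -extfile "$WORK/$name.ext"
  else
    set --
  fi
  openssl x509 -req -days 30 -in "$WORK/$name.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$name.pem" "$@" \
    >/dev/null 2>&1
}

# check_endpoint CERT HOST [CAFILE] : the two checks a TLS client performs
# before the LDAP bind, reported as one word:
#   unknown-issuer     no trust anchor for the chain (first finding)
#   hostname-mismatch  chain trusted, but HOST is not covered by the certificate
#   ok                 both checks pass
# A name is matched against DNS SANs (CN only when there is no SAN);
# an address is matched against IP SANs only.
check_endpoint() {
  cert=$1; host=$2; cafile=${3:-}
  case $host in
    *[!0-9.]*) sel=-verify_hostname ;;
    *)         sel=-verify_ip ;;
  esac
  if [ -n "$cafile" ]; then
    out=$(openssl verify -CAfile "$cafile" $sel "$host" "$cert" 2>&1) || true
  else
    out=$(openssl verify $sel "$host" "$cert" 2>&1) || true
  fi
  if printf '%s\n' "$out" | grep -qi -e 'hostname mismatch' -e 'ip address mismatch'; then
    echo hostname-mismatch
  elif printf '%s\n' "$out" | grep -qi -e 'local issuer' -e 'self.signed'; then
    echo unknown-issuer
  elif printf '%s\n' "$out" | grep -q ': OK$'; then
    echo ok
  else
    echo "unexpected openssl output: $out" >&2
    return 1
  fi
}

# report CERTNAME HOST [ca] : one line per scenario, for reading the results.
report() {
  ca=""; [ "${3:-}" = ca ] && ca="$WORK/ca.pem"
  printf '%-6s %-12s %-5s -> %s\n' "$1" "$2" "${3:-none}" \
    "$(check_endpoint "$WORK/$1.pem" "$2" "$ca")"
}

# nosan: a certificate with a CN only and no SAN, the situation the findings
#        above describe.
# san:   what items 2 and 3 produce, the DSA name and address in the SAN.
issue_cert nosan DXserver ""
issue_cert san   democorp "DNS:DXserver,IP:192.0.2.10"

report nosan DXserver          # unknown-issuer: nothing anchors the chain
report nosan DXserver   ca     # ok: no SAN, so the CN is allowed to match
report nosan 192.0.2.10 ca     # hostname-mismatch: by IP, the CN is never used
report san   DXserver   ca     # ok
report san   192.0.2.10 ca     # ok: IP SAN present
report san   democorp   ca     # hostname-mismatch: SAN present, CN ignored
```

The third line of the report is the case the article hits: connecting by IP address to a certificate that carries no IP subject alternative name fails even once the issuer is trusted. Either connect by the name in the certificate (item 2) or put the address into the SAN with dxcertgen (item 3).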

Note that different releases of Apache Directory Studio have different JRE version requirements:

  • JRE 1.7: M12
  • JRE 1.8: M13, M14, M15
  • JRE 11: M16, M17

Test Case 2: Apache Directory Studio SSL + User + Password Connection

After going through Test Case 1: Apache Directory Studio SSL + Anonymous Connection, we can also set a password for an entry such as "cn=Marco DREW,ou=Information,ou=Corporate,o=DEMOCORP,c=au". Then we can proceed with this test case, and it should just work:

  1. Launch Apache Directory Studio
  2. Set the Host to the IP address located, or to DXserver if the hosts file was modified
  3. Set the Port to 19389
  4. Set the Encryption method to "Use SSL encryption (ldaps://)"
  5. Click on the "Authentication" tab and set the "Authentication Method" to "Simple Authentication"
  6. Set the Bind DN or user to cn=Marco DREW,ou=Information,ou=Corporate,o=DEMOCORP,c=au
  7. Click connect, supply the password and click on OK

Epilogue

Since Apache Directory Studio does not yet support the commonly used SASL/EXTERNAL authentication scheme, and the other authentication schemes it claims to support, DIGEST-MD5 (SASL), CRAM-MD5 (SASL) and GSSAPI (Kerberos), are not applicable to Symantec Directory, our study stops here.