Oracle Analytics Cloud and Server


LDAP connection for authentication

User_B7ZTH
User_B7ZTH Rank 5 - Community Champion

Hello Experts,

I am trying to connect to do the LDAP authentication for a new environment.

     Environment - OBI12c

     Cluster - NO

     EM roles - Imported via .bar file

     Created a new provider and done the same configuration similar to dev, but whenever I am trying to save and connect, it throws me an error:-

     [Security:090834]No LDAP connection could be established. ldaps://<servername/IP>:636 Cannot connect to the LDAP server

After googling, I learnt that some LDAP certificates also need to be configured in the keystore and cacerts.

I have also got the command to import certificates:-

      keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -alias <alias> -file <root CA file> -storepass <password> -noprompt

I am confused about what the -alias <alias> name is here.

How should I get it?

I have already got the CAcert for ldap server.

Thanks for all your response.

Abhi

Answers

  • Geoff Winkworth
    Geoff Winkworth Rank 3 - Community Apprentice

    Can't speak to the SSL-enabled portion of your issue; we've never been able to get SSL-enabled LDAP to work.

    As for the alias, it's just a way of identifying or tagging your certificate.  That said, I think the format for importing a trusted CA cert should be:

    keytool -importcert -v -noprompt -trustcacerts -alias <alias> -file <root CA file> -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass <password>

  • User_B7ZTH
    User_B7ZTH Rank 5 - Community Champion

    Thank you for your response Geoff.

    The command is correct; even I got the same command while googling it.

    keytool -importcert -v -noprompt -trustcacerts -alias <alias> -file <root CA file> -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass <password>

    It will be great if you can let me know what -alias <alias> is and how we can find it.

    I have the cacerts that need to be imported; can we somehow grep the alias name, or is it a generic name which we can give while importing?

    Kindly guide.

    Thanks for all your help.

    Regards,

    Abhi

  • Geoff Winkworth
    Geoff Winkworth Rank 3 - Community Apprentice

    Abhi, the alias can be whatever you want it to be; you can call it Fred if you want to.

    In our organization we have a root CA and two intermediate CAs.  I simply called them NSSRoot, NSSInt, NSSSub.  I gave my server certificate the alias of... wait for it - server_cert.

    If I want to see all of my certs contained in cacerts or some other keystore, e.g. MyIdentity.jks or TrustStore.jks, I simply use keytool to list the contents to a text file and grep that.

    $ keytool -list -v -keystore cacerts -storepass <password> > contents.txt

    $ cat contents.txt | grep NSS

  • User_B7ZTH
    User_B7ZTH Rank 5 - Community Champion

    Hello Geoff,

    I tried the below command to import the certificate and got this error.

    Command executed:-

    keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -alias ldapubalias -file /u01/app/obiee/share/aldaps_new.p7b -storepass changeit -noprompt

    Error received:-

    Keytool error: java.lang.Exception: Input not an X.509 certificate

    Now someone told me to import the certificate aldaps.group.com.pem, but I believe that .pem extension certificates need a different approach.

    Thank you for all your guidance till now.

    Regards,

    Abhi

  • handat
    handat Rank 5 - Community Champion

    Keytool only understands certain types of files that it can import, namely its native DER format, or the commonly used PEM format, which is a base64 encoded text file. A .p7b is not supported by keytool. You can either re-export your certificate as a .pem instead of a .p7b or use openssl to convert it as follows:

    openssl pkcs7 -print_certs -in aldaps_new.p7b -out aldaps_new.pem

  • User_B7ZTH
    User_B7ZTH Rank 5 - Community Champion

    Hello Handat,

    Thank you for your response. I have already got the certificate in .pem format, so the command to import these certificates will be as below:-

    keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -alias upmldapss -file /u01/app/obiee/share/aaldaps_new.pem -storepass changeit -noprompt

    Kindly correct me if I am wrong.

    Thanks a lot for your help.

    Abhi

  • handat
    handat Rank 5 - Community Champion

    The command does not change; it will be the same. Just make sure you import all the PEM files that are part of the chain, or put them all together in a single PEM file.
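    Added example, not code from the thread or from Oracle tooling: it tells apart what keytool will import (an X.509 certificate in DER or PEM) from a PKCS#7 bundle (the .p7b that produced "Input not an X.509 certificate"), and splits a concatenated PEM chain into one import per member so that every CA in the chain lands in cacerts under its own alias. The DER samples are constructed stand-ins with the right ASN.1 shape, not real certificates; `ldap-ca` and `<password>` are placeholders.

```python
import base64
import re
import ssl
from typing import List

# Constructed sample DER, not real certificates: the first two are shaped like an X.509
# Certificate (outer SEQUENCE starting with the tbsCertificate SEQUENCE), the third like
# PKCS#7 ContentInfo (outer SEQUENCE starting with the signedData OID), i.e. a .p7b.
FAKE_CERT_DER = b"\x30\x82\x00\x08\x30\x06\x02\x01\x01\x02\x01\x02"
FAKE_CERT2_DER = b"\x30\x82\x00\x08\x30\x06\x02\x01\x02\x02\x01\x03"
FAKE_PKCS7_DER = b"\x30\x0b\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
SAMPLE_CHAIN = ssl.DER_cert_to_PEM_cert(FAKE_CERT_DER) + ssl.DER_cert_to_PEM_cert(FAKE_CERT2_DER)
SAMPLE_P7B_PEM = "-----BEGIN PKCS7-----\n" + base64.b64encode(FAKE_PKCS7_DER).decode() + "\n-----END PKCS7-----\n"
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _inner_tag(der: bytes) -> int:
    """Tag of the first element inside the outer SEQUENCE, skipping the DER length octets."""
    if len(der) < 3 or der[0] != 0x30:
        return -1
    n = der[1]
    offset = 2 + ((n & 0x7F) if n & 0x80 else 0)  # long-form length uses n & 0x7F extra bytes
    return der[offset] if offset < len(der) else -1

def classify(data: bytes) -> str:
    """'x509-pem' / 'x509-der' are what keytool imports; 'pkcs7-*' (a .p7b) is what produces
    'Input not an X.509 certificate' and must go through openssl pkcs7 -print_certs first."""
    m = PEM_BLOCK.search(data.decode("ascii", errors="replace"))
    label, der, enc = (m.group(1), base64.b64decode(m.group(2)), "pem") if m else (None, data, "der")
    tag = _inner_tag(der)
    if tag == 0x30 and label in (None, "CERTIFICATE"):
        return f"x509-{enc}"
    if tag == 0x06 and label in (None, "PKCS7"):
        return f"pkcs7-{enc}"
    return "unknown"

def split_chain(bundle: str) -> List[str]:
    """Each CERTIFICATE block of a concatenated PEM chain as its own PEM string."""
    certs = []
    for label, body in PEM_BLOCK.findall(bundle):
        pem = f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
        if classify(pem.encode()) != "x509-pem":
            raise ValueError(f"{label} block is not an X.509 certificate; convert it first")
        certs.append(pem)
    return certs

def import_commands(bundle: str, alias_prefix: str, keystore: str) -> List[str]:
    """One keytool -importcert per chain member; the alias is only a label you choose.
    Assumes member i has been written out as <alias_prefix>-<i>.pem."""
    return [f"keytool -importcert -noprompt -trustcacerts -alias {alias_prefix}-{i} "
            f"-file {alias_prefix}-{i}.pem -keystore {keystore} -storepass <password>"
            for i in range(len(split_chain(bundle)))]
```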

  • User_B7ZTH
    User_B7ZTH Rank 5 - Community Champion

    Hello Handat,

    I was able to import the certificates and configure it.

    I can also see the user and groups now.

    But unfortunately none of the LDAP users is able to log in to the OBI environment.

    I am getting the below error in the bi_server1 log:-

    <Warning> <Security> <cargbitest> <bi_server1> <ConnSetupMgr> <<anonymous>> <> <2d4e3d78-47dc-4ecd-bc91-75e9a413245-00000002> <1527231117054> <[severity-value: 16] [rid: 0:81] [partition-id: 0] [partition-name: DOMAIN] > <BEA-090504> <Certificate chain received from 121.162.31.41 - 121.162.31.41 failed hostname verification check. Certificate contained C00CER100.inds-domain.net but check expected 121.162.31.41>

    I have also tried going to bi_server1 in the console and setting SSL > Advanced > Host Verification: None.

    Just wondering what I am missing now.

    Thanks a lot for your guidance.

    Regards,

    Abhi
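Added example, not from the thread or from Oracle or WebLogic code: it reproduces the decision behind the BEA-090504 line quoted above. An IP-literal host in the provider URL is only ever matched against IP entries in the certificate, so a certificate that carries only the DNS name C00CER100.inds-domain.net cannot pass when the URL names 121.162.31.41. The second function rewrites the failing URL to the certificate's DNS name, which keeps hostname verification enabled instead of setting it to None. The certificate name list is constructed from the log line; which of the two names is a SAN or the CN is not visible in the log, so both kinds are treated the same way here.

```python
import ipaddress
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed from the names in the log line above: the certificate carries the DNS name
# of the LDAP host, while the provider URL was configured with the bare IP address.
CERT_NAMES = [("DNS", "C00CER100.inds-domain.net")]
CONFIGURED_URL = "ldaps://121.162.31.41:636"

def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, wildcard allowed only as the leftmost label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    labels = h.split(".")
    return len(labels) > 1 and ".".join(labels[1:]) == p[2:]

def hostname_matches(names: List[Tuple[str, str]], host: str) -> bool:
    """The check behind BEA-090504: an IP-literal host must appear as an IP entry in the
    certificate, a DNS host must match a DNS entry; an IP is never matched against a DNS name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in names:
        if ip is not None and kind == "IP" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and _dns_match(value, host):
            return True
    return False

def check_ldaps_url(names: List[Tuple[str, str]], url: str) -> Tuple[bool, Optional[str]]:
    """Verdict for a provider URL plus, on failure, the same URL rewritten to the first
    non-wildcard DNS name in the certificate so verification can stay switched on."""
    parts = urlsplit(url)
    if hostname_matches(names, parts.hostname or ""):
        return True, url
    dns = [v for k, v in names if k == "DNS" and not v.startswith("*")]
    if not dns:
        return False, None
    port = f":{parts.port}" if parts.port else ""
    return False, f"{parts.scheme}://{dns[0]}{port}"
```

Whichever name you end up using in the URL, the LDAP server must actually be reachable under it (DNS or hosts entry), otherwise the connection fails before the certificate is ever checked.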