issues with the SSL configuration with Microsoft active directory

Hello,

I had a working configuration of Crowd + MS Active Directory including the SSL, but something went wrong and now I get the following message when testing the connection to Active Directory from Crowd: "Test failed
There was a problem communicating with the LDAP server: com.atlassian.crowd.exception.OperationFailedException: WIN-VF8Q99PRP29.corp.exida.pl:636; nested exception is javax.naming.CommunicationException: WIN-VF8Q99PRP29.corp.exida.pl:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]"

 

I followed the Atlassian guidelines several times and spent 1 day trying to fix it, but without success. I have a self-signed certificate, and it is loaded with keytool into cacerts according to the guidelines.

Now I switched back to port 389 and no SSL, but the issue is that the users cannot edit passwords (although they can log in to e.g. Jira and their credentials are recognized).

 

Regards

Piotr

 

 

7 answers

Ann Worley Atlassian Team Aug 03, 2017

Hi Piotr,

I understand you are getting SSL handshake errors connecting Crowd to AD. 

The self signed certificate from Crowd has to be trusted by the AD system and the certificate from AD has to be trusted by the Crowd Java.

I understand you have been checking out our docs but I wanted to link this guide just in case you hadn't seen it: Configuring an SSL Certificate for Microsoft Active Directory

Please give the guide a try; I look forward to hearing the results.

Thanks,

Ann

HI Ann,

I followed that document, so I have a self-signed certificate from AD, then I exported it with certutil and then imported it into the JDK and JRE cacerts using keytool, according to the guidelines. I tried several times in different ways, but I always get the same problem.

I see that the url that I configure in crowd is ldap://WIN-VF8Q99PRP29.corp.exida.pl:636/ - this is really the correct one and I can connect to it (but I get ssl error), I can also connect without SSL with the port 389. 

However, the self-signed certificate is called WIN-VF8Q99PRP29-CA-2:

CN = corp-WIN-VF8Q99PRP29-CA-2
DC = corp
DC = exida
DC = pl

 

If I provide ldap://WIN-VF8Q99PRP29-CA-2.corp.exida.pl:636/ then I get an "unknown host" exception.

Ann Worley Atlassian Team Aug 04, 2017

I understand the certificate must match the name being used to connect, as mentioned in: Is it necessary that website certificate must have site URL?

Is it possible that the Java you are importing the cert into is not the same one Crowd is using? The System Info page doesn't have the path to Java, but later versions of Crowd include the support zip feature, in the Admin console under Support Tools. If you generate a support zip and check the JAVA_HOME entry in the application.xml file you can make sure you are using the right cacerts file.

If -Djavax.net.ssl.trustStore is in your system properties, it will override the location of the default truststore, so we should check for that as well.

Hi Ann, 

 

I have:

<JAVA_HOME>C:\Program Files\Java\jdk1.8.0_45</JAVA_HOME>

and 

<java.home>C:\Program Files\Java\jdk1.8.0_45\jre</java.home>

 

I don't have -Djavax.net.ssl.trustStore set anywhere.

 

I think that maybe the certificate name generated by windows active directory does not fit, server name is corp-WIN-VF8Q99PRP29, certificate is corp-WIN-VF8Q99PRP29-CA-2, but there is no way to change it. I wanted to load another private key and a certificate generated by a certifier agency, but active directory fails to load a custom private key.


HI Ann, 

 

When I import the AD certificate, I see the following. My problem is -CA-2 suffix, which I cannot get rid of.

 

 

C:\Program Files\Java\jdk1.8.0_45\bin>keytool.exe -import -keystore ..\jre\lib\security\cacerts -file C:\Users\Administrator\Documents\security\client.crt
Enter keystore password:
Owner: CN=corp-WIN-VF8Q99PRP29-CA-2, DC=corp, DC=exida, DC=pl
Issuer: CN=corp-WIN-VF8Q99PRP29-CA-2, DC=corp, DC=exida, DC=pl
Serial number: 184604c82d1398a54b1ad0ffe01e9b19
Valid from: Wed Aug 02 20:31:14 CEST 2017 until: Tue Aug 02 20:41:14 CEST 2022
Certificate fingerprints:
MD5: A7:98:DC:32:61:12:DF:1E:97:23:C9:00:19:25:4D:DB
SHA1: FC:6B:4C:E3:4C:0F:0D:31:67:89:E1:B3:CE:91:64:D4:7B:C0:6C:0A
SHA256: A4:49:C4:7D:73:9B:37:63:74:5D:23:32:A6:5C:53:E6:9F:0D:96:A8:06:16:D2:D2:72:77:7E:29:46:DE:22:40
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
0000: 1E 04 00 43 00 41 ...C.A


#2: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
0000: 02 01 00 ...


#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]

#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: CF 79 FB 1E FE 82 41 4E 48 29 FA E6 B1 7F CF 05 .y....ANH)......
0010: 36 29 24 9E 6)$.
]
]
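To see which of the two checks is actually failing, here is an added diagnostic (not Crowd's or Atlassian's code): it resolves the truststore the way the JVM does (honouring -Djavax.net.ssl.trustStore, as Ann mentioned, and otherwise falling back to java.home cacerts), captures the chain the AD server presents on 636, runs PKIX validation of that chain against the truststore, and then compares the host name with the leaf certificate's SAN/CN, which is where host-name matching happens, not in the issuing CA's CN. The class name LdapsTrustCheck and the command line are assumptions; the host name is the one from this thread, and the tool is run with the same JVM that runs Crowd: "%JAVA_HOME%\bin\java" LdapsTrustCheck WIN-VF8Q99PRP29.corp.exida.pl 636

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added diagnostic, not Crowd's or Atlassian's code. Usage: java LdapsTrustCheck <host> [port]
public class LdapsTrustCheck {
    public static void main(String[] args) throws Exception {
        String host = args[0]; int port = args.length > 1 ? Integer.parseInt(args[1]) : 636;
        // Same lookup order the JVM uses: -Djavax.net.ssl.trustStore wins over <java.home>/lib/security/cacerts
        String tsPath = System.getProperty("javax.net.ssl.trustStore", System.getProperty("java.home") + "/lib/security/cacerts");
        char[] tsPass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit").toCharArray();
        System.out.println("java.home=" + System.getProperty("java.home") + "  truststore=" + tsPath);
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(tsPath)) { ts.load(in, tsPass); }
        // Capture the chain AD presents. This recording manager accepts anything: inspection only, never reuse it.
        final X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] c, String a) { seen[0] = c; }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{recorder}, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) { s.startHandshake(); }
        X509Certificate[] chain = seen[0];
        for (int i = 0; i < chain.length; i++)
            System.out.println("chain[" + i + "] subject=" + chain[i].getSubjectX500Principal()
                    + "  issuer=" + chain[i].getIssuerX500Principal());
        // Check 1: PKIX path validation against the truststore, the check behind "PKIX path building failed".
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        try {
            ((X509TrustManager) tmf.getTrustManagers()[0]).checkServerTrusted(chain, "RSA");
            System.out.println("PKIX: chain is trusted by " + tsPath);
        } catch (CertificateException e) {
            System.out.println("PKIX: NOT trusted by " + tsPath
                    + " (import the issuer of the last chain element, i.e. the AD CA): " + e.getMessage());
        }
        // Check 2: the host name is matched against the LEAF cert's SAN dNSName (type 2) entries or, roughly, its CN,
        // never against the issuing CA's CN, so a CA subject ending in -CA-2 does not by itself break anything.
        boolean nameOk = false;
        Collection<List<?>> sans = chain[0].getSubjectAlternativeNames();
        if (sans != null) for (List<?> san : sans)
            if (Integer.valueOf(2).equals(san.get(0)) && host.equalsIgnoreCase(String.valueOf(san.get(1)))) nameOk = true;
        nameOk |= chain[0].getSubjectX500Principal().getName().toUpperCase().contains("CN=" + host.toUpperCase());
        System.out.println("host name " + host + (nameOk ? " matches" : " does NOT match") + " the server certificate");
    }
}
```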


Hi Ann, 

I have spent another two hours trying to fix it. 

I reinstalled the Active Directory. I followed the files you referred to. I see that the screenshots you show do use the -CA suffix for the CN name, so I now correctly have Owner: CN=corp-WIN-VF8Q99PRP29-CA, DC=corp, DC=exida, DC=pl

I have a correct keystore (with the password changeit - by the way, how does crowd know what this password is?) stored in C:\Program Files\Java\jdk1.8.0_45\jre\lib\security\cacerts and my JAVA_HOME is C:\Program Files\Java\jdk1.8.0_45.

 

I still have the same problem. Could you please help?

Hi Piotr - I am reviewing your updates and will have a more meaningful comment shortly. Just wanted to reply briefly to let you know I am still here. ~Ann

Ann Worley Atlassian Team Aug 17, 2017

Crowd does not need the cacerts keystore password because Crowd does not edit the file.

I suspect you are also running Crowd over SSL and that the AD server does not trust Crowd's certificate. From this MS doc:

The client must be using a certificate from a CA that the LDAP server trusts.

That same doc shows how to import a cert in AD. If you are running Crowd over SSL, please import Crowd's certificate into AD so the trust will go both ways. If not, please let me know so I can look for another answer.


OK, perfect! It worked. I imported my exida.pl certificate, as well as the CA self-signed certificate and the CA certificate for the URL orp-WIN-VF8Q99PRP29.corp.exida.pl. Then it worked; I can now change AD passwords through Crowd.

 

However, I have another (small) problem: after crowd update, I am not able to run as service. The log shows:

 

[2017-08-18 10:15:05] [info] [ 9800] Commons Daemon procrun (1.0.15.0 32-bit) started
[2017-08-18 10:15:05] [info] [ 9800] Running 'Crowd' Service...
[2017-08-18 10:15:05] [info] [11228] Starting service...
[2017-08-18 10:15:05] [error] [11228] %1 is not a valid Win32 application.
[2017-08-18 10:15:05] [error] [11228] Failed creating java C:\Program Files\Java\jdk1.8.0_45\jre\bin\server\jvm.dll
[2017-08-18 10:15:05] [error] [11228] %1 is not a valid Win32 application.
[2017-08-18 10:15:05] [error] [11228] ServiceStart returned 1
[2017-08-18 10:15:05] [error] [11228] %1 is not a valid Win32 application.
[2017-08-18 10:15:05] [info] [ 9800] Run service finished.
[2017-08-18 10:15:05] [info] [ 9800] Commons Daemon procrun finished

 

Maybe it is due to the space in Program Files. Is it possible to edit one of the Crowd .bat files in order to avoid reinstalling Java, as I have several other Atlassian/Java products?

 

This happens when I start the service through the console, or if I run  

C:\Programs\atlassian-crowd-2.12.0\apache-tomcat\bin\tomcat7.exe //RS//Crowd

 

My java configuration is as follows:

 

C:\Programs\atlassian-crowd-2.12.0\apache-tomcat\bin>service.bat install Crowd
Installing the service 'Crowd' ...
Using CATALINA_HOME: "C:\Programs\atlassian-crowd-2.12.0\apache-tomcat"
Using CATALINA_BASE: "C:\Programs\atlassian-crowd-2.12.0\apache-tomcat"
Using JAVA_HOME: "C:\Program Files\Java\jdk1.8.0_45"
Using JRE_HOME: "C:\Program Files\Java\jdk1.8.0_45\jre"
Using JVM: "C:\Program Files\Java\jdk1.8.0_45\jre\bin\server\jvm.dll"
The service 'Crowd' has been installed.


As a follow-up to my previous question: if I run configtest, I get

 

 

C:\Programs\atlassian-crowd-2.12.0\apache-tomcat\bin>configtest
JAVA_HOME "C:\Program Files\Java\jdk1.8.0_45" contains spaces. Please change to a location without spaces if this causes problems.
Using CATALINA_BASE: "C:\Programs\atlassian-crowd-2.12.0\apache-tomcat"
Using CATALINA_HOME: "C:\Programs\atlassian-crowd-2.12.0\apache-tomcat"
Using CATALINA_TMPDIR: "C:\Programs\atlassian-crowd-2.12.0\apache-tomcat\temp"
Using JRE_HOME: "C:\Program Files\Java\jdk1.8.0_45"
Using CLASSPATH: "C:\Programs\atlassian-crowd-2.12.0\apache-tomcat\bin\bootstrap.jar;C:\Programs\atlassian-crowd-2.12.0\apache-tomcat\bin\tomcat-juli.jar"

Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512m; support was removed in 8.0
sie 18, 2017 10:21:01 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'maxSpareThreads' to '75' did not find a matching property.
sie 18, 2017 10:21:01 AM org.apache.catalina.core.AprLifecycleListener init
WARNING: The APR based Apache Tomcat Native library failed to load. The error reported was [C:\Programs\atlassian-crowd-2.12.0\apache-tomcat\bin\tcnative-1.dll:
Can't load IA 32-bit .dll on a AMD 64-bit platform]
java.lang.UnsatisfiedLinkError: C:\Programs\atlassian-crowd-2.12.0\apache-tomcat\bin\tcnative-1.dll: Can't load IA 32-bit .dll on a AMD 64-bit platform
at java.lang.ClassLoader$NativeLibrary.load(Native Method)
at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:1937)
at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1855)
at java.lang.Runtime.loadLibrary0(Runtime.java:870)
at java.lang.System.loadLibrary(System.java:1122)
at org.apache.tomcat.jni.Library.<init>(Library.java:42)
at org.apache.tomcat.jni.Library.initialize(Library.java:178)
at org.apache.catalina.core.AprLifecycleListener.init(AprLifecycleListener.java:201)
at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:131)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:394)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
at org.apache.catalina.startup.Catalina.load(Catalina.java:642)
at org.apache.catalina.startup.Catalina.load(Catalina.java:667)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:253)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)

sie 18, 2017 10:21:01 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8095"]
sie 18, 2017 10:21:01 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-3443"]
sie 18, 2017 10:21:02 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1330 ms
C:\Programs\atlassian-crowd-2.12.0\apache-tomcat\bin>


OK, I found the solution:

 

Run catalina.bat version
Go to http://tomcat.apache.org/
Download the package '64-bit Windows zip';
Open the zip file and navigate to the 'bin' subdirectory and locate the two files 'tomcat7.exe' and 'tomcat7w.exe';
Copy these two files, replacing the old files in <crowd>\apache-tomcat\bin

 

Thanks, my problems are solved.

Regards

Piotr

Ann Worley Atlassian Team Aug 18, 2017

Wow! That's great news. Thanks for sharing the resolution with the Community.
