Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

issues with the SSL configuration with Microsoft active directory

Piotr_Serwa
Piotr_Serwa August 3, 2017

Hello,

I had a working configuration of crowd + ms active directory including the SSL, but something went wrong and now i get the following message when testing the connection to active directory from crowd: "Test failed
There was a problem communicating with the LDAP server: com.atlassian.crowd.exception.OperationFailedException: WIN-VF8Q99PRP29.corp.exida.pl:636; nested exception is javax.naming.CommunicationException: WIN-VF8Q99PRP29.corp.exida.pl:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]'

 

I followed the atlassian guidelines several times, I spent 1 day trying to fix it, but without success. I have a self-signed certificate and then it is loaded with keytool to cacerts, according to the guidelines.

Now  I switched back to the port 389 and no ssl, but the issue is that the users cannot edit passwords (although they can log e.g. on jira and their credentials are recognized).

 

Regards

Piotr

 

 

Answer
Watch
Like Be the first to like this
1268 views

7 answers

0 votes
Piotr_Serwa
Piotr_Serwa August 18, 2017

OK, i found the solution:

 

Run catalina.bat version
Go to http://tomcat.apache.org/
Download the package '64-bit Windows zip';
Open the zip file and navigate to the 'bin' subdirectory and locate the two files 'tomcat7.exe' and 'tomcat7w.exe';
Copy these two files, replacing the old files in <crowd>\apache-tomcat\bin

 

Thanks, my problems are solved.

Regards

Piotr

View More Comments
AnnWorley
AnnWorley
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 18, 2017

Wow! That's great news. Thanks for sharing the resolution with the Community.

Like
Reply
0 votes
Piotr_Serwa
Piotr_Serwa August 18, 2017

.. as a follow-up of my previous question - if I run configtest, I get

 

 

C:\Programs\atlassian-crowd-2.12.0\apache-tomcat\bin>configtest
JAVA_HOME "C:\Program Files\Java\jdk1.8.0_45" contains spaces. Please change to a location without spaces if this causes problems.
Using CATALINA_BASE: "C:\Programs\atlassian-crowd-2.12.0\apache-tomcat"
Using CATALINA_HOME: "C:\Programs\atlassian-crowd-2.12.0\apache-tomcat"
Using CATALINA_TMPDIR: "C:\Programs\atlassian-crowd-2.12.0\apache-tomcat\temp"
Using JRE_HOME: "C:\Program Files\Java\jdk1.8.0_45"
Using CLASSPATH: "C:\Programs\atlassian-crowd-2.12.0\apache-tomcat\bin\bootstrap.jar;C:\Programs\atlassian-crowd-2.12.0\apache-tomcat\bin\tomcat-juli.jar"

Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512m; support was removed in 8.0
sie 18, 2017 10:21:01 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'maxSpareThreads' to '75' did not find a matching property.
sie 18, 2017 10:21:01 AM org.apache.catalina.core.AprLifecycleListener init
WARNING: The APR based Apache Tomcat Native library failed to load. The error reported was [C:\Programs\atlassian-crowd-2.12.0\apache-tomcat\bin\tcnative-1.dll:
Can't load IA 32-bit .dll on a AMD 64-bit platform]
java.lang.UnsatisfiedLinkError: C:\Programs\atlassian-crowd-2.12.0\apache-tomcat\bin\tcnative-1.dll: Can't load IA 32-bit .dll on a AMD 64-bit platform
at java.lang.ClassLoader$NativeLibrary.load(Native Method)
at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:1937)
at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1855)
at java.lang.Runtime.loadLibrary0(Runtime.java:870)
at java.lang.System.loadLibrary(System.java:1122)
at org.apache.tomcat.jni.Library.<init>(Library.java:42)
at org.apache.tomcat.jni.Library.initialize(Library.java:178)
at org.apache.catalina.core.AprLifecycleListener.init(AprLifecycleListener.java:201)
at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:131)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:394)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
at org.apache.catalina.startup.Catalina.load(Catalina.java:642)
at org.apache.catalina.startup.Catalina.load(Catalina.java:667)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:253)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)

sie 18, 2017 10:21:01 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8095"]
sie 18, 2017 10:21:01 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-3443"]
sie 18, 2017 10:21:02 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1330 ms
C:\Programs\atlassian-crowd-2.12.0\apache-tomcat\bin>

Reply
0 votes
Piotr_Serwa
Piotr_Serwa August 18, 2017

OK, perfect! it worked. I imported my exida.pl certificate, as well as CA self-signed certificate and the ca certificate for the URL orp-WIN-VF8Q99PRP29.corp.exida.pl. Then it worked, I can now change AD passwords through crowd. 

 

However, I have another (small) problem: after crowd update, I am not able to run as service. The log shows:

 

[2017-08-18 10:15:05] [info] [ 9800] Commons Daemon procrun (1.0.15.0 32-bit) started
[2017-08-18 10:15:05] [info] [ 9800] Running 'Crowd' Service...
[2017-08-18 10:15:05] [info] [11228] Starting service...
[2017-08-18 10:15:05] [error] [11228] %1 is not a valid Win32 application.
[2017-08-18 10:15:05] [error] [11228] Failed creating java C:\Program Files\Java\jdk1.8.0_45\jre\bin\server\jvm.dll
[2017-08-18 10:15:05] [error] [11228] %1 is not a valid Win32 application.
[2017-08-18 10:15:05] [error] [11228] ServiceStart returned 1
[2017-08-18 10:15:05] [error] [11228] %1 is not a valid Win32 application.
[2017-08-18 10:15:05] [info] [ 9800] Run service finished.
[2017-08-18 10:15:05] [info] [ 9800] Commons Daemon procrun finished

 

Maybe it is due to space in Program Files. Is it possible to edit one of the crowd .bat files in order to avoid java reinstallation, as I have several other atlassian/java products?

 

This happens when I start the service through the console, or if I run  

C:\Programs\atlassian-crowd-2.12.0\apache-tomcat\bin\tomcat7.exe //RS//Crowd

 

My java configuration is as follows:

 

C:\Programs\atlassian-crowd-2.12.0\apache-tomcat\bin>service.bat install Crowd
Installing the service 'Crowd' ...
Using CATALINA_HOME: "C:\Programs\atlassian-crowd-2.12.0\apache-tomcat"
Using CATALINA_BASE: "C:\Programs\atlassian-crowd-2.12.0\apache-tomcat"
Using JAVA_HOME: "C:\Program Files\Java\jdk1.8.0_45"
Using JRE_HOME: "C:\Program Files\Java\jdk1.8.0_45\jre"
Using JVM: "C:\Program Files\Java\jdk1.8.0_45\jre\bin\server\jvm.dll"
The service 'Crowd' has been installed.

Reply
0 votes
AnnWorley
AnnWorley
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 17, 2017

Crowd does not need the cacerts keystore password because Crowd does not edit the file.

I suspect you are also running Crowd over SSL and that the AD server does not trust Crowd's certificate. From this MS doc

The client must be using a certificate from a CA that the LDAP server trusts.

That same doc shows how to import a cert in AD, if you are running Crowd over SSL, please import Crowd's certificate into AD so the trust will go both ways. If not, please let me know so I can look for another answer.

Reply
0 votes
Piotr_Serwa
Piotr_Serwa August 17, 2017

Hi Ann, 

I have spent another two hours trying to fix it. 

I reinstalled the active directory. I followed the files you referred. I see that the screenshots that you show do use -CA suffix for the cn name, so I have correctly now Owner: CN=corp-WIN-VF8Q99PRP29-CA, DC=corp, DC=exida, DC=pl

I have a correct keystore (with the password changeit - by the way, how does crowd know what this password is?) stored in C:\Program Files\Java\jdk1.8.0_45\jre\lib\security\cacerts and my JAVA_HOME is C:\Program Files\Java\jdk1.8.0_45.

 

I still have the same problem. Could you please help?

View More Comments
AnnWorley
AnnWorley
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 17, 2017

Hi Piotr - I am reviewing your updates and will have a more meaningful comment shortly. Just wanted to reply briefly to let you know I am still here. ~Ann

Like
Reply
0 votes
Piotr_Serwa
Piotr_Serwa August 17, 2017

HI Ann, 

 

When I import the AD certificate, I see the following. My problem is -CA-2 suffix, which I cannot get rid of.

 

 

C:\Program Files\Java\jdk1.8.0_45\bin>keytool.exe -import -keystore ..\jre\lib\security\cacerts -file C:\Users\Administrator\Documents\security\client.crt
Enter keystore password:
Owner: CN=corp-WIN-VF8Q99PRP29-CA-2, DC=corp, DC=exida, DC=pl
Issuer: CN=corp-WIN-VF8Q99PRP29-CA-2, DC=corp, DC=exida, DC=pl
Serial number: 184604c82d1398a54b1ad0ffe01e9b19
Valid from: Wed Aug 02 20:31:14 CEST 2017 until: Tue Aug 02 20:41:14 CEST 2022
Certificate fingerprints:
MD5: A7:98:DC:32:61:12:DF:1E:97:23:C9:00:19:25:4D:DB
SHA1: FC:6B:4C:E3:4C:0F:0D:31:67:89:E1:B3:CE:91:64:D4:7B:C0:6C:0A
SHA256: A4:49:C4:7D:73:9B:37:63:74:5D:23:32:A6:5C:53:E6:9F:0D:96:A8:06:16:D2:D2:72:77:7E:29:46:DE:22:40
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
0000: 1E 04 00 43 00 41 ...C.A


#2: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
0000: 02 01 00 ...


#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]

#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: CF 79 FB 1E FE 82 41 4E 48 29 FA E6 B1 7F CF 05 .y....ANH)......
0010: 36 29 24 9E 6)$.
]
]

Reply
0 votes
AnnWorley
AnnWorley
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 3, 2017

Hi Piotr,

I understand you are getting SSL handshake errors connecting Crowd to AD. 

The self signed certificate from Crowd has to be trusted by the AD system and the certificate from AD has to be trusted by the Crowd Java.

I understand you have been checking out our docs but I wanted to link this guide just in case you hadn't seen it: Configuring an SSL Certificate for Microsoft Active Directory

Please give the guide a try; I look forward to hearing the results.

Thanks,

Ann

View More Comments
Piotr_Serwa
Piotr_Serwa August 4, 2017

HI Ann,

I followed dthat document, so I have a self-signed certificate from AD, then I exported it with certutil and then imported it to jdk and to jre cacerts using keytool - according to the guidelines. I tried several times in different ways, but I always get the same problem.

Like
Piotr_Serwa
Piotr_Serwa August 4, 2017

I see that the url that I configure in crowd is ldap://WIN-VF8Q99PRP29.corp.exida.pl:636/ - this is really the correct one and I can connect to it (but I get ssl error), I can also connect without SSL with the port 389. 

However, the self-signed certificate is called WIN-VF8Q99PRP29-CA-2:

CN = corp-WIN-VF8Q99PRP29-CA-2
DC = corp
DC = exida
DC = pl

 

If I provide ldap://WIN-VF8Q99PRP29-CA-2.corp.exida.pl:636/ then I get "unkown host" exception. 

Like
AnnWorley
AnnWorley
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 4, 2017

I understand the certificate must match the name being used to connect, as mentioned in: Is it neccessary that website certificate must have site URL?

Is it possible that the Java you are importing the cert into is not the same one Crowd is using? The System Info page doesn't have the path to Java, but later versions of Crowd include the support zip feature, in the Admin console under Sypport Tools. If you generate a support zip and check the JAVA_HOME entry in the application.xml file you can make sure you are using the right cacerts file.

If -Djavax.net.ssl.trustStore is in your system ptroperties, it will override the location of the default truststore, so we should check for that as well.

Like
Piotr_Serwa
Piotr_Serwa August 17, 2017

Hi Ann, 

 

I have:

<JAVA_HOME>C:\Program Files\Java\jdk1.8.0_45</JAVA_HOME>

and 

<java.home>C:\Program Files\Java\jdk1.8.0_45\jre</java.home>

 

I don't have Djavax.net.ssl.trustStore set anywhere.

 

I think that maybe the certificate name generated by windows active directory does not fit, server name is corp-WIN-VF8Q99PRP29, certificate is corp-WIN-VF8Q99PRP29-CA-2, but there is no way to change it. I wanted to load another private key and a certificate generated by a certifier agency, but active directory fails to load a custom private key.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Crowd
Crowd
TAGS
AUG Leaders

Atlassian Community Events

    See all events