Jama 8 and secure LDAP

  • 1.  Jama 8 and secure LDAP

    Posted 04-20-2016 20:55
    For our previous installations of Jama 2014 and 2015 on-premise, we set up login authentication for Jama using LDAP, pointing to our secure corporate LDAP server's port 636.

    In order to permit LDAPS access, we needed to import a dedicated corporate certificate authority file into the JDK that Jama/Tomcat were using:

    cd /localdata/java/jdk1.7.0_85
    ./bin/keytool -import -file corporate-ca.pem \
        -keystore jre/lib/security/cacerts

    Now that we have our Jama 8.0 beta up and running, I realize it can't seem to connect to the LDAP server to authenticate as a non-root user -- I get:

    2016-04-20 22:39:35,252 WARN  http-bio-8080-exec-6 jamab [3f4bb1] [com.jamasoftware.contour.util.auth.LdapProviderManagerImpl] - Ldap Provider Error.
    org.springframework.ldap.CommunicationException: simple bind failed:

    [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

    Does Jama 8 still support connecting over LDAPS, and if so, how do I input a corporate certificate authority as was done before?


  • 2.  Re: Jama 8 and secure LDAP

    Posted 04-20-2016 20:58
    Hi Ryan, we ran into the same issue. Currently the BETA-2 is not supporting this. But we requested a solution from Jama to solve this very issue. Last feedback was they were planning a solution for this in the standard release.


  • 3.  Re: Jama 8 and secure LDAP

    Posted 04-20-2016 20:59
    Our workaround was to use LDAP and not LDAPS for testing purposes.


  • 4.  Re: Jama 8 and secure LDAP

    Posted 04-20-2016 21:01
    Hi Ryan! On the Replicated settings page you should be able to upload a certificate file under Trusted Certificates. This will be added to Java's cacerts store in the container on start-up.

    One thing I'm realizing from this question though, is that you may need to import more than one certificate file if, say, you need to connect both a secure database and a secure LDAP server, but they use different key files. I'll put in a request with our team to address this.

    ----
    edit: disregard my comment above!
    We have a feature coming down the pipeline for adding trusted certificates :)

    Ryan


  • 5.  Re: Jama 8 and secure LDAP

    Posted 04-20-2016 22:12
    To add a little more detail to Ryan's comment, the work to import custom certificates is all done. It didn't make the cut for Jama 8.0 (nor 8.0.0-BETA-2), but it will be available in 8.1, which is to be released soon after 8.0. Using LDAP instead of LDAPS is indeed the recommended workaround for now. Sorry for the inconvenience in the interim. Please let us know if you have any additional questions.


  • 6.  Re: Jama 8 and secure LDAP

    Posted 04-21-2016 10:27
    Thanks, Sander. Unfortunately, our IT environment will not permit LDAP authentication without TLS. We may have to wait for Jama 8.1.


  • 7.  Re: Jama 8 and secure LDAP

    Posted 04-21-2016 10:47
    Thanks, Nick -- Unfortunately, our IT folks won't permit passwords and other data to be exposed in the clear via LDAP. For the purposes of the beta, I may examine switching back to plain Jama authentication and just leaving all of the users already imported from LDAP inert.


  • 8.  Re: Jama 8 and secure LDAP

    Posted 07-20-2016 19:39
    Just an update: we tested 8.1 with a custom pem file for secure LDAP and it worked! Just need to add your Root CA Certs into the pem.


  • 9.  Re: Jama 8 and secure LDAP

    Posted 07-20-2016 20:04
    That's great news, thanks for letting us know!


  • 10.  Re: Jama 8 and secure LDAP

    Posted 07-21-2016 10:25
    Thanks, Nick and Sander. We're now up and running with secure LDAP authentication in 8.4.1.
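
The "PKIX path building failed" error in the first post means Java could not build a path from the LDAP server's certificate to a trusted root. As an added example (not from the thread or from Jama), this script runs the same chain check with OpenSSL against a PEM bundle before it is uploaded or imported. The function names, file names and CNs are constructed for the demonstration, and OpenSSL 1.1.0 or later is assumed.

```shell
#!/usr/bin/env bash
# Added example: pre-check a CA bundle against a server certificate with
# OpenSSL before putting it into a Java trust store.

# verify_chain CA_PEM CERT_PEM
# Succeeds only if CERT_PEM chains to a CA in CA_PEM. -no-CAfile/-no-CApath
# keep the system trust store out of the decision.
verify_chain() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# count_certs PEM: print how many certificates a PEM bundle contains.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# make_demo_pki DIR
# Constructed test data: two throwaway root CAs, one server certificate
# issued by the first CA, and a bundle holding both roots.
make_demo_pki() {
    local d=$1
    mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Corporate Root CA" \
        -keyout "$d/corp-ca.key" -out "$d/corp-ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Unrelated CA" \
        -keyout "$d/other-ca.key" -out "$d/other-ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
        -keyout "$d/ldap.key" -out "$d/ldap.csr" 2>/dev/null
    openssl x509 -req -in "$d/ldap.csr" -days 1 \
        -CA "$d/corp-ca.pem" -CAkey "$d/corp-ca.key" -CAcreateserial \
        -out "$d/ldap.pem" 2>/dev/null
    cat "$d/other-ca.pem" "$d/corp-ca.pem" > "$d/bundle.pem"
}

# Command-line use: ./check-chain.sh bundle.pem server-cert.pem
# (the server's certificates can be captured with
#  openssl s_client -connect HOST:636 -showcerts, HOST being a placeholder)
if [ "$#" -eq 2 ]; then
    if verify_chain "$1" "$2"; then
        echo "OK: $2 chains to a CA in $1 ($(count_certs "$1") certificate(s))"
    else
        echo "FAIL: no CA in $1 validates $2; Java would report a PKIX path error"
        exit 1
    fi
fi
```

A bundle that passes here should contain the root CA (and any intermediates the server does not send), which is what the 8.1 report in this thread describes adding to the pem.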