SSL cert not being read by uPortal for internal communication?


Stephen
Hi All,

So this is how best I can describe the situation:

Versions:
  • Ubuntu 18.04.2 LTS
  • Apache 2.2
  • Tomcat 8.5.30
  • uPortal 4.3.1
  • Java 1.8.0_212
Conf
  • Apache redirects everything to uPortal on Tomcat on localhost:8443 (e.g. example.com/uPortal)
    • Exception to the above for anything on the /content alias (e.g. example.com/content)
  • SSL file set in the Apache conf
  • SSL p12 keystore set in the Tomcat conf
  • Certificates are wildcard certs for our domain (e.g. *.example.com)
Apache conf
SSLCertificateFile /path/to/cert.crt
SSLCertificateKeyFile /path/to/cert.key

Alias /content/ /path/to/content/
<Location /content/>
Require all granted
</Location>
<Location />
Require all granted
</Location>
SSLProxyEngine on
ProxyPreserveHost on
ProxyPass /content !
ProxyPass /uPortal https://localhost:8443/uPortal
ProxyPassReverse /uPortal https://localhost:8443/uPortal
ProxyPass / https://localhost:8443/
# trailing slash added so the reverse mapping mirrors the ProxyPass line above
ProxyPassReverse / https://localhost:8443/

Tomcat Conf
<Connector
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/path/to/cert.p12" keystorePass="redacted"
           clientAuth="false" sslProtocol="TLS"/>

Cert for the ldaps connection obtained from the LDAP server and saved to the cacerts keystore
openssl s_client -connect ldap.server.url:636 -showcerts

openssl x509 -in ldap.crt -out ldap.pem -outform PEM

keytool -import -alias ldap -keystore /usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/security/cacerts -file /path/to/ldap.pem

Portlet with an import of a /content page
<c:import url="https://uportal.server.url/content/stuff.html"/>

LDAP conf
environment.build.ldap.url=ldaps://ldap.server.url:636
Behavior:
  • Redirection works as expected. All queries go to uPortal except for anything on the /content/ alias
  • SSL certificates are valid when visiting anything hosted on the server, be it /uPortal or /content
    • Directly accessing a content page (e.g. https://uportal.server.url/content/stuff.html) works without issues and with a valid certificate
    • Visiting uPortal works with a valid certificate.
Issues:
  • The ldaps connection for authentication does not work and throws a javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching ldap.server.url found
  • The portlet fails to display the content page with the same error (with the server's URL in the exception)
Testing
  • Changing the import URL on the portlet to some page hosted somewhere else (e.g. https://www.google.com/) works, displaying it without issues
  • Changing the import URL on the portlet to some other https page hosted in our domain on some other server using the same wildcard certificate works, displaying it without issues
  • Changing the import URL to another subdomain and adding the subdomain to the hosts file to point back to itself yields the same exception
  • Changing the ldaps conf to use ldap (port 389) lets you log in successfully
  • Converted the p12 file used in the Tomcat conf to a JKS and added JAVA_OPTS to the Tomcat startup script to pass it as arguments
    • -Djavax.net.ssl.keyStore=/path/to/cert.jks -Djavax.net.ssl.keyStorePassword=redacted -Djavax.net.ssl.trustStore=/path/to/cert.jks -Djavax.net.ssl.trustStorePassword=redacted
    • This only caused Tomcat to start without publishing 8443 as a connector, essentially breaking its functionality.

At this point I'm faced with hosting the /content/ content somewhere else and using ldap instead of ldaps for authentication.

Ideas?

-Stephen
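Added diagnostic, not from the post or from uPortal: the "No name matching <host> found" CertificateException is raised by Java's hostname verification, which importing a certificate into cacerts does not affect (that only fixes trust). The script below, assuming Python 3, reproduces Java's name-matching rules so a certificate's SAN/CN list can be compared against the host actually being dialled; SAMPLE_CERT and the host names are constructed placeholders, and fetch_peer_cert is an optional helper for checking a live server.

```python
import socket
import ssl

# Constructed certificate, in the dict shape ssl.SSLSocket.getpeercert() returns:
# a wildcard cert for example.com, as in the post, with no SAN for ldap.server.url.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}

def cert_dns_names(cert):
    """Names Java compares against the host: SAN dNSName entries when present,
    otherwise the subject CN (Java ignores the CN once SAN DNS names exist)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn
            if key == "commonName"]

def name_matches(pattern, host):
    """RFC 6125 / Java HostnameChecker rules: case-insensitive exact match, or a
    wildcard in the leftmost label that covers exactly one label and never the
    bare parent domain (so *.example.com matches portal.example.com only)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                 # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[:-len(suffix)]
    return bool(leftmost) and "." not in leftmost

def hostname_covered(cert, host):
    """True when the certificate would pass Java's hostname verification for host."""
    return any(name_matches(name, host) for name in cert_dns_names(cert))

def fetch_peer_cert(host, port=636, cafile=None):
    """Fetch a live server's certificate as a dict (network access required). Trust is
    still verified (optionally against cafile, e.g. the exported LDAP cert); only the
    hostname check is disabled so a cert with a mismatching name can be inspected."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    for host in ("portal.example.com", "example.com", "ldap.server.url", "localhost"):
        print(host, "covered" if hostname_covered(SAMPLE_CERT, host) else "NOT covered")
```

Run against the real endpoint with fetch_peer_cert("ldap.server.url", cafile="/path/to/ldap.pem") and pass the result to hostname_covered to see which name the certificate would have to carry.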
--
You received this message because you are subscribed to the Google Groups "uPortal Community" group.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/uportal-user/527e3991-85e7-4ffa-941c-264be5e0bb4c%40apereo.org.