Issues configuring mq web console to use LDAP users
gavze007
Posted: Tue Jan 08, 2019 7:04 am

Novice

Joined: 28 Mar 2018
Posts: 19

Hi,

I'm running MQ 9.1.1 in a container, and I changed the mqwebuser.xml file to use LDAP according to IBM's example.
My LDAP provider supports only TLSv1.2 over LDAPS (636).

When trying to log in with an LDAP user, I get the following exception (I replaced the LDAP server with <ldapserver>):

com.ibm.wsspi.security.wim.exception.WIMSystemException: CWIML4520E: The LDAP operation could not be completed. The LDAP naming exception javax.naming.CommunicationException: <ldapserver>:636 [Root exception is javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty] occurred during processing.

These are the relevant parts of the configuration file; again, I replaced the details with general names:

Code:
<ldapRegistry id="ldap" realm="ldapprovider"
    host="ldapserver.com" port="636" ignoreCase="true"
    baseDN="basedn"
    bindDN="binduser"
    bindPassword="bindpass"
    ldapType="Microsoft Active Directory"
    sslEnabled="true"
    sslRef="LDAPSSLSettings">
    <activedFilters
        userFilter="(&amp;(uid=%v)(objectcategory=inetOrgPerson))"
        groupFilter="(&amp;(cn=%v)(objectcategory=groupofUniqueNames))"
        userIdMap="user:inetOrgPerson"
        groupIdMap="*:cn"
        groupMemberIdMap="memberOf:uniqueMember">
    </activedFilters>
</ldapRegistry>

<keyStore id="LDAPKeyStore" location="/var/mqm/web/installations/Installation1/servers/mqweb/LDAPkey.jks" type="JKS" password="xxx"/>
<keyStore id="LDAPTrustStore" location="/var/mqm/web/installations/Installation1/servers/mqweb/LDAPtrust.jks" type="JKS" password="xxx"/>
<ssl id="LDAPSSLSettings" clientAuthenticationSupported="true" keyStoreRef="LDAPKeyStore" trustStoreRef="LDAPTrustStore" sslProtocol="TLSv1.2" serverKeyAlias="webcert"/>

What am I missing?
mqm user has access to all relevant files.

Thanks
hughson
Posted: Tue Jan 08, 2019 3:03 pm

Sentinel

Joined: 09 May 2013
Posts: 896
Location: Bay of Plenty, New Zealand

Is it possible that your truststore is empty? Assuming that it does exist and the user has access to it, empty is the other possibility for this error message.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
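
One way to check the possibilities raised in the reply above (a truststore that is missing, unreadable or empty), as an added example that is not part of the original posts. The `TS_PASS` environment variable, the function names and the sample listings are assumptions constructed for illustration, and the parsing assumes keytool's English `-list` output.

```shell
#!/bin/sh
# Added example (not from the thread): does a truststore hold any trusted certificates?
# TS_PASS is a hypothetical environment variable holding the store password.

# Count entries of type $1 (e.g. trustedCertEntry) in `keytool -list` output on stdin.
count_entries() {
    grep -c -- ", $1," || true   # grep -c prints 0 but exits 1 when nothing matches
}

# Read a `keytool -list` listing on stdin; print "empty" or "ok:<n>".
classify_listing() {
    n=$(count_entries trustedCertEntry)
    if [ "$n" -gt 0 ]; then echo "ok:$n"; else echo "empty"; return 1; fi
}

# Print missing | unreadable | unlistable | empty | ok:<n> for the store at $1.
check_truststore() {
    [ -e "$1" ] || { echo "missing"; return 1; }
    [ -r "$1" ] || { echo "unreadable"; return 1; }
    # -storepass:env keeps the password out of the process list.
    listing=$(keytool -list -storetype JKS -keystore "$1" -storepass:env TS_PASS 2>/dev/null) \
        || { echo "unlistable"; return 1; }   # wrong password, wrong type or corrupt file
    printf '%s\n' "$listing" | classify_listing
}

# Constructed sample listings (not real output from the poster's system).
sample_empty() {
    cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 0 entries
EOF
}
sample_populated() {
    cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

ldap-root-ca, Jan 8, 2019, trustedCertEntry,
Certificate fingerprint (SHA-256): (constructed placeholder)
webcert, Jan 8, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA-256): (constructed placeholder)
EOF
}

# Usage: TS_PASS=... sh check_truststore.sh /path/to/LDAPtrust.jks
[ $# -eq 0 ] || check_truststore "$1"
```

Run it as the user the mqweb server runs under, so the readability check reflects what the server itself sees.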