[ome-users] server certificate change is restrictedduring renegotiation]

Bernie Broughton b.broughton at sussex.ac.uk
Fri May 29 12:03:54 BST 2015


Hi Josh,

I didn't upgrade Java, but the server is managed by Puppet, so it might have been. I'll investigate this.

java -version                  1.7.0     (/usr/bin/java)

full LDAP configuration:

omero.ldap.base=OU=US,DC=ad,DC=susx,DC=ac,DC=uk
omero.ldap.config=true
omero.ldap.group_filter=(&(objectclass=group)(!(cn=*_g)))
omero.ldap.group_mapping=name=cn
omero.ldap.new_user_group=Public
omero.ldap.password=xxxx
omero.ldap.urls=ldaps://ad.susx.ac.uk
omero.ldap.user_filter=(&(objectClass=user)(memberOf=CN=lifesci_omero_users,OU=AdHoc,OU=Groups,OU=US,DC=ad,DC=susx,DC=ac,DC=uk))
omero.ldap.user_mapping=omeName=cn,firstName=givenName,lastName=sn,email=mail
omero.ldap.username=CN=ldapbind,OU=Service Accounts,OU=US,DC=ad,DC=susx,DC=ac,DC=uk
omero.security.keyStore=/var/omero/keystore.jks
omero.security.keyStorePassword=xxxx
omero.security.trustStore=/var/omero/keystore.jks
omero.security.trustStorePassword=xxxx

The configuration was copied over from the previous version without any change,

Bernie

> -----Original Message-----
> From: ome-users [mailto:ome-users-bounces at lists.openmicroscopy.org.uk]
> On Behalf Of Josh Moore
> Sent: 29 May 2015 11:41
> To: OME User Support List
> Subject: Re: [ome-users] server certificate change is restrictedduring
> renegotiation]
> 
> On Fri, May 29, 2015 at 12:29 PM, Aleksandra Tarkowska (Staff)
> <A.Tarkowska at dundee.ac.uk> wrote:
> > Hi Bernie
> >
> > Is ad.susx.ac.uk SSL cert self signed? Did you import it to the Java keystore
> > and then add
> >
> > bin/omero config set omero.security.keyStore "/etc/pki/java/cacerts"
> > bin/omero config set omero.security.trustStore "/etc/pki/java/cacerts"
> 
> 
> in addition, a few more questions based on the similarity to
> http://stackoverflow.com/a/27359749, pointed out by Simon:
> 
>  * was there a change in Java version involved in your upgrade? Even if not,
> what version are you on?
> 
>  * what does your LDAP configuration look like currently? (minus
> passwords) I assume there was no change during the upgrade?
> 
>  * had you made any configuration changes to etc/grid in the 5.0 server
> directory?
> 
> 
> ~Josh.
> 
> 
> > Kind regards
> > Ola
> 
> > On 29/05/2015 11:18, "Bernie Broughton" <b.broughton at sussex.ac.uk>
> wrote:
> >
> >>Hi,
> >>
> >>We've upgraded from 5.0.5 to 5.1.1 3 days ago successfully but are now
> >>finding users can't authenticate using LDAP. Restarting the server
> >>fixes the problem initially, but the problem returns within a very
> >>short period (a minute or so).
> >>
> >>Checking the Blitz log I can see the error:
> >>
> >>org.springframework.ldap.CommunicationException: simple bind failed:
> >>ad.susx.ac.uk:636; nested exception is
> >>javax.naming.CommunicationException: simple bind failed:
> >>ad.susx.ac.uk:636 [Root exception is javax.net.ssl.SSLHandshakeException:
> >>server certificate change is restrictedduring renegotiation]
> >>
> >>Can anyone help with this please?
> >>
> >>Bernie Broughton
> >>Research IT Support and Service Development Specialist (ITS Client
> >>Services)
> >>IT Manager (Genome Damage and Stability Centre)
> _______________________________________________
> ome-users mailing list
> ome-users at lists.openmicroscopy.org.uk
> http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-users
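The following is an added example for this thread; it is not code from OME or from anyone in the discussion. It reproduces offline the identity test a Java TLS client applies when a server presents a different certificate during renegotiation (the condition behind the "server certificate change is restricted" handshake failure), and adds a live probe that reports the leaf certificate an LDAPS endpoint returns so that a round-robin name fronting several domain controllers with different certificates can be spotted. Assumptions: openssl(1) is on PATH, the hostnames in the demonstration are made up, and the Java rule is approximated as "identical certificate, or same subject and issuer"; the real check also compares subjectAltName entries, which this version omits.

```shell
#!/bin/sh
# Added example, not OME's code. Assumes openssl(1) on PATH.
# Java's rule is approximated as "identical certificate, or same subject
# and issuer" (the real check also compares subjectAltName entries).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME SUBJECT: constructed throw-away self-signed certificate
# with a fresh key pair on every call (so a "renewed" cert gets a new key).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "$2" >/dev/null 2>&1
}

cert_fp()      { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'; }
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//'; }

# cert_change_allowed OLD NEW: return 0 when NEW may replace OLD on
# renegotiation under the approximated Java rule, 1 when the change
# would be restricted.
cert_change_allowed() {
    if [ "$(cert_fp "$1")" = "$(cert_fp "$2")" ]; then
        return 0
    fi
    if [ "$(cert_subject "$1")" = "$(cert_subject "$2")" ] &&
       [ "$(cert_issuer "$1")"  = "$(cert_issuer "$2")" ]; then
        return 0
    fi
    return 1
}

# live_leaf_fp HOST PORT: SHA-256 fingerprint of the leaf certificate one
# LDAPS connection returns. Run it several times against a round-robin name
# (e.g. ad.susx.ac.uk 636); differing fingerprints mean the name fronts more
# than one server certificate. Network call, so not used in the demo below.
live_leaf_fp() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Demonstration on constructed certificates (hostnames are made up).
demo() {
    make_cert dc1 "/CN=ad.example.test"
    make_cert dc1_renewed "/CN=ad.example.test"
    make_cert dc2 "/CN=dc2.example.test"
    cert_change_allowed "$WORK/dc1.pem" "$WORK/dc1_renewed.pem" &&
        echo "renewed cert, same subject and issuer: change accepted"
    cert_change_allowed "$WORK/dc1.pem" "$WORK/dc2.pem" ||
        echo "different server identity: change restricted"
}

demo
```

To use the live probe against a real directory, call `live_leaf_fp ad.susx.ac.uk 636` in a loop of five or ten connections and compare the output; if more than one fingerprint appears, feed two of the captured certificates to `cert_change_allowed` to see whether the client would treat the switch as a restricted change.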