[ome-users] server certificate change is restrictedduring renegotiation]

Josh Moore josh at glencoesoftware.com
Fri May 29 12:23:52 BST 2015


On Fri, May 29, 2015 at 1:03 PM, Bernie Broughton
<b.broughton at sussex.ac.uk> wrote:
> Hi Josh,

Hi Bernie,


> I didn't upgrade Java but the server is managed by Puppet so it might. I'll investigate this.

Thanks. Keep us posted. Though there were certainly changes to OMERO
between 5.0.5 and 5.1 related to the POODLE bug**, I don't see how they
would be affecting the LDAP plugin. More likely would seem to be that
other services which also had POODLE problems have since been upgraded.

What was the up time on the previous server? i.e. when was the last
time you had restarted 5.0.5?

Cheers,
~Josh.


** https://www.openmicroscopy.org/site/products/omero/secvuln/2014-SV4-poodle


> full LDAP configuration:
>
> omero.ldap.base=OU=US,DC=ad,DC=susx,DC=ac,DC=uk
> omero.ldap.config=true
> omero.ldap.group_filter=(&(objectclass=group)(!(cn=*_g)))
> omero.ldap.group_mapping=name=cn
> omero.ldap.new_user_group=Public
> omero.ldap.password=xxxx
> omero.ldap.urls=ldaps://ad.susx.ac.uk
> omero.ldap.user_filter=(&(objectClass=user)(memberOf=CN=lifesci_omero_users,OU=AdHoc,OU=Groups,OU=US,DC=ad,DC=susx,DC=ac,DC=uk))
> omero.ldap.user_mapping=omeName=cn,firstName=givenName,lastName=sn,email=mail
> omero.ldap.username=CN=ldapbind,OU=Service Accounts,OU=US,DC=ad,DC=susx,DC=ac,DC=uk
> omero.security.keyStore=/var/omero/keystore.jks
> omero.security.keyStorePassword=xxxx
> omero.security.trustStore=/var/omero/keystore.jks
> omero.security.trustStorePassword=xxxx
>
> The configuration was copied over from the previous version without any change,
>
> Bernie
>
>> -----Original Message-----
>> From: ome-users [mailto:ome-users-bounces at lists.openmicroscopy.org.uk]
>> On Behalf Of Josh Moore
>> Sent: 29 May 2015 11:41
>> To: OME User Support List
>> Subject: Re: [ome-users] server certificate change is restrictedduring
>> renegotiation]
>>
>> On Fri, May 29, 2015 at 12:29 PM, Aleksandra Tarkowska (Staff)
>> <A.Tarkowska at dundee.ac.uk> wrote:
>> > Hi Bernie
>> >
>> > Is ad.susx.ac.uk SSL cert self signed? Did you import to Java keystore
>> > and then add
>> >
>> > bin/omero config set omero.security.keyStore "/etc/pki/java/cacerts"
>> > bin/omero config set omero.security.trustStore "/etc/pki/java/cacerts"
>>
>>
>> in addition, a few more questions based on the similarity to
>> http://stackoverflow.com/a/27359749, pointed out by Simon:
>>
>>  * was there a change in Java version involved in your upgrade? Even if not,
>> what version are you on?
>>
>>  * what does your LDAP configuration look like currently? (minus
>> passwords) I assume there was no change during the upgrade?
>>
>>  * had you made any configuration changes to etc/grid in the 5.0 server
>> directory?
>>
>>
>> ~Josh.
>>
>>
>> > Kind regards
>> > Ola
>>
>> > On 29/05/2015 11:18, "Bernie Broughton" <b.broughton at sussex.ac.uk>
>> wrote:
>> >
>> >>Hi,
>> >>
>> >>We upgraded from 5.0.5 to 5.1.1 three days ago successfully but are now
>> >>finding users can't authenticate using LDAP. Restarting the server
>> >>fixes the problem initially, but the problem returns within a very
>> >>short period (a minute or so).
>> >>
>> >>Checking the Blitz log I can see the error:
>> >>
>> >>org.springframework.ldap.CommunicationException: simple bind failed:
>> >>ad.susx.ac.uk:636; nested exception is
>> >>javax.naming.CommunicationException: simple bind failed:
>> >>ad.susx.ac.uk:636 [Root exception is javax.net.ssl.SSLHandshakeException:
>> >>server certificate change is restrictedduring renegotiation]
>> >>
>> >>Can anyone help with this please,
>> >>
>> >>Bernie Broughton
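The handshake error quoted at the end of this thread is raised by the JDK's TLS client when the server certificate seen during a renegotiation is not the same one it saw on the original handshake. A first thing to establish, then, is whether the LDAPS name is consistently presenting one certificate. The script below is an added example, not code from this thread or from OMERO: it resolves the name to every address behind it (a round-robin name is common for directory servers), reads the leaf certificate each address presents on a couple of connections, and groups them by fingerprint. The `analyse` step is pure, so it can be checked offline with constructed input; the host name in the usage line is a placeholder.

```python
# Added diagnostic (not part of the thread or of OMERO): does an LDAPS name
# present a single, stable server certificate across addresses/connections?
import hashlib
import socket
import ssl


def fetch_leaf_cert_der(address, port=636, server_name=None, timeout=5.0):
    """One TLS handshake with verification disabled, used only to read the
    leaf certificate the peer at `address` presents, as DER bytes."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((address, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name or address) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, for comparing with the
    entries in the configured keystore/truststore."""
    return hashlib.sha256(der).hexdigest()


def analyse(observations):
    """observations: list of (address, der_cert) pairs (constructed in the
    test). Returns each distinct fingerprint with the addresses that presented
    it, and whether the name is consistent, i.e. exactly one certificate."""
    by_fp = {}
    for address, der in observations:
        by_fp.setdefault(fingerprint(der), []).append(address)
    return {"consistent": len(by_fp) == 1, "certificates": by_fp}


def survey(hostname, port=636, samples=2):
    """Resolve hostname to all of its addresses and connect `samples` times
    to each, so both per-address and per-connection variation shows up."""
    infos = socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)
    addresses = sorted({info[4][0] for info in infos})
    seen = [(a, fetch_leaf_cert_der(a, port, hostname))
            for a in addresses for _ in range(samples)]
    return analyse(seen)


if __name__ == "__main__":
    import json
    import sys
    # Placeholder host name; pass the real LDAPS name as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.invalid"
    print(json.dumps(survey(target), indent=2))
```

If the report lists more than one fingerprint, the name is not serving a single certificate, which is the condition the JDK refuses during renegotiation; if it lists one, look elsewhere (Java version, trust store contents).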
