[ome-users] server certificate change is restrictedduring renegotiation]

Bernie Broughton b.broughton at sussex.ac.uk
Fri May 29 13:08:48 BST 2015


Hi Josh,

I think:

Thu Apr 16 16:01 - 16:03  this year,

Bernie

> -----Original Message-----
> From: ome-users [mailto:ome-users-bounces at lists.openmicroscopy.org.uk]
> On Behalf Of Josh Moore
> Sent: 29 May 2015 12:24
> To: OME User Support List
> Subject: Re: [ome-users] server certificate change is restrictedduring
> renegotiation]
> 
> On Fri, May 29, 2015 at 1:03 PM, Bernie Broughton
> <b.broughton at sussex.ac.uk> wrote:
> > Hi Josh,
> 
> Hi Bernie,
> 
> 
> > I didn't upgrade Java but the server is managed by Puppet so it might. I'll
> investigate this.
> 
> Thanks. Keep us posted. Though there were certainly changes to OMERO
> between 5.0.5 and 5.1 related to the POODLE bug** I don't see how they
> would be affecting the LDAP plugin. More likely would seem to be that other
> services which also had POODLE problems have since been upgraded.
> 
> What was the up time on the previous server? i.e. when was the last time
> you had restarted 5.0.5?
> 
> Cheers,
> ~Josh.
> 
> 
> ** https://www.openmicroscopy.org/site/products/omero/secvuln/2014-SV4-poodle
> 
> 
> > full LDAP configuration:
> >
> > omero.ldap.base=OU=US,DC=ad,DC=susx,DC=ac,DC=uk
> > omero.ldap.config=true
> > omero.ldap.group_filter=(&(objectclass=group)(!(cn=*_g)))
> > omero.ldap.group_mapping=name=cn
> > omero.ldap.new_user_group=Public
> > omero.ldap.password=xxxx
> > omero.ldap.urls=ldaps://ad.susx.ac.uk
> >
> > omero.ldap.user_filter=(&(objectClass=user)(memberOf=CN=lifesci_omero_users,OU=AdHoc,OU=Groups,OU=US,DC=ad,DC=susx,DC=ac,DC=uk))
> > omero.ldap.user_mapping=omeName=cn,firstName=givenName,lastName=sn,email=mail
> > omero.ldap.username=CN=ldapbind,OU=Service Accounts,OU=US,DC=ad,DC=susx,DC=ac,DC=uk
> > omero.security.keyStore=/var/omero/keystore.jks
> > omero.security.keyStorePassword=xxxx
> > omero.security.trustStore=/var/omero/keystore.jks
> > omero.security.trustStorePassword=xxxx
> >
> > The configuration was copied over from the previous version without
> > any change,
> >
> > Bernie
> >
> >> -----Original Message-----
> >> From: ome-users
> >> [mailto:ome-users-bounces at lists.openmicroscopy.org.uk]
> >> On Behalf Of Josh Moore
> >> Sent: 29 May 2015 11:41
> >> To: OME User Support List
> >> Subject: Re: [ome-users] server certificate change is
> >> restrictedduring renegotiation]
> >>
> >> On Fri, May 29, 2015 at 12:29 PM, Aleksandra Tarkowska (Staff)
> >> <A.Tarkowska at dundee.ac.uk> wrote:
> >> > Hi Bernie
> >> >
> >> > Is ad.susx.ac.uk SSL cert self signed? Did you import to Java
> >> > keystone and then add
> >> >
> >> > bin/omero config set omero.security.keyStore "/etc/pki/java/cacerts"
> >> > bin/omero config set omero.security.trustStore "/etc/pki/java/cacerts"
> >>
> >>
> >> in addition, a few more questions based on the similarity to
> >> http://stackoverflow.com/a/27359749, pointed out by Simon:
> >>
> >>  * was there a change in Java version involved in your upgrade? Even
> >> if not, what version are you on?
> >>
> >>  * what does your LDAP configuration look like currently? (minus
> >> passwords) I assume there was no change during the upgrade?
> >>
> >>  * had you made any configuration changes to etc/grid in the 5.0
> >> server directory?
> >>
> >>
> >> ~Josh.
> >>
> >>
> >> > Kind regards
> >> > Ola
> >>
> >> > On 29/05/2015 11:18, "Bernie Broughton" <b.broughton at sussex.ac.uk>
> >> wrote:
> >> >
> >> >>Hi,
> >> >>
> >> >>We've upgraded from 5.0.5 to 5.1.1 3 days ago successfully but are
> >> >>now finding users can't authenticate using LDAP. Restarting the
> >> >>server fixes the problem initially but the problem returns within
> >> >>a very short period (a minute or so).
> >> >>
> >> >>Checking the Blitz log I can see the error:
> >> >>
> >> >>org.springframework.ldap.CommunicationException: simple bind failed:
> >> >>ad.susx.ac.uk:636; nested exception is
> >> >>javax.naming.CommunicationException: simple bind failed:
> >> >>ad.susx.ac.uk:636 [Root exception is
> >> >>javax.net.ssl.SSLHandshakeException:
> >> >>server certificate change is restrictedduring renegotiation]
> >> >>
> >> >>Can anyone help with this please,
> >> >>
> >> >>Bernie Broughton
> _______________________________________________
> ome-users mailing list
> ome-users at lists.openmicroscopy.org.uk
> http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-users
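The exception quoted in the thread is the JDK's renegotiation check refusing a server certificate that differs from the one seen on the initial handshake. The script below is an added diagnostic, not OMERO code and not something posted in the thread: it scans Blitz log lines for that exact error to collect the failing LDAP host:port, then probes an LDAPS endpoint repeatedly and records the SHA-256 fingerprint of the leaf certificate each connection receives, so an operator can tell whether one name is serving more than one certificate. The sample log lines are constructed from the text of the thread, the host `ldap.example.org` is a placeholder, and the probe validates against Python's default CA bundle rather than the JKS files named in the OMERO configuration, so a verification failure here says nothing about the Java trust store.

```python
"""Diagnose an LDAPS bind failure of the kind shown in the thread.

Added example (not OMERO project code). Two independent steps:
 1. scan Blitz log lines for the certificate-change handshake error and
    pull out the LDAP host:port that failed the simple bind;
 2. probe an endpoint several times and count distinct leaf certificates.
"""
import hashlib
import re
import socket
import ssl
from collections import Counter

# The JDK message in the thread is missing a space ("restrictedduring"),
# so match on the prefix that is stable across that spelling.
CERT_CHANGE_MARKER = "server certificate change is restricted"

# Pulls host:port out of "simple bind failed: host:port".
BIND_FAILED_RE = re.compile(
    r"simple bind failed:\s*(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d+)"
)

# Constructed log excerpt modelled on the Blitz log error quoted above.
SAMPLE_LOG = [
    "2015-05-29 11:02:13,411 ERROR [ome.security.auth.LdapImpl] (l.Server-2) "
    "org.springframework.ldap.CommunicationException: simple bind failed: "
    "ad.susx.ac.uk:636; nested exception is javax.naming.CommunicationException: "
    "simple bind failed: ad.susx.ac.uk:636 [Root exception is "
    "javax.net.ssl.SSLHandshakeException: server certificate change is "
    "restrictedduring renegotiation]",
    # An unrelated bind failure (wrong credentials) that must not be counted.
    "2015-05-29 11:03:02,007 ERROR [ome.security.auth.LdapImpl] (l.Server-4) "
    "org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - "
    "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error]",
    "2015-05-29 11:03:40,950 ERROR [ome.security.auth.LdapImpl] (l.Server-6) "
    "javax.naming.CommunicationException: simple bind failed: ad.susx.ac.uk:636 "
    "[Root exception is javax.net.ssl.SSLHandshakeException: server certificate "
    "change is restrictedduring renegotiation]",
]


def find_failed_binds(log_lines):
    """Return {'host:port': count} for log lines whose bind failed because of
    the renegotiation certificate-change check; other bind errors are ignored."""
    failures = Counter()
    for line in log_lines:
        if CERT_CHANGE_MARKER not in line:
            continue
        match = BIND_FAILED_RE.search(line)
        if match:
            failures[f"{match['host']}:{match['port']}"] += 1
    return dict(failures)


def leaf_fingerprint(host, port, timeout=5.0):
    """Open one TLS connection and return the SHA-256 fingerprint of the
    certificate the server presented. Hostname and chain verification stay on."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def probe_certificates(host, port, attempts=10):
    """Connect `attempts` times and return {fingerprint: times_seen}."""
    return dict(Counter(leaf_fingerprint(host, port) for _ in range(attempts)))


def certificate_is_stable(fingerprint_counts):
    """True when every connection in the sample saw the same leaf certificate."""
    return len(fingerprint_counts) == 1


if __name__ == "__main__":
    for endpoint, count in find_failed_binds(SAMPLE_LOG).items():
        print(f"{endpoint}: {count} bind failure(s) from the certificate-change check")
    # Placeholder endpoint; replace with the LDAPS host from your own log.
    seen = probe_certificates("ldap.example.org", 636)
    for fp, n in seen.items():
        print(f"{n:2d}x {fp}")
    print("stable" if certificate_is_stable(seen) else "MORE THAN ONE CERTIFICATE SEEN")
```

If the probe reports more than one fingerprint, the endpoint is the thing to fix (or the Java side must reach a consistently configured server); if it reports one, the log scan still tells you how often and against which host the JDK check fires, which is the evidence to compare with the Java version and keystore questions raised in the thread.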
