
Re: SSL for LDAP



The error means that the JVM doesn't trust the issuing CA on the remote side (ldap server).  You can get the CA path from the remote server using openssl:
openssl s_client -connect ldap.server.com:636

That will give you the certs in pem format as well as the chain up to the root.

Add the root CA and any intermediate CA certs into the cacerts used by Remedy.  You need to know which cacerts to update.  Most Java software uses the cacerts bundled with the JRE under jre/lib/security/cacerts by default.  You can optionally tell the JRE to use a different cacert using a command line argument: -Djavax.net.ssl.trustStore=/path/to/cacerts

Axton
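A script that carries out the steps above (fetch the chain with openssl, split it, import the CA certificates with keytool), added here as an example and not part of Axton's reply; the host, port, truststore path, password and alias names are assumptions:

```shell
#!/bin/sh
# Added example, not code from the thread: automate the steps Axton describes.
# fetch_chain pulls every certificate the LDAP server presents (openssl s_client
# -showcerts), split_chain writes one PEM file per certificate, and import_cas
# adds the CA certificates (everything after the leaf) to a Java truststore.
# Host, port, truststore path, password and alias prefix are assumptions.

# fetch_chain HOST PORT OUTFILE: save the presented chain, leaf first, as PEM.
fetch_chain() {
    # </dev/null closes the session once the handshake output has been printed.
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$3"
}

# split_chain INFILE OUTDIR: write cert-1.pem, cert-2.pem, ... into OUTDIR and
# print how many certificates were found (0 if the file holds none).
split_chain() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n); inblock = 1 }
        inblock { print > out }
        /-----END CERTIFICATE-----/ { inblock = 0; close(out) }
        END { print n + 0 }' "$1"
}

# import_cas CERTDIR TRUSTSTORE STOREPASS: import every certificate except
# cert-1.pem (the server's own leaf certificate) as a trusted CA.
# The default JRE cacerts password is "changeit".
import_cas() {
    for f in "$1"/cert-*.pem; do
        case "$f" in */cert-1.pem) continue ;; esac
        alias="ldap-ca-$(basename "$f" .pem)"
        # -noprompt answers the "Trust this certificate?" question for unattended runs.
        keytool -importcert -noprompt -trustcacerts -keystore "$2" \
            -storepass "$3" -alias "$alias" -file "$f"
    done
}

# Usage (assumed values):
#   fetch_chain ldap.server.com 636 /tmp/chain.pem
#   split_chain /tmp/chain.pem /tmp/chain          # prints e.g. 3
#   import_cas /tmp/chain "$JAVA_HOME/jre/lib/security/cacerts" changeit
# Many servers do not send the root itself; if the last certificate in the
# chain is not self-signed (check with: openssl x509 -in cert-N.pem -noout
# -issuer -subject), obtain the root from the CA and import it too.
```

After importing, restart the plugin server so the JVM reloads the truststore, and make sure the path you imported into is the same one the AREA configuration (or -Djavax.net.ssl.trustStore) points at.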

On Wed, Nov 9, 2016 at 6:19 PM, Fawver, Dustin <FAWVER@mail.etsu.edu> wrote:

Greetings!


I have been trying to get AREA to use LDAP over SSL now.  I followed the instructions over at https://docs.bmc.com/docs/display/public/brid91/Enabling+LDAP+plug-ins+for+SSL+connections+post-installation.  The systems administrator instructed me some time ago to go to one of our servers and export the security certificate from within Firefox.  I did that and used keytool to create the store.  I am getting the error message below.


<PLUGINSVR> <TNAME: pool-4-thread-3          > <ERROR> <ARPluginContext                                   > <                              ARPluginContext.java:176       > /* Wed Nov 09 2016 07:12:12.805 */  <AREA.LDAP>Ldap Authentication failed!javax.naming.CommunicationException: simple bind failed: jcdc1.etsu.edu:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]


Looking at the certificate chain, I saw that there was a GeoTrust CA cert and a GeoTrust SHA cert.  I exported those from the same server and added those to the trust store.  While searching for a solution, I found some people would add the certs to the primary Java cacerts store located in /jre/lib/security/.  I did that as well and specified the path for the primary cacerts store in the AREA LDAP configuration screen.  I am still receiving the error message.


Is there something else that I'm missing?  If I need to ask something else from the systems administrator, please let me know what to ask for.


Thanks in advance for your help!


--Dustin Fawver


HelpDesk Technician

East Tennessee State University

_ARSlist: "Where the Answers Are" and have been for 20 years_