Company Root CA Active Directory changed. AdminUI with Admin User Store not working.

Article ID: 136378


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
SITEMINDER

Issue/Introduction


The root CA for the Active Directory changed, and the AdminUI with the Admin User Store is no longer working.

The Policy Server UI (AdminUI) is configured to use the corporate Active Directory for admin logins.

The root CA within the company changed, and new root and intermediate certificates have been installed on the Active Directory.

Since then, logging in to the Policy Server Admin UI (AdminUI) is not possible.

The root and intermediate certificates have already been added to cert8.db on the Policy Server.

How can the new certificates be added to the AdminUI?

Here are the relevant errors from the AdminUI log file:

  [20:18:20,013 ERROR [ims.llsdk.directory.jndi] (MSC service thread 1-2) JBAS011843: Failed instantiate InitialContextFactory com.sun.jndi.ldap.LdapCtxFactory from classloader ModuleClassLoader for Module "deployment.iam_siteminder.ear.user_console.war:main" from Service Module Loader
  [20:18:20,181 ERROR [com.ca.commons.security.ssl.CustomDefaultStoreSSLSocketFactory] (MSC service thread 1-2) Failed to verify server certificate chain: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) [rt.jar:1.8.0_144]
      at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) [rt.jar:1.8.0_144]
      at sun.security.validator.Validator.validate(Validator.java:260) [rt.jar:1.8.0_144]
      at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) [jsse.jar:1.8.0_144]
      at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) [jsse.jar:1.8.0_144]
      at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:105) [jsse.jar:1.8.0_144]
      at com.ca.commons.security.ssl.CustomDefaultStoreSSLSocketFactory$TraceTrustManager.checkServerTrusted(CustomDefaultStoreSSLSocketFactory.java:137) [cacommons.jar:12.8.01.180128]

 

Resolution


Import the new root CA into the AdminUI trust store:

  # keytool -import -trustcacerts -alias <alias> -keystore "/{home_adminui}/standalone/configuration/trustStore.jks" -file <RootCA.cer>

List the keystore contents to confirm that the new certificate is there:

  # keytool -list -v -keystore ./trustStore.jks -storepass <password>

Then restart the AdminUI to resolve the issue.
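
The script below is an added example, not part of the original article or the product. It reproduces the failure and the fix offline: a trust store that holds only the old root rejects a directory certificate issued by the new root, and accepts it once the new root is added. It uses `openssl verify` with a PEM bundle as a stand-in for `trustStore.jks`; every key, certificate and name (`old-root`, `new-root`, `ad-ldaps`) is constructed, and intermediate certificates are not modelled.

```shell
#!/bin/sh
# Added example. Every key, certificate and name here is constructed in a temp dir.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed root CA (stand-in for a company root CA).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.cer" 2>/dev/null
}

# issue_leaf CA NAME: server certificate signed by CA (stand-in for the AD LDAPS cert).
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.cer" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.cer" 2>/dev/null
}

# chain_trusted BUNDLE CERT: succeeds only if CERT chains to a root in the PEM BUNDLE.
chain_trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca old-root
make_ca new-root
issue_leaf new-root ad-ldaps   # the directory now presents a cert from the new root

# Trust store as it was before the fix: only the old root is present.
cp "$WORK/old-root.cer" "$WORK/trust.pem"
if chain_trusted "$WORK/trust.pem" "$WORK/ad-ldaps.cer"; then BEFORE=trusted; else BEFORE=untrusted; fi

# Equivalent of the keytool -import step: add the new root to the trust store.
cat "$WORK/new-root.cer" >> "$WORK/trust.pem"
if chain_trusted "$WORK/trust.pem" "$WORK/ad-ldaps.cer"; then AFTER=trusted; else AFTER=untrusted; fi

echo "before import: $BEFORE / after import: $AFTER"
```

The same `chain_trusted` check can be run against the exported root CA file and the directory server's certificate before importing, to confirm that the file being imported is the issuer the server actually chains to.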