The root CA for our company active directory changed. AdminUI with admin user store not working.


Article ID: 136378


Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On SITEMINDER

Issue/Introduction

We have configured the Policy server UI to use our corporate Active Directory for admin logins.

The root CA for our company changed and new root and intermediate certificates were installed on Active Directory.

Now we are not able to log in to the Policy server admin UI.

We have added the root and intermediate certificates to cert8.db on the Policy server.

Please let us know how to add the new certs to the admin UI.


Here are the relevant errors from the admin UI log file:

20:18:20,013 ERROR [ims.llsdk.directory.jndi] (MSC service thread 1-2) JBAS011843: Failed instantiate InitialContextFactory com.sun.jndi.ldap.LdapCtxFactory from classloader ModuleClassLoader for Module "deployment.iam_siteminder.ear.user_console.war:main" from Service Module Loader

20:18:20,181 ERROR [com.ca.commons.security.ssl.CustomDefaultStoreSSLSocketFactory] (MSC service thread 1-2) Failed to verify server certificate chain: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) [rt.jar:1.8.0_144]
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) [rt.jar:1.8.0_144]
        at sun.security.validator.Validator.validate(Validator.java:260) [rt.jar:1.8.0_144]
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) [jsse.jar:1.8.0_144]
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) [jsse.jar:1.8.0_144]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:105) [jsse.jar:1.8.0_144]
        at com.ca.commons.security.ssl.CustomDefaultStoreSSLSocketFactory$TraceTrustManager.checkServerTrusted(CustomDefaultStoreSSLSocketFactory.java:137) [cacommons.jar:12.8.01.180128]

Resolution

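The Admin UI validates the Active Directory server certificate against its own Java trust store (trustStore.jks), not against cert8.db on the Policy server, so the new root CA has to be imported there: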


keytool -import -trustcacerts -alias <alias> -keystore "siteminder/adminui/standalone/configuration/trustStore.jks" -file <RootCA.cer>


List the keystore contents to confirm the certificate is present (run from the directory that contains trustStore.jks):


keytool -list -v -keystore ./trustStore.jks -storepass <password>



Restart the Admin UI so that it reloads the trust store.
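
The import can be checked before the restart by repeating the certificate validation that failed in the log, using only trustStore.jks as the trust anchor source. The following is an added example, not code from the product or from this article; the class name CheckLdapsTrust is hypothetical, and the Active Directory host and LDAPS port are values the operator supplies.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example (hypothetical class name). Usage, all values supplied by the operator:
//   java CheckLdapsTrust <path to trustStore.jks> <AD host> <LDAPS port>
// The trust store password is read from the console, not from the command line.
public class CheckLdapsTrust {
    public static void main(String[] args) throws Exception {
        if (args.length != 3 || System.console() == null) {
            System.err.println("usage: java CheckLdapsTrust <trustStore.jks> <host> <port> (run from a terminal)");
            System.exit(2);
        }
        char[] pass = System.console().readPassword("Trust store password: ");

        // Load only the Admin UI trust store, so the JRE's default cacerts cannot mask a missing CA.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[1], Integer.parseInt(args[2]))) {
            s.startHandshake(); // PKIX path building happens here; the host name is not checked
            System.out.println("OK: server chain validates against " + args[0]);
            for (Certificate c : s.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject=" + x.getSubjectX500Principal());
                System.out.println("  issuer =" + x.getIssuerX500Principal());
            }
        } catch (SSLHandshakeException e) {
            // Same failure class as in the Admin UI log: a CA in the chain is not in the store.
            System.out.println("FAIL: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

A FAIL result with "PKIX path building failed" after the import means a CA in the chain presented by the directory server is still absent from trustStore.jks; the printed issuer lines on a successful run show which CA each certificate chains to.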