Replication fails when you have installed a CA cert

Article ID: 158745

Products

Security Information Manager

Issue/Introduction

You cannot set up replication if you have installed a CA cert.

Starting replication process
----------------------------
Opening master directory connection
Configuring NSS provider
A problem occured while attempting to talk to one of the directories
netscape.ldap.LDAPException: sun.security.validator.ValidatorException: No trusted certificate found (91)
    at com.symantec.cas.tools.replicate.security.LDAPSSLSocketFactory.makeSocket(LDAPSSLSocketFactory.java:136)
    at com.symantec.cas.tools.replicate.security.LDAPSSLSocketFactory.makeSocket(LDAPSSLSocketFactory.java:71)
    at netscape.ldap.LDAPConnSetupMgr.connectServer(LDAPConnSetupMgr.java:509)
    at netscape.ldap.LDAPConnSetupMgr.openSerial(LDAPConnSetupMgr.java:435)
    at netscape.ldap.LDAPConnSetupMgr.connect(LDAPConnSetupMgr.java:274)
    at netscape.ldap.LDAPConnSetupMgr.access$000(LDAPConnSetupMgr.java:44)
    at netscape.ldap.LDAPConnSetupMgr$1.run(LDAPConnSetupMgr.java:208)
    at java.lang.Thread.run(Unknown Source)

Cause

The CA cert is not installed on the machine you are using to set up replication.

Resolution

The error indicates that the machine you are using does not have your CA cert installed in the Java trust store (cacerts).
This document assumes you have installed a global Java to get the replication tool to work. If not, modify the command line below to show the actual path where Java is installed on your computer.

Download the CA cert and copy it to the path where Java is installed, usually C:\Program Files\<folder where Java is installed>\jre\bin

Run the keytool command

Click Start > Run.
In the Open text box, type cmd and click OK.
Change to the ..\jre\bin directory.
By default this is C:\Program Files\<where java is installed>\jre\bin
Run the command:

keytool.exe -importcert -trustcacerts -alias <cert-alias-name> -file <Location of exported certificate file> -keystore "C:\Program Files\<where your java is installed>\jre\lib\security\cacerts" -storepass changeit

Note: The <cert-alias-name> can be anything you want.
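
The same import as a PowerShell script that checks the certificate's fingerprint before trusting it and confirms the entry afterwards. This is an added example, not part of the original article or the product's tooling. The parameter names and the out-of-band SHA-256 fingerprint are assumptions, and $JavaHome must point at the jre folder of the Java the replication tool actually runs on.

```powershell
# Added example: verify a CA certificate, import it into cacerts, confirm the entry.
# All parameter values are supplied by the operator; none come from the article.
param(
    [Parameter(Mandatory)] [string] $JavaHome,        # the ...\jre folder of the Java in use
    [Parameter(Mandatory)] [string] $CertFile,        # exported CA certificate (DER or PEM)
    [Parameter(Mandatory)] [string] $Alias,           # any unused alias name
    [Parameter(Mandatory)] [string] $ExpectedSha256,  # fingerprint obtained out of band from the CA owner
    [string] $StorePass = 'changeit'                  # cacerts password used in the article's command
)
$ErrorActionPreference = 'Stop'

$keytool = Join-Path $JavaHome 'bin\keytool.exe'
$cacerts = Join-Path $JavaHome 'lib\security\cacerts'
foreach ($path in $keytool, $cacerts, $CertFile) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { throw "File not found: $path" }
}
$CertFile = (Resolve-Path -LiteralPath $CertFile).Path   # .NET needs an absolute path

# 1. Check the file is the certificate you expect before trusting it as a CA.
$cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertFile)
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
$wanted = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($actual -ne $wanted) { throw "SHA-256 fingerprint mismatch: file has $actual" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }
Write-Host "Subject: $($cert.Subject)  Expires: $($cert.NotAfter)"

# 2. Stop early if the alias is already taken (keytool exits non-zero when it is absent).
& $keytool -list -alias $Alias -keystore $cacerts -storepass $StorePass | Out-Null
if ($LASTEXITCODE -eq 0) { throw "Alias '$Alias' already exists in $cacerts" }

# 3. Import. -noprompt is acceptable here only because step 1 verified the fingerprint.
& $keytool -importcert -trustcacerts -noprompt -alias $Alias -file $CertFile `
    -keystore $cacerts -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw 'keytool import failed; check write access to cacerts' }

# 4. Confirm the entry is now in the store the replication tool will read.
& $keytool -list -alias $Alias -keystore $cacerts -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "Alias '$Alias' not found after import" }
```

Run it from an elevated prompt, since cacerts under C:\Program Files is normally writable only by administrators.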