Unable to import LDAP Cert for IAM truststore: PKIX path building failed

Article ID: 211216

Products

Service Virtualization

Issue/Introduction

We tried using IAM to import the previous LDAP settings from an earlier version of SV (10.3). The import appeared to work, but when we try to access we get a failure message. It appears that the bind may be failing. Per our earlier conversation we may need a meeting to resolve this. Thank you.

Cause

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
 at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)

Environment

Release : 10.6

Component :

Resolution

From the logs I see SSL-related errors:

ead.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)

 

The IAM iam-truststore.ks does not have the needed certificates from the LDAPS server.

Import the LDAPS server certificates into the iam-truststore.ks located in the folder DEVTEST_HOME/IdentityAccessManager.

Important note: make sure that, along with the server certificate, all the intermediate certificates and the Root CA certificate that are part of the certificate chain are imported into the IAM truststore.

Restart IAM.

 

Keytool commands to import:

keytool -keystore "$LISA_HOME/IdentityAccessManager/certs/iam-truststore.ks" -importcert -file /usr/certs/root.cer -alias devtest

keytool -keystore "$LISA_HOME/IdentityAccessManager/certs/iam-truststore.ks" -importcert -file /usr/certs/intermidiate.cer -alias devtest2

keytool -keystore "$LISA_HOME/IdentityAccessManager/certs/iam-truststore.ks" -importcert -file /usr/certs/final.cer -alias devtest3
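
The shell helpers below are an added example, not part of the original article or of the product: they split the certificate chain that an LDAPS server presents into one file per certificate and import each one under its own alias, since keytool rejects an alias that already exists. The function names, the alias prefix, the working directory and the host ldap.example.com are assumptions.

```shell
#!/bin/sh
# Added example; helper names, alias prefix and paths are assumptions.

# split_chain DIR: read text containing PEM certificates on stdin (for example
# the output of `openssl s_client -showcerts`), write each certificate to
# DIR/cert-N.pem in the order received, and print how many were written.
# Fails (non-zero status) if the input ends inside a certificate block.
split_chain() {
    dir=$1
    mkdir -p "$dir" || return 1
    awk -v dir="$dir" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { if (inside) exit 1; print n + 0 }
    '
}

# import_chain DIR KEYSTORE PREFIX: print each certificate's owner, issuer and
# fingerprints, then import it under a distinct alias (PREFIX-1, PREFIX-2, ...).
# keytool prompts for the keystore password and normally asks whether to trust
# each certificate; compare the fingerprints with values obtained from your CA
# before answering yes, because the chain was fetched over the network.
import_chain() {
    dir=$1 ks=$2 prefix=$3 i=1
    while [ -f "$dir/cert-$i.pem" ]; do
        keytool -printcert -file "$dir/cert-$i.pem" || return 1
        keytool -keystore "$ks" -importcert -file "$dir/cert-$i.pem" \
            -alias "$prefix-$i" || return 1
        i=$((i + 1))
    done
}

# Usage (ldap.example.com is a placeholder host):
#   openssl s_client -connect ldap.example.com:636 -showcerts </dev/null \
#       | split_chain /tmp/ldaps-chain
#   import_chain /tmp/ldaps-chain \
#       "$LISA_HOME/IdentityAccessManager/certs/iam-truststore.ks" ldaps
#   keytool -list -keystore "$LISA_HOME/IdentityAccessManager/certs/iam-truststore.ks"
```

A server often leaves the root CA out of the chain it sends, so if the PKIX error persists after the import, obtain the root certificate from the issuing CA and import it separately before restarting IAM.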