Unable to import LDAP Cert for IAM trustore: PKIX path building failed:

Article ID: 211216


Products

Service Virtualization

Issue/Introduction

Using IAM to import the previous LDAP settings from an earlier version of SV (10.3).

The import appears to work, but on access the following messages come up:

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
 at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)

It appears that the LDAP bind may be failing.

Environment

Release : 10.7.2 with/without HF and Service Packs.

Component : Identity Access Manager (IAM)

Cause

The IAM iam-truststore.ks does not have the needed certificates from the LDAPS server.

Resolution

The logs show SSL-related errors:

thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)

The IAM iam-truststore.ks does not have the needed certificates from the LDAPS server.

  1. Import the LDAPS server certificates into iam-truststore.ks, located in the DEVTEST_HOME/IdentityAccessManager folder. Important: along with the server certificate, make sure that all intermediate certificates and the Root CA certificate that form the certificate chain are imported into the IAM trust store. A missing intermediate or root is exactly what makes the PKIX path builder fail.
  2. Restart IAM.

Keytool commands to import:

keytool -keystore "$LISA_HOME/IdentityAccessManager/certs/iam-truststore.ks" -importcert -file /usr/certs/root.cer -alias devtest

keytool -keystore "$LISA_HOME/IdentityAccessManager/certs/iam-truststore.ks" -importcert -file /usr/certs/intermediate.cer -alias devtest2

keytool -keystore "$LISA_HOME/IdentityAccessManager/certs/iam-truststore.ks" -importcert -file /usr/certs/final.cer -alias devtest3
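The error in the logs is raised by the JDK's PKIX path builder, so the quickest way to confirm the import before restarting IAM is to run the same check yourself: load iam-truststore.ks, take the LDAPS server certificate plus any intermediates, and ask CertPathBuilder whether a path to a trust anchor in the keystore can be built. The following Java program is an added example and is not part of this article or of the DevTest product; the truststore password, the file names and the class name are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

// Hypothetical diagnostic: reproduces the "PKIX path building failed" check against a truststore.
public class TruststoreChainCheck {

    // Load the truststore (JKS such as iam-truststore.ks, or PKCS12; the default
    // KeyStore type on modern JDKs reads both).
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Read every X.509 certificate from the given PEM or DER files.
    static List<X509Certificate> readCerts(String... files) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        for (String f : files) {
            try (InputStream in = new FileInputStream(f)) {
                for (Certificate c : cf.generateCertificates(in)) {
                    certs.add((X509Certificate) c);
                }
            }
        }
        return certs;
    }

    // True if a PKIX path from serverCert to a trusted entry in trustStore can be built,
    // using the supplied intermediates as the pool of candidate issuer certificates.
    static boolean chainBuilds(KeyStore trustStore, X509Certificate serverCert,
                               Collection<X509Certificate> intermediates) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(serverCert);

        PKIXBuilderParameters params;
        try {
            // Trust anchors are taken from the trusted-certificate entries of the keystore.
            params = new PKIXBuilderParameters(trustStore, target);
        } catch (InvalidAlgorithmParameterException e) {
            // Thrown when the keystore contains no trusted entries at all.
            System.out.println("Truststore has no trust anchors: " + e.getMessage());
            return false;
        }
        params.setRevocationEnabled(false); // offline check; CRL/OCSP is a separate concern

        List<X509Certificate> pool = new ArrayList<>(intermediates);
        pool.add(serverCert);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(pool)));
        try {
            PKIXCertPathBuilderResult result =
                    (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("Path built; trust anchor: "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
            return true;
        } catch (CertPathBuilderException e) {
            // Same failure the IAM log shows: no valid certification path to the target.
            System.out.println("PKIX path building failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: java TruststoreChainCheck <truststore> <password> "
                    + "<server.cer> [intermediate.cer ...]");
            System.exit(2);
        }
        KeyStore ts = loadTrustStore(args[0], args[1].toCharArray());
        X509Certificate server = readCerts(args[2]).get(0);
        List<X509Certificate> intermediates = new ArrayList<>();
        for (int i = 3; i < args.length; i++) {
            intermediates.addAll(readCerts(args[i]));
        }
        System.exit(chainBuilds(ts, server, intermediates) ? 0 : 1);
    }
}
```

Run it as, for example, java TruststoreChainCheck "$LISA_HOME/IdentityAccessManager/certs/iam-truststore.ks" <truststore-password> /usr/certs/final.cer /usr/certs/intermediate.cer. An exit status of 0 means the truststore now anchors the server's chain; a "PKIX path building failed" line points at a missing intermediate or root, and "no trust anchors" means the keytool imports did not land in the file IAM actually reads.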

DevTest 10.7.2 + SP3:

Import the LDAPS server certificates into the cacerts keystore located in the DevTest10.7.2\IdentityAccessManager\jdk\lib\security folder. Please review the Service Pack documentation.