Can't connect to a LDAPS Server

Article ID: 215701

Products

CA Release Automation - Release Operations Center (Nolio)

Issue/Introduction

Unable to add a secondary SSL-enabled LDAP server to Release Automation through the ROC console; the attempt fails with the PKIX exception below.

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)

Environment

Release Automation 6.7  and above

Cause

Whenever Java connects to another application over SSL/TLS (for example an LDAPS server), the connection succeeds only if Java trusts the certificate that application presents. Trust in Java is governed by a keystore of trusted certificates (typically $JAVA_HOME/lib/security/cacerts), also known as the truststore.

This problem is therefore caused by a certificate that is not present in the Java truststore: Java does not trust the certificate presented by the LDAP server and fails to complete the connection.

This problem may also occur at ROC login after an upgrade of the NAC. The RA upgrade also upgrades the embedded JRE and installs a new cacerts file, so any certificates that had been added to the original cacerts for LDAP access can no longer be found.

Resolution

The exception below indicates that Java could not build a valid certification path to the requested target, that is, the LDAP server's certificate is not trusted.

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)

Import the LDAP server's SSL certificate into the "cacerts" truststore (required whenever a secured LDAP connection has been configured). The truststore used by Release Automation is stored in the RA_HOME/jre/lib/security folder.

Note: Take a backup of the cacerts file before performing the steps below.

Once the LDAP SSL certificate has been imported, perform the following steps:
* ./nolio_server.sh stop
* Restore or update the cacerts keystore file in the RA_HOME/jre/lib/security folder.
* ./nolio_server.sh start
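
The import itself, as an added example that is not part of the original article or of the product: fetch the certificate the LDAPS server presents, back up the RA truststore, import the certificate and confirm the entry. It assumes openssl and keytool are on PATH, that RA_HOME points at the Release Automation install, that the truststore password is the default "changeit", and the LDAP_HOST, LDAP_PORT and LDAP_ALIAS variables are placeholders you supply.

```sh
#!/bin/sh
# Added example (not code from the original article or from CA/Broadcom).
# Assumes openssl and keytool on PATH, RA_HOME set to the RA install and the
# default truststore password "changeit". LDAP_HOST/LDAP_PORT/LDAP_ALIAS are
# placeholders supplied by the operator.
set -eu

# Keep only the first PEM block from `openssl s_client -showcerts` output,
# i.e. the server's own certificate (later blocks are the issuing chain).
first_pem_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { exit }'
}

# Copy cacerts ($1) to a timestamped backup and print the backup path.
backup_cacerts() {
    bak="$1.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$1" "$bak"
    printf '%s\n' "$bak"
}

# Download the certificate presented on host:port ($1:$2) into file $3.
fetch_ldaps_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | first_pem_cert >"$3"
    [ -s "$3" ] || { echo "no certificate received from $1:$2" >&2; return 1; }
}

# Import PEM file $3 into truststore $1 under alias $2 with password $4,
# then list the alias; keytool exits non-zero if the alias is absent.
import_into_cacerts() {
    keytool -importcert -noprompt -trustcacerts \
        -alias "$2" -file "$3" -keystore "$1" -storepass "$4"
    keytool -list -alias "$2" -keystore "$1" -storepass "$4"
}

# Runs only when LDAP_HOST is set, so the functions can also be sourced.
# Usage: RA_HOME=/path/to/RA_HOME LDAP_HOST=ldap.example.test sh import_ldaps_cert.sh
if [ -n "${LDAP_HOST:-}" ]; then
    cacerts="${RA_HOME:?set RA_HOME to the Release Automation install}/jre/lib/security/cacerts"
    pem="$(mktemp)"
    backup_cacerts "$cacerts"
    fetch_ldaps_cert "$LDAP_HOST" "${LDAP_PORT:-636}" "$pem"
    import_into_cacerts "$cacerts" "${LDAP_ALIAS:-ldaps-$LDAP_HOST}" "$pem" "${STOREPASS:-changeit}"
    rm -f "$pem"
fi
```

Stop nolio_server.sh before changing the file and start it afterwards, as the steps above require. Because an RA upgrade installs a fresh cacerts, the import has to be repeated after each upgrade.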

Additional Information

To list the certificates in the cacerts file:

  • From a command prompt, change to the truststore folder: cd <path to jre/lib/security folder>
  • Then run: keytool -list -keystore .\cacerts > certs.out
  • The default cacerts password is: changeit