IAM LDAP Authentication Error

book

Article ID: 222321

calendar_today

Updated On:

Products

Service Virtualization

Issue/Introduction

Configured DevTest IAM with LDAP(with SSL) configuration and able to test the connectivity. However, when trying to authenticate, getting below error:

 ERROR [org.keycloak.services] (default task-12) KC-SERVICES0055: Error when authenticating to LDAP: simple bind failed: LDAPS.HOSTNAME:636: javax.naming.CommunicationException: simple bind failed: LDAPS.HOSTNAME:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

Cause

This is because the IAM keystore did not had the LDAP server public key imported and the iam.keystore file was placed in /IdentityAccessManager instead of /IdentityAccessManager/certs/ folder.

Environment

Release : 10.6

Component : CA Application Test

Resolution

** Make sure that iam.keystore file is under /IdentityAccessManager/certs/

Follow below steps to make sure that we have right set of certificates downloaded from LDAP Server and used in IAM trust store.

- First delete all the existing certs from iam-truststore keystore in IAM machine. 

keytool -delete -alias mydomain -keystore iam-truststore.ks

- Make sure there are no entries in the iam-truststore.

keytool -list -v -keystore iam-truststore.ks

- Get the required cert files copied to the IAM machine.

- Now import these certs into iam-truststore. You may have a certificate chain in which case, start from root cert, then intermediate cert and then server cert.

keytool -import -trustcacerts -alias mydomain  -keystore iam-truststore.ks -storepass passphrase -file certificate.cer

- Check the all entries in iam-truststore.

keytool -list -v -keystore iam-truststore.ks

- Now restart the IAMService and test the connection and authentication from IAM portal.