How to fix Ops Manager LDAPS authentication problem due to keystore issue
Article ID: 293533
Updated On:
Products
Operations Manager
Issue/Introduction
Symptoms:
- Ops Man UI authentication fails with the generic error of "Unable to verify email or password. Please try again.".
- Ops Man UAA logs (/var/log/opsmanager/uaa.out) show this particular java exception about the certificate
Caused by: javax.naming.CommunicationException: simple bind failed: ldapsprod.domain:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
- Logging in via uaac cli also shows the same java exception
error response: { "error": "unauthorized", "error_description": "simple bind failed: ldapsprod.domain:636; nested exception is javax.naming.CommunicationException: simple bind failed: ldapsprod.domain:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]" }
Environment
Cause
It appears that the provided CA certificate is not being properly imported into the java keystore that the Ops Man UAA uses. This seems to be a bug in the Ops Man UAA.
Resolution
The workaround steps are as follows:
1) Log in to the Ops Man VM. Save the CA cert into a file somewhere.
2) Backup the current keystore.
3) Import the CA cert (replace /tmp/ldap.crt in the below example with the full path of your file). You will be asked to trust it, so just type 'yes'.
4) Restart the tempest-web service.
5) Wait a few moments for the restart to complete, and then try to log in again in Ops Man UI.
2) Backup the current keystore.
$ sudo -u tempest-web cp -p /home/tempest-web/uaa/jdk/jre/lib/security/cacerts /home/tempest-web/uaa/jdk/jre/lib/security/cacerts.orig
3) Import the CA cert (replace /tmp/ldap.crt in the below example with the full path of your file). You will be asked to trust it, so just type 'yes'.
$ sudo -u tempest-web /home/tempest-web/uaa/jdk/bin/keytool -importcert -file /tmp/ldap.crt -keystore /home/tempest-web/uaa/jdk/jre/lib/security/cacerts -storepass changeit
4) Restart the tempest-web service.
$ sudo service tempest-web restart
5) Wait a few moments for the restart to complete, and then try to log in again in Ops Man UI.
Feedback
Yes
No
Powered by
