IAM ldap authentication
Article ID: 77121
Updated On:
Products
CA Application Test
Service Virtualization
CA Continuous Application Insight (PathFinder)
CA Service Virtualization (DevTest / LISA / VSE / Application Test)
Issue/Introduction
How to make successful LDAPS connection from Identity Access Manager?
This is error I get when I verify the connection:
8-04-11 09:14:18,597 ERROR [org.keycloak.services] (default task-31) KC-SERVICES0055: Error when authenticating to LDAP: simple bind failed: NSROOT.NET:3269: javax.naming.CommunicationException: simple bind failed: NSROOT.NET:3269 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
Connecting LDAP over SSL in IAM
This is error I get when I verify the connection:
8-04-11 09:14:18,597 ERROR [org.keycloak.services] (default task-31) KC-SERVICES0055: Error when authenticating to LDAP: simple bind failed: NSROOT.NET:3269: javax.naming.CommunicationException: simple bind failed: NSROOT.NET:3269 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
Connecting LDAP over SSL in IAM
Environment
DEVTEST 10.3
Resolution
When connecting to LDAP over SSL, the SSL certificates should be imported to the trust store used by IAM.
Here are the steps to add the certificates to the trust store and make it available to IAM.
1. Use keytool to create a new truststore file or add trusted host certificates to an existing one:
$ keytool -import -alias HOSTDOMAIN -keystore truststore.jks -file host-certificate.cer
2. In the standalone.xml located in <INSTALL_DIR>/vscatalog/IdentityAccessManager/standalone/configuration/standalone.xml, search for <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">. Couple of lines down you will find multiple spi tags, add the below xml before <spi name="eventsStore">.
<spi name="truststore">
<provider name="file" enabled="true">
<properties>
<property name="file" value="path to your .jks file containing public certificates, that was created in before using the keytool"/>
<property name="password" value="password for the truststore"/>
<property name="hostname-verification-policy" value="WILDCARD"/>
<property name="disabled" value="false"/>
</properties>
</provider>
</spi>
3. Restart IAM.
After the above steps are complete , you would also have to configure the mapper
To create a mapper to assign a default role to a user or set of users:
Here are the steps to add the certificates to the trust store and make it available to IAM.
1. Use keytool to create a new truststore file or add trusted host certificates to an existing one:
$ keytool -import -alias HOSTDOMAIN -keystore truststore.jks -file host-certificate.cer
2. In the standalone.xml located in <INSTALL_DIR>/vscatalog/IdentityAccessManager/standalone/configuration/standalone.xml, search for <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">. Couple of lines down you will find multiple spi tags, add the below xml before <spi name="eventsStore">.
<spi name="truststore">
<provider name="file" enabled="true">
<properties>
<property name="file" value="path to your .jks file containing public certificates, that was created in before using the keytool"/>
<property name="password" value="password for the truststore"/>
<property name="hostname-verification-policy" value="WILDCARD"/>
<property name="disabled" value="false"/>
</properties>
</provider>
</spi>
3. Restart IAM.
After the above steps are complete , you would also have to configure the mapper
To create a mapper to assign a default role to a user or set of users:
By default, read only access is granted to a valid LDAP user.
- Click Create in the Mappers tab.
- Enter default_role_mapper as the mapper name.
- Choose hardcoded-ldap-role-mapper as the mapper type.
-
Enter virtual-service-catalog.service_catalog_user as the role.
Additional Information
https://docops.ca.com/devtest-solutions/10-3/en/using/using-virtual-service-catalog/configure-identity-and-access-manager
Feedback
Yes
No
Powered by
