Univiewer Management Server (UVMS) cannot connect to the LDAP server with SSL enabled. As a result, UVC users cannot log in to UVMS with their LDAP login.
Internal logins are still able to connect to the UVMS.
The unicheckldap command fails to connect to the LDAP server.
Error Message:
In the unicheckms or unicheckldap output:
Host: LDAP_SERVER Port: 636 SSL: true
cannot connect to ldap server: javax.naming.CommunicationException: simple bind failed: LDAP_SERVER :636 [Root exception is javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty]
FAILURE Host: LDAP_SERVER configuration is KO
****************************************
Or:
Host: LDAP_SERVER Port: 636 SSL: true
cannot connect to ldap server: javax.naming.CommunicationException: simple bind failed: LDAP_SERVER:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
FAILURE Host: LDAP_SERVER configuration is KO
****************************************
Component: Univiewer Management Server
Version: All
Cause type: Configuration
Root Cause: This error means that the LDAP SSL certificate trust chain has not been correctly imported into the UVMS keystore.
Re-import the LDAP SSL certificate as specified in the UVMS Administration manual, for example:
9.2.1.5 SSL Configuration
To use an LDAP directory in SSL mode, UVMS is not required to be configured in SSL mode.
The unissl command, located in the univiewer_server\<nodename>\app\bin\ folder, enables the SSL communication configuration between UVMS and LDAP.
The UVMS SSL architecture is described in section "SSL Communications" on page 67.
The following steps must be followed:
- Create a keystore / truststore (if necessary) with a unissl genstore command. Refer to section "Generate the keystore/truststore" on page 118.
- Add the LDAP certificate to the UVMS-approved certificates list with a unissl import command (refer to section "Import a certificate" on page 119).
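The two error messages above point at different truststore states, which tells you whether the genstore step or the import step is the one to redo. The following triage script is an added example, not part of the UVMS tooling or manual; its function and variable names are hypothetical, and the sample input is the page's own output with the LDAP_SERVER placeholder.

```python
import re

# Root-exception fragments from the two unicheckldap failures shown on this
# page, mapped to what the Java TLS stack is reporting in each case.
CAUSES = {
    "the trustAnchors parameter must be non-empty":
        "truststore is empty, missing or unreadable: no trusted certificate was loaded",
    "unable to find valid certification path to requested target":
        "truststore was loaded, but no entry chains to the LDAP server certificate",
}
HOST_RE = re.compile(r"Host:\s*(\S+)\s+Port:\s*(\d+)\s+SSL:\s*(true|false)")

# Sample input assembled from the two outputs quoted on this page (separators omitted).
SAMPLE = """Host: LDAP_SERVER Port: 636 SSL: true
cannot connect to ldap server: javax.naming.CommunicationException: simple bind failed: LDAP_SERVER :636 [Root exception is javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty]
FAILURE Host: LDAP_SERVER configuration is KO
Host: LDAP_SERVER Port: 636 SSL: true
cannot connect to ldap server: javax.naming.CommunicationException: simple bind failed: LDAP_SERVER:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
FAILURE Host: LDAP_SERVER configuration is KO"""


def triage(output):
    """Return one finding per 'Host: ... Port: ... SSL: ...' block in the output."""
    findings, current = [], None
    for line in output.splitlines():
        m = HOST_RE.search(line)
        if m:
            # A new host block starts; the FAILURE line has no 'Port:' and never matches.
            current = {"host": m.group(1), "port": int(m.group(2)),
                       "ssl": m.group(3) == "true", "cause": None, "failed": False}
            findings.append(current)
        elif current and "cannot connect to ldap server" in line:
            current["cause"] = next(
                (why for frag, why in CAUSES.items() if frag in line),
                "unrecognised error: read the root exception in the output")
        elif current and line.strip().startswith("FAILURE"):
            current["failed"] = True
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['host']}:{f['port']} ssl={f['ssl']} failed={f['failed']} -> {f['cause']}")
```

A "no trusted certificate was loaded" finding points at the keystore/truststore itself (the genstore step), while a "no entry chains" finding points at the LDAP certificate import.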
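Workaround:
Disable SSL between UVMS and the LDAP server. With SSL disabled, the LDAP simple bind is sent to the LDAP server unencrypted, so re-enable SSL once the certificate has been re-imported. To disable SSL:
1. In the data folder of the UVMS, back up the current ldap.xml, then edit ldap.xml.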
2. Replace the following two lines:
<port>636</port>
by
<port>389</port>
and
<SSL>YES</SSL>
by
<SSL>NO</SSL>
3. Restart the UVMS so that the modification takes effect.