Univiewer Management Server can not connect to the LDAP server with SSL

Article Id: 87268
Status: Published
Updated On: 15-04-2018 08:07
Legacy Id: 000013485
Products:
CA Automic Dollar Universe
Issue/Introduction:

Error Message :
On unicheckms or unicheckldap output:
***************************************
Host: LDAP_SERVER Port: 636 SSL: true
cannot connect to ldap server: javax.naming.CommunicationException: simple bind failed: LDAP_SERVER :636 [Root exception is javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty]
FAILURE Host: LDAP_SERVER configuration is KO
****************************************

Or:
****************************************
Host: LDAP_SERVER Port: 636 SSL: true
cannot connect to ldap server: javax.naming.CommunicationException: simple bind failed: LDAP_SERVER:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
FAILURE Host: LDAP_SERVER configuration is KO
****************************************

Patch level detected:Univiewer Management Server 4.0.00
Product Version: Univiewer Management Server version 6
Univiewer Management Server can not connect to the LDAP server with SSL enabled, as a results UVC users cannot login into UVMS with their LDAP login.
Internal logins are able to connect to the UVMS.
Unicheckldap command fails to connect to the LDAP server.

Cause:

Cause type:
Configuration
Root Cause: This error means that the LDAP SSL certificate has not been correctly imported on the UVMS.

Environment:

OS: All
OS Version: All

Resolution:

Please re-import the LDAP SSL certificate as specified in the UVMS Administration manual, example:
 

9.2.1.5 SSL Configuration

To use an LDAP directory in SSL mode, UVMS is not required to be configured in SSL mode.
The unissl command, located in the univiewer_server\<nodename>\app\bin\ folder enables the SSL communication configuration between UVMS and LDAP.
The UVMS SSL architecture is described in section "SSL Communications" on page 67.
The following steps must be followed:
- Create a keystore / trustore (if necessary) with a unissl genstore command. Refer to section "Generate the keystore/truststore" on page 118.
- Add the LDAP certificate to the UVMS-approved certificates list with a unissl import command (refer to section "Import a certificate" on page 119).



Fix Status: No Fix

Fix Version(s):
N/A

Additional Information:

Workaround :
Disable the SSL between UVMS and LDAP server,in order to do so:

1. On the folder data of the uvms, backup the current ldap.xml and then edit the file ldap.xml
2. Replace the following two lines:
<port>636</port>
by
<port>389</port>

and
<SSL>YES</SSL>
by
<SSL>NO</SSL>

3. Restart the UVMS to take into account the modification.