Univiewer Management Server can not connect to the LDAP server with SSL
Article ID: 87268
Products
CA Automic Dollar Universe
Issue/Introduction
Error Message: On unicheckms or unicheckldap output:

***************************************
Host: LDAP_SERVER
Port: 636
SSL: true
cannot connect to ldap server: javax.naming.CommunicationException: simple bind failed: LDAP_SERVER :636 [Root exception is javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty]
FAILURE
Host: LDAP_SERVER configuration is KO
****************************************

Or:

****************************************
Host: LDAP_SERVER
Port: 636
SSL: true
cannot connect to ldap server: javax.naming.CommunicationException: simple bind failed: LDAP_SERVER:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
FAILURE
Host: LDAP_SERVER configuration is KO
****************************************

Patch level detected: Univiewer Management Server 4.0.00
Product Version: Univiewer Management Server version 6

Univiewer Management Server cannot connect to the LDAP server with SSL enabled. As a result, UVC users cannot log in to UVMS with their LDAP login. Internal logins are still able to connect to the UVMS. The unicheckldap command fails to connect to the LDAP server.
Cause
Cause type: Configuration
Root Cause: This error means that the LDAP SSL certificate has not been correctly imported on the UVMS.
Environment
OS: All
OS Version: All
Resolution
Re-import the LDAP SSL certificate as specified in the UVMS Administration manual, for example:

9.2.1.5 SSL Configuration

To use an LDAP directory in SSL mode, UVMS is not required to be configured in SSL mode. The unissl command, located in the univiewer_server\<nodename>\app\bin\ folder, enables the SSL communication configuration between UVMS and LDAP. The UVMS SSL architecture is described in section "SSL Communications" on page 67.

The following steps must be followed:
- Create a keystore / truststore (if necessary) with a unissl genstore command. Refer to section "Generate the keystore/truststore" on page 118.
- Add the LDAP certificate to the UVMS-approved certificates list with a unissl import command (refer to section "Import a certificate" on page 119).
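A stand-alone check to run after the import step, as an added example (it is not part of the UVMS manual or product): it lists the trust anchors JSSE finds in a truststore file and then attempts a TLS handshake with the LDAP server using only those anchors, which separates the two errors quoted in the Issue section. The class name LdapTrustCheck is hypothetical, and the truststore path, its password, the LDAP host and the port are arguments you supply for your installation.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added example, not a UVMS tool. Arguments are values for your installation:
//   java LdapTrustCheck <truststore-file> <store-password> <ldap-host> <port>
public class LdapTrustCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 4) throw new IllegalArgumentException("expected 4 arguments");
        // Load the truststore file with the JVM's default keystore type.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        // List the trust anchors JSSE derives from the file. An empty list is the
        // condition behind "the trustAnchors parameter must be non-empty".
        int anchors = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                System.out.println("anchor: " + ca.getSubjectX500Principal().getName());
                anchors++;
            }
        }
        if (anchors == 0) {
            System.out.println("KO: no trusted certificates in " + args[0]);
            System.exit(1);
        }
        // Handshake using only these anchors. "PKIX path building failed" here
        // means the LDAP server's chain does not lead to any anchor listed above.
        // Only the certificate chain is validated; the host name is not checked.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory()
                .createSocket(args[2], Integer.parseInt(args[3]))) {
            s.startHandshake();
            System.out.println("OK: server chain validates against the truststore");
        } catch (IOException e) {
            System.out.println("KO: " + e);
            System.exit(1);
        }
    }
}
```

If the listed anchors do not include the LDAP server's certificate or its issuing CA, the import did not reach the truststore file being checked.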
Fix Status: No Fix
Fix Version(s): N/A
Additional Information
Workaround: Disable SSL between the UVMS and the LDAP server. With SSL disabled, the LDAP simple bind on port 389, including the user's password, is sent unencrypted. To do so:

1. In the data folder of the UVMS, back up the current ldap.xml, then edit the file ldap.xml.
2. Replace the following two lines:
   <port>636</port> by <port>389</port>
   and
   <SSL>YES</SSL> by <SSL>NO</SSL>
3. Restart the UVMS so that the modification is taken into account.