LDAP Authentication is failing with a PKIX path building failed error

LDAP Authentication is failing with a PKIX path building failed error

book

Article ID: KB0070696

calendar_today

Updated On:

Products Versions
TIBCO Data Virtualization 8.2.x and higher

Description

LDAP Authentication is failing, and the TDV cs_server.log file shows a PKIX path building failed error as below.

----------------------
ERROR [jetty thread pool-226] 2019-11-18 11:42:34.998 -0500 DefaultLdapDomainConnection -
javax.naming.CommunicationException: simple bind failed: redwood.mycompany.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
        at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
        at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2795)
        at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:320)
        ...
        at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)
        at java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
        at com.compositesw.server.security.DefaultLdapDomainConnection.<init>(DefaultLdapDomainConnection.java:68)
        at com.compositesw.server.security.DefaultLdapDomainConnection.<init>(DefaultLdapDomainConnection.java:55)
----------------------

Resolution

The LDAP server is sending an SSL certificate to TDV. The problem is that TDV is unable to find this certificate in its (i.e. TDV's) truststore. Please do the following:
 
1.   Ask the LDAP admin to provide you with the public certificate. If this is a certificate chain, please ensure that the LDAP admin provides the complete chain (Example: Root.cer, Intermediate.cer, Final.cer)

2.   Use <TDV_INSTALL>\jdk\bin\keytool to import the certificates in the chain into the cis_server_truststore.jks file (located under <TDV_INSTALL>\conf\server\security) and into the cacert truststore file (located under TDV_INSTALL>\tdv82\jdk\lib\security) as in the example below.

Example
C:\apps\tdv82\jdk\bin\keytool -import -trustcacerts -alias ldapcert1 -file Root.cer  -keystore C:\apps\tdv82\conf\server\security\cis_server_truststore.jks -storepass changeit

C:\apps\tdv82\jdk\bin\keytool -import -trustcacerts -alias ldapcert2 -file Intermediate.cer  -keystore  C:\apps\tdv82\jdk\lib\security\cacerts -storepass changeit

C:\apps\tdv82\jdk\bin\keytool -import -trustcacerts -alias ldapcert3 -file Final.cer  -keystore  C:\apps\tdv82\jdk\lib\security\cacerts -storepass changeit

3.  Restart TDV.

Issue/Introduction

LDAP Authentication is failing with a PKIX path building failed error
Powered by Wolken Software