LDAP Authentication is failing with a PKIX path building failed error

Article ID: KB0070696

Products Versions
TIBCO Data Virtualization 8.2.x and higher

Description

LDAP authentication fails, and the TDV cs_server.log file shows a PKIX path building failed error like the one below.

----------------------
ERROR [jetty thread pool-226] 2019-11-18 11:42:34.998 -0500 DefaultLdapDomainConnection -
javax.naming.CommunicationException: simple bind failed: redwood.mycompany.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
        at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
        at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2795)
        at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:320)
        ...
        at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)
        at java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
        at com.compositesw.server.security.DefaultLdapDomainConnection.<init>(DefaultLdapDomainConnection.java:68)
        at com.compositesw.server.security.DefaultLdapDomainConnection.<init>(DefaultLdapDomainConnection.java:55)
----------------------

Issue/Introduction

LDAP Authentication is failing with a PKIX path building failed error

Resolution

The LDAP server presents an SSL certificate to TDV during the connection, but TDV cannot find that certificate (or a CA that issued it) in its own truststore, so the PKIX path cannot be built. Please do the following:
 
1.   Ask the LDAP admin to provide you with the public certificate. If this is a certificate chain, please ensure that the LDAP admin provides the complete chain (Example: Root.cer, Intermediate.cer, Final.cer)

2.   Use <TDV_INSTALL>\jdk\bin\keytool to import the certificates in the chain into the cis_server_truststore.jks file (located under <TDV_INSTALL>\conf\server\security) and into the cacerts truststore file (located under <TDV_INSTALL>\jdk\lib\security), as in the example below. Each certificate needs its own alias within a given keystore.

Example (TDV installed under C:\apps\tdv82)

C:\apps\tdv82\jdk\bin\keytool -import -trustcacerts -alias ldapcert1 -file Root.cer -keystore C:\apps\tdv82\conf\server\security\cis_server_truststore.jks -storepass changeit

C:\apps\tdv82\jdk\bin\keytool -import -trustcacerts -alias ldapcert2 -file Intermediate.cer -keystore C:\apps\tdv82\jdk\lib\security\cacerts -storepass changeit

C:\apps\tdv82\jdk\bin\keytool -import -trustcacerts -alias ldapcert3 -file Final.cer -keystore C:\apps\tdv82\jdk\lib\security\cacerts -storepass changeit

3.   Restart TDV.