Resolution:
We have an LDAP/LDAPS-integrated TIBCO Administrator server (domain) with a TIBCO BusinessWorks machine added to it. The qualifying users and roles appear correctly in the TIBCO Administrator GUI. When we deploy a TIBCO BusinessWorks application that requires HTTP basic authentication of the client against an LDAP user, the basic authentication fails with the following error in the BusinessWorks application log:
Caused by: com.tibco.runtime.pool.ServerNotAvailableException: Server not available at address ldaps://xyz
.
.
.
.
Caused by: netscape.ldap.LDAPException: SSL connection to xyz.., Server certificate rejected by ChainVerifier (91); Cannot connect to the LDAP server
at netscape.ldap.factory.JSSESocketFactory.makeSocket(JSSESocketFactory.java:105)
at netscape.ldap.LDAPConnSetupMgr.connectServer(LDAPConnSetupMgr.java:418)
at netscape.ldap.LDAPConnSetupMgr.openSerial(LDAPConnSetupMgr.java:350)
at netscape.ldap.LDAPConnSetupMgr.connect(LDAPConnSetupMgr.java:244)
at netscape.ldap.LDAPConnSetupMgr.openConnection(LDAPConnSetupMgr.java:170)
at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:1042)
at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:924)
at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:876)
at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:1015)
at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:1025)
at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:970)
Resolution:
========
The cause of the above issue is the absence of the LDAP server's certificates in the JRE truststore of the TIBCO BusinessWorks machine, i.e. the LDAP certificates have not been imported into the <TIBCO_HOME>\tibcojre64\1.7.0\lib\security\cacerts file. When a BusinessWorks application receives a request from a client and tries to validate the user against LDAP, it has to open a connection to the LDAP server. During the TLS handshake the certificate chain presented by the LDAP server cannot be validated against any certificate in the TIBCO BusinessWorks truststore (cacerts), so the ChainVerifier rejects the server certificate and the connection fails. The BusinessWorks application then throws the above exception in the log file.
To correct this error do the following.
1). Get the correct and complete LDAP certificate chain from the LDAP administrator.
2). Import the certificate chain into the JRE truststore using the keytool with the "keytool -importcert" option. For more detail on this command refer to the keytool documentation at the following URL:
http://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html
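The two steps above, carried out as an added shell example (not TIBCO's own tooling): the chain is fetched from the LDAPS server with openssl s_client, split into one PEM file per certificate, and each certificate is imported into the BusinessWorks JRE cacerts with keytool -importcert. The host name, port 636, the TIBCO_HOME path and the truststore password are assumptions to replace with your own values.

```shell
#!/bin/sh
# Added example: import an LDAPS server's certificate chain into the
# BusinessWorks JRE truststore. Paths, host, port and password are assumptions.
set -eu

TIBCO_HOME="${TIBCO_HOME:-/opt/tibco}"             # assumption
CACERTS="$TIBCO_HOME/tibcojre64/1.7.0/lib/security/cacerts"
STOREPASS="${STOREPASS:-changeit}"                 # default JRE truststore password

# Print every certificate the LDAPS server sends in the handshake (PEM bundle).
# -showcerts returns the whole presented chain, not only the leaf certificate.
fetch_chain() {  # $1=host $2=port
  openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Split a PEM bundle ($1) into $2/cert-N.pem, one certificate per file,
# and print how many certificates were found.
split_chain() {  # $1=bundle file $2=output dir
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    n { print > out }
    /-----END CERTIFICATE-----/ { close(out) }
    END { print n + 0 }' "$1"
}

# Import each file under its own alias. keytool refuses an alias that already
# exists, so that case is reported and skipped instead of aborting the run.
import_chain() {  # $1=dir holding cert-N.pem files $2=alias prefix
  for f in "$1"/cert-*.pem; do
    cert_alias="$2-$(basename "$f" .pem)"
    keytool -importcert -noprompt -trustcacerts -file "$f" -alias "$cert_alias" \
      -keystore "$CACERTS" -storepass "$STOREPASS" >/dev/null 2>&1 \
      || echo "skipped $cert_alias (already present or import failed)"
  done
}

main() {  # $1=LDAPS host $2=port
  dir="$(mktemp -d)"
  fetch_chain "$1" "$2" > "$dir/chain.pem"
  echo "certificates in chain: $(split_chain "$dir/chain.pem" "$dir")"
  import_chain "$dir" "$1"
  # Verify: the new aliases must now be listed in the truststore.
  keytool -list -keystore "$CACERTS" -storepass "$STOREPASS" | grep -i "$1"
}

# Run only when a host is given, e.g. LDAP_HOST=ldap.example.com sh import.sh
if [ -n "${LDAP_HOST:-}" ]; then main "$LDAP_HOST" "${LDAP_PORT:-636}"; fi
```

Restart the BusinessWorks engine after the import so the running JVM re-reads cacerts.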
NOTE: If TIBCO BusinessWorks and TIBCO Administrator are on the same machine, the error does not occur, because the domain utility imports the LDAP certificates into that machine's cacerts file when the Administrator is integrated with LDAP/LDAPS. The issue occurs only when TIBCO Administrator and TIBCO BusinessWorks run on different servers, since the BusinessWorks server's truststore is never updated by that step.