Updating the LDAP password in TIBCO Business Directory's LDAP Management page results in an "Invalid login attempt" error
Article ID: KB0073484
Updated On:
| Products | Versions |
|---|---|
| TIBCO Data Virtualization | All supported versions |
Description
Updating the LDAP password in TIBCO Business Directory's LDAP Management page for a secure LDAP server connection results in an Invalid login attempt error, although the login name and password are correct.
The cs_bd_server.log contains the following error trace:
-------------
ERROR [jetty thread pool-518] 2021-05-15 09:24:14.322 -0500 DefaultLdapDomainConnection - javax.naming.CommunicationException: simple bind failed: redwood.abccompany.com:636
... java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
....
Caused by: java.net.SocketException: Connection or outbound has closed
...
P KIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
-------------
The cs_bd_server.log contains the following error trace:
-------------
ERROR [jetty thread pool-518] 2021-05-15 09:24:14.322 -0500 DefaultLdapDomainConnection - javax.naming.CommunicationException: simple bind failed: redwood.abccompany.com:636
... java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
....
Caused by: java.net.SocketException: Connection or outbound has closed
...
P KIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
-------------
Issue/Introduction
Updating the LDAP password in TIBCO Business Directory's LDAP Management page results in an "Invalid login attempt" error when connecting to LDAP over SSL
Resolution
To authenticate the user, TDV first has to open an SSL connection to the secure LDAP server.
The error Connection or outbound has closed in the log indicates that the connection was closed before the function LdapClient.authenticate() could finish authenticating the user's login credentials. Consequently, the authentication failed.
The error PKIX path building failed provides the reason for the closure. It means that the connection was aborted because the LDAP server's certificate chain was found to be missing from the Business Directory truststore file.
To resolve the issue, the LDAP server's certificate chain needs to be imported into the Business Directory truststore file, which is:
<BD_INSTALL_DIR>/conf/server/security/ cis_server_truststore.jks
Note that the chain may be comprised of multiple certificates. Typically, a certificate chain is comprised of 3 certificates (Root, Intermediate, and Final). Each of these need to be imported.
Example
cd C:\Program Files\TIBCO\TDV BD Server 8.3\jdk\bin
keytool -import -trustcacerts -alias ldaproot -file Root.cer -keystore C:\Program Files\TIBCO\TDV BD Server 8.3\conf\server\security\cis_server_truststore.jks -storepass changeit
keytool -import -trustcacerts -alias ldapintermediate -file Intermediate.cer -keystore C:\Program Files\TIBCO\TDV BD Server 8.3\conf\server\security\cis_server_truststore.jks -storepass changeit
keytool -import -trustcacerts -alias ldapfinal -file Final.cer -keystore C:\Program Files\TIBCO\TDV BD Server 8.3\conf\server\security\cis_server_truststore.jks -storepass changeit
Once the import has been completed, restart Business Directory.
The error Connection or outbound has closed in the log indicates that the connection was closed before the function LdapClient.authenticate() could finish authenticating the user's login credentials. Consequently, the authentication failed.
The error PKIX path building failed provides the reason for the closure. It means that the connection was aborted because the LDAP server's certificate chain was found to be missing from the Business Directory truststore file.
To resolve the issue, the LDAP server's certificate chain needs to be imported into the Business Directory truststore file, which is:
<BD_INSTALL_DIR>/conf/server/security/ cis_server_truststore.jks
Note that the chain may be comprised of multiple certificates. Typically, a certificate chain is comprised of 3 certificates (Root, Intermediate, and Final). Each of these need to be imported.
Example
cd C:\Program Files\TIBCO\TDV BD Server 8.3\jdk\bin
keytool -import -trustcacerts -alias ldaproot -file Root.cer -keystore C:\Program Files\TIBCO\TDV BD Server 8.3\conf\server\security\cis_server_truststore.jks -storepass changeit
keytool -import -trustcacerts -alias ldapintermediate -file Intermediate.cer -keystore C:\Program Files\TIBCO\TDV BD Server 8.3\conf\server\security\cis_server_truststore.jks -storepass changeit
keytool -import -trustcacerts -alias ldapfinal -file Final.cer -keystore C:\Program Files\TIBCO\TDV BD Server 8.3\conf\server\security\cis_server_truststore.jks -storepass changeit
Once the import has been completed, restart Business Directory.
Additional Information
Feedback
Yes
No
Powered by
