Which Certificate Store To Use For AD User Management Connector On WebLogic?
(Doc ID 1366551.1)
Last updated on JULY 21, 2020
Applies to:
Identity Manager Connector - Version 9.1.1.7 and laterInformation in this document applies to any platform.
**Checked for Relevance on 30-Apr-2013**
Goal
AD User Management connector fails connecting to AD over SSL, with the following error:
Caused by: javax.naming.CommunicationException: simple bind failed: SERVERNAME.COMPANYNAME.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
(note the above error is on IBM JDK and other JDK may give a slightly different message)java.security.cert.CertPathValidatorException: The certificate issued by CN=COMPANYNAME Test Root CA, O=COMPANYNAME, C=US is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error] at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:209) at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2706) at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:305) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:187) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:205) at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:148) at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:78) at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:235) at javax.naming.InitialContext.initializeDefaultInitCtx(InitialContext.java:318) at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:348) at javax.naming.InitialContext.internalInit(InitialContext.java:286) at javax.naming.InitialContext.(InitialContext.java:211) at com.thortech.xl.integration.ActiveDirectory.test.ADServerConnectorTest.getLDAPConnection(Unknown Source) at com.thortech.xl.integration.ActiveDirectory.test.ADServerConnectorTest.testBasicConnectivity(Unknown Source)
This occurs even though a custom identity store is configured in WLS config.xml, and the AD SSL CA cert has been added to the custom identity store:
<key-stores>CustomIdentityAndCustomTrust</key-stores>
<custom-identity-key-store-file-name>/opt/oracle/Middleware/wlserver_10.3/server/lib/identity_keystore.jks</custom-identity-key-store-file-name>
<custom-identity-key-store-type>jks</custom-identity-key-store-type>
<custom-identity-key-store-pass-phrase-encrypted>...</custom-identity-key-store-pass-phrase-encrypted>
<custom-trust-key-store-file-name>/opt/oracle/Middleware/wlserver_10.3/server/lib/trust_keystore.jks</custom-trust-key-store-file-name>
<custom-trust-key-store-type>jks</custom-trust-key-store-type>
<custom-trust-key-store-pass-phrase-encrypted>...</custom-trust-key-store-pass-phrase-encrypted>
<custom-identity-key-store-file-name>/opt/oracle/Middleware/wlserver_10.3/server/lib/identity_keystore.jks</custom-identity-key-store-file-name>
<custom-identity-key-store-type>jks</custom-identity-key-store-type>
<custom-identity-key-store-pass-phrase-encrypted>...</custom-identity-key-store-pass-phrase-encrypted>
<custom-trust-key-store-file-name>/opt/oracle/Middleware/wlserver_10.3/server/lib/trust_keystore.jks</custom-trust-key-store-file-name>
<custom-trust-key-store-type>jks</custom-trust-key-store-type>
<custom-trust-key-store-pass-phrase-encrypted>...</custom-trust-key-store-pass-phrase-encrypted>
Adding it to the default Java cacerts trust store (jre/lib/security/cacerts) does not resolve the issue either.
Which is the correct trusted key store to add the CA certificate to?
Solution
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Goal |
| Solution |