Which Certificate Store To Use For AD User Management Connector On WebLogic? (Doc ID 1366551.1)

Last updated on AUGUST 08, 2017

Applies to:

Identity Manager Connector - Version 9.1.1.7 and later
Information in this document applies to any platform.
**Checked for Relevance on 30-Apr-2013**

Goal

The AD User Management connector fails to connect to AD over SSL (LDAPS, port 636) with the following error:

Caused by: javax.naming.CommunicationException: simple bind failed: SERVERNAME.COMPANYNAME.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=COMPANYNAME Test Root CA, O=COMPANYNAME, C=US is not trusted; internal cause is: 
java.security.cert.CertPathValidatorException: Certificate chaining error]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:209)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2706)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:305)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:187)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:205)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:148)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:78)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:235)
at javax.naming.InitialContext.initializeDefaultInitCtx(InitialContext.java:318)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:348)
at javax.naming.InitialContext.internalInit(InitialContext.java:286)
at javax.naming.InitialContext.<init>(InitialContext.java:211)
at com.thortech.xl.integration.ActiveDirectory.test.ADServerConnectorTest.getLDAPConnection(Unknown Source)
at com.thortech.xl.integration.ActiveDirectory.test.ADServerConnectorTest.testBasicConnectivity(Unknown Source)
(Note: the error above is from the IBM JDK; other JDKs may give a slightly different message.)

This occurs even though a custom identity store and a custom trust store are configured in the WebLogic config.xml, and the AD SSL CA certificate has been added to the custom identity store:

 <key-stores>CustomIdentityAndCustomTrust</key-stores>
 <custom-identity-key-store-file-name>/opt/oracle/Middleware/wlserver_10.3/server/lib/identity_keystore.jks</custom-identity-key-store-file-name>
 <custom-identity-key-store-type>jks</custom-identity-key-store-type>
 <custom-identity-key-store-pass-phrase-encrypted>...</custom-identity-key-store-pass-phrase-encrypted>
 <custom-trust-key-store-file-name>/opt/oracle/Middleware/wlserver_10.3/server/lib/trust_keystore.jks</custom-trust-key-store-file-name>
 <custom-trust-key-store-type>jks</custom-trust-key-store-type>
 <custom-trust-key-store-pass-phrase-encrypted>...</custom-trust-key-store-pass-phrase-encrypted>

Adding the CA certificate to the default Java trust store (jre/lib/security/cacerts) does not resolve the issue either.

Which is the correct trust store to add the CA certificate to?
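The PKIX error above means that the JSSE trust manager used by the JNDI LDAP client did not find the issuing CA among the certificates it trusts. Before moving the certificate between stores, it is worth confirming which trust store the connector's JVM actually consults. The diagnostic below is an added example and is not part of this note or of the connector; the class name TrustStoreCheck, its argument layout and the hypothetical keystore passwords are my own, and the issuer DN is the placeholder value taken from the trace above. It reports whether the JVM's default trust manager accepts the issuer, and optionally checks the same issuer against explicit keystore files so the WebLogic custom trust store and the JVM's cacerts can be compared.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

// Added diagnostic, not part of the Oracle note or the AD connector.
// Usage: java [same -D flags as the OIM managed server] TrustStoreCheck "<issuer DN>" [keystorePath keystorePassword]...
public class TrustStoreCheck {

    // Issuer DN as it appears in the trace in this note; pass your own DN as the first argument.
    static final String DEFAULT_ISSUER = "CN=COMPANYNAME Test Root CA, O=COMPANYNAME, C=US";

    public static void main(String[] args) throws Exception {
        X500Principal wanted = new X500Principal(args.length > 0 ? args[0] : DEFAULT_ISSUER);

        // Identify which JVM is running: the store that matters is the one under this java.home,
        // or the one named by javax.net.ssl.trustStore if that property is set.
        System.out.println("java.home                = " + System.getProperty("java.home"));
        System.out.println("java.vendor              = " + System.getProperty("java.vendor"));
        System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore", "(unset)"));

        // Initialising the factory with a null KeyStore makes JSSE resolve its default trust store,
        // which is what SSLSocketFactory.getDefault(), and therefore a plain JNDI "ssl" context, uses.
        System.out.println("issuer accepted by JVM default trust manager: " + defaultTrustManagerAccepts(wanted));

        // Remaining arguments are (path, password) pairs for keystore files to inspect explicitly,
        // e.g. the WebLogic custom trust store and the JVM's jre/lib/security/cacerts.
        for (int i = 1; i + 1 < args.length; i += 2) {
            boolean present = keystoreHasSubject(args[i], args[i + 1].toCharArray(), wanted);
            System.out.println(args[i] + " contains issuer: " + present);
        }
    }

    // True if the JVM's default X509TrustManager lists a certificate with the given subject DN.
    static boolean defaultTrustManagerAccepts(X500Principal subject) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager t : tmf.getTrustManagers()) {
            if (!(t instanceof X509TrustManager)) {
                continue;
            }
            for (X509Certificate ca : ((X509TrustManager) t).getAcceptedIssuers()) {
                // X500Principal.equals() compares the DNs canonically, so formatting differences do not matter.
                if (ca.getSubjectX500Principal().equals(subject)) {
                    return true;
                }
            }
        }
        return false;
    }

    // True if the JKS file at path holds a certificate entry whose subject DN matches.
    static boolean keystoreHasSubject(String path, char[] password, X500Principal subject) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            Certificate c = ks.getCertificate(aliases.nextElement());
            if (c instanceof X509Certificate
                    && ((X509Certificate) c).getSubjectX500Principal().equals(subject)) {
                return true;
            }
        }
        return false;
    }
}
```

Run it with the same java binary and the same -D options the OIM managed server starts with (for example those set in setDomainEnv), otherwise it describes a different JVM than the one that failed. If the default trust manager does not accept the issuer while one of the listed files does, the certificate is in a store that this JVM's JSSE stack is not consulting: the trust store named in config.xml configures WebLogic's own SSL implementation and does not necessarily change what the JVM's default trust manager accepts, and a cacerts file under a different java.home than the one printed is simply not the one in use.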

Solution
