Which Certificate Store To Use For AD User Management Connector On WebLogic?
Last updated on AUGUST 08, 2017
Applies to:
Identity Manager Connector - Version 9.1.1.7 and laterInformation in this document applies to any platform.
**Checked for Relevance on 30-Apr-2013**
Goal
AD User Management connector fails connecting to AD over SSL, with the following error:
Caused by: javax.naming.CommunicationException: simple bind failed: SERVERNAME.COMPANYNAME.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
(note the above error is on IBM JDK and other JDK may give a slightly different message)java.security.cert.CertPathValidatorException: The certificate issued by CN=COMPANYNAME Test Root CA, O=COMPANYNAME, C=US is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error] at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:209) at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2706) at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:305) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:187) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:205) at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:148) at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:78) at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:235) at javax.naming.InitialContext.initializeDefaultInitCtx(InitialContext.java:318) at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:348) at javax.naming.InitialContext.internalInit(InitialContext.java:286) at javax.naming.InitialContext.(InitialContext.java:211) at com.thortech.xl.integration.ActiveDirectory.test.ADServerConnectorTest.getLDAPConnection(Unknown Source) at com.thortech.xl.integration.ActiveDirectory.test.ADServerConnectorTest.testBasicConnectivity(Unknown Source)
This occurs even though a custom identity store is configured in WLS config.xml, and the AD SSL CA cert has been added to the custom identity store:
<key-stores>CustomIdentityAndCustomTrust</key-stores>
<custom-identity-key-store-file-name>/opt/oracle/Middleware/wlserver_10.3/server/lib/identity_keystore.jks</custom-identity-key-store-file-name>
<custom-identity-key-store-type>jks</custom-identity-key-store-type>
<custom-identity-key-store-pass-phrase-encrypted>...</custom-identity-key-store-pass-phrase-encrypted>
<custom-trust-key-store-file-name>/opt/oracle/Middleware/wlserver_10.3/server/lib/trust_keystore.jks</custom-trust-key-store-file-name>
<custom-trust-key-store-type>jks</custom-trust-key-store-type>
<custom-trust-key-store-pass-phrase-encrypted>...</custom-trust-key-store-pass-phrase-encrypted>
<custom-identity-key-store-file-name>/opt/oracle/Middleware/wlserver_10.3/server/lib/identity_keystore.jks</custom-identity-key-store-file-name>
<custom-identity-key-store-type>jks</custom-identity-key-store-type>
<custom-identity-key-store-pass-phrase-encrypted>...</custom-identity-key-store-pass-phrase-encrypted>
<custom-trust-key-store-file-name>/opt/oracle/Middleware/wlserver_10.3/server/lib/trust_keystore.jks</custom-trust-key-store-file-name>
<custom-trust-key-store-type>jks</custom-trust-key-store-type>
<custom-trust-key-store-pass-phrase-encrypted>...</custom-trust-key-store-pass-phrase-encrypted>
Adding it to the default Java cacerts trust store (jre/lib/security/cacerts) does not resolve the issue either.
Which is the correct trusted key store to add the CA certificate to?
Solution
Sign In with your My Oracle Support account |
|
Don't have a My Oracle Support account? Click to get started |
My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms