
Which Certificate Store To Use For AD User Management Connector On WebLogic? (Doc ID 1366551.1)

Last updated on JULY 21, 2020

Applies to:

Identity Manager Connector - Version 9.1.1.7 and later
Information in this document applies to any platform.
**Checked for Relevance on 30-Apr-2013**

Goal

The AD User Management connector fails to connect to AD over SSL with the following error:

Caused by: javax.naming.CommunicationException: simple bind failed: SERVERNAME.COMPANYNAME.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=COMPANYNAME Test Root CA, O=COMPANYNAME, C=US is not trusted; internal cause is: 
java.security.cert.CertPathValidatorException: Certificate chaining error]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:209)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2706)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:305)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:187)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:205)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:148)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:78)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:235)
at javax.naming.InitialContext.initializeDefaultInitCtx(InitialContext.java:318)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:348)
at javax.naming.InitialContext.internalInit(InitialContext.java:286)
at javax.naming.InitialContext.<init>(InitialContext.java:211)
at com.thortech.xl.integration.ActiveDirectory.test.ADServerConnectorTest.getLDAPConnection(Unknown Source)
at com.thortech.xl.integration.ActiveDirectory.test.ADServerConnectorTest.testBasicConnectivity(Unknown Source)
(Note: the above error is from the IBM JDK; other JDKs may give a slightly different message.)

This occurs even though a custom identity store is configured in WLS config.xml, and the AD SSL CA cert has been added to the custom identity store:

<key-stores>CustomIdentityAndCustomTrust</key-stores>
<custom-identity-key-store-file-name>/opt/oracle/Middleware/wlserver_10.3/server/lib/identity_keystore.jks</custom-identity-key-store-file-name>
<custom-identity-key-store-type>jks</custom-identity-key-store-type>
<custom-identity-key-store-pass-phrase-encrypted>...</custom-identity-key-store-pass-phrase-encrypted>
<custom-trust-key-store-file-name>/opt/oracle/Middleware/wlserver_10.3/server/lib/trust_keystore.jks</custom-trust-key-store-file-name>
<custom-trust-key-store-type>jks</custom-trust-key-store-type>
<custom-trust-key-store-pass-phrase-encrypted>...</custom-trust-key-store-pass-phrase-encrypted>

Adding it to the default Java cacerts trust store (jre/lib/security/cacerts) does not resolve the issue either.

Which is the correct trusted key store to add the CA certificate to?
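The following Java program is an added diagnostic (not part of this Oracle note or of the connector) that reproduces, offline, the PKIX path build the error above reports: it loads a JKS store and a PEM file holding the AD server's certificate chain (both paths and the store password are assumed command-line arguments, and the first certificate in the PEM file is assumed to be the server's own) and reports whether the chain builds to a trust anchor in that store. Only trusted-certificate entries in the store are used as anchors, so a CA that was imported as part of a private-key entry does not satisfy the check.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collection;

// Added diagnostic: does the given keystore trust the AD server's chain?
// Usage: java TrustStoreCheck <store.jks> <password> <server-chain.pem>
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        // "JKS" matches the store type in the config.xml excerpt above;
        // assumption: the store under test is JKS (use "PKCS12" otherwise).
        KeyStore store = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            store.load(in, args[1].toCharArray());
        }

        // PEM file with the server certificate first, then its issuers
        // (e.g. as printed by openssl s_client -showcerts, pasted into a file).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> chain;
        try (FileInputStream in = new FileInputStream(args[2])) {
            chain = cf.generateCertificates(in);
        }
        X509Certificate leaf = (X509Certificate) chain.iterator().next();

        // Trust anchors come only from TrustedCertificateEntry entries of the store.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(store, target);
        // Let the builder see the intermediates supplied with the server cert.
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(chain)));
        params.setRevocationEnabled(false); // offline: chain trust only, no CRL/OCSP

        try {
            PKIXCertPathBuilderResult result =
                (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("OK: chain builds to trust anchor "
                + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal()
                + " in " + args[0]);
        } catch (CertPathBuilderException e) {
            // Same failure class as "PKIX path building failed" in the connector log.
            System.out.println("FAIL: no path from server cert to an anchor in " + args[0]);
            System.out.println("  server cert subject: " + leaf.getSubjectX500Principal());
            System.out.println("  server cert issuer:  " + leaf.getIssuerX500Principal());
            System.out.println("  cause: " + e.getMessage());
        }
    }
}
```

Run it once against each candidate store (the custom trust store, the custom identity store, and jre/lib/security/cacerts) with the JDK the server actually uses; the store that reports OK is the one whose trust anchors cover the AD chain.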

Solution


