
unable to find valid certification path to requested target


I'm attempting to configure LDAPS with SSPR. Following these docs:
http://tinyurl.com/lqt56j6

I've exported the cert.der via iManager and followed these instructions
to import the cert into my JAVA_HOME\lib\security\cacerts .. NOTE: this
is the same Java which runs my tomcat instance.

After saving the configuration I get:
LDAP WARN error connecting to ldap directory: unable to create
connection: unable to connect to any configured ldap url, last error:
unable to bind to ldaps://192.168.0.164:636 as cn=PwmProxy,ou=sa,o=data
reason: CommunicationException (192.168.0.164:636;
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target)

Catalina.out:
2013-07-17 08:53:49, WARN , provider.FailOverWrapper, unable to reach
ldap server ldaps://192.168.0.164:636
2013-07-17 08:53:49, DEBUG, wordlist.SharedHistoryManager, skipping
wordDB reduce operation, eldestEntry=14m, maxAge=28d:12h
2013-07-17 08:53:49, TRACE, servlet.ResourceFileServlet, {0} GET request
for: /sspr/resources/favicon.ico (no params)
[0:0:0:0:0:0:0:1%0/localhost]
2013-07-17 08:53:49, TRACE, servlet.ResourceFileServlet, {0} GET request
for: /sspr/resources/favicon.ico (no params)
[0:0:0:0:0:0:0:1%0/localhost]
2013-07-17 08:53:49, DEBUG, provider.FailOverWrapper, error connecting
to ldap server, will retry, unable to bind to ldaps://192.168.0.164:636
as cn=PwmProxy,ou=sa,o=data reason: CommunicationException
(192.168.0.164:636; sun.security.validator.ValidatorException: PKIX path
building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target)
2013-07-17 08:53:49, DEBUG, provider.ChaiProviderFactory, unable to
create connection:
com.novell.ldapchai.exception.ChaiUnavailableException:unable to connect
to any configured ldap url, last error: unable to bind to
ldaps://192.168.0.164:636 as cn=PwmProxy,ou=sa,o=data reason:
CommunicationException (192.168.0.164:636;
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target)
2013-07-17 08:53:49, TRACE, util.Helper, externalJudgeMethod
'password.pwm.PwmPasswordJudge' returned a value of 46
2013-07-17 08:53:49, TRACE, health.HealthMonitor, health check process
completed
2013-07-17 08:53:50, DEBUG, provider.FailOverWrapper, error connecting
to ldap server, will retry, unable to bind to ldaps://192.168.0.164:636
as cn=PwmProxy,ou=sa,o=data reason: CommunicationException
(192.168.0.164:636; sun.security.validator.ValidatorException: PKIX path
building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target)
2013-07-17 08:53:50, DEBUG, provider.ChaiProviderFactory, unable to
create connection:
com.novell.ldapchai.exception.ChaiUnavailableException:unable to connect
to any configured ldap url, last error: unable to bind to
ldaps://192.168.0.164:636 as cn=PwmProxy,ou=sa,o=data reason:
CommunicationException (192.168.0.164:636;
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target)


--
icsynergymg
View this thread: https://forums.netiq.com/showthread.php?t=48211


Re: unable to find valid certification path to requested target

What were the EXACT steps you used to generate the cert.der and then to
import it into the keystore? My guess is you exported the wrong
certificate data from eDirectory via iManager, but maybe you imported
things incorrectly into the truststore/keystore. The more details the
merrier. While the instructions in the doc may be pretty close, they
would not work if used exactly, so seeing what actually happened would help me.

If possible I'd recommend testing the certificate using openssl before
importing it into the truststore since that last step is pointless if the
wrong cert is retrieved. This can be done using a command like the following:

Code:
----------
openssl s_client -connect 192.168.0.164:636 -CAfile /path/to/cert.pem
----------

Good luck.
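As an added example (not part of the reply above), the s_client check can be turned into a small triage script: it reads the OpenSSL verify result, names the issuer CA that the Java truststore is actually missing, and only then imports that CA into the JRE running Tomcat. The host, alias, JRE path and the sample s_client output are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread: triage a "PKIX path building
# failed" error from `openssl s_client` output before touching the Java
# truststore. Host, alias, paths and the sample output are constructed.
# Fetch the server's chain. Usage: fetch_chain 192.168.0.164:636 > chain.txt
fetch_chain() {
    openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null
}

# Read s_client output on stdin; print the numeric "Verify return code".
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Issuer of the depth-0 (server) cert: that CA, not the server cert itself,
# is what cacerts needs for a path to build.
server_issuer() {
    awk '/^Certificate chain/ {c = 1; next}
         c && /^ *0 s:/ {getline; sub(/^ *i:/, ""); print; exit}'
}
# Map the verify result to an action: ok / missing-ca:<issuer> / other:<code>.
triage() {
    sc_out=$(cat)
    code=$(printf '%s\n' "$sc_out" | verify_code)
    case "$code" in
        0)          echo "ok" ;;
        2|19|20|21) echo "missing-ca:$(printf '%s\n' "$sc_out" | server_issuer)" ;;
        *)          echo "other:${code:-none}" ;;
    esac
}

# Import the CA (PEM) into the JRE that actually runs Tomcat and confirm it.
import_ca() {  # import_ca ca.pem edir-ca /path/to/jre
    cacerts="$3/lib/security/cacerts"
    keytool -importcert -trustcacerts -noprompt -alias "$2" -file "$1" \
        -keystore "$cacerts" -storepass changeit &&
    keytool -list -alias "$2" -keystore "$cacerts" -storepass changeit
}

# Constructed s_client output for a self-signed eDirectory tree CA.
SAMPLE='CONNECTED(00000003)
---
Certificate chain
 0 s:/O=data/CN=ldap.example.test
   i:/O=TREE/OU=Organizational CA
---
    Verify return code: 19 (self signed certificate in certificate chain)'
printf '%s\n' "$SAMPLE" | triage   # prints: missing-ca:/O=TREE/OU=Organizational CA
```

Run `fetch_chain host:636 | triage` against the real server; a `missing-ca:` result names the CA to export from eDirectory, and a verify code other than the listed ones points at a problem no truststore import will fix.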