Tech Tip: Unable to configure LDAP over SSL (LDAPS) for ADA, NFA or UCM

Document created by Rito_Garcia Employee on Sep 3, 2015Last modified by Rito_Garcia Employee on Sep 3, 2015
Version 2Show Document
  • View in full screen mode

Summary:


SsoConfig > Test LDAP, fails when using LDAP over SSL (LDAPS) and displays the following error:


Could not obtain a DirectoryContext.

javax.naming.CommunicationException: simple bind failed:...:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
Bind to the directory failed

 

Solution:


If the ADA, NFA or UCM server is using an LDAP certificate signed by a Certificate Authority (CA) that is not included in the Java cacerts file by default, the following configuration is required for LDAP connections to work properly via SSL. The default Java cacerts file stores root certificates for the most common CAs, such as VeriSign, GoDaddy..etc

Note: If the LDAP certificate is using a CA that does not have its root certificate included in the cacerts file by default you need to import it.  Intermediate certificates will also need to be imported if it applies.

Follow the steps below to import the LDAP certificate(s) into cacerts.

1. Open Windows Explorer and navigate to the cacerts file, which is located in the ...jre\lib\security subfolder and create a backup copy of the file before making any changes

ADA cacerts path:  X:\CA\jre\lib\security\cacerts
NFA 9.2 and prior versions cacerts path: C:\Program Files\Java\jre6\lib\security\cacerts
NFA 9.3+ cacerts path: X:\CA\NFA\jre\lib\security\cacerts
UCM cacerts path: X:\CA\jre7\lib\security\cacerts

2. Depending on the certificates received from the Certificate Authority, you may need to import an intermediate certificate and/or root certificate into the cacerts file.

Use the following syntax to import the certificate(s):

keytool -import -file <certificate_filename> -alias <alias> -trustcacerts -keystore <cacerts_file>


NFA Example:

keytool -import -file c:\certs\corp_root.cer -alias corp_root  -trustcacerts -keystore "X:\CA\NFA\jre\lib\security\cacerts"

Note: If multiple certificates are being imported, the alias specified for each certificate should be unique.

4. Type the password for the keystore at the “Password” prompt and press Enter.

Note: The default Java password for the cacerts file is “changeit”.

5. Type ‘y’ at the “Trust this certificate?” prompt and press Enter.


6. Open a command prompt on the ADA, NFA or UCM Console server and verify that NSLOOKUP command is able to resolve the name that the certificate was issued to.

Note: A HOSTS file can be used when the name cannot be resolved through DNS


7. Run the SsoConfig > Test LDAP again and confirm that error is resolved.

8. Confirm that login to ADA, NFA or UCM web portal works using the LDAP user.


This has also been posted in the Knowledge Base on Support.ca.com TEC1474313

Attachments

    Outcomes