Clarity

  • 1.  Synchronize new and changed users job failed

    Posted Oct 17, 2018 08:48 AM

    Hi guys!!

    I need your help.

    The error log below shows the problem in communication between CA PPM and the LDAP server.

    In CSA, the LDAP address is 10.58.90.69, but in table cmn_directory_servers, the host_url is different.

    The created_by and last_update_by are -99.

    Is that a bug?

    ERROR 2018-10-17 09:03:30,181 [Dispatch LDAP - Sincronizar usuários novos e alterados : bg@ppmhx05b (tenant=clarity)] niku.njs (clarity:daniel.barros:45683996__9D27197A-C58F-4FDA-9C6D-49E94AB29CE4:LDAP - Sincronizar usuários novos e alterados)
    Error executing job: 5783042 java.lang.Exception: Synchronize new and changed users job failed: com.niku.security.directory.DirectoryServiceException: importUsers():Could not talk with the Directory Server. Possible causes: 1) Directory server is down, 2) Machine where bgserver is running is not able to communicate with Directory server.Contact your Directory server administrator.
        at com.niku.security.directory.LDAPAddModifySyncAgent.scheduledEventFired(LDAPAddModifySyncAgent.java:60)
        at com.niku.njs.Dispatcher$BGTask.run(Dispatcher.java:393)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
        at com.niku.security.directory.LDAPDirectoryService.importUsers(LDAPDirectoryService.java:487)
        at com.niku.security.directory.LDAPAddModifySyncAgent.scheduledEventFired(LDAPAddModifySyncAgent.java:48)
        at com.niku.njs.Dispatcher$BGTask.run(Dispatcher.java:393)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
    Caused by: javax.naming.CommunicationException: simple bind failed: 10.58.90.69:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
        at javax.naming.InitialContext.init(InitialContext.java:244)
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
        at com.niku.security.directory.LDAPDirectoryService.getSearchDirContext(LDAPDirectoryService.java:1077)
        at com.niku.security.directory.LDAPDirectoryService.paginatedSearch(LDAPDirectoryService.java:328)
        at com.niku.security.directory.LDAPDirectoryService.performFilteringSearch(LDAPDirectoryService.java:529)
        at com.niku.security.directory.LDAPDirectoryService.importUsers(LDAPDirectoryService.java:408)
        ... 5 more

    CA PPM 15.2 version

    Thank you!!

    Daniel Barros



  • 2.  Re: Synchronize new and changed users job failed

    Broadcom Employee
    Posted Oct 17, 2018 10:10 AM

    Hi Daniel,

    From the error description it seems to be an issue with your LDAP server certificate. Ensure that the certificate has been imported into your Java keystore and configured in CSA.

    The link below describes how to import a certificate into the Java keystore.

    Import Individual Certificates into your Keystore - Reflection for Secure IT Gateway - Administrator’s Guide

    Thanks,

    Bhargav.
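An added example, not code from this thread or from CA PPM, showing how to tell the two cases hidden behind the job's generic "Could not talk with the Directory Server" text apart by walking the Java exception chain in the bg log: a network failure versus a TLS trust failure like the PKIX one above. The two log samples are constructed and abbreviated from the shape of Daniel's trace; the category names, the remediation strings and the regular expressions are my own.

```python
"""Classify a CA PPM "Synchronize new and changed users" failure from its
Java exception chain.  Added illustration, not CA PPM code: it walks the
nested "Caused by:" / "Root exception is" chain in a bg log excerpt and
separates what the generic "Could not talk with the Directory Server"
message lumps together, a network problem and a TLS trust problem."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample traces, abbreviated from the shape seen in the thread.
PKIX_SAMPLE = (
    "ERROR 2018-10-17 09:03:30,181 [Dispatch LDAP : bg@ppmhx05b (tenant=clarity)] niku.njs "
    "Error executing job: 5783042 java.lang.Exception: Synchronize new and changed users "
    "job failed: com.niku.security.directory.DirectoryServiceException: importUsers():"
    "Could not talk with the Directory Server. "
    "Caused by: javax.naming.CommunicationException: simple bind failed: 10.58.90.69:636 "
    "[Root exception is javax.net.ssl.SSLHandshakeException: "
    "sun.security.validator.ValidatorException: PKIX path building failed: "
    "sun.security.provider.certpath.SunCertPathBuilderException: "
    "unable to find valid certification path to requested target]"
)
NETWORK_SAMPLE = (
    "ERROR 2018-10-17 09:10:00,000 [Dispatch LDAP : bg@ppmhx05b (tenant=clarity)] niku.njs "
    "Error executing job: 5783043 java.lang.Exception: Synchronize new and changed users "
    "job failed: com.niku.security.directory.DirectoryServiceException: importUsers():"
    "Could not talk with the Directory Server. "
    "Caused by: javax.naming.CommunicationException: 10.58.90.69:636 "
    "[Root exception is java.net.ConnectException: Connection refused]"
)

# Fully qualified Java exception class names, in the order they appear in the text.
EXCEPTION_RE = re.compile(r"\b((?:[a-z_]\w*\.)+\w*(?:Exception|Error))\b")
# host:port that JNDI reports for the failed connection or bind.
ENDPOINT_RE = re.compile(r"(?:bind failed:|CommunicationException:)\s*([A-Za-z0-9.-]+):(\d+)")

REMEDIATION = {
    "untrusted_server_certificate": (
        "The bg service's JRE does not trust the certificate presented on the LDAPS port. "
        "Obtain the server's chain (for example with openssl s_client -showcerts), import the "
        "issuing CA into the truststore that JRE actually loads (keytool -importcert), restart bg."
    ),
    "tls_handshake_failure": (
        "TLS negotiation failed for a reason other than trust (protocol or cipher mismatch, "
        "hostname mismatch); compare the server's TLS settings with the JRE's."
    ),
    "network_unreachable": (
        "The bg host cannot reach the directory server at all; check DNS, routing and firewall "
        "rules between the bg server and the LDAP endpoint before touching certificates."
    ),
    "bind_credentials_rejected": (
        "The connection worked but the bind DN or password configured in CSA was refused."
    ),
    "unknown": "No recognised root cause; inspect the full chain by hand.",
}


@dataclass
class Diagnosis:
    host: Optional[str]
    port: Optional[int]
    exceptions: List[str]   # outermost first; the last entry is the root cause
    category: str
    remediation: str


def classify(text: str, exceptions: List[str]) -> str:
    """Map the exception chain to one of the categories above (my own naming)."""
    simple = {e.rsplit(".", 1)[-1] for e in exceptions}
    if "PKIX path building failed" in text or "SunCertPathBuilderException" in simple:
        return "untrusted_server_certificate"
    if "SSLHandshakeException" in simple or "SSLException" in simple:
        return "tls_handshake_failure"
    if simple & {"ConnectException", "UnknownHostException",
                 "SocketTimeoutException", "NoRouteToHostException"}:
        return "network_unreachable"
    if "AuthenticationException" in simple:
        return "bind_credentials_rejected"
    return "unknown"


def diagnose(log_text: str) -> Diagnosis:
    text = " ".join(log_text.split())   # pasted logs are often wrapped; normalise whitespace
    exceptions = list(dict.fromkeys(EXCEPTION_RE.findall(text)))
    m = ENDPOINT_RE.search(text)
    host, port = (m.group(1), int(m.group(2))) if m else (None, None)
    category = classify(text, exceptions)
    return Diagnosis(host, port, exceptions, category, REMEDIATION[category])


if __name__ == "__main__":
    for sample in (PKIX_SAMPLE, NETWORK_SAMPLE):
        d = diagnose(sample)
        print(f"{d.host}:{d.port} -> {d.category}")
        print(f"  root cause: {d.exceptions[-1]}")
        print(f"  {d.remediation}")
```

Paste the bg log excerpt into `diagnose()` and read the root-cause class and endpoint off the result instead of the outer message. For the trust case the check after importing the CA is `keytool -list` against the truststore the bg JRE actually loads (not necessarily the only cacerts file on the box), followed by a rerun of the job.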



  • 3.  Re: Synchronize new and changed users job failed

    Posted Oct 17, 2018 10:48 AM

    kanbh04 wrote:

    Hi Daniel,

    From the error description it seems to be an issue with your LDAP server certificate. Ensure that the certificate has been imported into your Java keystore and configured in CSA.

    The link below describes how to import a certificate into the Java keystore.

    Import Individual Certificates into your Keystore - Reflection for Secure IT Gateway - Administrator’s Guide

    Thanks,

    Bhargav.

    Hi Bhargav!!

    I'll try!!

    Thank you very much!



  • 4.  Re: Synchronize new and changed users job failed
    Best Answer

    Posted Oct 18, 2018 12:00 PM

    That was good advice, it is looking exactly like a certificate / server trust issue.

    Just to explain as well, the record you see in the table is for when the job last ran successfully (it looks like it was run/tested over a year ago and not again since then). That will be why the IP address in the url in the table looks different.

    The job uses the last time that it ran from that table to determine what to request from the LDAP server.

    If there are no records in the table, it will do a 'full sync' of everyone. If you run the job frequently and successfully, it will instead only look for users that have been added/updated in LDAP since that last time, which will be a quicker incremental run.

    So you would not see any new records in that table until it can successfully connect again.
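An added example, not CA PPM's implementation, modelling the watermark behaviour Nick describes: the stored timestamp of the last successful run decides between a full sync and an incremental one, and a run that cannot connect leaves it untouched. The `SyncState` class, the in-memory directory and the use of Active Directory's `whenChanged` attribute in the filter are my assumptions for illustration; CA PPM's actual filter and the column holding the timestamp are not shown in the thread.

```python
"""Model of the last-successful-run watermark behind the LDAP sync job.
Added illustration, not CA PPM's implementation: it shows why a run that
cannot connect leaves the stored timestamp alone, and what the next run
does with that timestamp (full sync with no record, incremental otherwise).
The filter uses Active Directory's whenChanged attribute as an assumed
example of a "changed since" attribute."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed directory contents: account name -> last modification time.
DIRECTORY: Dict[str, datetime] = {
    "alice": datetime(2017, 5, 1, tzinfo=timezone.utc),
    "bob":   datetime(2018, 10, 10, tzinfo=timezone.utc),
    "carol": datetime(2018, 10, 17, 8, 0, tzinfo=timezone.utc),
}


def ldap_timestamp(when: datetime) -> str:
    """Generalized Time syntax that AD accepts in a whenChanged filter."""
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.0Z")


@dataclass
class SyncState:
    # Stands in for the last-successful-run row in cmn_directory_servers (assumption).
    last_success: Optional[datetime] = None

    def plan(self) -> Dict[str, str]:
        """Search the next run would issue: everyone, or only accounts changed since."""
        if self.last_success is None:
            return {"mode": "full", "filter": "(objectClass=user)"}
        return {"mode": "incremental",
                "filter": f"(&(objectClass=user)(whenChanged>={ldap_timestamp(self.last_success)}))"}

    def select(self, directory: Dict[str, datetime]) -> List[str]:
        """Accounts the planned search returns when applied to the in-memory directory."""
        if self.last_success is None:
            return sorted(directory)
        return sorted(name for name, changed in directory.items() if changed >= self.last_success)

    def record_run(self, succeeded: bool, finished_at: datetime) -> None:
        # Only a successful run advances the watermark.  A failed connect must
        # leave it untouched, otherwise accounts changed during the outage would
        # fall into a gap that no later incremental run asks for.
        if succeeded:
            self.last_success = finished_at


def outage_scenario() -> Dict[str, object]:
    """Year-old watermark, then a run that fails on the certificate, then a good one."""
    state = SyncState(datetime(2017, 9, 1, tzinfo=timezone.utc))
    initial_filter = state.plan()["filter"]
    before = state.select(DIRECTORY)                      # what a run right now should pull
    state.record_run(False, datetime(2018, 10, 17, 9, 3, tzinfo=timezone.utc))   # trust failure
    after_failure = state.select(DIRECTORY)               # watermark unchanged, same set
    state.record_run(True, datetime(2018, 10, 18, 12, 0, tzinfo=timezone.utc))   # cert fixed
    after_success = state.select(DIRECTORY)               # nobody changed since, nothing to pull
    return {"initial_filter": initial_filter, "before": before,
            "after_failure": after_failure, "after_success": after_success}


if __name__ == "__main__":
    for key, value in outage_scenario().items():
        print(f"{key}: {value}")
```

The point the scenario makes is the one in Nick's last sentence: while the connection keeps failing the watermark stays at the old value, so the first successful run still covers everything changed since then, and only after that does the job become the quick incremental one.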



  • 5.  Re: Synchronize new and changed users job failed

    Posted Oct 18, 2018 04:20 PM

    Nick Darlington wrote:

    That was good advice, it is looking exactly like a certificate / server trust issue.

    Just to explain as well, the record you see in the table is for when the job last ran successfully (it looks like it was run/tested over a year ago and not again since then). That will be why the IP address in the url in the table looks different.

    The job uses the last time that it ran from that table to determine what to request from the LDAP server.

    If there are no records in the table, it will do a 'full sync' of everyone. If you run the job frequently and successfully, it will instead only look for users that have been added/updated in LDAP since that last time, which will be a quicker incremental run.

    So you would not see any new records in that table until it can successfully connect again.

    Hi Nick!!

    Thank you for the excellent explanation.

    Best regards!