The error means that the JVM doesn't trust the issuing CA on the remote
side (LDAP server).  You can get the CA path from the remote server using
openssl:

    openssl s_client -connect ldap.server.com:636

That will give you the certs in PEM format as well as the chain up to the
root.

Add the root CA and any intermediate CA certs into the cacerts used by
Remedy.  You need to know which cacerts to update.  Most Java software uses
the cacerts bundled with the JRE under jre/lib/security/cacerts by
default.  You can optionally tell the JRE to use a different cacert using a
command line argument: -Djavax.net.ssl.trustStore=/path/to/cacerts

Axton

On Wed, Nov 9, 2016 at 6:19 PM, Fawver, Dustin <[email protected]> wrote:

> Greetings!
>
>
> I have been trying to get AREA to use LDAP over SSL now.  I followed the
> instructions over at
> https://docs.bmc.com/docs/display/public/brid91/Enabling+LDAP+plug-ins+for+SSL+connections+post-installation.
> The systems administrator instructed me some time ago to go to one of our
> servers and export the security certificate from within Firefox.  I did
> that and used keytool to create the store.  I am getting the error message
> below.
>
>
> <PLUGINSVR> <TNAME: pool-4-thread-3          > <ERROR> <ARPluginContext
>                                 > <
>  ARPluginContext.java:176       > /* Wed Nov 09 2016 07:12:12.805 */
>  <AREA.LDAP>Ldap Authentication failed!javax.naming.CommunicationException:
> simple bind failed: jcdc1.etsu.edu:636 [Root exception is 
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target]
>
>
> Looking at the certificate chain, I saw that there was a GeoTrust CA cert
> and a GeoTrust SHA cert.  I exported those from the same server and added
> those to the trust store.  While searching for a solution, I found some
> people would add the certs to the primary Java cacerts store located in
> /jre/lib/security/.  I did that as well and specified the path for the
> primary cacerts store in the AREA LDAP configuration screen.  I am still
> receiving the error message.
>
>
> Is there something else that I'm missing?  If I need to ask something else
> from the systems administrator, please let me know what to ask for.
>
>
> Thanks in advance for your help!
>
>
> --Dustin Fawver
>
>
> HelpDesk Technician
>
> East Tennessee State University
> _ARSlist: "Where the Answers Are" and have been for 20 years_
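
An added example, not part of either message and not BMC code: a Python script that reads saved `openssl s_client` output, lists each certificate the server sent with the SHA-256 fingerprint to compare against `keytool -list -v` on the cacerts file the plug-in server actually loads, and names the issuers the trust store has to supply. It assumes the command was run with `-showcerts` so every certificate in the chain is printed in PEM; the sample output, host and CA names are constructed, and the base64 bodies are placeholders rather than real certificates.

```python
import base64, hashlib, re

# Constructed sample of `openssl s_client -showcerts` output; bodies are placeholders.
SAMPLE = """CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example University/CN=ldap.example.edu
   i:/C=US/O=Example Trust/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
TEVBRiBDRVJUIFBMQUNFSE9MREVS
-----END CERTIFICATE-----
 1 s:/C=US/O=Example Trust/CN=Example Issuing CA
   i:/C=US/O=Example Trust/CN=Example Root CA
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFIFBMQUNFSE9MREVS
-----END CERTIFICATE-----
---
"""

def parse_chain(text):
    """One dict per certificate the server sent, in the order it sent them."""
    certs, body = [], None
    for line in text.partition("Certificate chain")[2].splitlines():
        if line.strip() == "---":
            break  # end of the chain section
        elif m := re.match(r"\s*(\d+) s:(.*)", line):
            certs.append({"depth": int(m[1]), "subject": m[2].strip(),
                          "issuer": None, "sha256": None})
        elif (m := re.match(r"\s+i:(.*)", line)) and certs:
            certs[-1]["issuer"] = m[1].strip()
        elif line.startswith("-----BEGIN CERTIFICATE"):
            body = []
        elif line.startswith("-----END CERTIFICATE") and certs and body is not None:
            h = hashlib.sha256(base64.b64decode("".join(body))).hexdigest().upper()
            certs[-1]["sha256"] = ":".join(h[i:i + 2] for i in range(0, 64, 2))
            body = None
        elif body is not None:
            body.append(line.strip())  # base64 lines of the current certificate
    return certs

def missing_issuers(certs):
    """Issuers with no certificate in the chain: the trust store must hold these."""
    subjects = {c["subject"] for c in certs}
    return sorted({c["issuer"] for c in certs if c["issuer"] not in subjects} - {None})

if __name__ == "__main__":
    for c in parse_chain(SAMPLE):
        print(c["depth"], c["subject"], c["sha256"], sep="\n   ")
    print("trust store must supply:", missing_issuers(parse_chain(SAMPLE)))
```

If every fingerprint and the named root are already present in the keystore and the handshake still fails, the JVM is most likely reading a different trust store than the one that was edited.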
