Are there any intermediate certs? If so, are they also added in the trust store? And just to make sure, in the ldap configuration, are you using same trust store for performing ldapsearch?
From: Aneela Saleem
Reply-To: [email protected]
Date: Sunday, October 4, 2015 at 10:15 AM
To: [email protected]
Subject: Re: Issues with usersync (LDAPS certificate not validated)

Is there any issue with the Java keystore?

On Fri, Oct 2, 2015 at 9:59 AM, Aneela Saleem <[email protected]> wrote:

Yes, the following command works fine:

ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps://platalytics.com:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'

On Thu, Oct 1, 2015 at 7:35 PM, Don Bosco Durai <[email protected]> wrote:

It is surprising that it will just stop working. Are you able to do ldapsearch from the command line? Just to make sure there is nothing wrong on the OpenLDAP side?

Thanks
Bosco

From: Aneela Saleem <[email protected]>
Reply-To: <[email protected]>
Date: Thursday, October 1, 2015 at 11:55 PM
To: <[email protected]>
Subject: Re: Issues with usersync (LDAPS certificate not validated)

I also checked it on another machine. Same issue is there.

On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <[email protected]> wrote:

I guess no JDK changes. And I re-checked the certificate, in fact generated a new one. Still the same issue.

On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <[email protected]> wrote:

Aneela,
Please check whether the certificate has expired.
Dilli

On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <[email protected]> wrote:

Any other changes you can think of? JDK changes, etc.?

Thanks
Bosco

From: Aneela Saleem <[email protected]>
Reply-To: <[email protected]>
Date: Wednesday, September 30, 2015 at 9:37 PM
To: <[email protected]>
Subject: Re: Issues with usersync (LDAPS certificate not validated)

It was working fine one month ago. But now the same issue has occurred.

On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <[email protected]> wrote:

Hi all,

I followed all the following steps, i.e.:

cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts

keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts

(where cert.pem has the LDAPS cert)

Add the java option -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts to /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh where it invokes the java command like the following:

nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .

But I'm unable to sync LDAP contacts in Ranger due to certificate validation issues. Following are the logs:

30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Starting User Sync Service!
30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
30 Sep 2015 14:48:56 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
30 Sep 2015 14:48:57 WARN NativeCodeLoader [main] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
30 Sep 2015 14:48:58 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 21600000 milliseconds. Error details:
javax.naming.CommunicationException: simple bind failed: platalytics.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
    at javax.naming.InitialContext.init(InitialContext.java:242)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
    at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
    at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
    at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
    at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
    ... 14 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
    ... 27 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    ... 33 more

And following is the output of the nohup command:

Host key verification failed.

Can someone please help me figure out the issue?
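A way to answer the question raised in the thread (does the chain the LDAPS server presents validate against the usersync trust store, and if not, which certificate in that chain has no issuer in the store) is to run the JDK's own PKIX validation against that trust store from a small standalone program. This is an added example, not code from the thread or from Ranger; it takes host, port, trust store path and trust store password as arguments (for an unmodified copy of the JDK cacerts the password is "changeit"), and it never weakens validation, it only records the chain before the real trust manager checks it.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added diagnostic, not Ranger code. Validates an LDAPS endpoint against a given
// trust store exactly as the JDK PKIX validator would, and on failure reports for
// each presented certificate whether it, or its issuer, is in that trust store.
public class LdapsTrustCheck {
    // Records the chain the server presented, then delegates to the real PKIX
    // trust manager, so the outcome is identical to what usersync would see.
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] presented = new X509Certificate[0];
        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { delegate.checkClientTrusted(chain, authType); }
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { presented = chain; delegate.checkServerTrusted(chain, authType); }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    // Usage: java LdapsTrustCheck <host> <port> <trustStorePath> <trustStorePassword>
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[2])) { ts.load(in, args[3].toCharArray()); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        RecordingTrustManager tm = new RecordingTrustManager((X509TrustManager) tmf.getTrustManagers()[0]);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            sock.startHandshake();
            System.out.println("OK: chain from " + host + ":" + port + " validates against " + args[2]);
            return;
        } catch (SSLHandshakeException e) {
            System.out.println("FAILED: " + e.getMessage());
        }
        // Walk the presented chain: a missing intermediate shows up as a certificate
        // whose issuer is neither presented by the server nor a trust anchor in the store.
        for (X509Certificate cert : tm.presented) {
            boolean issuerIsAnchor = false;
            for (X509Certificate anchor : tm.getAcceptedIssuers()) {
                if (anchor.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) issuerIsAnchor = true;
            }
            boolean inStore = ts.getCertificateAlias(cert) != null;
            System.out.printf("  subject: %s%n  issuer:  %s%n  expires: %s | in trust store: %b | issuer in trust store: %b%n",
                    cert.getSubjectX500Principal(), cert.getIssuerX500Principal(), cert.getNotAfter(), inStore, issuerIsAnchor);
        }
    }
}
```

Running it once against the userSyncCAcerts file and once against the trust store ldapsearch uses makes the difference Bosco is asking about visible directly.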
