Thanks Aneela,
This indicates to me that you are using a self-signed certificate (i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com) for the ldap server.
Is this certificate added to the Java truststore file (${JAVA_HOME}/jre/lib/security/cacerts)?
If that is already done, please add the following SSL debug flag to the usersync process and run the usersync to see a more detailed SSL error message (in the stdout file):
-Djavax.net.debug=all
Please let us know if this provides more details to identify the issue.
Thanks,
Selva-
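
The trust failure discussed in this thread, as an added Go example that is not part of the thread or of Ranger: a self-signed CA (like entry 1 of the s_client chain, where subject equals issuer) issues the server certificate, and PKIX path building succeeds only when that CA certificate is among the trust anchors. The Go standard library's chain verification stands in for the JDK's PKIXValidator; names, keys and certificates are constructed, and the "stale anchor" case shows why regenerating the CA with an identical DN leaves an existing truststore entry useless.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent; a nil parent yields a self-signed CA (subject == issuer).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key; errors ignored for the demo
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// verifyServerCert runs PKIX path building for leaf against the given anchors only
// (what the JDK does against its truststore); a nil error means a path to an anchor exists.
func verifyServerCert(leaf *x509.Certificate, anchors ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, a := range anchors {
		roots.AddCert(a)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

func main() {
	oldRoot, _ := issue("example.com", true, nil, nil)      // CA as it was before regeneration
	newRoot, newKey := issue("example.com", true, nil, nil) // regenerated CA: same DN, new key
	leaf, _ := issue("example.com", false, newRoot, newKey) // server cert the LDAPS listener presents
	fmt.Println("no anchor:      ", verifyServerCert(leaf))
	fmt.Println("stale anchor:   ", verifyServerCert(leaf, oldRoot))
	fmt.Println("matching anchor:", verifyServerCert(leaf, newRoot))
}
```

The stale-anchor error names the candidate authority it found by DN and the signature failure it hit, which is the detail -Djavax.net.debug=all is meant to surface on the Java side.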
From: Aneela Saleem <[email protected]>
Reply-To: "[email protected]"
<[email protected]>
Date: Tuesday, October 6, 2015 at 4:06 PM
To: "[email protected]" <[email protected]>
Subject: Re: Issues with usersync (LDAPS certificate not validated)
Hi Neethiraj,
Following is the output of the above command. Sorry, I have changed the domain name to example.com.
CONNECTED(00000003)
depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform, CN = example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform, CN = example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform, CN = example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com
   i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
 1 s:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
   i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
---
Server certificate
subject=/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com
issuer=/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
---
No client certificate CA names sent
---
SSL handshake has read 2368 bytes and written 663 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA256
    Session-ID: 634C48D3BEF778B038BB1B61384727034EBF315F6BF9269D20AFD0D73BFB4825
    Session-ID-ctx:
    Master-Key: 84FBEC8A7C82E1C403566885E229B0A93AE09E220A0C23576E48D27763B5195F96D188537740F30621A58484E8BF6E03
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1444161895
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
DONE
On Mon, Oct 5, 2015 at 10:22 PM, Selvamohan Neethiraj
<[email protected]> wrote:
> Aneela:
>
> To verify the certificate (chain), can you run the following command and send
> us the output of the command?
>
> $ openssl s_client -showcerts -connect platalytics.com:636 < /dev/null
>
> Thanks,
>
> Selva-
>
> From: Aneela Saleem <[email protected]>
> Reply-To: "[email protected]"
> <[email protected]>
> Date: Monday, October 5, 2015 at 1:16 PM
> To: "[email protected]" <[email protected]>
>
> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>
> No, there are no intermediate certificates. No, I'm not using the same trust store
> for performing ldapsearch. I'm using the
> TLS_CACERT /etc/ldap/cacert.pem option in the ldap.conf file.
>
> On Mon, Oct 5, 2015 at 10:12 PM, Sailaja Polavarapu
> <[email protected]> wrote:
>> Are there any intermediate certs? If so, are they also added to the trust
>> store?
>> And just to make sure, in the ldap configuration, are you using the same trust
>> store for performing ldapsearch?
>>
>>
>> From: Aneela Saleem
>> Reply-To: "[email protected]"
>> Date: Sunday, October 4, 2015 at 10:15 AM
>>
>> To: "[email protected]"
>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>
>> Is there any issue with JAVA keystore?
>>
>> On Fri, Oct 2, 2015 at 9:59 AM, Aneela Saleem <[email protected]> wrote:
>>> Yes, the following command works fine:
>>>
>>> ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps://platalytics.com:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'
>>>
>>> On Thu, Oct 1, 2015 at 7:35 PM, Don Bosco Durai <[email protected]> wrote:
>>>> It is surprising that it would just stop working. Are you able to do
>>>> ldapsearch from the command line? Just to make sure there is nothing wrong on
>>>> the OpenLDAP side.
>>>>
>>>> Thanks
>>>>
>>>> Bosco
>>>>
>>>>
>>>> From: Aneela Saleem <[email protected]>
>>>> Reply-To: <[email protected]>
>>>> Date: Thursday, October 1, 2015 at 11:55 PM
>>>>
>>>> To: <[email protected]>
>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>
>>>>> I also checked it on another machine. The same issue is there.
>>>>>
>>>>> On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <[email protected]>
>>>>> wrote:
>>>>>> I guess no JDK changes. And I re-checked the certificate, in fact generated a
>>>>>> new one. Still the same issue.
>>>>>>
>>>>>> On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <[email protected]>
>>>>>> wrote:
>>>>>>> Aneela,
>>>>>>> Please check whether the certificate has expired.
>>>>>>> Dilli
>>>>>>>
>>>>>>> On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <[email protected]>
>>>>>>> wrote:
>>>>>>> Any other changes you can think of? JDK changes, etc.?
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Bosco
>>>>>>>
>>>>>>>
>>>>>>> From: Aneela Saleem <[email protected]>
>>>>>>> Reply-To: <[email protected]>
>>>>>>> Date: Wednesday, September 30, 2015 at 9:37 PM
>>>>>>> To: <[email protected]>
>>>>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>>>>
>>>>>>> It was working fine one month ago. But now the same issue has occurred.
>>>>>>>
>>>>>>> On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <[email protected]>
>>>>>>> wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I followed all the following steps, i.e.,
>>>>>>>
>>>>>>> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>>
>>>>>>> keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>> (where cert.pem has the LDAPS cert)
>>>>>>>
>>>>>>> Add the java option
>>>>>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>> to
>>>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>>>>>>>
>>>>>>> where it invokes the java command like the following:
>>>>>>>
>>>>>>> nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .
>>>>>>>
>>>>>>> But I'm unable to sync LDAP contacts in Ranger due to certificate
>>>>>>> validation issues. Following are the logs:
>>>>>>>
>>>>>>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Starting User Sync Service!
>>>>>>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
>>>>>>> 30 Sep 2015 14:48:56 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
>>>>>>> 30 Sep 2015 14:48:57 WARN NativeCodeLoader [main] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
>>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
>>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
>>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
>>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
>>>>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
>>>>>>> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>>>>>>> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
>>>>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
>>>>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
>>>>>>> 30 Sep 2015 14:48:58 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 21600000 milliseconds. Error details:
>>>>>>> javax.naming.CommunicationException: simple bind failed: platalytics.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
>>>>>>>     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
>>>>>>>     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>>>>>>>     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>>>>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>>>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>>>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>>>>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>>>>>>>     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>>>>>>     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>>>>>>>     at javax.naming.InitialContext.init(InitialContext.java:242)
>>>>>>>     at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>>>>>>>     at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
>>>>>>>     at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
>>>>>>>     at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>>>>>>>     at java.lang.Thread.run(Thread.java:745)
>>>>>>> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>>>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>>>>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
>>>>>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
>>>>>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
>>>>>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
>>>>>>>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
>>>>>>>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
>>>>>>>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
>>>>>>>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
>>>>>>>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
>>>>>>>     at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
>>>>>>>     at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
>>>>>>>     at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
>>>>>>>     at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
>>>>>>>     at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
>>>>>>>     at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
>>>>>>>     at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
>>>>>>>     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
>>>>>>>     ... 14 more
>>>>>>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>>>>>>>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>>>>>>     at sun.security.validator.Validator.validate(Validator.java:260)
>>>>>>>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>>>>>>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>>>>>>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>>>>>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
>>>>>>>     ... 27 more
>>>>>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>>>>>>>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>>>>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>>>>>>     ... 33 more
>>>>>>>
>>>>>>> And following is the output of the nohup command:
>>>>>>>
>>>>>>> Host key verification failed.
>>>>>>>
>>>>>>> Can someone please help me figure out the issue?