And yes, I have already added the certificate to the Java trust store using the following method:

cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts

keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
(where cert.pem has the LDAPS cert)

Add java option
-Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
to
/usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh

where it invokes the java command like the following:

nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .

On Wed, Oct 7, 2015 at 1:52 AM, Aneela Saleem <[email protected]> wrote:

> Thanks Neethiraj,
>
> I tried the above solution but it still gives the following logs
>
> 07 Oct 2015 01:50:35 INFO UnixAuthenticationService [main] - Starting User Sync Service!
> 07 Oct 2015 01:50:35 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
> 07 Oct 2015 01:50:35 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
> 07 Oct 2015 01:50:36 WARN NativeCodeLoader [main] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
> 07 Oct 2015 01:50:37 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
> 07 Oct 2015 01:50:37 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
> 07 Oct 2015 01:50:37 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
> 07 Oct 2015 01:50:37 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
> 07 Oct 2015 01:50:38 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
> 07 Oct 2015 01:50:38 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
> 07 Oct 2015 01:50:38 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
> 07 Oct 2015 01:50:38 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
> 07 Oct 2015 01:50:38 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
> 07 Oct 2015 01:50:39 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 3600000 milliseconds.
> Error details:
> javax.naming.CommunicationException: simple bind failed: example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
>         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>         at javax.naming.InitialContext.init(InitialContext.java:242)
>         at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>         at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
>         at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
>         at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
>         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
>         at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
>         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
>         at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
>         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
>         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
>         at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
>         at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
>         at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
>         at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
>         at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
>         at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
>         at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
>         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
>         ... 14 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>         at sun.security.validator.Validator.validate(Validator.java:260)
>         at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>         at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
>         ... 27 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>         ... 33 more
>
>
> On Wed, Oct 7, 2015 at 1:19 AM, Selvamohan Neethiraj <[email protected]> wrote:
>
>> Thanks Aneela,
>>
>> This indicates to me that you are using a self-signed certificate ( i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com ) for the ldap server.
>> Is this certificate added to the Java truststore file ( ${JAVA_HOME}/jre/lib/security/cacerts ) ?
>>
>> If that is already done, please add the following SSL debug flag to the usersync process and run the usersync to see more detailed SSL error message (in the stdout file) …
>>
>> -Djavax.net.debug=all
>>
>> Please let us know if this provides more details to identify the issue …
>>
>> Thanks,
>>
>> Selva-
>>
>> From: Aneela Saleem <[email protected]>
>> Reply-To: "[email protected]" <[email protected]>
>> Date: Tuesday, October 6, 2015 at 4:06 PM
>> To: "[email protected]" <[email protected]>
>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>
>> Hi Neethiraj,
>>
>> Following is the output of the above command.
>> Sorry, I have changed the domain name to example.com now.
>>
>>
>> CONNECTED(00000003)
>> depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform, CN = example.com
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform, CN = example.com
>> verify error:num=27:certificate not trusted
>> verify return:1
>> depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform, CN = example.com
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>> ---
>> Certificate chain
>>  0 s:/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com
>>    i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
>> -----BEGIN CERTIFICATE-----
>> (base64 certificate body omitted)
>> -----END CERTIFICATE-----
>>  1 s:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
>>    i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
>> -----BEGIN CERTIFICATE-----
>> (base64 certificate body omitted)
>> -----END CERTIFICATE-----
>> ---
>> Server certificate
>> subject=/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com
>> issuer=/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 2368 bytes and written 663 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES256-SHA256
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1.2
>>     Cipher    : AES256-SHA256
>>     Session-ID: 634C48D3BEF778B038BB1B61384727034EBF315F6BF9269D20AFD0D73BFB4825
>>     Session-ID-ctx:
>>     Master-Key: 84FBEC8A7C82E1C403566885E229B0A93AE09E220A0C23576E48D27763B5195F96D188537740F30621A58484E8BF6E03
>>     Key-Arg   : None
>>     PSK identity: None
>>     PSK identity hint: None
>>     SRP username: None
>>     Start Time: 1444161895
>>     Timeout   : 300 (sec)
>>     Verify return code: 21 (unable to verify the first certificate)
>> ---
>> DONE
>>
>>
>> On Mon, Oct 5, 2015 at 10:22 PM, Selvamohan Neethiraj <[email protected]> wrote:
>>
>>> Aneela:
>>>
>>> To verify the certificate (chain), can you run the following command and send us the output of the command?
>>>
>>> $ openssl s_client -showcerts -connect platalytics.com:636 < /dev/null
>>>
>>> Thanks,
>>>
>>> Selva-
>>>
>>> From: Aneela Saleem <[email protected]>
>>> Reply-To: "[email protected]" <[email protected]>
>>> Date: Monday, October 5, 2015 at 1:16 PM
>>> To: "[email protected]" <[email protected]>
>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>
>>> No, there are no intermediate certificates. No, I'm not using the same trust store for performing ldapsearch. I'm using the TLS_CACERT /etc/ldap/cacert.pem option in the ldap.conf file.
>>>
>>> On Mon, Oct 5, 2015 at 10:12 PM, Sailaja Polavarapu <[email protected]> wrote:
>>>
>>>> Are there any intermediate certs? If so, are they also added in the trust store?
>>>> And just to make sure, in the ldap configuration, are you using the same trust store for performing ldapsearch?
>>>>
>>>>
>>>> From: Aneela Saleem
>>>> Reply-To: "[email protected]"
>>>> Date: Sunday, October 4, 2015 at 10:15 AM
>>>> To: "[email protected]"
>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>
>>>> Is there any issue with the JAVA keystore?
>>>>
>>>> On Fri, Oct 2, 2015 at 9:59 AM, Aneela Saleem <[email protected]> wrote:
>>>>
>>>>> Yes, the following command works fine
>>>>>
>>>>> ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps://platalytics.com:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'
>>>>>
>>>>> On Thu, Oct 1, 2015 at 7:35 PM, Don Bosco Durai <[email protected]> wrote:
>>>>>
>>>>>> It is surprising that it will just stop working. Are you able to do ldapsearch from command line? Just to make sure there is nothing wrong on the OpenLDAP side?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Bosco
>>>>>>
>>>>>>
>>>>>> From: Aneela Saleem <[email protected]>
>>>>>> Reply-To: <[email protected]>
>>>>>> Date: Thursday, October 1, 2015 at 11:55 PM
>>>>>> To: <[email protected]>
>>>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>>>
>>>>>> I also checked it on another machine. The same issue is there.
>>>>>>
>>>>>> On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <[email protected]> wrote:
>>>>>>
>>>>>>> I guess no JDK changes. And I re-checked the certificate, in fact generated a new one. Still the same issue.
>>>>>>>
>>>>>>> On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <[email protected]> wrote:
>>>>>>>
>>>>>>>> Aneela,
>>>>>>>> Please check whether the certificate has expired.
>>>>>>>> Dilli
>>>>>>>>
>>>>>>>> On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Any other changes you can think of? JDK changes, etc.?
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>>
>>>>>>>>> Bosco
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> From: Aneela Saleem <[email protected]>
>>>>>>>>> Reply-To: <[email protected]>
>>>>>>>>> Date: Wednesday, September 30, 2015 at 9:37 PM
>>>>>>>>> To: <[email protected]>
>>>>>>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>>>>>>
>>>>>>>>> It was working fine one month ago. But now the same issue has occurred.
>>>>>>>>>
>>>>>>>>> On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi all,
>>>>>>>>>>
>>>>>>>>>> I followed all the following steps, i.e.,
>>>>>>>>>>
>>>>>>>>>> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>>>>>
>>>>>>>>>> keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>>>>> (where cert.pem has the LDAPS cert)
>>>>>>>>>>
>>>>>>>>>> Add java option
>>>>>>>>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>>>>> to
>>>>>>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>>>>>>>>>>
>>>>>>>>>> where it invokes the java command like the following
>>>>>>>>>>
>>>>>>>>>> nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> But I'm unable to sync LDAP contacts in Ranger due to certificate validation issues. Following are the logs
>>>>>>>>>>
>>>>>>>>>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Starting User Sync Service!
>>>>>>>>>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
>>>>>>>>>> 30 Sep 2015 14:48:56 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
>>>>>>>>>> 30 Sep 2015 14:48:57 WARN NativeCodeLoader [main] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
>>>>>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
>>>>>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
>>>>>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
>>>>>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
>>>>>>>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
>>>>>>>>>> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>>>>>>>>>> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
>>>>>>>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
>>>>>>>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
>>>>>>>>>> 30 Sep 2015 14:48:58 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 21600000 milliseconds.
>>>>>>>>>> Error details:
>>>>>>>>>> javax.naming.CommunicationException: simple bind failed: platalytics.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
>>>>>>>>>>         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
>>>>>>>>>>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>>>>>>>>>>         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>>>>>>>>>>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>>>>>>>>>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>>>>>>>>>         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>>>>>>>>>>         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>>>>>>>>>>         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>>>>>>>>>         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>>>>>>>>>>         at javax.naming.InitialContext.init(InitialContext.java:242)
>>>>>>>>>>         at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>>>>>>>>>>         at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
>>>>>>>>>>         at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
>>>>>>>>>>         at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>>>>>>>>>>         at java.lang.Thread.run(Thread.java:745)
>>>>>>>>>> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>>>>>>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>>>>>>>         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
>>>>>>>>>>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
>>>>>>>>>>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
>>>>>>>>>>         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
>>>>>>>>>>         at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
>>>>>>>>>>         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
>>>>>>>>>>         at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
>>>>>>>>>>         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
>>>>>>>>>>         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
>>>>>>>>>>         at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
>>>>>>>>>>         at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
>>>>>>>>>>         at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
>>>>>>>>>>         at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
>>>>>>>>>>         at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
>>>>>>>>>>         at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
>>>>>>>>>>         at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
>>>>>>>>>>         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
>>>>>>>>>>         ... 14 more
>>>>>>>>>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>>>>>>         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>>>>>>>>>>         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>>>>>>>>>         at sun.security.validator.Validator.validate(Validator.java:260)
>>>>>>>>>>         at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>>>>>>>>>>         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>>>>>>>>>>         at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>>>>>>>>>>         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
>>>>>>>>>>         ... 27 more
>>>>>>>>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>>>>>>         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>>>>>>>>>>         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>>>>>>>>>         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>>>>>>>>>         ... 33 more
>>>>>>>>>>
>>>>>>>>>> And following is the output of the nohup command:
>>>>>>>>>>
>>>>>>>>>> Host key verification failed.
>>>>>>>>>>
>>>>>>>>>> Can someone please help me figure out the issue?
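A small diagnostic for the failure discussed in this thread, added here as an example and not code from Ranger or from anyone on the list: it loads the truststore that usersync is started with (the `-Djavax.net.ssl.trustStore` file), parses the chain captured with `openssl s_client -showcerts`, and runs the same JSSE trust-manager check that appears in the stack trace (`X509TrustManagerImpl.checkServerTrusted`), so the PKIX result can be reproduced outside the running service and a leaf-only import, a wrong truststore file or an expired certificate shows up directly. The class name `TrustStoreCheck`, the argument layout and the `"RSA"` auth type (the server key is RSA per the s_client output) are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/*
 * Hypothetical diagnostic, not part of Ranger. Usage:
 *   java TrustStoreCheck <truststore> <storepass> <chain.pem>
 * chain.pem = the certificate blocks printed (leaf first) by
 *   openssl s_client -showcerts -connect host:636 < /dev/null
 */
public class TrustStoreCheck {

    // Load the truststore usersync is started with (-Djavax.net.ssl.trustStore).
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType()); // JKS on JDK 7
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        return ts;
    }

    // Parse every PEM certificate block in the file, in file order.
    static X509Certificate[] loadChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain.toArray(new X509Certificate[0]);
    }

    // The check JSSE runs on the server's Certificate message during the handshake
    // (X509TrustManagerImpl.checkServerTrusted in the stack trace): builds a PKIX
    // path from the leaf to a trust anchor in the store and checks validity dates.
    // Returns null when the chain is trusted, otherwise the validator's message.
    static String validate(KeyStore trustStore, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); // PKIX
        tmf.init(trustStore);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            tm.checkServerTrusted(chain, "RSA"); // server key is RSA per s_client
            return null;
        } catch (CertificateException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ts = loadTrustStore(args[0], args[1].toCharArray());
        X509Certificate[] chain = loadChain(args[2]);
        for (X509Certificate c : chain) {
            System.out.println(c.getSubjectX500Principal() + " <- " + c.getIssuerX500Principal()
                    + " (expires " + c.getNotAfter() + ")");
        }
        String err = validate(ts, chain);
        if (err == null) {
            System.out.println("OK: chain validates against " + args[0]);
        } else {
            System.out.println("FAIL: " + err);
            System.out.println("Hint: import the issuer (the 'i:' subject in s_client output), not only the leaf.");
            System.exit(1);
        }
    }
}
```

Run it with the same JDK and truststore path that ranger-usersync-services.sh passes to java; if it prints OK while the service still fails, the service is not reading the truststore you think it is.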
