LDAP Connectivity Error: PKIX path building failed

Contrast UI Knowledge:

See more
License Type On-Premise
Agent Mode N/A
Main Product Category    Contrast UI 
Sub Category Authentication

 

Issue

When configuring (secure) LDAP as the desired authentication method in your Contrast EOP System Settings, the Test Connection fails and the resulting log reports an error similar to the following:

[Root exception is javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target]

Cause

The most likely cause of this error is that the secure LDAP server uses either a self-signed or privately-signed certificate.  The Contrast EOP Server runs under Tomcat which is a Java Application Server and, by default, all JREs come with a set of trusted CAs that contains the usual commercial CA certificates - DigiCert, GlobalSign etc.  If the LDAP server uses a certificate that is self-signed or is signed by an internal CA then the JVM will be unable to build the chain of trust, resulting in a handshaking failure when connecting.

Resolution

Acquire the certificate

You can do that using openssl like so (creates a file named ldapserver.pem):

openssl s_client -showcerts -connect {ldap server hostname}:636 </dev/null 2>/dev/null|openssl x509 -outform PEM > ldapserver.pem

Trust the certificate

From the {contrast home} directory, you can either add the LDAP server's certificate to the default JRE Trust Store:

jre/bin/keytool -import -trustcacerts -alias ldapserver -file ldapserver.pem -keystore jre/lib/security/cacerts

(This assumes you're using the embedded JRE - if not then replace the paths as necessary to reference the cacerts file for JRE in use.)

Alternatively you can create a new Trust Store as in the following example, and import the certificate:

mkdir data/conf/ssl
jre/bin/keytool -import -alias ldapserver -file ldapserver.pem -keystore data/conf/ssl/truststore.jks

then reference the keystore in the bin/contrast-server.vmoptions file by adding the following lines:

-Djavax.net.ssl.trustStore=<full path to truststore>
-Djavax.net.ssl.trustStorePassword=<password you set for the trust store, if any>

 

Related articles

Powered by Zendesk