License Type | On-Premise |
Agent Mode | N/A |
Main Product Category | Contrast UI |
Sub Category | Authentication |
Issue
When you configure (secure) LDAP, that is LDAP over TLS on port 636, as the authentication method in the Contrast EOP System Settings, Test Connection fails and the server log reports an error similar to the following:
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Cause
The most likely cause of this error is that the secure LDAP server presents a certificate that is either self-signed or issued by a private (internal) CA. The Contrast EOP Server runs on Tomcat, a Java servlet container, and every JRE ships with a default trust store (lib/security/cacerts) that contains only the well-known commercial CAs such as DigiCert and GlobalSign. If the LDAP server's certificate chains to a CA that is not in that store, the JVM cannot build a certification path from the server certificate to a trusted anchor, and the TLS handshake is rejected before the LDAP bind is even attempted. Less commonly, the same error appears when the server sends an incomplete chain (a leaf without its intermediate), in which case the missing intermediate has to be trusted or added on the server side.
Resolution
Acquire the certificate
You can do that with openssl as shown below (creates a file named ldapserver.pem). Note that piping through a single openssl x509 keeps only the first certificate the server sends, which is the server's own (leaf) certificate; for a privately-signed certificate it is better to trust the issuing CA certificate instead, otherwise the import has to be repeated every time the LDAP server's certificate is renewed. Use -showcerts without the second pipe stage to see the whole chain, or obtain the CA certificate directly from whoever operates the LDAP server.
openssl s_client -showcerts -connect {ldap server hostname}:636 </dev/null 2>/dev/null|openssl x509 -outform PEM > ldapserver.pem
Trust the certificate
From the {contrast home} directory, you can either add the LDAP server's certificate to the JRE's default trust store (the shipped password for cacerts is changeit):
jre/bin/keytool -import -trustcacerts -alias ldapserver -file ldapserver.pem -keystore jre/lib/security/cacerts
(This assumes you're using the embedded JRE; if not, replace the paths as necessary to reference the cacerts file of the JRE in use. Be aware that changes to the embedded JRE's cacerts can be lost when the JRE is replaced during an upgrade, so keep a copy of the certificate and re-check trust after upgrading.)
Alternatively you can create a dedicated trust store as in the following example, and import the certificate into it:
mkdir data/conf/ssl
jre/bin/keytool -import -alias ldapserver -file ldapserver.pem -keystore data/conf/ssl/truststore.jks
then reference the trust store in the bin/contrast-server.vmoptions file by adding the following lines, and restart the Contrast server for them to take effect:
-Djavax.net.ssl.trustStore=<full path to truststore>
-Djavax.net.ssl.trustStorePassword=<password you set for the trust store, if any>
Keep in mind that -Djavax.net.ssl.trustStore replaces the JVM's default trust store rather than adding to it. If the Contrast server also needs to reach any endpoint that uses a publicly-issued certificate, import those CA certificates into the new trust store as well (for example by copying the JRE's cacerts to data/conf/ssl/truststore.jks first and then importing ldapserver.pem into the copy).
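The following script ties the three steps above together as a single, repeatable procedure. It is an added example, not a script shipped with Contrast: it fetches the full chain the LDAP server presents, picks the last certificate in that chain (the closest thing to the issuing CA that the server offers), seeds a dedicated trust store from the embedded JRE's cacerts so that public CAs keep working once the JVM is pointed at the new store, imports the certificate, lists the resulting entry for verification, and prints the exact vmoptions lines to add. It assumes it is run from {contrast home} with the embedded JRE in ./jre, that the LDAP host is supplied in the LDAP_HOST environment variable, and that the JRE's cacerts still has Java's shipped default password changeit; STORE_PASS, LDAP_PORT and the split_chain/fetch_chain helper names are this example's own choices.

```shell
#!/bin/sh
# Added example (not Contrast's own tooling): trust a privately-signed LDAP
# server certificate in a dedicated JVM trust store for Contrast EOP.
#
# Assumptions (not stated on the page): run from {contrast home}; the embedded
# JRE lives in ./jre; cacerts uses Java's shipped default password "changeit";
# LDAP_HOST names the LDAP server; STORE_PASS is the password you choose.
set -eu

CONTRAST_HOME="${CONTRAST_HOME:-.}"
JRE="${JRE:-$CONTRAST_HOME/jre}"
STORE_DIR="$CONTRAST_HOME/data/conf/ssl"
STORE="$STORE_DIR/truststore.jks"
STORE_PASS="${STORE_PASS:-changeit}"
LDAP_PORT="${LDAP_PORT:-636}"

# Split a PEM bundle on stdin into files prefix-0.pem, prefix-1.pem, ... and
# print how many certificates were found. Lines outside BEGIN/END are dropped,
# so the chatter openssl s_client prints around the chain is ignored.
split_chain() {
    prefix="$1"
    awk -v p="$prefix" '
        /-----BEGIN CERTIFICATE-----/ { f = p "-" (n + 0) ".pem"; n++ }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }'
}

# Fetch every certificate the server sends. Piping into a single "openssl x509"
# (as in the one-liner above) would keep only the first, i.e. the leaf.
fetch_chain() {
    host="$1"; port="$2"; prefix="$3"
    openssl s_client -showcerts -connect "$host:$port" </dev/null 2>/dev/null \
        | split_chain "$prefix"
}

main() {
    host="$1"
    tmp="$(mktemp -d)"
    count="$(fetch_chain "$host" "$LDAP_PORT" "$tmp/cert")"
    [ "$count" -gt 0 ] || { echo "no certificate received from $host:$LDAP_PORT" >&2; exit 1; }

    # The last certificate in the presented chain is the highest-level CA the
    # server sends; trusting it survives leaf renewals, trusting the leaf does not.
    ca_pem="$tmp/cert-$((count - 1)).pem"
    echo "Server sent $count certificate(s); importing:"
    openssl x509 -in "$ca_pem" -noout -subject -issuer -enddate
    if [ "$count" -eq 1 ]; then
        echo "warning: server sent only its leaf certificate; ask the LDAP/PKI" \
             "administrators for the internal CA certificate and import that instead" >&2
    fi

    # Seed the dedicated store from cacerts: -Djavax.net.ssl.trustStore replaces
    # the default store, so public CAs would otherwise vanish for every TLS client in the JVM.
    mkdir -p "$STORE_DIR"
    if [ ! -f "$STORE" ]; then
        "$JRE/bin/keytool" -importkeystore -noprompt \
            -srckeystore "$JRE/lib/security/cacerts" -srcstorepass changeit \
            -destkeystore "$STORE" -deststorepass "$STORE_PASS"
    fi
    "$JRE/bin/keytool" -importcert -noprompt -trustcacerts -alias ldapserver \
        -file "$ca_pem" -keystore "$STORE" -storepass "$STORE_PASS"

    # Verify the entry exists and show its fingerprint for comparison with what
    # the LDAP administrators expect.
    "$JRE/bin/keytool" -list -keystore "$STORE" -storepass "$STORE_PASS" -alias ldapserver

    cat <<EOF
Add the following to $CONTRAST_HOME/bin/contrast-server.vmoptions and restart Contrast:
-Djavax.net.ssl.trustStore=$(cd "$STORE_DIR" && pwd)/truststore.jks
-Djavax.net.ssl.trustStorePassword=$STORE_PASS
EOF
    rm -rf "$tmp"
}

# Only run the procedure when a host is supplied, so the helpers can be sourced on their own.
if [ -n "${LDAP_HOST:-}" ]; then
    main "$LDAP_HOST"
fi
```

Run it from {contrast home} as LDAP_HOST=ldap.example.internal STORE_PASS='a-real-password' sh trust-ldap.sh. After restarting Contrast, repeat Test Connection; if it still fails with the same PKIX error, list the store with keytool -list and confirm that the issuer printed for the LDAP certificate matches an entry in it.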