By: Thomas Maerz user 18 Feb 2018 at 5:16 p.m. CST

6 Responses
Following the same steps as in 2.4.3, I am adding our Active Directory LDAP server as the authentication source for Gluu. Cache refresh is pointed at the same LDAP server and is working as expected. LDAP without SSL on 389 works fine, but we need to have the passwords encrypted. After entering the LDAP server details, the test button reports failure and oxtrust_persistence.log says:

```
2018-02-18 23:09:28,896 INFO [qtp474675244-11] [org.gluu.site.ldap.LDAPConnectionProvider] (LDAPConnectionProvider.java:240) - Attempting to use older SSL protocols
com.unboundid.ldap.sdk.LDAPBindException: An error occurred while attempting to send the LDAP message to server dc1.brewerscience.com:636: SSLHandshakeException(message='sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target'
```

I have attempted to add the CA public certificate for my Active Directory to the Java keystore as follows:

```
/opt/jre/jre/bin/keytool -importcert -file bsiadca.crt -keystore /opt/jre/jre/lib/security/cacerts -alias brewerscience-ad-ca -storepass changeit
```

but I still get the same error after this. Am I on the right track here with looking at self-signed external LDAP certificate trust as the cause of this? Is there a known good process for trusting an external LDAP certificate?

By Thomas Gasmyr Mougang staff 18 Feb 2018 at 7:42 p.m. CST

Hi **Thomas**, This is definitely an SSL error and as per my knowledge you are on the right track. If you have more than one Java version installed on your instance, make sure you are adding the certificate to the correct key store (the one inside the Gluu container) and restart the VM then. This [link](https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html?_ga=2.165593983.1328029705.1519002792-108691902.1517113592) provides a more detailed set of solutions to that issue. Let us know if that has helped you. Thanks!

By Aliaksandr Samuseu staff 19 Feb 2018 at 9:10 a.m. CST

Hi, Thomas and Gasmyr. As I've met this exact issue just recently, I thought I'd share my solution. In recent packages, the file `/etc/gluu/conf/ox-ldap.properties` now has new lines specifying the truststore to use for resolving trust-related issues when connecting to LDAP servers. These lines, specifically:

```
ssl.trustStoreFile: /etc/certs/openldap.pkcs12
ssl.trustStorePin: lhP4viwRWosMutqKDnvS1A==
ssl.trustStoreFormat: pkcs12
```

You can try to either remove those lines completely, or add your remote LDAP server's cert to this truststore. Restart the `oxauth` and `oxtrust` services in both cases and then see whether this helps. Both ways resolve such issues in my setup.

By Thomas Gasmyr Mougang staff 21 Feb 2018 at 1:42 a.m. CST

Hi Thomas, Still need assistance?

By David Franzkoch user 21 Mar 2018 at 3:44 a.m. CDT

I can confirm this. It seems Cache Refresh uses different trust stores by default than LDAP Authentication. I had the same issue as the original poster: Cache Refresh worked with LDAP over SSL, while LDAP authentication did not. I use "official" certs on my LDAP server, which made Cache Refresh work directly out of the box. I could not get LDAP authentication to work. Solution: I commented out these lines in /etc/gluu/conf/ox-ldap.properties

```
#ssl.trustStoreFile: /etc/certs/opendj.pkcs12
#ssl.trustStorePin: xxxxxxxxxxxx
#ssl.trustStoreFormat: pkcs12
```

and rebooted the server. Now LDAP authentication seems to fall back on the same trust store Cache Refresh uses (?). Anyhow: it works now!

By Thomas Maerz user 05 Jul 2018 at 3:44 p.m. CDT

I went through the process of adding my AD CS CA root certificate to the opendj.pkcs12 Java truststore, but the keystore password found in /etc/gluu/conf/ox-ldap.properties doesn't work, nor does the one in setup.properties.last, nor does changeit. Do you know what the password for this keystore is, or where I am supposed to be able to find it? I am just using the workaround for now, but that is less than ideal because it leaves the system open for swapping out LDAP servers as an attack (not very likely, but quite possible).

By Hal Hauk user 11 Feb 2019 at 8:25 p.m. CST

Old thread, but in case it comes up, you can get the keystore password by grabbing the encoded trustStorePin from the config file and running: `/opt/gluu/bin/encode.py -D '[trustStorePin value]'`
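To confirm that the CA really landed in the truststore that `ox-ldap.properties` points at (the `ssl.trustStore*` lines quoted earlier in the thread, with the pin decoded via `encode.py -D` as described just above), here is a small Java diagnostic added here as an example; it is not Gluu's code, and its class name, argument list and the assumption that the pin is passed already decoded are mine. It reproduces the same PKIX path check that failed in oxtrust_persistence.log, trusting only that one store, and additionally turns on hostname matching, which is what closes the "swap in another LDAP server" gap that commenting the truststore lines out leaves open.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * LdapsTrustCheck (hypothetical helper, not part of Gluu): open a TLS
 * connection to an LDAPS host using exactly the truststore named in
 * /etc/gluu/conf/ox-ldap.properties (ssl.trustStoreFile / ssl.trustStoreFormat)
 * and the pin decoded with /opt/gluu/bin/encode.py -D, so the PKIX check
 * oxtrust performs can be reproduced before restarting any service.
 *
 * Assumed usage:
 *   java LdapsTrustCheck <truststore> <pkcs12|jks> <decoded-pin> <host> [port]
 */
public class LdapsTrustCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: LdapsTrustCheck <truststore> <pkcs12|jks> <decoded-pin> <host> [port]");
            System.exit(2);
        }
        String storePath = args[0];
        String storeType = args[1];
        char[] pin = args[2].toCharArray();
        String host = args[3];
        int port = args.length > 4 ? Integer.parseInt(args[4]) : 636;

        // 1. Load the store the way the JVM does: a wrong type or pin fails right here,
        //    which separates "wrong password" from "CA not trusted".
        KeyStore trustStore = KeyStore.getInstance(storeType);
        try (FileInputStream in = new FileInputStream(storePath)) {
            trustStore.load(in, pin);
        }
        System.out.println("Trust anchors in " + storePath + ":");
        for (String alias : Collections.list(trustStore.aliases())) {
            Certificate c = trustStore.getCertificate(alias);
            if (c instanceof X509Certificate) {
                System.out.println("  " + alias + " -> " + ((X509Certificate) c).getSubjectX500Principal());
            }
        }

        // 2. Build an SSLContext whose only trust anchors are that store; the JVM's
        //    default cacerts is deliberately not consulted.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLSocketFactory factory = ctx.getSocketFactory();

        // 3. Handshake. A missing issuing CA surfaces as the same
        //    "PKIX path building failed" seen in oxtrust_persistence.log.
        try (SSLSocket sock = (SSLSocket) factory.createSocket(host, port)) {
            // Plain SSLSocket does not check the hostname; enabling LDAPS endpoint
            // identification makes a certificate for a different server fail too.
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("LDAPS");
            sock.setSSLParameters(params);

            sock.startHandshake();
            System.out.println("Handshake OK with " + host + ":" + port + "; server chain:");
            for (Certificate c : sock.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject=" + x.getSubjectX500Principal()
                        + "  issuer=" + x.getIssuerX500Principal());
            }
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake FAILED against " + storePath + ":");
            for (Throwable t = e; t != null; t = t.getCause()) {
                System.out.println("  " + t.getClass().getSimpleName() + ": " + t.getMessage());
            }
            System.out.println("Import the issuing CA of the server chain into this store and retry.");
            System.exit(1);
        }
    }
}
```

Run it with the same JRE the Gluu services use, since that is the JVM whose validator produced the log entry.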