
Update: I never got this working over SSL. I ended up implementing a VPN in order to get the security.

I've been troubleshooting this problem for 2 days and cannot figure it out for the life of me. I've reviewed the following threads:

Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?

https://stackoverflow.com/questions/14465089/ssl-connection-in-glassfish-3-1

Among many others.

UPDATE: Sorry, I didn't even post the error I'm getting. Here it is:

javax.naming.CommunicationException: simple bind failed: server.local:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

I'm also using GlassFish server 3.1.2 and NetBeans 7.3 on Win7 pro.

Here is the code that is causing the error:

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.InitialDirContext;

Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://server.local:636/");

// Specify SSL
env.put(Context.SECURITY_PROTOCOL, "ssl");

// Fill in security/bind variables
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, config.Config.getSECURITY_PRINCIPAL()); // returns user@domain.local
env.put(Context.SECURITY_CREDENTIALS, config.Config.getSECURITY_CREDENTIALS()); // returns password

// Create the initial context (throws javax.naming.NamingException on failure)
ctx = new InitialDirContext(env); // defined above as InitialDirContext ctx = null;

I have used ldp.exe to confirm that SSL is configured properly on our AD server. Furthermore, I've tried the following:

  1. Importing the client certificate (and the CA root certificate from AD CS) as outlined here

a. I used the following commands:

C:\Program Files (x86)\Java\jdk1.7.0_25>bin\keytool -import -file SBS2011.sage.local_sage-SBS2011-CA.crt -keystore .\jre\lib\security\cacerts -alias SBS2011
Enter keystore password:
Certificate already exists in keystore under alias <mykey>
Do you still want to add it? [no]:  yes
Certificate was added to keystore

C:\Program Files (x86)\Java\jdk1.7.0_25>

  2. Uninstalling Java and reinstalling, then repeating step 1.

  3. Adding the following lines of code:

    System.setProperty("javax.net.ssl.trustStore", "C:\\Program Files (x86)\\Java\\jdk1.7.0_25\\jre\\lib\\security\\cacerts");
    System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

Other notes: the code works fine using non-SSL connection but then I get LDAP error 53 when trying to update user's information. In the end if there is a solution that involves not using SSL, I don't mind.

acrawly

1 Answer

Your truststore doesn't trust the LDAP server certificate.

Your step (3) above is the default.

If your LDAP server has a CA-signed certificate step (1) was unnecessary.

I don't know why you speak of 'client certificate' when it is the LDAP server's certificate you may need to import.

env.put(Context.PROVIDER_URL, "ldap://server.local:636/");

should be

env.put(Context.PROVIDER_URL, "ldaps://server.local:636/");
user207421
  • I added the code that I used to import the certificate, let me know if that is wrong? – acrawly Jun 28 '13 at 15:09
  • (1) Why does "Certificate already exist in keystore under alias "? (2) If this is supposed to be a CA certificate it should have asked you whether to trust it, as you didn't specify the -trustcacerts option. So there is still something wrong. And you don't need to import both the server certificate and its CA cert, just the latter. – user207421 Jun 28 '13 at 18:07
  • By certificate I mean the server's CA certificate. Previously I did do the same command and it asked if I wanted to import it. I said yes and it said 'successfully' imported but now every time I attempt to import it says it's already there. – acrawly Jul 02 '13 at 14:13
  • It works for me. I still don't know why you're importing the same thing twice. You should delete it first if you think you did it wrongly. – user207421 Dec 10 '13 at 22:36
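The two points raised in the thread are the ldaps:// scheme in the answer and, in the comments, whether the AD CS root certificate really is a trusted entry in the truststore the JVM is using. The following is an added example (not code from the question, the answer, or GlassFish) that does both: it opens the truststore, confirms the CA alias is present as a trusted-certificate entry before attempting the bind, and then binds with an ldaps:// URL. The truststore path, password and alias are taken from the question's keytool command and step 3; the host, principal and credentials are placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Added example: check that the AD CS root CA is a trusted entry in the
 * truststore, then bind to Active Directory over LDAPS (port 636, ldaps://).
 */
public class LdapsBind {

    // Assumed values: the JDK cacerts path and password from the question's step 3.
    static final String TRUSTSTORE_PATH =
            "C:\\Program Files (x86)\\Java\\jdk1.7.0_25\\jre\\lib\\security\\cacerts";
    static final String TRUSTSTORE_PASSWORD = "changeit";
    // Assumed alias: the one used in the question's keytool -import command.
    static final String CA_ALIAS = "SBS2011";

    /**
     * Returns the trusted CA certificate stored under the alias, or null when
     * the truststore has no trusted-certificate entry with that alias. Running
     * this before binding turns a generic PKIX error into a precise answer:
     * either the CA is in this file or it is not.
     */
    static X509Certificate findTrustedCa(String path, char[] password, String alias)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        if (!ks.isCertificateEntry(alias)) {
            return null;
        }
        return (X509Certificate) ks.getCertificate(alias);
    }

    /**
     * Opens a simple bind over LDAPS. The scheme must be ldaps:// for port 636;
     * ldap:// on 636 plus SECURITY_PROTOCOL=ssl is the combination that failed
     * in the question.
     */
    static DirContext bind(String host, String principal, String credentials)
            throws NamingException {
        // Equivalent to the question's step 3; this is also the JDK default.
        System.setProperty("javax.net.ssl.trustStore", TRUSTSTORE_PATH);
        System.setProperty("javax.net.ssl.trustStorePassword", TRUSTSTORE_PASSWORD);

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + host + ":636/");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);   // e.g. user@domain.local
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return new InitialDirContext(env);
    }

    public static void main(String[] args) throws Exception {
        X509Certificate ca = findTrustedCa(
                TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD.toCharArray(), CA_ALIAS);
        if (ca == null) {
            System.err.println("Alias " + CA_ALIAS + " is not a trusted entry in "
                    + TRUSTSTORE_PATH + "; import the CA certificate with "
                    + "keytool -importcert -trustcacerts before binding.");
            return;
        }
        System.out.println("Trusting CA: " + ca.getSubjectX500Principal());

        // Placeholder host and account (assumed); real values come from configuration.
        DirContext ctx = bind("server.local", "user@domain.local", "password-placeholder");
        try {
            System.out.println("LDAPS bind succeeded");
        } finally {
            ctx.close();
        }
    }
}
```

One caveat for the GlassFish deployment mentioned in the question: a GlassFish domain sets javax.net.ssl.trustStore in its domain.xml to the domain's own config/cacerts.jks, so a CA imported into the JDK's jre/lib/security/cacerts is never consulted by code running inside the server. Point the check above at the truststore the running JVM actually uses (the value of the javax.net.ssl.trustStore system property) and import the CA there.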