IDM 4.5.x RBPM - Unable to read User Application configuration ... simple bind failed ... javax.net.ssl.SSLHandshakeException

  • 7018047
  • 13-Sep-2016
  • 13-Sep-2016

Environment


NetIQ Identity Manager Roles Based Provisioning Module 4.5

Situation

The following error is received in the catalina.out file after restarting Tomcat.

Message: Unable to read User Application configuration (user: CN=admin,O=novell host: 1.1.1.1 port: 636 TLS/SSL: true base DN: cn=UserApplication,cn=Driver Set,ou=services,o=novell)
javax.naming.CommunicationException: simple bind failed: 1.1.1.1:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
    at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
.....

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)

Resolution

Here are the most common reasons this error is received.

1.  One or both of the eDirectory certificates have expired.   Verify the certificate the LDAP Server is using (SSL CertificateDNS by default) is valid and has not expired, and that the Certificate Authority has not expired.


2.  Time is out of sync between the User Application server and eDirectory server.
 
3.  Configupdate Keystore path to cacerts file is not correct or cacerts file was not selected.
Make sure that the cacerts file tomcat is using is selected and that the ldap server certificate is stored in that file.     /opt/netiq/idm/jre/lib/security/cacerts, by default.   To import the certificate into that file, browse the tree in configupdate, then save the changes.   It should update the certificate when you browse the tree.  Then restart tomcat.


Feedback service temporarily unavailable. For content questions or problems, please contact Support.