When attempting to perform an LDAP Sync to add users and/or groups using LDAP, the operation fails and the following error is seen:
LDAP Server: ldaps://<ip address>
com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by O=MY_TREE,OU=Organizational CA is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error
Sync status: Stopped due to an error
Changing the LDAP server URL from "ldaps://<ip address>" to "ldap://<ip address>" allows the LDAP Sync to complete successfully, which confirms that the failure lies in validating the server certificate rather than in the LDAP configuration itself. Note that plain ldap:// carries the bind credentials and directory data without encryption, so it serves to confirm the diagnosis rather than as a permanent setting.
Correct the problem with the server certificate by replacing the expired certificate in the Filr JVM trust store with the current one, as follows.
In the Filr port 9443 Administration console, go to Digital Certificates > Key Store: JVM Certificates and examine the trusted certificate for the tree to which your LDAP configuration points. Check the "Valid From" and "Valid To" dates. If the certificate is expired:
In iManager, export the server's certificate:
1. NetIQ Certificate Server > Configure Certificate Authority > Certificates tab
2. Select the certificate in use e.g. "Self Signed Certificate RSA"
3. Click the "Export" button
4. Enter and Re-enter the password
- Ensure "Export private key" is checked
- Ensure that the Export format is PKCS12
5. Click "Next"
6. Click "Save the exported certificate"
7. Note the name and location of the exported certificate
In the Filr port 9443 Administration console > Digital Certificates > Key Store: JVM Certificates:
1. Delete the existing, expired certificate
2. Click on File > Import > Import > Key Pair
3. Browse to the certificate file you saved from iManager
4. Provide an Alias
5. Enter the password
6. Click OK
Note: a restart is required for the changes to take effect.
Cause: expired server certificate.
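As an added example (not part of this article), the "Valid From" / "Valid To" check above done from the command line with openssl: the script fetches the certificate an LDAPS server presents, prints its subject, issuer and validity window, and reports whether it is expired or about to expire; a keytool helper exports the copy held in a Java trust store so it can be checked the same way. It assumes openssl and keytool are installed; the host, port, keystore path and alias are placeholders, not values from the article.

```shell
#!/bin/sh
# Added example (not from the article): check the LDAPS server certificate and
# the copy held in a Java trust store for expiry. Assumes openssl and keytool.

# Fetch the leaf certificate presented on an LDAPS port, as PEM on stdout.
fetch_ldaps_cert() {
    host=$1; port=${2:-636}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Export one trusted certificate from a Java keystore as PEM (keystore path
# and alias are placeholders; the Filr JVM Certificates store will differ).
keystore_cert_to_pem() {
    keystore=$1; alias=$2; storepass=$3; out=$4
    keytool -exportcert -rfc -keystore "$keystore" -alias "$alias" \
        -storepass "$storepass" -file "$out"
}

# Print subject, issuer and the Valid From / Valid To dates of a PEM file.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Print "yes" if the certificate in file $2 is expired or expires within
# $1 seconds, otherwise "no". A threshold of 0 asks "is it expired now?".
cert_expires_within() {
    if openssl x509 -in "$2" -noout -checkend "$1" >/dev/null 2>&1; then
        echo no
    else
        echo yes
    fi
}

# Fetch the live server certificate and warn if it expires within N days
# (default 30), so the trust-store copy can be replaced before sync breaks.
check_ldaps_host() {
    host=$1; port=${2:-636}; days=${3:-30}
    pem=$(mktemp)
    if ! fetch_ldaps_cert "$host" "$port" > "$pem"; then
        rm -f "$pem"; echo "could not fetch certificate from $host:$port" >&2; return 2
    fi
    cert_summary "$pem"
    status=0
    if [ "$(cert_expires_within $((days * 86400)) "$pem")" = yes ]; then
        echo "WARNING: certificate from $host:$port is expired or expires within $days days"
        status=1
    fi
    rm -f "$pem"
    return "$status"
}
```

Run `check_ldaps_host <ip address> 636 30` against the server named in the Filr LDAP configuration; a non-zero exit means the certificate needs replacing soon. To inspect the trust-store copy instead, export it with `keystore_cert_to_pem` and pass the resulting file to `cert_summary` and `cert_expires_within`.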