Wednesday, June 24, 2015

How to handle an LDAP certificate exception with WSO2 Carbon server

The WSO2 Identity product can be configured to use an external LDAP directory as a primary or secondary user store. You can follow the documentation to learn more about configuring LDAP.


After configuring LDAP, you may see the following SSL handshake error during server startup:

TID: [0] [IS] [2015-06-24 08:29:51,120] ERROR {org.wso2.carbon.user.core.ldap.LDAPConnectionContext} -  Error obtaining connection.Trying again to get connection...  {org.wso2.carbon.user.core.ldap.LDAPConnectionContext}
javax.naming.CommunicationException: ldap.wso2.org:3269 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:226)
        at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:136)
        at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1608)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2698)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
        at javax.naming.InitialContext.init(InitialContext.java:242)
        at javax.naming.InitialContext.<init>(InitialContext.java:216)
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
        at org.wso2.carbon.user.core.ldap.LDAPConnectionContext.getContext(LDAPConnectionContext.java:160)

The server cannot build a trust path to the LDAP server's certificate. To solve this, import the LDAP server's public certificate into client-truststore.jks (CARBON_HOME/repository/resources/security).

You can obtain the LDAP server's certificate by executing the following command:

echo -n | openssl s_client -connect ldap.wso2.org:3269 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.crt

Then import the certificate file into client-truststore.jks, which WSO2 Carbon products use as their trust store:

keytool -import -trustcacerts -alias ldapcert -file ldapserver.crt -keystore client-truststore.jks

You can verify that the certificate was imported by running the following command:

keytool -list -keystore client-truststore.jks -alias ldapcert
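The sed command above prints every certificate block the server sends, and keytool -import only reads the first certificate in a PEM file, so with -showcerts you would silently import the leaf instead of the issuing CA. The following script, an added example that is not part of the original post, splits an s_client transcript into one file per certificate so you can choose which block to trust; the transcript and the PEM bodies in it are constructed placeholders, and the file prefix and output names are this example's own.

```shell
#!/bin/sh
# Split the PEM certificates in an `openssl s_client -showcerts` transcript
# (read from stdin) into one file per certificate: <prefix>1.crt, <prefix>2.crt, ...
# Prints the number of certificates found. Block 1 is the leaf; the last
# block is normally the issuing CA, which is the better candidate for
# client-truststore.jks because it survives leaf certificate renewals.
split_pem_chain() {
    prefix="$1"
    awk -v prefix="$prefix" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix n ".crt"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                           { print n + 0 }
    '
}

# Constructed sample (not a real chain): the shape of an
# `openssl s_client -connect ldap.wso2.org:3269 -showcerts` transcript with
# a leaf and an issuer block, using placeholder base64 bodies.
SAMPLE_CHAIN='CONNECTED(00000003)
depth=1 CN = Example Issuing CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/CN=ldap.wso2.org
   i:/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
LEAFCERTPLACEHOLDER
-----END CERTIFICATE-----
 1 s:/CN=Example Issuing CA
   i:/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
ISSUERCERTPLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=ldap.wso2.org
'

demo() {
    dir=$(mktemp -d)
    count=$(printf '%s' "$SAMPLE_CHAIN" | split_pem_chain "$dir/ldapchain-")
    # Before importing, compare the fingerprint with the value your directory
    # team publishes (openssl x509 -noout -fingerprint -sha256 -in <file>),
    # then import the chosen block, e.g. "$dir/ldapchain-${count}.crt", with
    # keytool -import -trustcacerts -alias ldapca -keystore client-truststore.jks
    echo "$count"
}
```

Pipe the real transcript in with `echo -n | openssl s_client -connect ldap.wso2.org:3269 -showcerts | split_pem_chain ./ldapchain-` and inspect each block with `openssl x509 -noout -subject -issuer -in` before importing.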

