
Update: I never got this working over SSL. I ended up implementing a VPN in order to get the security.

I've been troubleshooting this problem for 2 days and cannot figure it out for the life of me. I've reviewed the following threads:

Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?

https://stackoverflow.com/questions/14465089/ssl-connection-in-glassfish-3-1

Among many others.

UPDATE: Sorry, I didn't even post the error I'm getting. Here it is:

javax.naming.CommunicationException: simple bind failed: server.local:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

I'm also using GlassFish server 3.1.2 and NetBeans 7.3 on Win7 pro.

Here is the code that is causing the error:

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;

Hashtable<String, String> env = new Hashtable<>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://server.local:636/"); // LDAPS port 636

// Specify SSL
env.put(Context.SECURITY_PROTOCOL, "ssl");

// Fill in security/bind variables
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, config.Config.getSECURITY_PRINCIPAL());     // returns [email protected]
env.put(Context.SECURITY_CREDENTIALS, config.Config.getSECURITY_CREDENTIALS()); // returns password

// Create the initial context (throws NamingException on bind/handshake failure)
ctx = new InitialDirContext(env); // defined above as InitialDirContext ctx = null;

I have used ldp.exe to confirm that SSL is configured properly on our AD server. Furthermore, I've tried the following:

  1. Importing the client certificate (and the CA root certificate from AD CS) as outlined here

     a. I used the following commands:

     C:\Program Files (x86)\Java\jdk1.7.0_25>bin\keytool -import -file SBS2011.sage.local_sage-SBS2011-CA.crt -keystore .\jre\lib\security\cacerts -alias SBS2011
     Enter keystore password:
     Certificate already exists in keystore under alias <mykey>
     Do you still want to add it? [no]:  yes
     Certificate was added to keystore

     C:\Program Files (x86)\Java\jdk1.7.0_25>

  2. Uninstalling Java and reinstalling, then repeating step 1.

  3. Adding the following lines of code:

     System.setProperty("javax.net.ssl.trustStore", "C:\\Program Files (x86)\\Java\\jdk1.7.0_25\\jre\\lib\\security\\cacerts");
     System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

Other notes: the code works fine using a non-SSL connection, but then I get LDAP error 53 when trying to update a user's information. In the end, if there is a solution that involves not using SSL, I don't mind.

  • What is the exact error that you're getting? Commented Jun 27, 2013 at 16:51
  • I added an update above. Sorry I didn't mention that before. Commented Jun 27, 2013 at 22:43
  • How did you solve this? Commented Jun 10, 2016 at 9:59

1 Answer

Your truststore doesn't trust the LDAP server certificate.

Your step (3) above is the default.

If your LDAP server has a CA-signed certificate, step (1) was unnecessary.

I don't know why you speak of 'client certificate' when it is the LDAP server's certificate you may need to import.

env.put(Context.PROVIDER_URL, "ldap://server.local:636/");

should be

env.put(Context.PROVIDER_URL, "ldaps://server.local:636/");

4 Comments

I added the code that I used to import the certificate, let me know if that is wrong?
(1) Why does "Certificate already exist in keystore under alias <mykey>"? (2) If this is supposed to be a CA certificate it should have asked you whether to trust it, as you didn't specify the -trustcacerts option. So there is still something wrong. And you don't need to import both the server certificate and its CA cert, just the latter.
By certificate I mean the server's CA certificate. Previously I did do the same command and it asked if I wanted to import it. I said yes and it said 'successfully' imported, but now every time I attempt to import it says it's already there.
It works for me. I still don't know why you're importing the same thing twice. You should delete it first if you think you did it wrongly.
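As an added diagnostic, not code from the question or the answer above: this Java program replays the PKIX path building that fails in the stack trace, against an explicit trust store (for example the JDK cacerts) and the server certificate chain exported from AD, and reports under which alias a matching CA is actually stored. The trust store path, its password and the PEM file name are arguments supplied by the reader; the class name TrustCheck is hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Hypothetical diagnostic helper (not from the question): checks whether a trust
// store can build a PKIX path for an LDAP server's certificate chain.
// Usage: java TrustCheck <truststore> <password> <server-chain.pem>
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ts.load(in, args[1].toCharArray());        // cacerts default password: changeit
        }

        // The chain as exported from the server (leaf first, PEM, one or more certs).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[2])) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        X509Certificate leaf = chain.get(0), top = chain.get(chain.size() - 1);
        System.out.println("Server cert: " + leaf.getSubjectX500Principal());
        System.out.println("Issued by  : " + top.getIssuerX500Principal());

        // Which trusted entries (if any) could have signed the top of the chain? This
        // exposes a CA imported under an unexpected alias such as "mykey".
        for (String alias : Collections.list(ts.aliases())) {
            if (!ts.isCertificateEntry(alias)) continue;
            X509Certificate anchor = (X509Certificate) ts.getCertificate(alias);
            if (anchor.getSubjectX500Principal().equals(top.getIssuerX500Principal()))
                System.out.println("Candidate anchor in trust store: alias '" + alias + "'");
        }

        // Replay what the JSSE trust manager does: build a PKIX path to a trust anchor.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(ts, target);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
        params.setRevocationEnabled(false);                 // focus on the trust path only
        try {
            PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("OK: path ends at " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            // Same root cause as the SunCertPathBuilderException in the question.
            System.out.println("PKIX path building failed: " + e.getMessage());
        }
    }
}
```

If the program reports a candidate anchor but path building still fails, the JVM that runs GlassFish is most likely reading a different trust store than the one you imported into; if it reports no candidate, the CA certificate was never imported as a trusted entry.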
