I have successfully configured my Cloudbreak UI to authenticate logins with our AD servers using LDAP, and that works fine. However, when I try to use the LDAPS protocol, I get a certificate path error. I have imported my trust chain into the cacerts truststore AND used the update-ca-trust utility. But when I try to log in, the uaa.log shows a cert path exception (see below).
My questions are, what truststore is being used? What client cert is the LDAPS process presenting?
Thanks in advance.
[2019-03-28 16:53:17.378] cloudfoundry-identity-server - ???? [http-nio-8080-exec-4] .... ERROR --- UsernamePasswordAuthenticationFilter: org.springframework.security.authentication.InternalAuthenticationServiceException: simple bind failed:
its-ad-ldap.it.example.com:636; nested exception is javax.naming.CommunicationException: simple bind failed:
its-ad-ldap.it.example.com:636, [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
LDAPS connection will not validate the server certificate. If you feel uncomfortable using this attribute, you can also import the certificate into the JVM's trust store in the identity container:
keytool -import -alias "$cert" -noprompt -file "$TRUSTED_CERT_DIR/$cert" -keystore /etc/ssl/certs/java/cacerts -storepass changeit;
Your other options would be to either use a trusted certificate (assuming you currently have a self-signed cert) or add the certificate to the JVM's trust store in the identity container, as I stated in my other reply.
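As an added example (not from the thread and not Cloudbreak's own tooling), this script does what the reply describes end to end: it dumps the chain the AD server presents on port 636, splits it into one file per certificate, and imports each into the identity container's JVM truststore, then lists what landed there. The hostname, port, truststore path and password are taken from the log and the reply above; openssl and keytool on PATH inside the identity container are assumed.

```shell
#!/bin/sh
# Added example: fetch, split and import an LDAPS server's certificate chain
# into the JVM truststore the UAA identity container reads (assumed path).
set -eu

LDAP_HOST="${LDAP_HOST:-its-ad-ldap.it.example.com}"   # from the uaa.log above
LDAP_PORT="${LDAP_PORT:-636}"
TRUSTSTORE="${TRUSTSTORE:-/etc/ssl/certs/java/cacerts}" # path quoted in the reply
STOREPASS="${STOREPASS:-changeit}"

# Split a concatenated PEM bundle (stdin) into OUTDIR/cert-N.pem, one file per
# certificate, ignoring any text between certificates; print the count.
split_pem_chain() {
    outdir="$1"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }
        END { print n + 0 }'
}

# Dump every certificate the server sends in the TLS handshake (-showcerts),
# i.e. the chain that PKIX path building must be able to anchor in the store.
fetch_chain() {
    openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" -showcerts </dev/null 2>/dev/null \
      | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Import each split certificate under its own alias (keytool rejects duplicates).
import_chain() {
    for f in "$1"/cert-*.pem; do
        keytool -importcert -noprompt -alias "ldaps-$(basename "$f" .pem)" \
            -file "$f" -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
    done
}

main() {
    workdir=$(mktemp -d)
    count=$(fetch_chain | split_pem_chain "$workdir")
    echo "server presented $count certificate(s)"
    import_chain "$workdir"
    # Confirm the aliases are in the store the JVM will actually consult.
    keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" | grep 'ldaps-'
}

# Only touch the network and the truststore when explicitly asked.
if [ "${RUN_IMPORT:-0}" = 1 ]; then main; fi
```

Run it inside the identity container as `RUN_IMPORT=1 sh import-ldaps-chain.sh`; if the JVM was started with a `-Djavax.net.ssl.trustStore` override, set TRUSTSTORE to that path instead of the default cacerts.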