
Cloudbreak UI LDAPS Exception

Explorer

I have successfully configured my Cloudbreak UI to authenticate logins with our AD servers using LDAP, and that works fine. However, when I try to use the LDAPS protocol, I get a certificate path error. I have imported my trust chain into the cacerts truststore AND used the update-ca-trust utility. But when I try to log in, the uaa.log shows a cert path exception (see below).

My questions are, what truststore is being used? What client cert is the LDAPS process presenting?

Thanks in advance.


[2019-03-28 16:53:17.378] cloudfoundry-identity-server - ???? [http-nio-8080-exec-4] .... ERROR --- UsernamePasswordAuthenticationFilter: org.springframework.security.authentication.InternalAuthenticationServiceException: simple bind failed: its-ad-ldap.it.example.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: its-ad-ldap.it.example.com:636, [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]



Cloudera Employee

Hi,


Please add the following property to your uaa-changes.yml file:

ldap:
  ssl:
    skipverification: "true"

Explorer

What does that do? Feels vulnerable.

Cloudera Employee

The LDAPS connection will not validate the server certificate. If you feel uncomfortable using this attribute, you can also import the certificate into the JVM's trust store in the identity container:

keytool -import -alias "$cert" -noprompt -file "$TRUSTED_CERT_DIR/$cert" -keystore /etc/ssl/certs/java/cacerts -storepass changeit;


Cloudera Employee

You might also add the certificate alias to your uaa-changes.yml file: https://github.com/cloudfoundry/uaa/blob/releases/3.6.14/uaa/src/main/resources/uaa.yml#L91

Explorer

Found it...not ideal...

ssl: {
  skipverification: {
    value: "<uaa.ldap.ssl.skipverification>",
    sources: {
      uaa.ldap.ssl.skipverification: "Set to true, and LDAPS connection will not validate the server certificate."
    }
  }
}

Cloudera Employee

Your other options would be to either use a trusted certificate (assuming you currently have a self-signed cert) or add the certificate to the JVM's trust store in the identity container, as I stated in my other reply.
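As an added example (not code from this thread, nor from Cloudbreak or UAA), the following Java program reproduces the LDAPS handshake with the same JSSE trust resolution the UAA JVM uses and answers the two questions asked above. It prints which truststore is consulted (the `javax.net.ssl.trustStore` system property if set, otherwise `jssecacerts`, otherwise `cacerts` under `java.home`), whether any client keystore is configured (a simple bind sends no client certificate unless `javax.net.ssl.keyStore` is set), and, when validation fails with the same PKIX error as in uaa.log, the chain the AD server actually presented and whether the issuer of its top certificate is present in that store. The host and port default to the ones in the log line; the class name, the default `changeit` store password and the "run it inside the identity container" assumption are mine.

```java
import java.io.FileInputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Standalone LDAPS trust diagnostic (example code, not part of UAA). Run with the same JVM as the identity container. */
public class LdapsTrustCheck {

    /** JSSE default resolution order: javax.net.ssl.trustStore, else jssecacerts, else cacerts. */
    static Path resolveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) return Paths.get(prop);
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jsse = security.resolve("jssecacerts");
        return Files.exists(jsse) ? jsse : security.resolve("cacerts");
    }

    /** Wraps the real trust manager: records the chain the server sent, then validates exactly as UAA would. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] serverChain;
        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            serverChain = chain;                       // keep a copy for the report below
            delegate.checkServerTrusted(chain, authType); // raises the same PKIX path error seen in uaa.log
        }
    }

    static String sha256(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "its-ad-ldap.it.example.com"; // host from the log line
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 636;

        Path storePath = resolveTrustStore();
        String storePass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit"); // assumed default
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(storePath.toFile())) {
            trustStore.load(in, storePass.toCharArray());
        }
        System.out.println("Truststore in use : " + storePath + " (" + trustStore.size() + " entries)");
        // No client certificate is presented for a simple bind unless a keystore is configured.
        System.out.println("Client keystore   : " + System.getProperty("javax.net.ssl.keyStore", "<none>"));

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        RecordingTrustManager recorder = new RecordingTrustManager((X509TrustManager) tmf.getTrustManagers()[0]);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);

        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("LDAPS"); // hostname check, like the LDAP client
            socket.setSSLParameters(params);
            socket.startHandshake();
            System.out.println("Handshake OK: server chain validates against " + storePath);
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake FAILED: " + e.getMessage());
        }

        if (recorder.serverChain == null) { System.out.println("Server presented no certificate chain"); return; }
        for (X509Certificate cert : recorder.serverChain) {
            System.out.println("  subject=" + cert.getSubjectX500Principal() + "  issuer=" + cert.getIssuerX500Principal());
            System.out.println("  sha256=" + sha256(cert));
        }
        // Is the issuer of the top-most certificate the server sent anchored in this truststore?
        X509Certificate top = recorder.serverChain[recorder.serverChain.length - 1];
        boolean anchored = false;
        for (Enumeration<String> aliases = trustStore.aliases(); aliases.hasMoreElements();) {
            Certificate c = trustStore.getCertificate(aliases.nextElement());
            if (c instanceof X509Certificate
                    && ((X509Certificate) c).getSubjectX500Principal().equals(top.getIssuerX500Principal())) {
                anchored = true;
                break;
            }
        }
        System.out.println(anchored
                ? "Issuer of the top certificate is present in " + storePath
                : "Issuer " + top.getIssuerX500Principal() + " is NOT in " + storePath + "; import that CA with keytool into this file");
    }
}
```

Compile and run it inside the identity container, e.g. `java LdapsTrustCheck its-ad-ldap.it.example.com 636`; add `-Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts` to confirm that the store the keytool command above writes to is the one this JVM actually reads. If the reported truststore differs from the one you imported the chain into, that explains the PKIX error without touching `skipverification`, which disables validation entirely and leaves the bind open to an interposing server.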
