LDAP over SSL fails with certificate exception
Problem
When trying to use LDAP over SSL, the following error appears when trying to create/update an LDAP directory:
javax.naming.CommunicationException: simple bind failed: myactivedirectoryurl.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
Solution
The certificates needed for the Java Virtual Machine to trust the SSL certificate of the LDAP/AD server must be imported into the Java keystore. Here is how to do it for the default iGrafx Platform Predeployed version.
First, download the intermediate and root certificates as .cer files (X.509) to a location on the server that is running Tomcat. How to obtain these certificates depends on the customer's network and policies.
Then add the certificates to the Java cacerts keystore (the key/trust store our application server uses to determine trust and validate certificates).
After getting the certificates, we are assuming the following (adjust the paths as necessary):
The platform is located in C:\iGrafxPlatform
Your certificate files have been copied to C:\iGrafxPlatform\jdk-11.0.4\lib\security
Open a command line and go to the directory containing your certificate files.
For each certificate, add the certificate to the default Java Keystore using this command:
..\..\bin\keytool.exe -import -trustcacerts -alias %ALIAS_NAME% -file %CERT_FILE% -storepass changeit -keystore cacerts
The ALIAS_NAME needs to be unique for each of your CERT_FILE references; using the file name without its extension is probably easiest.
After adding all the certificates, restart the server and see if LDAP over SSL works.
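The following PowerShell script is an added example, not part of the original article: it performs the per-certificate import above for every .cer file in the folder, derives a unique alias from each file name, and verifies that each alias landed in cacerts. It assumes the paths given in the article (C:\iGrafxPlatform\jdk-11.0.4) and the default cacerts password changeit.

```powershell
# Added example: import all .cer files into the JDK cacerts truststore with
# keytool, using the file name (without extension) as the unique alias.
# Paths assume the layout from the article; adjust $JdkHome if yours differs.
$JdkHome   = 'C:\iGrafxPlatform\jdk-11.0.4'
$Keytool   = Join-Path $JdkHome 'bin\keytool.exe'
$Cacerts   = Join-Path $JdkHome 'lib\security\cacerts'
$CertDir   = Join-Path $JdkHome 'lib\security'   # where the .cer files were copied
$StorePass = 'changeit'                          # default password of the JDK cacerts store

# Keep a copy of the truststore so a bad import can be rolled back.
Copy-Item -Path $Cacerts -Destination "$Cacerts.bak" -Force

foreach ($cert in Get-ChildItem -Path $CertDir -Filter '*.cer') {
    # keytool stores aliases case-insensitively; normalise to lower case.
    $alias = $cert.BaseName.ToLower()

    # keytool refuses duplicate aliases, so check first and skip existing ones.
    & $Keytool -list -keystore $Cacerts -storepass $StorePass -alias $alias *> $null
    if ($LASTEXITCODE -eq 0) {
        Write-Host "alias '$alias' already present in cacerts, skipping $($cert.Name)"
        continue
    }

    # -noprompt answers the "Trust this certificate?" question so the loop runs unattended.
    & $Keytool -importcert -trustcacerts -noprompt -alias $alias -file $cert.FullName `
               -keystore $Cacerts -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "import of $($cert.Name) failed (exit code $LASTEXITCODE)" }
    Write-Host "imported $($cert.Name) as alias '$alias'"
}

# Verification: show owner, issuer and fingerprint of every alias we expect to be present.
foreach ($cert in Get-ChildItem -Path $CertDir -Filter '*.cer') {
    $alias = $cert.BaseName.ToLower()
    & $Keytool -list -v -keystore $Cacerts -storepass $StorePass -alias $alias |
        Select-String -Pattern '^(Owner|Issuer|\s+SHA256):'
}
```

Run it from an elevated PowerShell prompt, since cacerts under the JDK folder is usually not writable by ordinary users; restart Tomcat afterwards so the JVM reloads the truststore.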