The following error may occur when connecting an IQ Server running in Kubernetes to an LDAP server over SSL (LDAPS):
javax.naming.CommunicationException: <host>:<port>
[Root exception is
javax.net.ssl.SSLHandshakeException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target]
To allow secure access to LDAP, you need to configure a trust store containing the LDAP server's certificate and point the service script that starts the IQ Server at it.
This article provides the basic steps for an IQ Server deployed on Kubernetes. They are adapted from the article "How to configure the IQ Server to trust an LDAP Server SSL certificate".
1. IQ HA using Sonatype IQ HA helm chart
This article uses the IQ 179 HA helm chart template as an example and chooses /sonatype-work/clm-cluster (the default value of clusterDirectory) as the location for the new trust store file. This location was chosen because all the pods share it, so the steps below only need to be run in one Pod.
1.1) Determine the Java install that IQ Server is using and locate the default trust store file included with Java. See our guide on how to determine the trust store file being used. By default, it is $JAVA_HOME/lib/security/cacerts.
We can't import (write) the self-signed cert directly into that file because it is owned by the root user with 444 permissions.
1.2) Copy the cacerts file to the new location /sonatype-work/clm-cluster:
export DIR="/sonatype-work/clm-cluster"
cp $JAVA_HOME/lib/security/cacerts $DIR/nexus-iq-server-outbound.jks
chmod 744 $DIR/nexus-iq-server-outbound.jks
1.3) Get a shell in one Pod (default container), fetch the LDAPS server certificate, and save it as a PEM-encoded text file. Here is one way to do this using OpenSSL; it writes the file $DIR/ldaps.pem:
echo -n | openssl s_client -showcerts -connect ldaphost:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > $DIR/ldaps.pem
1.4) Import the PEM-encoded LDAPS server certificate into the trust store that IQ Server will use:
keytool -importcert -file $DIR/ldaps.pem -alias nexus-iq-server-ldaps-cert -trustcacerts -keystore $DIR/nexus-iq-server-outbound.jks -storepass changeit
1.5) Important! Make a note of the current value of the environment variable JAVA_OPTS:
echo $JAVA_OPTS
1.6) Append the following to JAVA_OPTS's original value and assign the combined string to javaOpts in the HA helm chart's values.yaml file. (Note: do not replace JAVA_OPTS with the value below; append it to the original value. The original value may contain parameters that IQ Server needs when running on Java 17.)
-Djavax.net.ssl.trustStore=/sonatype-work/clm-cluster/nexus-iq-server-outbound.jks -Djavax.net.ssl.trustStorePassword=changeit
For example, if JAVA_OPTS's original value is -Djava.util.prefs.userRoot=/sonatype-work/javaprefs, the values.yaml entry becomes:
javaOpts: "-Djava.util.prefs.userRoot=/sonatype-work/javaprefs -Djavax.net.ssl.trustStore=/sonatype-work/clm-cluster/nexus-iq-server-outbound.jks -Djavax.net.ssl.trustStorePassword=changeit"
1.7) Upgrade your Helm release:
helm upgrade
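The following script is an added example (not Sonatype's tooling or part of the original article) that walks through steps 1.3, 1.4 and 1.6 on constructed input. It reuses the article's sed filter, counts how many certificates the LDAPS server actually presented (a server that sends its chain yields more than one PEM block, and keytool -importcert takes one certificate per file and alias, so a bundle should be split before step 1.4), and builds the javaOpts value by appending to the original JAVA_OPTS rather than replacing it. The s_client output, the certificate bodies, the ldaps-N.pem file names and the per-certificate alias suffix are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not Sonatype's own tooling: helpers for steps 1.3, 1.4 and 1.6.
# The s_client output and certificate bodies below are constructed samples.

# Step 1.3: keep only the PEM certificate blocks from `openssl s_client
# -showcerts` output read on stdin (the article's sed filter, unchanged).
extract_pem() {
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Number of certificates in a PEM file ($1). Check this before step 1.4:
# keytool -importcert works on one certificate per file and alias.
cert_count() {
    grep -c -- '-END CERTIFICATE-' "$1"
}

# Split a PEM bundle ($1) into <prefix>-1.pem, <prefix>-2.pem, ... ($2 = prefix)
# so each certificate can be imported under its own alias.
split_pem() {
    awk -v prefix="$2" '
        /-BEGIN CERTIFICATE-/ { n++; out = prefix "-" n ".pem"; inside = 1 }
        inside                { print > out }
        /-END CERTIFICATE-/   { close(out); inside = 0 }
    ' "$1"
}

# Step 1.6: append the trust store flags to the ORIGINAL JAVA_OPTS ($1) instead
# of replacing it. $2 = trust store path, $3 = trust store password. If a
# trustStore flag is already present the value is returned unchanged, so
# running the step twice does not duplicate the flags.
build_java_opts() {
    flags="-Djavax.net.ssl.trustStore=$2 -Djavax.net.ssl.trustStorePassword=$3"
    case "$1" in
        *-Djavax.net.ssl.trustStore=*) printf '%s\n' "$1" ;;
        "")                            printf '%s\n' "$flags" ;;
        *)                             printf '%s\n' "$1 $flags" ;;
    esac
}

# Constructed stand-in for `echo -n | openssl s_client -showcerts -connect
# ldaphost:636`: a leaf certificate followed by its issuing CA. The base64
# bodies are placeholders, not real certificates.
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
depth=1 CN = Example Corp Internal CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:CN = ldaphost
   i:CN = Example Corp Internal CA
-----BEGIN CERTIFICATE-----
MIIB+placeholder-leaf-certificate-body
-----END CERTIFICATE-----
 1 s:CN = Example Corp Internal CA
   i:CN = Example Corp Internal CA
-----BEGIN CERTIFICATE-----
MIIB+placeholder-ca-certificate-body
-----END CERTIFICATE-----
---
DONE
EOF
}

# Walk the steps on the constructed sample and print the keytool commands
# that would follow (printed only; keytool is not invoked here).
demo() {
    DIR=$(mktemp -d)
    sample_s_client_output | extract_pem > "$DIR/ldaps.pem"
    n=$(cert_count "$DIR/ldaps.pem")
    echo "certificates presented by the server: $n"
    split_pem "$DIR/ldaps.pem" "$DIR/ldaps"
    i=1
    while [ "$i" -le "$n" ]; do
        echo "keytool -importcert -file $DIR/ldaps-$i.pem -alias nexus-iq-server-ldaps-cert-$i" \
             "-trustcacerts -keystore $DIR/nexus-iq-server-outbound.jks -storepass changeit"
        i=$((i + 1))
    done
    echo "javaOpts: \"$(build_java_opts "$JAVA_OPTS" /sonatype-work/clm-cluster/nexus-iq-server-outbound.jks changeit)\""
    rm -rf "$DIR"
}

demo
```

Run it inside the Pod with the real s_client output piped into extract_pem in place of sample_s_client_output; if cert_count reports more than one certificate, import each split file under its own alias (or only the issuing CA certificate, which also validates the leaf) instead of passing the whole bundle to keytool.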
2. IQ running in K8s without using the HA helm chart
If your IQ Server runs in a (non-HA) K8s environment deployed from your own template, follow the steps in section 1 with the changes below.
2.1) Choose a different location for the trust store file:
export DIR="/opt/sonatype/nexus-iq-server"
2.2) In Kubernetes, pass the new JAVA_OPTS value to the container via an environment variable in the deployment manifest:
env:
  - name: JAVA_OPTS
    value: "<JAVA_OPTS's original value> -Djavax.net.ssl.trustStore=/opt/sonatype/nexus-iq-server/nexus-iq-server-outbound.jks -Djavax.net.ssl.trustStorePassword=changeit"
Reference:
https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/