When connecting the IQ Server to an LDAP server over SSL (ldaps://), it is common for the LDAP server to be using a self-signed certificate that the JVM running the CLM server does not yet trust. A common error message in this case is:
javax.naming.CommunicationException: your.ldaps.host:XXXX [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
In order to establish trust in this self-signed certificate, you have to import the LDAP SSL certificate into a keystore file and feed this file as the truststore to the IQ Server.
Here are the basic steps:
- Determine the Java install that IQ Server is using and locate the default truststore file (cacerts) included with that Java. See our guide for how to determine the truststore file being used.
- Make a copy of that cacerts file in the same directory where nexus-iq-server-<version>.jar is located. Name the copy nexus-iq-server-outbound.jks so that the purpose of this file is clear.
- Get the LDAPS server certificate and save it to a PEM encoded text file. Here is one way to do this using OpenSSL:
echo -n | openssl s_client -showcerts -connect ldaphost:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldaps.pem
- Import the LDAPS server PEM encoded certificate into the truststore that IQ Server will use:
keytool -importcert -file ldaps.pem -alias nexus-iq-server-ldaps-cert -trustcacerts -keystore nexus-iq-server-outbound.jks -storepass changeit
- Change the command used to launch IQ Server so that the new truststore is used, by adding these Java system properties to the command line:
-Djavax.net.ssl.trustStore=/<replace_with_absolute_full_path>/nexus-iq-server-outbound.jks -Djavax.net.ssl.trustStorePassword=changeit
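The steps above collected into one script, as an added example that is not part of this article or of the IQ Server product: it copies the JVM's cacerts, fetches the LDAPS certificate, shows its SHA-256 fingerprint so it can be checked against the value the LDAP administrator gives you before anything is trusted, imports it, and confirms the alias is present. The host, port, install directory, and the EXPECTED_FP variable are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the Sonatype article): the LDAPS trust procedure as
# one script. Assumed values: LDAP_HOST/LDAP_PORT, IQ_DIR (the directory that
# holds nexus-iq-server-<version>.jar) and EXPECTED_FP; override via environment.
set -eu

LDAP_HOST="${LDAP_HOST:-ldaphost}"            # assumption: your LDAPS host
LDAP_PORT="${LDAP_PORT:-636}"
IQ_DIR="${IQ_DIR:-/opt/nexus-iq-server}"       # assumption: IQ Server install dir
TRUSTSTORE="$IQ_DIR/nexus-iq-server-outbound.jks"
STOREPASS="${STOREPASS:-changeit}"
ALIAS="nexus-iq-server-ldaps-cert"
EXPECTED_FP="${EXPECTED_FP:-}"                 # SHA-256 fingerprint from the LDAP admin, if known

# Keep only the PEM certificate block(s) from openssl s_client output (read from stdin).
extract_pem() {
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# JVM system properties that point IQ Server at the outbound truststore.
jvm_trust_opts() {
    printf '%s %s' "-Djavax.net.ssl.trustStore=$1" "-Djavax.net.ssl.trustStorePassword=$2"
}

# cacerts of the JVM on PATH (the one that launches IQ Server).
find_cacerts() {
    java_home=$(dirname "$(dirname "$(readlink -f "$(command -v java)")")")
    for c in "$java_home/lib/security/cacerts" "$java_home/jre/lib/security/cacerts"; do
        if [ -f "$c" ]; then echo "$c"; return 0; fi
    done
    echo "cacerts not found under $java_home" >&2
    return 1
}

run() {
    # Never overwrite an outbound truststore that already holds other certificates.
    if [ ! -f "$TRUSTSTORE" ]; then
        cp "$(find_cacerts)" "$TRUSTSTORE"
    fi

    openssl s_client -showcerts -connect "$LDAP_HOST:$LDAP_PORT" </dev/null 2>/dev/null \
        | extract_pem > ldaps.pem
    [ -s ldaps.pem ] || { echo "no certificate received from $LDAP_HOST:$LDAP_PORT" >&2; exit 1; }

    # A self-signed certificate carries no other proof of who it belongs to, so
    # compare the fingerprint out-of-band before it is trusted.
    fp=$(openssl x509 -in ldaps.pem -noout -fingerprint -sha256 | cut -d= -f2)
    echo "server certificate SHA-256: $fp"
    if [ -n "$EXPECTED_FP" ]; then
        [ "$fp" = "$EXPECTED_FP" ] || { echo "fingerprint mismatch; not importing" >&2; exit 1; }
        noprompt=-noprompt
    else
        noprompt=""        # keytool asks "Trust this certificate?" interactively
    fi

    keytool -importcert $noprompt -file ldaps.pem -alias "$ALIAS" -trustcacerts \
        -keystore "$TRUSTSTORE" -storepass "$STOREPASS"

    # keytool -list exits non-zero if the alias is not in the keystore.
    keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -alias "$ALIAS"

    echo "add to the IQ Server launch command:"
    jvm_trust_opts "$TRUSTSTORE" "$STOREPASS"
    echo
}

if [ "${1:-}" = "run" ]; then run; fi
```

Invoke it as `sh ldaps-trust.sh run` on the IQ Server host; with EXPECTED_FP set the import is unattended, otherwise keytool's own prompt is the checkpoint. The -noprompt flag is only applied after the fingerprint matched, so an unexpected certificate presented on that port is never imported silently.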