on 2010 Feb 09 4:01 PM
Hello Experts,
We are configuring the sell-side directory using a Microsoft Active Directory LDAP for authentication and password functions and are trying to configure SSL over port 636. When doing the connection test from the directory configuration screen, we get the following error in the E-Sourcing log file:
'simple bind failed: hostname.domain.com:636. Root exception is javax.net.ssl.SSLHandshakeException: unknown certificate'
We are running ESO 5.1.03 on a NetWeaver 7.0 (SPS15) AIX 6.1 Unix server and the MS AD LDAP is on a Windows server.
We have imported a certificate from the MS Active Directory LDAP server into the Java KeyStore TrustedCAs view. Is this the correct place to import the certificate? Any ideas why it would find an unknown certificate?
The connection (and user login authentication) works fine over port 389 without SSL, but we need SSL for the password change functions and to create new sell-side users in the LDAP. Any help would be appreciated.
WL
Hi Greg,
Glad to hear your connection is now working. Did you import the .PEM file into the cacerts file using the keytool -import command? Were there any other files you had to import into cacerts to get it to work?
WL
Hi Greg,
Yes, the key was imported into the $JAVA_HOME/jre/lib/security/cacerts file using the keytool -import command with the -trustcacerts parameter. Did you get a "Trust this certificate?" prompt when you imported it? If so, answer 'yes' before continuing. On Unix it prompts if you want to trust it before adding it to the keystore. I'm not sure how this works on Windows.
We were getting an 'unknown certificate' error. You are getting "No trusted certificate found". Could it be that it's finding a certificate but doesn't trust it?
WL
Thanks Wayne.
You put me on the right track. I missed the -trustcacerts flag when importing the certificate, which got me looking further into the keytool command. That is when I discovered that I needed to export my CA Trust as a p7b (Windows Certificate Services), convert that to PEM format and then import. Link: Identity Trusts, http://download.oracle.com/docs/cd/E13222_01/wls/docs92/secmanage/identity_trust.html#wp1194789
Previously I downloaded the CA certificate as a CER file and was attempting to use that file. The CER worked with JBoss, but NetWeaver was more picky.
Long and the short of it, the connection to LDAP is now working.
Thanks again.
Greg
Fixed. The certificate also had to be added to cacerts at the Unix command line.
Hi Wayne,
Which cacerts file did you import the key into? Was it in JAVA_HOME/jre/lib/security?
I am in a very similar situation except I am running NW 7.0 on Windows Server 2003. I have imported the certificate into TrustedCAs on the server and within NW's TrustedCAs. I have also imported the certificate into the JAVA_HOME cacerts file. However, I am still experiencing an error.
Error:
"Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found"
Is there anywhere else that I need to establish trust?
Thanks,
Greg