Overview
You are configuring LDAP over SSL on the Aurea Monitor Manager Server (AMS) console so that you can use external authentication. You imported the certificate under Trusted Certificate Authorities of the Application Server using the GUI and then tried to configure the Microsoft (MS) LDAP under External Directories.
The following error occurs when you try to save the SSL configuration or when you try to log in from Intermediary:
Thread-39, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
JsseListener1-15, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2020/08/28 09:44:39.471 FAIL!! JsseListener1-15 Superuser/Superuser APPLICATION null APPL0060: Plugin initialization exception
DS0009: An LDAP exception has been raised: simple bind failed: xxxx.ad.xxxx.com:636
javax.naming.CommunicationException: simple bind failed: xxxx.ad.xxxx.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at com.actional.soapstation.security.SecurityPluginMgr.initPluginInstance(SecurityPluginMgr.java:304)
at com.actional.soapstation.db.JavaPluginManager.validate(JavaPluginManager.java:330)
at com.actional.soapstation.task.DirectoryServiceTask.validateUserDirectory(DirectoryServiceTask.java:339)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.actional.APISessionFacade$Handler$1.invokeNext(APIFactory.java:734)
at com.actional.config.ConfigMgrProxy.invoke(ConfigMgrProxy.java:51)
at com.actional.APISessionFacade$Handler$1.invokeNext(APIFactory.java:728)
at com.actional.AuditSessionProxy.invoke(AuditSessionProxy.java:67)
at com.actional.APISessionFacade$Handler$1.invokeNext(APIFactory.java:728)
at com.actional.LogExceptionSession$Proxy.invoke(LogExceptionSession.java:141)
at com.actional.APISessionFacade$Handler$1.invokeNext(APIFactory.java:728)
at com.actional.AsyncCallSession$Proxy.invoke(AsyncCallSession.java:94)
at com.actional.APISessionFacade$Handler.invoke(APIFactory.java:746)
at com.sun.proxy.$Proxy28.validateUserDirectory(Unknown Source)
at com.actional.soapstation.ui.configuration.externaldir.ExternalDirWizardModel.verify(ExternalDirWizardModel.java:406)
at com.actional.ui.taglib.WizardController$InternalWizardContext.processRequest(WizardController.java:366)
at com.actional.ui.taglib.WizardController$InternalWizardContext.access$000(WizardController.java:166)
at com.actional.ui.taglib.WizardController.execute(WizardController.java:128)
Solution
This error occurs when the trusted certificate store contains a wrong or incomplete certificate, or no certificate at all.
Ensure that the certificate that you have imported under Trusted Certificate Authorities is valid and correct.
For example, if you download the certificate to be imported from your LDAP server (with a command similar to: openssl s_client -showcerts -connect your.ldapserver.com:567), make sure you import the CA certificate that signed the public certificate of the LDAP server (usually the second certificate in the chain), and not the public certificate used by the LDAP server itself.
Note: If you have different domain controllers in your environment, the certificates for all DC machines must be imported under Trusted Certificate Authorities for the AMS and Intermediary profiles.
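As an added example (not part of the original article or any Aurea tooling), the following shell functions split saved openssl s_client -showcerts output into individual certificates and identify the one that actually signed the server certificate, by checking the signature rather than relying on its position in the chain. The function names and the cert-N.pem file naming are assumptions of this example, and it requires the openssl command-line tool.

```shell
#!/usr/bin/env bash
# Added example: pick the CA certificate to import from saved
# `openssl s_client -showcerts` output. Names below are this example's own.

# split_chain <showcerts-output-file> <out-dir>
# Writes cert-1.pem (the server's own certificate), cert-2.pem, ... into
# <out-dir> and prints the number of certificates found.
split_chain() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; keep = 1 }
    keep { print > out }
    /-----END CERTIFICATE-----/   { keep = 0; close(out) }
    END { print n + 0 }
  ' "$1"
}

# find_issuer <out-dir>
# Prints the path of the certificate that signed cert-1.pem. Returns 1 when the
# server did not send it, in which case the CA certificate has to be obtained
# from the CA itself. Note that openssl verify also rejects an expired leaf.
find_issuer() {
  local leaf="$1/cert-1.pem" cand
  [ -f "$leaf" ] || return 1
  for cand in "$1"/cert-*.pem; do
    [ "$cand" = "$leaf" ] && continue
    # -trusted makes the candidate the only trust anchor (system CA stores are
    # ignored); -partial_chain allows that anchor to be an intermediate CA.
    if openssl verify -partial_chain -trusted "$cand" "$leaf" >/dev/null 2>&1; then
      echo "$cand"
      return 0
    fi
  done
  return 1
}
```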
Additionally, this issue may happen when the certificate does not match the configured hostname.