Solved

Getting "unable to find valid certification path to requested target" when using ldaps.

Posted on 2008-10-13
6
12,992 Views
Last Modified: 2013-11-24
Hi All,

We are having an application that connects to the LDAP through JNDI ssl/non-ssl. When it tries to connect through SSL it throws the following exception in Windows (uses sun JRE)

Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

For this exception, I have tried quite a bit of things from internet. Most of them say that I have to install the rootCA certificate. Nothing helped.

The value of the trust store is assigned at the run-time (in the JNDI code) using the api
System.setProperty("javax.net.ssl.trustStore", c:\\certificates\\mystore);

In AIX (using IBM JRE), the same code throws the following exception.

Root exception is javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:java.security.cert.CertPathValidatorException: The certificate issued by <DN of the CA> is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error

Our application has a application server, webserver and a database. To isolate the problem, I wrote a standalone JNDI program. It connects to the same LDAP with same set of certs from the same machine (both Windows and AIX) through SSL.

Finally I found out 2 ways to make the application work.

1. When I import the certificates in to jssecacerts iniside the jre\lib\security I am able to connect through SSL. The trust store path is not necessary here.
2. When I give the path of the trust store along with the Java VM options in my appserver configuration file and reboot, it works. I think it is similar to giving the keystore path in the command line, i.e.,

c:\> java -Djavax.net.ssl.trustStore=c:\\certificates\\mystore

From this I would say the certificates are not the problem. My app is not able to get the trust store path when I set the path at runtime or the value of the path gets overwritten at some point.

Unfortunately I can resort to any of the above 2 solutions. Have anyone come across these kind of problems? Any help would be appreciated.

0
Comment
Question by:ppjoe
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
6 Comments
 
LVL 5

Expert Comment

by:muktajindal
ID: 22708367
0
 

Author Comment

by:ppjoe
ID: 22708607
Thanks Muktajindal.
The link you have given has instructions and example to write a standalone JNDI code. I have done it and it works for me. I have already mentioned this. The problem I am facing is the same snippet of working code in standalone does not work with my app. From the various test case I have almost concluded that the trust store path is not picked up by the JNDI. So, my problem is very specific to the truststore path. This is an example (which works as standalone) I am trying that fails to connect inside my app.

Hashtable envProps = new Hashtable();
envProps.put(Context.SECURITY_AUTHENTICATION, "simple");
envProps.put(Context.SECURITY_PRINCIPAL, "cn=xyz");
envProps.put(Context.SECURITY_CREDENTIALS, "xyz");
envProps.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
envProps.put(Context.SECURITY_PROTOCOL, "ssl");
    
System.setProperty("javax.net.ssl.trustStore", "c:\\certificates\\cert");
//I dont write in to the trust store. So the trust store password is not needed.
   
envProps.put(Context.PROVIDER_URL, "ldap://mycomputer.ldap.com:636");
InitialLdapContext context = null;
try
{
context = new InitialLdapContext(envProps, null);
}
catch (Exception e)
{}	

Open in new window

0
 
LVL 5

Accepted Solution

by:
muktajindal earned 500 total points
ID: 22708796
Make sure that the truststore path is correct w.r.t. the server/machine where this piece of code is running.
0
 

Author Comment

by:ppjoe
ID: 22719861
I found out the property that is set using
System.setProperty("javax.net.ssl.trustStore", "c:\\certificates\\cert");
is not picked up by the JVM. The value is set but my app is not picking it.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For beginner Java programmers or at least those new to the Eclipse IDE, the following tutorial will show some (four) ways in which you can import your Java projects to your Eclipse workbench. Introduction While learning Java can be done with…
Go is an acronym of golang, is a programming language developed Google in 2007. Go is a new language that is mostly in the C family, with significant input from Pascal/Modula/Oberon family. Hence Go arisen as low-level language with fast compilation…
Viewers will learn about if statements in Java and their use The if statement: The condition required to create an if statement: Variations of if statements: An example using if statements:
This tutorial covers a practical example of lazy loading technique and early loading technique in a Singleton Design Pattern.
Suggested Courses

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question