Solved

Blackboard SSL and AD

Posted on 2016-09-27
4
35 Views
Last Modified: 2016-10-08
We have a Blackboard LMS.  Blackboard has 3 mechanisms for authentication 1) Builtin 2) LDAPS and 3) StartTLS .  Blackboard uses Tomcat for its webserver so I have an InCommon certificate installed.  It works great and is valid for another 2 years.  I forgot to mention that we are running Blackboard on Windows Server 2012.  It is connected to the domain and is natted.  Our Domain Controller is Active directory running on Server 2012.  We set up an internal windows CA and used it to generate a certificate for AD.  We have two Barracuda Load balancers also.  When I configure Blackboard to use ldaps  pointing to the load balancers it works fine.  Blackboard recommends StartTLS.  My network admin doesn't want people from the outside hitting the loadbalancers to authenticate from AD on port 389 (an unsecured port)  He has me trying to use AD directly. When I configure BB to use startTLS and point it to AD it always fails.  BB has a test your connection feature so this is how I know.   This is the error I get:
javax.naming.NamingException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I was wondering if anyone might have a suggestion. I took the certificate from AD and imported it into the JDK's lib/cacerts keystore but I still get the same error.
0
Comment
Question by:fgmiller
  • 3
4 Comments
 
LVL 6

Expert Comment

by:Obi Wan
ID: 41818692
HI there, some questions back at you im sorry to say...

The error is telling you the certpath is still not valid / trusted.

Have you imported / trusted the internal root cert from the client machine, can you verify the path again from the client machine.

If its natted, are you still using the FQDN to access it internally and externally no cert issues on route ?
0
 

Author Comment

by:fgmiller
ID: 41818768
Thanks for the reply.

I have the root/intermediate and client cert installed on the Blackboard server.  My AD admins tell me that since the Windows CA is internal that the certificate that it issued for AD is it, there is no root or intermediate.  I imported the certificate issued to AD into BB Tomcat into the jdk cacerts keystore and restarted Tomcat.  This is on our test server.

I use the same FQDN to access Blackboard from inside or out. There haven't been any certificate issues that I know of.
0
 

Accepted Solution

by:
fgmiller earned 0 total points
ID: 41826405
I managed to get it working.  I searched through google and came upon the one solution I didn't try.  Unknown to me - when you install the jdk it makes two directors. I just took the defaults.  One is the jdk and the other is the JRE.  One of the solutions was to import the cert from AD and import it into jre/lib/security/cacerts.  I did that not knowing that there are two JRE folders. There is the one above and there is another one in the JDK folder. The solution is to import the AD cert in the jre/lib/security/cacerts  under the JDK.  Once I did that and then restarted Blackboard which restarted Tomcat, I was able to use the tool in Blackboard to check and make sure it was connecting. I even got it to connect using StartTLS which I never was able to before.
I hope this helps someone in the future.
0
 

Author Closing Comment

by:fgmiller
ID: 41834906
I found an article with the solution and tried it and it worked.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
User Being Logged Out of AD 6 64
Server Not Connecting To Domain After Reboot in EC2 8 53
Modify Permissions in Windows Folders. 15 30
Debug script powershell wmi 3 13
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This article explains the steps required to use the default Photos screensaver to display branding/corporate images
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question