Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Blackboard SSL and AD

Posted on 2016-09-27
4
Medium Priority
?
84 Views
Last Modified: 2016-10-08
We have a Blackboard LMS.  Blackboard has 3 mechanisms for authentication 1) Builtin 2) LDAPS and 3) StartTLS .  Blackboard uses Tomcat for its webserver so I have an InCommon certificate installed.  It works great and is valid for another 2 years.  I forgot to mention that we are running Blackboard on Windows Server 2012.  It is connected to the domain and is natted.  Our Domain Controller is Active directory running on Server 2012.  We set up an internal windows CA and used it to generate a certificate for AD.  We have two Barracuda Load balancers also.  When I configure Blackboard to use ldaps  pointing to the load balancers it works fine.  Blackboard recommends StartTLS.  My network admin doesn't want people from the outside hitting the loadbalancers to authenticate from AD on port 389 (an unsecured port)  He has me trying to use AD directly. When I configure BB to use startTLS and point it to AD it always fails.  BB has a test your connection feature so this is how I know.   This is the error I get:
javax.naming.NamingException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I was wondering if anyone might have a suggestion. I took the certificate from AD and imported it into the JDK's lib/cacerts keystore but I still get the same error.
0
Comment
Question by:fgmiller
  • 3
4 Comments
 
LVL 6

Expert Comment

by:Obi Wan
ID: 41818692
HI there, some questions back at you im sorry to say...

The error is telling you the certpath is still not valid / trusted.

Have you imported / trusted the internal root cert from the client machine, can you verify the path again from the client machine.

If its natted, are you still using the FQDN to access it internally and externally no cert issues on route ?
0
 

Author Comment

by:fgmiller
ID: 41818768
Thanks for the reply.

I have the root/intermediate and client cert installed on the Blackboard server.  My AD admins tell me that since the Windows CA is internal that the certificate that it issued for AD is it, there is no root or intermediate.  I imported the certificate issued to AD into BB Tomcat into the jdk cacerts keystore and restarted Tomcat.  This is on our test server.

I use the same FQDN to access Blackboard from inside or out. There haven't been any certificate issues that I know of.
0
 

Accepted Solution

by:
fgmiller earned 0 total points
ID: 41826405
I managed to get it working.  I searched through google and came upon the one solution I didn't try.  Unknown to me - when you install the jdk it makes two directors. I just took the defaults.  One is the jdk and the other is the JRE.  One of the solutions was to import the cert from AD and import it into jre/lib/security/cacerts.  I did that not knowing that there are two JRE folders. There is the one above and there is another one in the JDK folder. The solution is to import the AD cert in the jre/lib/security/cacerts  under the JDK.  Once I did that and then restarted Blackboard which restarted Tomcat, I was able to use the tool in Blackboard to check and make sure it was connecting. I even got it to connect using StartTLS which I never was able to before.
I hope this helps someone in the future.
0
 

Author Closing Comment

by:fgmiller
ID: 41834906
I found an article with the solution and tried it and it worked.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question