Solved

Blackboard SSL and AD

Posted on 2016-09-27
Last Modified: 2016-10-08
We have a Blackboard LMS. Blackboard has 3 mechanisms for authentication: 1) Builtin, 2) LDAPS and 3) StartTLS. Blackboard uses Tomcat for its webserver so I have an InCommon certificate installed. It works great and is valid for another 2 years. I forgot to mention that we are running Blackboard on Windows Server 2012. It is connected to the domain and is NATed. Our Domain Controller is Active Directory running on Server 2012. We set up an internal Windows CA and used it to generate a certificate for AD. We have two Barracuda load balancers also. When I configure Blackboard to use LDAPS pointing to the load balancers it works fine. Blackboard recommends StartTLS. My network admin doesn't want people from the outside hitting the load balancers to authenticate from AD on port 389 (an unsecured port). He has me trying to use AD directly. When I configure BB to use StartTLS and point it to AD it always fails. BB has a "test your connection" feature, so this is how I know. This is the error I get:
javax.naming.NamingException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I was wondering if anyone might have a suggestion. I took the certificate from AD and imported it into the JDK's lib/cacerts keystore but I still get the same error.
Question by:fgmiller
4 Comments

Expert Comment

by:Obi Wan
ID: 41818692
Hi there, some questions back at you, I'm sorry to say...

The error is telling you the certpath is still not valid / trusted.

Have you imported / trusted the internal root cert from the client machine? Can you verify the path again from the client machine?

If it's NATed, are you still using the FQDN to access it internally and externally, with no cert issues en route?

Author Comment

by:fgmiller
ID: 41818768
Thanks for the reply.

I have the root/intermediate and client cert installed on the Blackboard server. My AD admins tell me that since the Windows CA is internal, the certificate it issued for AD is it; there is no root or intermediate. I imported the certificate issued to AD into BB Tomcat's JDK cacerts keystore and restarted Tomcat. This is on our test server.

I use the same FQDN to access Blackboard from inside or out. There haven't been any certificate issues that I know of.

Accepted Solution

by: fgmiller (earned 0 total points)
ID: 41826405
I managed to get it working. I searched through Google and came upon the one solution I didn't try. Unknown to me, when you install the JDK it makes two directories. I just took the defaults. One is the JDK and the other is the JRE. One of the solutions was to take the cert from AD and import it into jre/lib/security/cacerts. I did that, not knowing that there are two JRE folders. There is the one above and there is another one in the JDK folder. The solution is to import the AD cert into the jre/lib/security/cacerts under the JDK. Once I did that and then restarted Blackboard, which restarted Tomcat, I was able to use the tool in Blackboard to check and make sure it was connecting. I even got it to connect using StartTLS, which I never was able to before.
I hope this helps someone in the future.
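The accepted solution and the earlier comment about trusting the internal root both come down to one question: which cacerts file does the JVM that Tomcat actually runs read? An install of a JDK 8-style package leaves a private JRE at <jdk>/jre next to a separate standalone JRE, and only one of those truststores matters. The following script is an added example written for this thread, not code from Blackboard, Tomcat or the posters: it asks the java binary for its real java.home, resolves the matching cacerts path (handling the JDK-with-bundled-JRE layout that caused the confusion above), and imports a CA certificate with keytool. The binary path, certificate file and alias are constructed placeholders; the default keystore password "changeit" is the stock value on Oracle/OpenJDK installs. Two practical notes: importing the internal CA's root certificate rather than the domain controller's leaf certificate keeps the trust valid when the DC certificate is renewed, and whatever is imported here is trusted by every application on that JVM, so limit it to the CA you intend. The same keytool commands apply on the Windows Server install, with Windows paths.

```shell
#!/bin/sh
# Added example (not from the Experts Exchange thread): find the cacerts
# truststore a given Java installation really uses and import a CA cert
# into it. Paths, alias and certificate file below are constructed values.

# Resolve the cacerts file under a Java home. A JDK 8-style install carries
# its own private JRE at <jdk>/jre, and that is the truststore a JVM started
# from <jdk>/bin/java reads; a standalone JRE (or JDK 9+) keeps it directly
# under <home>/lib/security/cacerts. Returns 1 when neither exists.
cacerts_for_java_home() {
    home="$1"
    if [ -f "$home/jre/lib/security/cacerts" ]; then
        printf '%s\n' "$home/jre/lib/security/cacerts"
    elif [ -f "$home/lib/security/cacerts" ]; then
        printf '%s\n' "$home/lib/security/cacerts"
    else
        return 1
    fi
}

# Ask the java binary that Tomcat is started with which home it uses,
# instead of trusting JAVA_HOME or guessing between sibling JDK/JRE folders.
# -XshowSettings:properties prints the system properties (java.home among
# them) to stderr, so stderr is merged into the pipe.
java_home_of() {
    "$1" -XshowSettings:properties -version 2>&1 \
        | sed -n 's/^ *java\.home = //p'
}

# Import a PEM or DER certificate under the given alias and list it back
# so a typo in the store path or password is caught immediately.
import_ca_cert() {
    store="$1"; alias="$2"; certfile="$3"
    keytool -importcert -noprompt -trustcacerts \
        -keystore "$store" -storepass changeit \
        -alias "$alias" -file "$certfile"
    keytool -list -keystore "$store" -storepass changeit -alias "$alias"
}

# Usage: ./fix-truststore.sh /path/to/java /path/to/internal-root-ca.cer
# (placeholder arguments; run only when both are supplied, then restart
# Tomcat so the JVM re-reads cacerts)
if [ "$#" -eq 2 ]; then
    javabin="$1"; cafile="$2"
    home="$(java_home_of "$javabin")"
    store="$(cacerts_for_java_home "$home")" || {
        echo "no cacerts found under $home" >&2; exit 1; }
    echo "importing $cafile into $store"
    import_ca_cert "$store" "internal-ad-root-ca" "$cafile"
fi
```

If the JVM is instead started with -Djavax.net.ssl.trustStore pointing at a custom keystore, that file, not cacerts, is the one to update; the same cacerts_for_java_home logic is then irrelevant and the keytool import targets the custom store.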

Author Closing Comment

by:fgmiller
ID: 41834906
I found an article with the solution and tried it and it worked.