• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 101
  • Last Modified:

Blackboard SSL and AD

We have a Blackboard LMS.  Blackboard has 3 mechanisms for authentication 1) Builtin 2) LDAPS and 3) StartTLS .  Blackboard uses Tomcat for its webserver so I have an InCommon certificate installed.  It works great and is valid for another 2 years.  I forgot to mention that we are running Blackboard on Windows Server 2012.  It is connected to the domain and is natted.  Our Domain Controller is Active directory running on Server 2012.  We set up an internal windows CA and used it to generate a certificate for AD.  We have two Barracuda Load balancers also.  When I configure Blackboard to use ldaps  pointing to the load balancers it works fine.  Blackboard recommends StartTLS.  My network admin doesn't want people from the outside hitting the loadbalancers to authenticate from AD on port 389 (an unsecured port)  He has me trying to use AD directly. When I configure BB to use startTLS and point it to AD it always fails.  BB has a test your connection feature so this is how I know.   This is the error I get:
javax.naming.NamingException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I was wondering if anyone might have a suggestion. I took the certificate from AD and imported it into the JDK's lib/cacerts keystore but I still get the same error.
  • 3
1 Solution
Obi WanFixerUpperCommented:
HI there, some questions back at you im sorry to say...

The error is telling you the certpath is still not valid / trusted.

Have you imported / trusted the internal root cert from the client machine, can you verify the path again from the client machine.

If its natted, are you still using the FQDN to access it internally and externally no cert issues on route ?
fgmillerAuthor Commented:
Thanks for the reply.

I have the root/intermediate and client cert installed on the Blackboard server.  My AD admins tell me that since the Windows CA is internal that the certificate that it issued for AD is it, there is no root or intermediate.  I imported the certificate issued to AD into BB Tomcat into the jdk cacerts keystore and restarted Tomcat.  This is on our test server.

I use the same FQDN to access Blackboard from inside or out. There haven't been any certificate issues that I know of.
fgmillerAuthor Commented:
I managed to get it working.  I searched through google and came upon the one solution I didn't try.  Unknown to me - when you install the jdk it makes two directors. I just took the defaults.  One is the jdk and the other is the JRE.  One of the solutions was to import the cert from AD and import it into jre/lib/security/cacerts.  I did that not knowing that there are two JRE folders. There is the one above and there is another one in the JDK folder. The solution is to import the AD cert in the jre/lib/security/cacerts  under the JDK.  Once I did that and then restarted Blackboard which restarted Tomcat, I was able to use the tool in Blackboard to check and make sure it was connecting. I even got it to connect using StartTLS which I never was able to before.
I hope this helps someone in the future.
fgmillerAuthor Commented:
I found an article with the solution and tried it and it worked.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now