Solved

Blackboard SSL and AD

Posted on 2016-09-27
4
16 Views
Last Modified: 2016-10-08
We have a Blackboard LMS.  Blackboard has 3 mechanisms for authentication 1) Builtin 2) LDAPS and 3) StartTLS .  Blackboard uses Tomcat for its webserver so I have an InCommon certificate installed.  It works great and is valid for another 2 years.  I forgot to mention that we are running Blackboard on Windows Server 2012.  It is connected to the domain and is natted.  Our Domain Controller is Active directory running on Server 2012.  We set up an internal windows CA and used it to generate a certificate for AD.  We have two Barracuda Load balancers also.  When I configure Blackboard to use ldaps  pointing to the load balancers it works fine.  Blackboard recommends StartTLS.  My network admin doesn't want people from the outside hitting the loadbalancers to authenticate from AD on port 389 (an unsecured port)  He has me trying to use AD directly. When I configure BB to use startTLS and point it to AD it always fails.  BB has a test your connection feature so this is how I know.   This is the error I get:
javax.naming.NamingException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I was wondering if anyone might have a suggestion. I took the certificate from AD and imported it into the JDK's lib/cacerts keystore but I still get the same error.
0
Comment
Question by:fgmiller
  • 3
4 Comments
 
LVL 5

Expert Comment

by:Jamielive2011
ID: 41818692
HI there, some questions back at you im sorry to say...

The error is telling you the certpath is still not valid / trusted.

Have you imported / trusted the internal root cert from the client machine, can you verify the path again from the client machine.

If its natted, are you still using the FQDN to access it internally and externally no cert issues on route ?
0
 

Author Comment

by:fgmiller
ID: 41818768
Thanks for the reply.

I have the root/intermediate and client cert installed on the Blackboard server.  My AD admins tell me that since the Windows CA is internal that the certificate that it issued for AD is it, there is no root or intermediate.  I imported the certificate issued to AD into BB Tomcat into the jdk cacerts keystore and restarted Tomcat.  This is on our test server.

I use the same FQDN to access Blackboard from inside or out. There haven't been any certificate issues that I know of.
0
 

Accepted Solution

by:
fgmiller earned 0 total points
ID: 41826405
I managed to get it working.  I searched through google and came upon the one solution I didn't try.  Unknown to me - when you install the jdk it makes two directors. I just took the defaults.  One is the jdk and the other is the JRE.  One of the solutions was to import the cert from AD and import it into jre/lib/security/cacerts.  I did that not knowing that there are two JRE folders. There is the one above and there is another one in the JDK folder. The solution is to import the AD cert in the jre/lib/security/cacerts  under the JDK.  Once I did that and then restarted Blackboard which restarted Tomcat, I was able to use the tool in Blackboard to check and make sure it was connecting. I even got it to connect using StartTLS which I never was able to before.
I hope this helps someone in the future.
0
 

Author Closing Comment

by:fgmiller
ID: 41834906
I found an article with the solution and tried it and it worked.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Imagine a situation that you have installed SSL (http://en.wikipedia.org/wiki/Secure_Sockets_Layer) Certificate on your Cisco ASA (Cisco Adaptive Security Appliance) firewall. Installation of SSL certificate on ASA is an another topic for which you …
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now