Pivotal Knowledge Base

Follow

Unable to Login to Pulse via LDAPS due to "PKIX path building failed"

Environment

 Product  Version
 Pivotal GemFire  7.x - 8.x
 OS  All Supported OS 

Symptom

When attempting to login to Pulse with an LDAP over SSL (LDAPS) user, it throws the exception below and fails to login.

HTTP ERROR 401

Problem accessing /pulse/j_spring_security_check. Reason:
Authentication Failed: simple bind failed: centos7v64.myexample.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: centos7v64.myexample.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

Powered by Jetty:// 

Root Cause

Whenever Java attempts to connect to another application over SSL (e.g.: HTTPS, IMAPS, LDAPS), it will only be able to connect to that application if it can trust it. The way trust is handled in the Java world is that you have a truststore, typically in $JAVA_HOME/lib/security/cacerts. This contains a list of all known Certificate Authority (CA) certificates, and Java will only trust certificates that are signed by one of those CA's or public certificates that exist within that truststore.

In this case, Pulse attempts to connect to LDAPS via the spring security framework internally. It uses j_spring_security_check to check whether the truststore (cacerts), on the host that is hosting the Pulse web application, contains the right LDAPS certificate. If it doesn't find the right LDAPS certificate, j_spring_security_check will throw out the error shown in the Symptom section:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Resolution

You may consider using -Djavax.net.ssl.trustStore to override the location of the default truststore and let the java process find the right LDAPS certificate, but for this case, the quick resolution is to import the LDAPS certificate (truststore file) into the truststore (cacerts) where Pulse is hosted by using the keytool utility.

For example:

keytool -import -file /etc/pki/tls/certs/myexampleldap.pem -keystore $JAVA_HOME/jre/lib/security/cacerts

 

 

Comments

Powered by Zendesk