geronimo-dev mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject Re: Error: "unable to find valid certification path to requested target"
Date Thu, 16 Jul 2009 22:34:55 GMT

On Jul 16, 2009, at 2:08 PM, alehx wrote:

>
> I have searched Google and the Geronimo knowledge base far and wide and have not been able to come up with a solution to my issue.
>
> We are developing a web application that requires LDAP authentication to 1) determine if the user exists and his/her credentials are correct, and 2) serve the correct pages and privileges to authenticated users.
>
> However, we have reached a road block. After implementing the security realms, keystores, and web-specific deployment plans, we have been unable to get past the authentication prompt for user credentials.
>
> No matter what I have tried, the error message is always
>
> ERROR [LDAPLoginModule] javax.naming.CommunicationException: simple bind failed: my.ldap.server:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
>
> WARN  [log] AUTH FAILURE: user UserName
>
> I followed the keytool directives for obtaining a valid certificate and created a new certificate via the Geronimo console. I have also tried importing a valid certificate manually by copy/paste and changes to the config.xml file, all to no avail.
>
> If the issue is the security realm, we have contacted the LDAP server administrators and obtained the correct settings for our use. I have tried creating a server via the console and via the geronimo-application.xml.
>
> I'm not sure if the issue is the server believes the certificate is invalid or it cannot find a matching certificate after the LDAP server is contacted.
>
> The keystore I am using is in the geronimo var/security/keystore directory and also registered in the system-wide Java keystore (cacerts).
>
> If anyone could suggest some things to get Geronimo to accept the certificates in my keystore or to somehow link them so they will be of use, it would be great.

I think this is a user list question. I think the absolute minimum information anyone would need to start guessing at what is wrong would be:
- the entire stack trace from the exception
- details of how you are trying to connect to the LDAP server.

In particular... is this an SSL connection? TLS? Does the LDAP server expect the client to authenticate with a client-side certificate or user/password?

Despite the lack of this information I'd guess that you are connecting over SSL and the Geronimo truststore does not have a certificate to enable it to trust the certificate from the LDAP server.

david jencks

>
> Thanks
> -- 
> View this message in context: http://www.nabble.com/Error%3A-%22unable-to-find-valid-certification-path-to-requested-target%22-tp24524543s134p24524543.html
> Sent from the Apache Geronimo - Dev mailing list archive at Nabble.com.
>
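
An offline way to test the guess in the reply above, added here as an example and not part of the original thread or of Geronimo: it runs PKIX path building, the step named in the exception, against a truststore file and a PEM copy of the LDAP server's certificate chain. The class name `TrustPathCheck` and its three arguments are hypothetical, and it assumes you know which truststore file the JVM running Geronimo actually loads.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added diagnostic; the class name and the three arguments are hypothetical.
// Run (Java 11+): java TrustPathCheck.java <truststore> <password> <server-chain.pem>
public class TrustPathCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) throw new IllegalArgumentException("need 3 arguments");
        // The store type (JKS or PKCS12) is detected from the file content.
        KeyStore ts = KeyStore.getInstance(new File(args[0]), args[1].toCharArray());
        // Only trusted-certificate entries are trust anchors; private-key entries are not.
        int anchors = 0;
        for (String alias : Collections.list(ts.aliases())) {
            if (!ts.isCertificateEntry(alias)) continue;
            anchors++;
            X509Certificate c = (X509Certificate) ts.getCertificate(alias);
            System.out.println("anchor " + alias + ": " + c.getSubjectX500Principal());
        }
        // PEM file with the server's chain, leaf certificate first.
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[2])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                chain.add((X509Certificate) c);
        }
        if (anchors == 0 || chain.isEmpty()) {
            System.out.println("NOT TRUSTED: no trust anchors in the store, or empty PEM file");
            System.exit(1);
        }
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(ts, target);
        params.setRevocationEnabled(false); // path building only, no CRL/OCSP lookups
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(chain))); // intermediates the server sends
        try {
            PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult)
                    CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("TRUSTED via "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            System.out.println("NOT TRUSTED: " + e.getMessage());
            System.out.println("leaf issuer: " + chain.get(0).getIssuerX500Principal());
            System.exit(1);
        }
    }
}
```

If the printed leaf issuer does not appear among the listed anchors, the store is missing the CA (or the server certificate itself) as a trusted-certificate entry.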
