geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "" <Nithya.Sriniva...@Sun.COM>
Subject Re: Error: "unable to find valid certification path to requested target"
Date Wed, 22 Jul 2009 17:08:51 GMT
If you using ldaps?
Can you check if the root ca certs are in the server jdk
and that the truststore points to the right truststore
I just solved one issue
where the root ca's where in c:/java/jdk/jre/lib/security/cacerts
and the truststore was pointing to c:/java/jre/lib/security/cacerts

alehx wrote:
> We are developing a web application that requires LDAP authentication to 1)
> Determine if the user exists and his/her credentials are correct 2) to serve
> the correct pages and privileges to authenticated users.
> However, we have reached a road block. After implementing the security
> realms, keystores, and web-specific deployment plans, we have been unable to
> get past the authentication prompt for user credentials.
> No matter what I have tried, the error message is always
> ERROR [LDAPLoginModule] javax.naming.CommunicationException: simple bind
> failed: my.ldap.server:636 [Root exception is
> PKIX path building failed:
> unable to find
> valid certification path to requested target]
> WARN  [log] AUTH FAILURE: user UserName
> I followed the keytool directives for obtaining a valid certificate and
> created a new certificate via the Geronimo console. I have also tried
> importing a valid certificate manually buy copy/paste and changes to the
> config.xml file.. all to no avail.
> If the issue is the security realm, we have contacted the LDAP server
> administrators and obtained the correct settings for our use. I have tried
> creating an ldap security realm via the console and via the
> geronimo-application.xml
> I'm not sure if the issue is the server believes the certificate is invalid
> or it cannot find a matching certificate after the LDAP server is contacted.
> The keystore I am using is in the geronimo var/security/keystore directory
> and also registered in the system wide java keystore (cacerts.)
> If anyone could suggest some things to get geronimo to accept the
> certificates in my keystore or to somehow link them so they will be of use
> would be great.
> Thanks

View raw message