Posted to dev@geronimo.apache.org by alehx <ha...@uwplatt.edu> on 2009/07/16 23:08:54 UTC

Error: "unable to find valid certification path to requested target"

I have searched google and the geronimo knowledge base far and wide and have
not been able to come up with a solution to my issue.

We are developing a web application that requires LDAP authentication to 1)
determine if the user exists and his/her credentials are correct and 2) serve
the correct pages and privileges to authenticated users.

However, we have reached a road block. After implementing the security
realms, keystores, and web-specific deployment plans, we have been unable to
get past the authentication prompt for user credentials.

No matter what I have tried, the error message is always

ERROR [LDAPLoginModule] javax.naming.CommunicationException: simple bind
failed: my.ldap.server:636 [Root exception is
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target]

WARN  [log] AUTH FAILURE: user UserName

I followed the keytool directives for obtaining a valid certificate and
created a new certificate via the Geronimo console. I have also tried
importing a valid certificate manually by copy/paste and changes to the
config.xml file, all to no avail.

If the issue is the security realm, we have contacted the LDAP server
administrators and obtained the correct settings for our use. I have tried
creating a server via the console and via the geronimo-application.xml.

I'm not sure if the issue is the server believes the certificate is invalid
or it cannot find a matching certificate after the LDAP server is contacted.

The keystore I am using is in the geronimo var/security/keystore directory
and also registered in the system wide java keystore (cacerts.)

If anyone could suggest some things to get geronimo to accept the
certificates in my keystore or to somehow link them so they will be of use,
that would be great.

Thanks
-- 
View this message in context: http://www.nabble.com/Error%3A-%22unable-to-find-valid-certification-path-to-requested-target%22-tp24524543s134p24524543.html
Sent from the Apache Geronimo - Dev mailing list archive at Nabble.com.


Re: Error: "unable to find valid certification path to requested target"

Posted by David Jencks <da...@yahoo.com>.

I think this is a user list question.  I think the absolute minimum  
information anyone would need to start guessing at what is wrong would  
be
- the entire stack trace from the exception
- details of how you are trying to connect to the ldap server.

In particular... is this an ssl connection? tls?  does the ldap server  
expect the client to authenticate with a client side certificate or  
user/password?

Despite the lack of this information I'd guess that you are connecting  
over ssl and the geronimo truststore does not have a certificate to  
enable it to trust the certificate from the ldap server.

david jencks


Re: Error: "unable to find valid certification path to requested target"

Posted by Jarek Gawor <jg...@gmail.com>.
I would recommend reading/looking at
http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#Debug
and enabling SSL debugging. That should tell you what exactly is
going on, which keystore is being used, etc.

I agree with David that probably the client doesn't recognize/trust
the ldap server's certificate. You'll need to import it into the right
keystore.

I'm pretty sure you will need to import the ldap server's cert into
your JVM keystore (cacert) since by default that's what's used for
outbound connections. If you import it into Geronimo's keystore you
will need to set the following properties when starting the server:

-Djavax.net.ssl.trustStore=$GERONIMO_HOME/var/security/keystores/geronimo-default
-Djavax.net.ssl.trustStorePassword=secret

Jarek

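A small diagnostic that does what David and Jarek describe, added here as an example (not code from the thread or from Geronimo): it loads the truststore the JVM would actually use (javax.net.ssl.trustStore if set, otherwise the JRE's cacerts), handshakes with the LDAPS host, and on a PKIX failure prints the chain the server presented so you know which CA certificate to import with keytool. The host name is the thread's placeholder my.ldap.server; the class name LdapsTrustCheck is an assumption of this example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/** Diagnostic (example code, not Geronimo's): validate an LDAPS server chain
 *  against the truststore JSSE would use, and show the chain when PKIX fails. */
public class LdapsTrustCheck {
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "my.ldap.server"; // placeholder host from the thread
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 636;

        // JSSE lookup order: javax.net.ssl.trustStore, else <java.home>/lib/security/jssecacerts
        // if present, else <java.home>/lib/security/cacerts. Only the first and last are modelled here.
        String path = System.getProperty("javax.net.ssl.trustStore",
                System.getProperty("java.home") + "/lib/security/cacerts");
        String pw = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) { ts.load(in, pw.toCharArray()); }
        System.out.println("Truststore: " + path + " (" + ts.size() + " entries)");

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        final X509TrustManager pkix = (X509TrustManager) tmf.getTrustManagers()[0];
        final X509Certificate[][] seen = new X509Certificate[1][];

        // Records the presented chain, then still delegates to the real PKIX check (no trust bypass).
        X509TrustManager recording = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
                pkix.checkClientTrusted(c, a); }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
                seen[0] = c; pkix.checkServerTrusted(c, a); }
            public X509Certificate[] getAcceptedIssuers() { return pkix.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recording }, null);

        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            System.out.println("OK: server chain validated against " + path);
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake failed: " + e.getMessage());
            if (seen[0] == null) return;
            for (X509Certificate c : seen[0]) {
                System.out.println("  subject=" + c.getSubjectX500Principal());
                System.out.println("  issuer =" + c.getIssuerX500Principal());
            }
            // Import the issuer of the last certificate shown (or the server cert itself if
            // self-signed) into 'path' with keytool -importcert, then rerun this check.
        }
    }
}
```

Run it with the same -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword values you give Geronimo, so the check exercises the store the server will use rather than the default cacerts.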