I created an LDAP server with TLS and a self-signed certificate. I can login from another Linux client machine that I copied the pubkey to and it appears to be working great.
Now trying to get Confluence to use the LDAP servers has proven very difficult. I have followed the documentation, but I'm not sure where I'm going wrong.
I wish I could just click in Atlassian and import the certificate. That would make life easy, but I'm trying to use the keytool and that is a nightmare.
My self-signed certificate is in the "pem" format. The examples I see are using CRT format. Do I need to convert mine? Not a certificate expert. I've used this command, but I get the error below this command.
keytool -import -alias serverCert -file /etc/pki/tls/certs/ldap1_pubkey.pem -keystore $JAVA_HOME/jre/lib/security/cacerts
keytool error: java.io.FileNotFoundException: /jre/lib/security/cacerts (No such file or directory)
If I change it to where the directory really is:
keytool -import -alias serverCert -file /etc/pki/tls/certs/ldap1_pubkey.pem -keystore /opt/atlassian/confluence/jre/lib/security/cacerts
I get this error:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
I would appreciate any help. Thanks,
Hi Jeff,
I opened a ticket on your behalf on our Support System.
Best regards,
Felipe Alencastro
Thanks for the help. I have moved my Atlassian installation to a Windows 2012 R2 server because I could not get Portecle to run in Linux. I have imported the certificate now. When I set up Atlassian to connect to my OpenLDAP server and click the test connect button I get the following error:
Connection test failed. Response from the server:
centos65.bradyexternal.local:636; nested exception is javax.naming.CommunicationException: centos65.bradyexternal.local:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
Not sure what to do next. Yes, I'd like to open up a support ticket unless this is a simple fix?
Hi Jeff,
Also, I believe you're on an evaluation period, is that right? If you want, we can raise a support ticket on https://support.atlassian.com so we can assist you better with this.
To complement Felipe's answer, we have this documentation that explains this process with Active Directory, but it's the same idea for other LDAP distributions.
Cheers
Hi Jeff,
You have to import your LDAP self-signed certificate into the cacerts file. I believe the easiest way is to do that with Portecle; you can download it at http://portecle.sourceforge.net.
I understand you already have the .pem file exported, so you just need to open Portecle, go to File->Open Keystore File and locate your cacerts file. It will ask for a password, which is "changeit". Now go to Tools->Import Trusted Certificate, import your .pem file and save it.
If you don't have a desktop on your Confluence server, you can copy your cacerts file to your desktop, perform the above steps, then copy it again to its original location.
Best regards,
Felipe Alencastro
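The same procedure done from the command line, as an added example that is not part of this thread or of any Atlassian documentation. It ties together the two keytool failures in the question (the "/jre/lib/security/cacerts" path came from an unset JAVA_HOME; "Keystore was tampered with, or password was incorrect" means the store password, "changeit" by default, did not match) and the import step from this answer. Assumptions not stated in the thread: Confluence runs on its bundled JRE under /opt/atlassian/confluence (the path from the question), keytool and openssl are on PATH, and the host name and alias in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Import a self-signed LDAP server
# certificate into the truststore of the JVM that actually runs Confluence,
# then verify it. Assumed paths: Confluence under /opt/atlassian/confluence
# with its bundled JRE; "changeit" is Java's default cacerts password.

CONFLUENCE_HOME="${CONFLUENCE_HOME:-/opt/atlassian/confluence}"
STOREPASS="${STOREPASS:-changeit}"

# Locate the cacerts file Confluence will use. Its bundled JRE wins when present,
# because a JAVA_HOME pointing at some other JDK would put the cert in a store
# Confluence never reads (Java 9+ has no jre/ subdirectory, hence two JAVA_HOME
# candidates). An unset JAVA_HOME is what produced "/jre/lib/security/cacerts".
find_cacerts() {  # find_cacerts [confluence_home]
    home="${1:-$CONFLUENCE_HOME}"
    for candidate in \
        "$home/jre/lib/security/cacerts" \
        "${JAVA_HOME:+$JAVA_HOME/lib/security/cacerts}" \
        "${JAVA_HOME:+$JAVA_HOME/jre/lib/security/cacerts}"; do
        if [ -n "$candidate" ] && [ -f "$candidate" ]; then
            echo "$candidate"
            return 0
        fi
    done
    echo "no cacerts found; set CONFLUENCE_HOME or JAVA_HOME" >&2
    return 1
}

# keytool -importcert accepts PEM ("-----BEGIN CERTIFICATE-----") as well as DER,
# so no conversion is needed. A file that only holds a bare public key
# (BEGIN PUBLIC KEY) is not a certificate and cannot be imported as one.
pem_is_certificate() {  # pem_is_certificate <file>
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Import the certificate as a trusted entry. The store is backed up first so a
# wrong password or a bad file never leaves the live truststore half-written.
import_cert() {  # import_cert <pem> <alias> [cacerts]
    pem="$1"; alias_name="$2"; store="${3:-}"
    [ -n "$store" ] || store="$(find_cacerts)" || return 1
    pem_is_certificate "$pem" || { echo "not a certificate: $pem" >&2; return 1; }
    cp "$store" "$store.bak.$(date +%s)" || return 1
    keytool -importcert -noprompt -trustcacerts \
        -alias "$alias_name" -file "$pem" \
        -keystore "$store" -storepass "$STOREPASS"
}

# Confirm the alias landed in the store. "Keystore was tampered with, or
# password was incorrect" here means STOREPASS is wrong for this file.
verify_import() {  # verify_import <alias> [cacerts]
    store="${2:-}"
    [ -n "$store" ] || store="$(find_cacerts)" || return 1
    keytool -list -keystore "$store" -storepass "$STOREPASS" -alias "$1"
}

# Show what the LDAP server really presents on 636 and whether it validates
# against the PEM you are about to trust. "Verify return code: 0 (ok)" means the
# served cert matches; anything else explains a later PKIX "unable to find valid
# certification path" from Confluence.
check_ldaps() {  # check_ldaps <host> <pem>
    openssl s_client -connect "$1:636" -servername "$1" -CAfile "$2" </dev/null 2>/dev/null \
        | grep -E 'Verify return code|subject=|issuer='
}

# Typical run (placeholder host/alias/path):
#   check_ldaps ldap1.example.local /etc/pki/tls/certs/ldap1_pubkey.pem
#   import_cert /etc/pki/tls/certs/ldap1_pubkey.pem ldap1 && verify_import ldap1
```

Restart Confluence after the import; the JVM does not re-read cacerts once the default trust store has been loaded. On Windows the steps are identical against the cacerts file inside the Confluence installation's own jre\lib\security directory, which is the store to fix when the connection test still reports PKIX path building failed after an import elsewhere.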
Thanks for the help. I've tried the Portecle program. I selected my "pem" file. It prompted for a password. I entered "changeit", but I get the following error.
Could not open "C:\Users\Administrator\Desktop\ldap1_pubkey.pem" as a keystore. Attempts were made for the following keystore types: JKS, PKCS#12, JCEKS, JKS(case sensitive), BKS, BKS-V1, UBER.
Note that this may be because of a incorrect password, or because the keystore has been tampered with.
Does it not work with pem files?
Hi Jeff,
You have to open your cacerts file as a keystore with password of "changeit", and then import your ldap1_pubkey.pem into the cacerts file.