Get Confluence to work with linux LDAP server and TLS

I created an LDAP server with TLS and a self-signed certificate. I can log in from another Linux client machine that I copied the pubkey to and it appears to be working great.

Now trying to get Confluence to use the LDAP servers has proven very difficult. I have followed the documentation, but I'm not sure where I'm going wrong.

I wish I could just click in Atlassian and import the certificate. That would make life easy, but I'm trying to use the keytool and that is a nightmare.

My self-signed certificate is in the "pem" format. The examples I see are using CRT format. Do I need to convert mine? Not a certificate expert. I've used this command, but I get the error below this command.

keytool -import -alias serverCert -file /etc/pki/tls/certs/ldap1_pubkey.pem -keystore $JAVA_HOME/jre/lib/security/cacerts

keytool error: java.io.FileNotFoundException: /jre/lib/security/cacerts (No such file or directory)

If I change it to where the directory really is:

keytool -import -alias serverCert -file /etc/pki/tls/certs/ldap1_pubkey.pem -keystore /opt/atlassian/confluence/jre/lib/security/cacerts

I get this error:

keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

I would appreciate any help. Thanks,

5 answers


Hi Jeff,

You have to import your LDAP self-signed certificate into the cacerts file. I believe the easiest way is to do that with portecle, you can download it at http://portecle.sourceforge.net.

I understand you already have the .pem file exported, so you just need to open portecle, go to File->Open Keystore File and locate your cacerts file, it will ask for password, which is "changeit". Now go to Tools->Import Trusted Certificate and import your .pem file and save it.

If you don't have a desktop on your Confluence server, you can copy your cacerts file to your desktop, perform the above steps, then copy it again to its original location.

Best regards,

Felipe Alencastro

To complement Felipe's answer, we have this documentation that explains this process with Active Directory, but it's the same idea for other LDAP distributions.

Cheers

Thanks for the help. I've tried the Portecle program. I selected my "pem" file. It prompted for a password. I entered "changeit", but I get the following error.

Could not open "C:\Users\Administrator\Desktop\ldap1_pubkey.pem" as a keystore. Attempts were made for the following keystore types: JKS, PKCS#12, JCEKS, JKS(case sensitive), BKS, BKS-V1, UBER.

Note that this may be because of a incorrect password, or because the keystore has been tampered with.

Does it not work with pem files?

Hi Jeff,

You have to open your cacerts file as a keystore with password of "changeit", and then import your ldap1_pubkey.pem into the cacerts file.



Hi Jeff,

Also I believe you're in an evaluation period, is that right? If you want, we can raise a support ticket on https://support.atlassian.com so we can assist you better with this.


Thanks for the help. I have moved my Atlassian installation to a Windows 2012 R2 server because I could not get Portecle to run in Linux. I have imported the certificate now. When I set up Atlassian to connect to my OpenLDAP server and click the test connect button I get the following error:

Connection test failed. Response from the server:
centos65.bradyexternal.local:636; nested exception is javax.naming.CommunicationException: centos65.bradyexternal.local:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

Not sure what to do next. Yes, I'd like to open up a support ticket unless this is a simple fix?
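An added example, not code from this thread: a POSIX shell script for the keytool route in the original question, pointed at the bundled JRE whose cacerts the thread locates at /opt/atlassian/confluence/jre/lib/security/cacerts. It passes the default password "changeit" non-interactively (the "Keystore was tampered with, or password was incorrect" error comes from a wrong keystore password), confirms the PEM file needs no conversion since keytool reads both PEM and DER, and lists the alias afterwards, which is the check to make when the connection test still reports "PKIX path building failed": the JVM Confluence actually runs with does not have the certificate in its own truststore. The keytool location under the bundled JRE and the alias name are assumptions.

```shell
#!/bin/sh
# Added example: import a self-signed LDAP server certificate (PEM) into the
# cacerts truststore of the JRE Confluence runs with, then verify the import.
# CONF_HOME and the bundled keytool path are assumptions; adjust to your install.
set -eu

CONF_HOME="${CONF_HOME:-/opt/atlassian/confluence}"   # install dir from the thread
CERT="${CERT:-/etc/pki/tls/certs/ldap1_pubkey.pem}"   # the PEM from the thread
ALIAS="${ALIAS:-ldap1}"                               # assumed alias name
STOREPASS="${STOREPASS:-changeit}"                    # default cacerts password

# Check that needs no Java: is the file a PEM (Base64) X.509 certificate?
# keytool accepts PEM as well as DER, so no format conversion is required.
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# Truststore of the bundled JRE. An unset JAVA_HOME produced the bogus
# "/jre/lib/security/cacerts" path in the thread, so resolve it explicitly.
cacerts_path() {
  printf '%s/jre/lib/security/cacerts\n' "$1"
}

import_cert() {
  ks="$(cacerts_path "$CONF_HOME")"
  [ -f "$ks" ] || { echo "no truststore at $ks" >&2; return 1; }
  is_pem_cert "$CERT" || { echo "$CERT is not a PEM certificate" >&2; return 1; }
  # -storepass skips the interactive prompt; -noprompt skips the trust question.
  "$CONF_HOME/jre/bin/keytool" -importcert -noprompt -alias "$ALIAS" \
      -file "$CERT" -keystore "$ks" -storepass "$STOREPASS"
}

# Confirm the alias is present in the truststore that Confluence loads; if the
# LDAP test connection still fails with "PKIX path building failed", Confluence
# is using a different JRE (and therefore a different cacerts) than this one.
verify_import() {
  ks="$(cacerts_path "$CONF_HOME")"
  "$CONF_HOME/jre/bin/keytool" -list -keystore "$ks" -storepass "$STOREPASS" -alias "$ALIAS"
}

if [ "${1:-}" = "run" ]; then import_cert && verify_import; fi
```

Run it as `sh import_ldap_cert.sh run` as the user that owns the Confluence installation, then restart Confluence so the JVM reloads cacerts.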


Hi Jeff,

I opened a ticket on your behalf on our Support System.

Best regards,

Felipe Alencastro
