Get Confluence to work with linux LDAP server and TLS

I created an LDAP server with TLS and a self-signed certificate. I can log in from another Linux client machine that I copied the pubkey to, and it appears to be working great.

Now trying to get Confluence to use the LDAP servers has proven very difficult. I have followed the documentation, but I'm not sure where I'm going wrong.

I wish I could just click in Atlassian and import the certificate. That would make life easy, but I'm trying to use the keytool and that is a nightmare.

My self-signed certificate is in the "pem" format. The examples I see are using CRT format. Do I need to convert mine? Not a certificate expert. I've used this command, but I get the error below this command.

keytool -import -alias serverCert -file /etc/pki/tls/certs/ldap1_pubkey.pem -keystore $JAVA_HOME/jre/lib/security/cacerts

keytool error: java.io.FileNotFoundException: /jre/lib/security/cacerts (No such file or directory)

If I change it to where the directory really is:

keytool -import -alias serverCert -file /etc/pki/tls/certs/ldap1_pubkey.pem -keystore /opt/atlassian/confluence/jre/lib/security/cacerts

I get this error:

keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

I would appreciate any help. Thanks,

5 answers

Hi Jeff,

You have to import your LDAP self-signed certificate into the cacerts file. I believe the easiest way is to do that with Portecle; you can download it at http://portecle.sourceforge.net.

I understand you already have the .pem file exported, so you just need to open Portecle, go to File->Open Keystore File and locate your cacerts file; it will ask for a password, which is "changeit". Now go to Tools->Import Trusted Certificate, import your .pem file and save it.

If you don't have a desktop on your Confluence server, you can copy your cacerts file to your desktop, perform the above steps, then copy it back to its original location.

Best regards,

Felipe Alencastro

To complement Felipe's answer, we have this documentation that explains this process with Active Directory, but it's the same idea for other LDAP distributions.

Cheers

Thanks for the help. I've tried the Portecle program. I selected my "pem" file. It prompted for a password. I entered "changeit", but I get the following error.

Could not open "C:\Users\Administrator\Desktop\ldap1_pubkey.pem" as a keystore. Attempts were made for the following keystore types: JKS, PKCS#12, JCEKS, JKS(case sensitive), BKS, BKS-V1, UBER.

Note that this may be because of a incorrect password, or because the keystore has been tampered with.

Does it not work with pem files?

Hi Jeff,

You have to open your cacerts file as a keystore with password of "changeit", and then import your ldap1_pubkey.pem into the cacerts file.


Hi Jeff,

Also, I believe you're on an evaluation period, is that right? If you want, we can raise a support ticket on https://support.atlassian.com so we can assist you better with this.

Thanks for the help. I have moved my Atlassian installation to a Windows 2012 R2 server because I could not get Portecle to run in Linux. I have imported the certificate now. When I set up Atlassian to connect to my OpenLdap server and click the test connect button, I get the following error:

Connection test failed. Response from the server:
centos65.bradyexternal.local:636; nested exception is javax.naming.CommunicationException: centos65.bradyexternal.local:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

Not sure what to do next. Yes, I'd like to open up a support ticket unless this is a simple fix?

Hi Jeff,

I opened a ticket on your behalf on our Support System.

Best regards,

Felipe Alencastro
