For many years I have had JIRA connected to Active Directory for read only using LDAP. As part of a global security push I've been asked to perform this over LDAPS. Fair enough.
I've imported the server's security certificate as I have done previously when setting up IMAPS. But I'm still getting the dreaded:
{code}
Connection test failed. Response from the server:
simple bind failed: myhost.mydomain:3269; nested exception is javax.naming.CommunicationException: simple bind failed: myhost.mydomain:3269 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
{code}
Which looks like a pretty straightforward problem with my cacerts file. I've imported it, so I'm *pretty* sure this is fine. I'm using JIRA standalone, so there is no JDK installed, just the bundled JRE. How can I debug this? Does the bundled Tomcat look for a different cacerts file?
How can I verify which cacerts file is being used?
It's possible to use an alternate trustStore, but it's not recommended; see the Atlassian doco. In a nutshell:
because if Java is told to use a custom keystore (eg. containing a self-signed certificate), then Java will not have access to the root certificates of signing authorities...
It's more than likely your JRE cacerts file in JAVA_HOME/jre/lib/security/cacerts.
I wrote a trivial Java app yonks ago when I did exactly what you're trying to do. With SSLPoke you will be able to validate JRE -> SSL service connectivity, because Java requires the SSL chain of trust to be established before it will allow a connection to be made. See http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services for more.
Specifically, the default cacerts file could be overridden but there are maintenance and other issues related, all discussed in the link above.
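The following Java program is an added example that answers both the question's "which cacerts file is being used?" and the SSLPoke-style connectivity check the answer above describes. It is not Atlassian's SSLPoke and not code from this thread; the class name TrustStoreCheck and its method names are hypothetical. It follows the JSSE lookup order (javax.net.ssl.trustStore override, then java.home/lib/security/jssecacerts, then cacerts), loads that store to count its trusted certificates, and then attempts a TLS handshake to the given host and port using the JRE's default trust settings. It assumes the store password is the JRE default changeit unless javax.net.ssl.trustStorePassword is set.

```java
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * TrustStoreCheck (hypothetical name): reports which truststore this JRE
 * consults and whether a TLS handshake to host:port succeeds with it.
 * Usage: java TrustStoreCheck <host> <port>
 */
public class TrustStoreCheck {

    /** Resolve the truststore file the running JRE will use, in JSSE lookup order. */
    static File resolveTrustStore() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) {
            return new File(override);
        }
        File security = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        File jssecacerts = new File(security, "jssecacerts");
        // JSSE prefers jssecacerts when present and falls back to cacerts otherwise.
        return jssecacerts.exists() ? jssecacerts : new File(security, "cacerts");
    }

    /** Load the truststore and count the trusted certificate entries in it. */
    static int countTrustedCerts(File storeFile, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(storeFile)) {
            ks.load(in, password);
        }
        int count = 0;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            if (ks.isCertificateEntry(aliases.nextElement())) {
                count++;
            }
        }
        return count;
    }

    /** Attempt a TLS handshake using the JRE's default trust manager; print the peer chain on success. */
    static boolean handshake(String host, int port) {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.startHandshake();
            Certificate[] chain = socket.getSession().getPeerCertificates();
            System.out.println("Handshake OK; server presented " + chain.length + " certificate(s):");
            for (Certificate c : chain) {
                if (c instanceof X509Certificate) {
                    X509Certificate x = (X509Certificate) c;
                    System.out.println("  subject=" + x.getSubjectX500Principal()
                            + " issuer=" + x.getIssuerX500Principal());
                }
            }
            return true;
        } catch (SSLHandshakeException e) {
            // A PKIX "unable to find valid certification path" message here means the
            // issuing CA is not in the truststore printed by resolveTrustStore().
            System.out.println("Handshake FAILED: " + e.getMessage());
            return false;
        } catch (Exception e) {
            System.out.println("Connection error: " + e);
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java TrustStoreCheck <host> <port>");
            System.exit(2);
        }
        File store = resolveTrustStore();
        System.out.println("java.home     = " + System.getProperty("java.home"));
        System.out.println("trust store   = " + store.getAbsolutePath());
        // Assumption: default JRE truststore password unless overridden by the system property.
        String pw = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        System.out.println("trusted certs = " + countTrustedCerts(store, pw.toCharArray()));
        boolean ok = handshake(args[0], Integer.parseInt(args[1]));
        System.exit(ok ? 0 : 1);
    }
}
```

Run it with the same java binary JIRA starts with (the bundled JRE's bin/java, not whatever is first on the PATH) and the host:port from the error above, e.g. myhost.mydomain 3269. The "trust store" line tells you which file your imported certificate must be in; if the handshake still fails with the PKIX message, the store that JRE actually loads does not contain the issuing CA of the certificate the server presents, which is the "Handshake OK" output's issuer line once the import is right.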