AD source fails after replacing certs

Hi,

We have an AD source configured that has been working for a few months. The certificates were replaced on the DCs a few days ago (root and intermediate did not change). We have put the new DC certificates on the VA cluster servers and the IQService server. The AD source is not returning to a healthy state and gives this error on test connection:

We have detected an error from the managed system.

Error Received:
[ InvalidConfigurationException ] [ Possible suggestions ] Ensure that SSL communication is in place with domain. [ Error details ] Failed to connect to - dc=cnvr,dc=xxxxxxx,dc=com : java.lang.Exception: [ERROR 1] Failed to connect to server:ldap://ord-dc303.cnvr.xxxxxxx.com:636 - javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target [ERROR 2] Failed to connect to server:ldap://ord-dc304.cnvr.xxxxxxx.com:636 - javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Any thoughts on what might be the issue?

Thanks,
David

Validate the steps in this document: IQService: TLS and Client Authentication Configuration for IdentityNow - Compass (sailpoint.com)

Try restarting both IQService and the VA.

In the VA, check ccg-start.log to see if the certs are loading up OK.

Sometimes, I’ve found it useful to get the certificate directly on VA using openssl instead of copying it over.

  1. On your VA, run this command:
    $ openssl s_client -connect (AD DC):(port)

  2. Copy and paste the certificate from here (including the BEGIN and END CERTIFICATE tags) and save it to a file in the /home/sailpoint/certificates folder.

  3. Restart CCG:
    sudo systemctl restart ccg

  4. Monitor the logs to check that the certificates were loaded successfully.

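The procedure above can be scripted and extended to check the trust path before anything is copied into /home/sailpoint/certificates. This is an added example, not code from the thread or from SailPoint; it uses -showcerts so the intermediates are captured too, and the DC host name, port and CA bundle path in the usage lines are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example (not from the thread). Pulls the chain a DC presents on
# LDAPS, splits it into one PEM file per certificate, and checks whether a
# trust path to a given CA bundle can be built, so you can see which issuer
# the VA (or IQService) trust store is missing. HOST/PORT are placeholders.

# Split a PEM bundle, such as `openssl s_client -showcerts` output, into
# OUTDIR/cert-0.pem (server cert), cert-1.pem (next issuer), ...
# Prints the number of certificates found.
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        BEGIN { n = 0; f = "" }
        /-----BEGIN CERTIFICATE-----/ { f = dir "/cert-" n ".pem"; n++ }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n }
    ' "$bundle"
}

# Capture the chain from HOST:PORT (LDAPS default 636). -showcerts also
# returns the intermediates, which the plain s_client output above omits.
fetch_chain() {
    host="$1"; port="${2:-636}"; out="$3"
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null > "$out"
}

# Validate cert-0.pem against CAFILE, using the rest of the chain as
# untrusted intermediates. Exit status 0 means a path was built; anything
# else is the shell-side equivalent of Java's "PKIX path building failed".
verify_leaf_chain() {
    dir="$1"; cafile="$2"; untrusted=""
    for c in "$dir"/cert-[1-9]*.pem; do
        if [ -f "$c" ]; then untrusted="$untrusted -untrusted $c"; fi
    done
    # shellcheck disable=SC2086  # word-splitting of $untrusted is intended
    openssl verify -CAfile "$cafile" $untrusted "$dir/cert-0.pem"
}

# Usage on the VA (placeholders for your DC and CA bundle):
#   fetch_chain "<dc-host>" 636 /tmp/chain.txt
#   split_pem_bundle /tmp/chain.txt /tmp/chain
#   verify_leaf_chain /tmp/chain "<path-to-trusted-ca-bundle.pem>"
```

If verify fails with "unable to get local issuer certificate", the file it names is the issuer that still has to be added to the trust store.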

Thanks @aditya_pathak and @sharvari

I was able to partially resolve the issue. It looks like on the IQS server, the updated certificates were not in the correct trust store. Once I moved them there, the source test completes successfully. The problem I'm seeing now is when running a manual aggregation, it fails with the following error:

[ERROR for domain - dc=cnvr,dc=xxxxxxx,dc=com] java.lang.RuntimeException: Failed to read after retrying 5 times, from : dc=cnvr,dc=xxxxxxx,dc=com - ldap://ord-dc303.cnvr.xxxxxxx.com:636 - [LDAP: error code 50 - 00002105: LdapErr: DSID-0C090A87, comment: Error processing control, data 0, v2580]

Each time I've run it, it scans a different number of accounts.

Thanks,
David

Can you check this?

Thanks @RAKGDS.

The problem turned out to be that Delta Aggregation was enabled, but the AD service account did not have the additional permissions to support that. Once I disabled that option, the AD connection is healthy and working again.

David
