AD test connection fail after tomcat upgrade

SailPoint version 8.3p3

I updated Tomcat in the SIT environment and added the custom files, including the config files, from the previous installation. SailPoint is now running fine, but I'm receiving the error below in the AD connection. I tried matching the TLS check-box and other settings from the dev environment, but still no solution.

[ InvalidConfigurationException ] [ Possible suggestions ] Ensure that SSL communication is in place with domain. [ Error details ] Failed to connect to - dc=xxxx,dc=team : java.lang.Exception: [ERROR 1] Failed to connect to server:ldap://wlprodeusadds01.xxxx.team:636 - javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This error clearly indicates an SSL/TLS trust issue between your SailPoint IIQ instance (running on the updated Tomcat in SIT) and the Active Directory domain controller over LDAPS (port 636):

javax.net.ssl.SSLHandshakeException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target

This means the Java truststore used by Tomcat doesn’t trust the SSL certificate presented by your AD domain controller (wlprodeusadds01.xxxx.team:636).

From a machine that can access the AD server:

openssl s_client -connect wlprodeusadds01.xxxx.team:636 -showcerts

Copy the full certificate block (starting from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----), and save it as a file (e.g., ad-cert.cer).

Assuming you’re using the default Java truststore located at:

$JAVA_HOME/lib/security/cacerts

Run this command:

keytool -import -alias ad-cert \
 -file ad-cert.cer \
 -keystore $JAVA_HOME/lib/security/cacerts \
 -storepass changeit

  • ad-cert is the alias (you can name it anything)
  • Default password for the Java truststore is usually changeit

Restart Tomcat

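As an added example (not from the thread above), a POSIX shell script that automates the steps in the answer and verifies the result: it splits the chain returned by `openssl s_client -showcerts`, imports the last certificate in it (the issuing CA rather than the DC's own leaf, when the DC sends its chain) into a given truststore, and confirms both the store entry and an independent handshake. The host, port, `changeit` password, the alias and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): automate the fix above and verify it.
# Assumed values (host and port from the thread, password and alias chosen here).
LDAPS_HOST="${LDAPS_HOST:-wlprodeusadds01.xxxx.team}"
LDAPS_PORT="${LDAPS_PORT:-636}"
STORE_PASS="${STORE_PASS:-changeit}"
CA_ALIAS="${CA_ALIAS:-ad-issuing-ca}"

# Split a PEM stream on stdin (e.g. "openssl s_client -showcerts" output, which
# also carries non-PEM lines) into $1/cert-1.pem, $1/cert-2.pem, ...
# Prints the number of certificates found.
split_pem_chain() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inblock = 1 }
        inblock { print > out }
        /-----END CERTIFICATE-----/ { inblock = 0; close(out) }
        END { print n + 0 }
    '
}

# Import the DC's issuer into the truststore at $1 and verify.
# s_client lists the leaf first, so the last certificate is the highest CA the
# DC sends; trusting the issuer (not the leaf) survives DC certificate renewals.
# If the DC sends only its leaf, that is what gets imported.
import_dc_ca() {
    truststore="$1"
    work="$(mktemp -d)"
    count="$(openssl s_client -connect "$LDAPS_HOST:$LDAPS_PORT" -showcerts </dev/null 2>/dev/null \
        | split_pem_chain "$work")"
    [ "$count" -gt 0 ] || { echo "no certificate received from $LDAPS_HOST:$LDAPS_PORT" >&2; return 1; }
    ca="$work/cert-$count.pem"
    openssl x509 -in "$ca" -noout -subject -issuer -dates
    keytool -importcert -noprompt -alias "$CA_ALIAS" -file "$ca" \
        -keystore "$truststore" -storepass "$STORE_PASS"
    # Check 1: the entry is present in the store that was written.
    keytool -list -alias "$CA_ALIAS" -keystore "$truststore" -storepass "$STORE_PASS" >/dev/null
    # Check 2: an independent handshake validates the DC against that CA.
    openssl s_client -connect "$LDAPS_HOST:$LDAPS_PORT" -CAfile "$ca" </dev/null 2>/dev/null \
        | grep -q "Verify return code: 0 (ok)"
}

# After a Tomcat upgrade the JVM Tomcat starts with may not be the shell's
# $JAVA_HOME: take the path from the "Java Home:" line Tomcat logs at startup,
# or from -Djavax.net.ssl.trustStore in setenv.sh if one is set, then run:
#   sh import-dc-ca.sh --run /path/to/that/jvm/lib/security/cacerts
if [ "${1:-}" = "--run" ]; then
    import_dc_ca "${2:?truststore path required}"
fi
```

Check 2 only proves the DC chains to the imported CA; the application-side proof is that the AD test connection in IIQ succeeds after Tomcat is restarted.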