Configuring MWS Directory Services to use LDAPS

I use MWS 9.7 as part of an IS 9.7 installation on a Windows 2008 server. MWS manages the users including an LDAP connection to our ActiveDirectory setup. I have been asked to update the LDAP configuration to use LDAPS.

I have updated the URL. Following the instructions in “Administering My webMethods Server 9.7” for Using My webMethods Server as an HTTPS client I added the LDAP server’s CA certificate to the Software AG_directory\jvm\jvm\jre\lib\security\cacerts file. I have restarted the MWS Windows service.

When I try to log in to IS or MWS using my AD login, I get the error in the server’s log.

Unable to Connect to 0 ldaps://ldap-br.haemo.net:636 as CN=ZSVC-WMLDAP,OU=Service Accounts,OU=Haemonetics,DC=haemo,DC=netnetscape.ldap.LDAPException: JSSESocketFactory.makeSocket ldap-br.haemo.net:636, sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (91)

As far as I can tell, this error means I don’t have the LDAP server’s CA certificate in the trusted CA store. Is there a different store file I should use besides Software AG_directory\jvm\jvm\jre\lib\security\cacerts?

Hi,

please add the ldap ca certificate to the following truststore and restart MWS afterwards:

MWS/server/default/config/security/sagdemoca.jks
Password for this truststore is manage.

Regards,
Holger


This did the trick. Thanks!

A further update: While adding the certificate to MWS/server/default/config/security/sagdemoca.jks did the trick for MWS, I also needed to get it to work with IS running on the same server using MWS for its users. To get that to work, I also had to add the certificate to Software AG_directory\jvm\jvm\jre\lib\security\cacerts. I did some experimenting and as far as I can tell, the cert needs to be in both places for an IS/MWS combined installation.

Hi,

you don't necessarily have to modify the cacerts file.

You can put the CA certificate in a separate JKS file by using keytool and then add this JKS file in IS Admin UI under Security → Keystores as truststore and then add this Truststore under Security → Certificates as the Truststore. This JKS should contain all CAs not being trusted directly by cacerts. This applies to the sagdemoca.jks as well.

keytool -importcert -trustcacerts -keystore <truststore>.jks -file <ca-cert>.{cer|pem}

Repeat for every ca cert which is not in the cacerts by default.

By not modifying the cacerts file this eases the exchange of jvms as you dont have to keep in mind to re-modify cacerts in this case.

Regards,
Holger

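The thread ends with the certificate needing to be in both sagdemoca.jks and cacerts for a combined IS/MWS install. The following is an added diagnostic, not code from the thread or from Software AG, that runs the same PKIX path validation the MWS log reports against each truststore you name, so a missing CA shows up before a service restart; the class name, the command-line layout and the sample paths are assumptions, and it reads each JKS without its password because trust verification does not need the store's integrity check.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Usage (assumed): java LdapsTrustCheck ldap-br.haemo.net 636 MWS\server\default\config\security\sagdemoca.jks <SAG_dir>\jvm\jvm\jre\lib\security\cacerts
// Prints OK or FAIL per truststore; exit code 1 if any store does not trust the LDAPS server.
public class LdapsTrustCheck {

    // TLS handshake with host:port using only the CAs in jksPath as trust anchors.
    // Returns the server's certificate chain, or throws the same "PKIX path building failed"
    // error MWS/IS log when no CA in that store validates the chain.
    static X509Certificate[] handshake(String host, int port, String jksPath) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(jksPath)) {
            ts.load(in, null); // null password: read entries, skip integrity check
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake(); // the trust decision happens here
            Certificate[] chain = s.getSession().getPeerCertificates();
            X509Certificate[] x509 = new X509Certificate[chain.length];
            for (int i = 0; i < chain.length; i++) x509[i] = (X509Certificate) chain[i];
            return x509;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: LdapsTrustCheck <host> <port> <truststore.jks>...");
            System.exit(2);
        }
        int failures = 0;
        for (int i = 2; i < args.length; i++) {
            try {
                X509Certificate[] chain = handshake(args[0], Integer.parseInt(args[1]), args[i]);
                // The issuer of the last certificate sent is the CA that must be present in the store.
                System.out.println("OK   " + args[i] + " trusts " + chain[0].getSubjectX500Principal()
                        + " (top issuer: " + chain[chain.length - 1].getIssuerX500Principal() + ")");
            } catch (Exception e) {
                failures++;
                System.out.println("FAIL " + args[i] + ": " + e.getMessage());
            }
        }
        System.exit(failures == 0 ? 0 : 1);
    }
}
```

Run it once per truststore IS and MWS actually use; a FAIL for cacerts with an OK for sagdemoca.jks reproduces the split result described above without touching the running services.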