Notifications

158 views

Description

Some customers have reported this error when connecting their ServiceNow instances to an LDAPS server:

ldaps://ldaps.example.com:636 sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed

Release or Environment

All supported ServiceNow releases

Cause

This error message appears where the customer's LDAPS server uses certificates issued from an internal/self-signed/non-public Certificate Authority (CA), and those certificates have not been uploaded to the instance's X.509 Certificates table.

Resolution

 

Recommended Solution
The following need to be uploaded to X.509 Certificate[sys_certificate] on the instance if using a internal/self-signed/non-public CA:
  • the root CA certificate
  • any intermediate CA certificates
  • the 'leaf' certificates, the one at the opposite end of the subject/issuer chain from the root CA. In other words the certificate that appears at the top of the ouput of openssl s_client -showcerts -connect output. 

Note: The LDAPS server admin should be able to provide you with all this information. If not, the required certificates should be visible in the output of openssl s_client -showcerts -connect ldaps-server.customerdomain.com:636

Alternative Workaround

If for some reason the steps in the Recommended Solution don't work you can get past this error by disabling certificate verification by setting System Property com.glide.communications.trustmanager_trust_all to true. 

WARNING: This can have significant security implications and is a global setting for the whole instance (not just LDAP). It should only be used temporarily for testing (on sub-prod instances) and should not be used in production.

Article Information

Last Updated:2020-04-08 18:51:18
Published:2020-04-09