Description

When testing LDAPS connectivity from a MID Server, one of the following exceptions is seen:

"sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found."

or

"sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: TrustAnchor found but certificate validation failed."

Cause

The full certificate chain of the LDAP server is not installed in the trust store (cacerts) of the JRE used by the MID Server.

Resolution

Make sure the following three steps are completed in the instance:

1) Open the LDAP server form and, in the LDAP server URL field, change the protocol from ldap to ldaps and the port from 389 to 636 (the default LDAPS port).

2) If you are creating a new LDAP server record, the SSL flag on the form is set to false by default as soon as you select a MID Server. This is expected behavior; leave it as is.

3) Upload the PEM certificate to the instance (open the sys_certificate table and create a new certificate record).

Because the connection URL now uses ldaps, communication happens through LDAPS only.

Next, make the MID Server use its bundled JRE and import the certificate into that JRE, following the steps below.

Caution: Make sure the external JRE is NOT used by the MID Server for any other existing communication before implementing this solution. If it is, contact ServiceNow Support to investigate the LDAPS certificate import further.

Always test this in a sub-production environment first and confirm that all of the MID Server's existing communications still work.

Follow these steps to have the MID Server use the bundled JRE included in the MID Server package, rather than the external JRE installed on the host, for this specific problem:

  • Log on to the MID Server host.
  • Open the wrapper-override.conf file in the conf folder of the MID Server installation and edit the following line (uncomment it if it is commented out) so that it points to the bundled JRE rather than the external JRE:
    wrapper.java.command=<path to bundled JRE>    (replace the external JRE install path with the bundled JRE path)
  • Save the file.


Import the certificate by following the steps below:

1. Get the certificate from the LDAP administrator and copy it to your local drive.

2. Write the certificate to the MID Server trust store using keytool. In the keytool command, use the Java path of the MID Server's bundled JRE.

Follow the article "Add SSL certificates for the MID Server" for the detailed procedure.

(Or)

If you do not already have the certificate file, retrieve it from the LDAP server with the OpenSSL command below and then import it:

1. Get the certificate from your LDAP server:
openssl s_client -connect <Server_name>:636 -showcerts

2. Save the certificate (the block between the BEGIN CERTIFICATE and END CERTIFICATE lines) to a PEM file.

3. Write the certificate to the MID Server trust store using keytool. In the keytool command, use the Java path of the MID Server's bundled JRE.

Follow the article "Add SSL certificates for the MID Server" for the detailed procedure.

====

Sample keytool command:

keytool -import -alias MyCA -file "<certificatepath>" -keystore "<MIDServerPath>\agent\jre\lib\security\cacerts"


Verify that the certificate is now listed using the below command:

keytool -list -v -keystore "<MIDServerPath>\agent\jre\lib\security\cacerts"
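The fetch, save and import sequence above, as an added shell example that is not part of this article: it splits the full chain returned by openssl s_client -showcerts into one PEM file per certificate and imports every one of them into the bundled JRE's cacerts, because importing only the server certificate leaves the "No issuer certificate ... in certification path" error in place. It assumes a Linux MID Server host (on Windows the same keytool command applies with agent\jre\bin\keytool.exe); MID_HOME, the LDAP host name, the chain-N.pem file names and the ldaps- alias prefix are placeholders, and the cacerts password is the Java default (changeit).

```shell
#!/bin/sh
# Added example, not from the KB article: import the WHOLE chain an LDAPS
# server presents into the MID Server's bundled-JRE cacerts. Paths, host
# name, alias prefix and file names below are assumptions/placeholders.

# Write each "-----BEGIN/END CERTIFICATE-----" block read from stdin to
# <outdir>/chain-N.pem and print how many files were written.
split_chain() {
  outdir=$1
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/chain-" n ".pem"; keep = 1 }
    keep { print > f }
    /-----END CERTIFICATE-----/   { keep = 0; close(f) }
    END { print n + 0 }
  '
}

# Fetch the chain the LDAPS server actually presents (needs network access;
# not exercised by the offline sample below). -servername sends SNI.
fetch_chain() {
  host=$1
  openssl s_client -connect "$host:636" -servername "$host" -showcerts </dev/null 2>/dev/null
}

# Import every PEM in <dir> with the bundled JRE's OWN keytool, so the trust
# store that the MID Server reads is the one being updated.
import_chain() {
  dir=$1; mid_home=$2
  keystore="$mid_home/agent/jre/lib/security/cacerts"
  for pem in "$dir"/chain-*.pem; do
    cert_alias=ldaps-$(basename "$pem" .pem)
    "$mid_home/agent/jre/bin/keytool" -importcert -noprompt -trustcacerts \
      -alias "$cert_alias" -file "$pem" -keystore "$keystore" -storepass changeit
  done
}

# Constructed sample of s_client output: two placeholder PEM blocks (not real
# certificates) so the splitting step can be exercised offline.
SAMPLE_OUTPUT='depth=1 CN = Example Issuing CA
verify error:num=20:unable to get local issuer certificate
-----BEGIN CERTIFICATE-----
CONSTRUCTED-LEAF-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CONSTRUCTED-ISSUER-PLACEHOLDER
-----END CERTIFICATE-----'
```

Against a real server the sequence is `fetch_chain ldap.example.com | split_chain ./chain` followed by `import_chain ./chain "$MID_HOME"`, after which `keytool -list -v` should show every link of the chain.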


* In the instance, check the LDAP server form: if the SSL checkbox is checked, uncheck it.

* Open the LDAP server form and cross-check the LDAP server URL: it must use ldaps and port 636 instead of ldap and port 389 (the default LDAPS port).

Once all of the above steps are completed, restart the MID Server.

Test the LDAPS connection from the instance; it should now succeed.


Additional Information

Microsoft guidance for enabling LDAP channel binding and LDAP signing: Microsoft security advisory ADV190023

Article Information

Last Updated: 2020-09-19 23:28:16
Published: 2020-09-20