If the certificate on your Active Directory domain controller was generated manually and has since expired, the OIM connection to Active Directory may fail with an SSL handshake error or a certificate-expired error. Even though you can see the correct, current certificate in Active Directory, you may still receive these errors. This happens mostly with manually generated certificates: the expired certificate stays in the store (archived) and can still be the one presented to the client.
Here is the error that you might face:
java.security.cert.CertificateExpiredException: NotAfter: Thu Apr 17 13:56:25 EDT 2008
at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:268)
at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:564)
at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:123)
at sun.security.validator.Validator.validate(Validator.java:202)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(DashoA12275)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA12275)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:183)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:222)
at java.io.BufferedInputStream.read(BufferedInputStream.java:277)
at com.sun.jndi.ldap.Connection.run(Connection.java:784)
Alternatively, you might face the following issue:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
Here is the solution for this:
WORKAROUND
To work around this issue, remove the expired (archived) certificate. To do this, follow these steps:
1. Open the Microsoft Management Console (MMC) snap-in where you manage the certificate store on the IAS server. If you do not already have an MMC snap-in to view the certificate store from, create one. To do so:
a. Click Start, click Run, type mmc in the Open box, and then click OK.
b. On the Console menu (the File menu in Windows Server 2003), click Add/Remove Snap-in, and then click Add.
c. In the Available Standalone Snap-ins list, click Certificates, click Add, click Computer account, click Next, and then click Finish.
Note: You can also add the Certificates snap-in for the user account and for the service account to this MMC snap-in.
d. Click Close, and then click OK.
2. Under Console Root, click Certificates (Local Computer).
3. On the View menu, click Options.
4. Click to select the Archived certificates check box, and then click OK.
5. Expand Personal, and then click Certificates.
6. Right-click the expired (archived) digital certificate, click Delete, and then click Yes to confirm the removal of the expired certificate.
7. Quit the MMC snap-in. You do not have to restart the computer or any services to complete this procedure.
8. FYI - In our case, we had to restart the AD server for the changes to take effect. This did not fix the issue without restarting.
This is an excerpt from Microsoft's website. The article is written for an IAS server, but the certificate-store steps are the same on a domain controller. Here are the links to solve this:
http://support.microsoft.com/kb/822406/
http://support.microsoft.com/kb/839514/
The other possible problem is that your new or renewed certificate was not imported into the Java cacerts keystore of the OIM server, which produces the "No trusted certificate found" error above. Use the following procedure to connect OIM to an SSL-enabled Active Directory. This is an excerpt from the OIM documentation:
Installing Certificate Services
The connector requires Certificate Services to be running on the host computer. To install Certificate Services:
1. Insert the operating system installation media into the CD-ROM or DVD drive.
2. Click Start, Settings, and Control Panel.
3. Double-click Add/Remove Programs.
4. Click Add/Remove Windows Components.
5. Select Certificate Services.
6. Follow the instructions to start Certificate Services.
Enabling LDAPS
The target Microsoft Active Directory server must have LDAP over SSL (LDAPS) enabled. To enable LDAPS, generate a certificate as follows:
1. On the Active Directory Users and Computers console, right-click the domain node, and select Properties.
2. Click the Group Policy tab.
3. Select Default Domain Policy.
4. Click Edit.
5. Click Computer Configuration, Windows Settings, Security Settings, and Public Key Policies.
6. Right-click Automatic Certificate Request Settings, and then select New and Automatic Certificate Request. A wizard is started.
7. Use the wizard to add a policy with the Domain Controller template.
At the end of this procedure, the certificate is created and LDAP is enabled using SSL on port 636.
Setting Up the Microsoft Active Directory Certificate As a Trusted Certificate
If the Microsoft Active Directory certificate is not issued or certified by a certification authority (CA), then set it up as a trusted certificate. To do this, you first export the certificate and then import it into the keystore of the Oracle Identity Manager server as a trusted CA certificate.
Exporting the Microsoft Active Directory Certificate
To export the Microsoft Active Directory certificate:
1. Click Start, Programs, Administrative Tools, and Certification Authority.
2. Right-click the Certification Authority that you created, and then select Properties.
3. On the General tab, click View Certificate.
4. On the Details tab, click Copy To File.
5. Use the wizard to create a certificate (.cer) file using base-64 encoding.
Importing the Microsoft Active Directory Certificate
To import the Microsoft Active Directory certificate into the certificate store of the Oracle Identity Manager server:
Note: In a clustered environment, you must perform this procedure on all the nodes of the cluster.
Note: The user password cannot be set unless 128-bit SSL is used. In addition, the computer on which Microsoft Active Directory is installed must have Microsoft Windows 2000 Service Pack 2 (or later) or Microsoft Windows 2003 running on it.
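The two errors at the top of this post correspond to two separate checks: whether the certificate the domain controller actually sends on port 636 has expired (CertificateExpiredException, fixed on the AD side), and whether that certificate is present as a trusted entry in the OIM server's cacerts (No trusted certificate found, fixed on the OIM side). The script below is an added example and is not code from the original post or from the Oracle or Microsoft documents quoted above. It uses openssl to fetch and inspect the certificate presented on LDAPS and keytool for the cacerts side; the host name dc1.example.com, the alias ad-ldaps, the CACERTS path and the stock cacerts password changeit are placeholders and assumptions to adapt to your installation.

```shell
#!/bin/sh
# Added example, not from the original post or the Oracle/Microsoft documents it quotes.
# Assumes: openssl on PATH; keytool from the JDK that runs OIM on PATH (cacerts
# functions only); dc1.example.com, the alias ad-ldaps and the paths are placeholders.

# Truststore OIM reads. "changeit" is the stock default password of cacerts;
# JAVA_HOME must point at the JDK OIM actually runs with.
CACERTS="${CACERTS:-${JAVA_HOME:-/usr/lib/jvm/default-java}/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"

# fetch_ldaps_cert HOST PORT OUTFILE
# Save the leaf certificate the domain controller presents in the TLS handshake.
# This is what JSSE validates, regardless of which certificate the MMC shows.
fetch_ldaps_cert() {
  openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$3"
}

# cert_not_after PEMFILE: print NotAfter, the value JSSE reports in
# CertificateExpiredException (there in local time, here in GMT).
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# cert_status PEMFILE [HORIZON_SECONDS]: prints "expired", "expiring" (NotAfter
# within the horizon, default 30 days) or "ok". openssl x509 -checkend N exits
# non-zero when NotAfter falls within the next N seconds; N=0 means already expired.
cert_status() {
  pem=$1; horizon=${2:-2592000}
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
    echo expired
  elif ! openssl x509 -in "$pem" -noout -checkend "$horizon" >/dev/null 2>&1; then
    echo expiring
  else
    echo ok
  fi
}

# cert_fingerprint PEMFILE [sha256|sha1]: colon-separated fingerprint in the same
# uppercase form that keytool -list -v prints, so entries can be matched by value.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint "-${2:-sha256}" | cut -d= -f2
}

# cacerts_has_cert PEMFILE: "yes" if a trusted entry with the same SHA-256 or SHA-1
# fingerprint is already in cacerts, else "no". Old keytool (JDK 6 era, as in the
# stack trace above) prints only MD5/SHA1 fingerprints, hence the SHA-1 fallback.
cacerts_has_cert() {
  listing=$(keytool -list -v -keystore "$CACERTS" -storepass "$STOREPASS" 2>/dev/null) || listing=""
  fp256=$(cert_fingerprint "$1" sha256)
  fp1=$(cert_fingerprint "$1" sha1)
  case "$listing" in
    *"$fp256"*|*"$fp1"*) echo yes ;;
    *) echo no ;;
  esac
}

# import_into_cacerts PEMFILE ALIAS: add the certificate as a trusted entry.
# -import is accepted by both old and current keytool (-importcert is the newer
# spelling). Repeat on every node of an OIM cluster, then restart OIM: the default
# trust store is read when the JVM initialises SSL, not on every connection.
import_into_cacerts() {
  keytool -import -noprompt -trustcacerts -alias "$2" -file "$1" \
    -keystore "$CACERTS" -storepass "$STOREPASS"
}

# check_ad_ldaps HOST: run both checks and say which of the two errors each maps to.
check_ad_ldaps() {
  tmp=$(mktemp) || return 1
  if ! fetch_ldaps_cert "$1" 636 "$tmp"; then
    echo "could not fetch a certificate from $1:636 (is LDAPS enabled?)"
    rm -f "$tmp"; return 1
  fi
  echo "NotAfter:   $(cert_not_after "$tmp")"
  echo "status:     $(cert_status "$tmp")   (expired -> CertificateExpiredException; fix on the DC)"
  echo "in cacerts: $(cacerts_has_cert "$tmp")   (no -> No trusted certificate found; import on OIM)"
  rm -f "$tmp"
}

# Run the check when a host is supplied, e.g.: AD_HOST=dc1.example.com sh ad_ldaps_check.sh
if [ -n "${AD_HOST:-}" ]; then
  check_ad_ldaps "$AD_HOST"
fi
```

Run it from the OIM server so the TLS connection goes over the same path OIM uses. If the NotAfter it prints matches the date in the CertificateExpiredException, the domain controller is still presenting the old certificate and no cacerts change will help; remove the archived certificate on the DC as described in the Microsoft workaround above and re-run the check. If the status is ok but the certificate is not in cacerts, import it with import_into_cacerts (the exported base-64 .cer file from the Certification Authority works as the PEMFILE argument too), do the same on every cluster node, and restart OIM.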
Thursday, May 22, 2008
AD SSL Handshake / Certificate Expired Error
Posted by Rajnish Bhatia at 12:40 PM
1 comment:
Great Blog Raj, It helped me solve a trusted cert not found issue.