LDAP Authentication PKIX error

Hi again! I've been trying to set up LDAP Authentication for JS7 JOB SCHEDULER and i havent been able to configure to use STARTTLS. When i try to connect using an LDAP user the authentication log gives me this error:

2024-04-26T14:09:49,962 INFO  qtp117244645-22      JOCDefaultResponse                 - IOException: error when trying to create the ldap context >> PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested targetsun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: Could not login with account/password

i´ve add an rootCA.p12 file that was made using my rootCA.pem and rootCA.key, also tried using ldap.p12 file made using my ldap.crt and ldap.key, both of those were located on /jetty_base/resources/joc/.

When i use ldapsearch with a -ZZ flag i am able to do query as normal, which suggests that my OpenLDAP server is capable of STARTTLS connections.

In the doc it says that "For connections to well known LDAP Identity Providers such as Azure® users should specify the path to the Java cacerts truststore file that ships with the Java JDK used with JOC Cockpit."

Could that be the case? are my .p12 files supposed to be on this "For connections to well known LDAP Identity Providers such as Azure® users should specify the path to the Java cacerts truststore file that ships with the Java JDK used with JOC Cockpit."?

Hi Marcello,

the JOC Cockpit has to validate the LDAP Server Certificate.

• This means that the private key and certificate should remain with the LDAP server only.
• The JOC Cockpit should add to its truststore the Root CA Certificate that was used to sign the LDAP Server Certificate. You have a choice for the truststore:
  • Use the truststore specified with the joc.properties file.
  • Use an individual truststore file and specify the location in the LDAP Identity Service settings, see https://kb.sos-berlin.com/display/JS7/JS7+-+LDAP+Identity+Service#JS7LDAPIdentityService-ExpertModeConfiguration

Best regards
Andreas

So, my joc.properties file have this:

###################################################################################
### Location, type and password of the truststore that contains the server
### certificates of JS7 Controller instances for HTTPS connections.
### The path to this file can be absolute or relative. A relative path starts from
### the ./jetty_base/resources/joc directory.

#truststore_path = joc.p12
#truststore_type = PKCS12
#truststore_password = jobscheduler

But my directory doenst have an joc.p12 file.

[root@js7 joc]# pwd
/opt/js7/joc/jetty_base/resources/joc
[root@js7 joc]# ls
hibernate.cfg.xml  joc.properties  ldap.p12  lib  license  log4j2.xml  patches  repositories  rootCA.p12  xsd

Thanks for the help!

In the JOC Cockpit GUi navigate to the settings of your LDAP Identity Service, use the "More Options" sub-tab and specify the settings for your truststore:

Truststore path: rootCA.p12
Truststore type: PKCS12
Truststore password: <as specified when you created the tuststore>

This assumes that in fact the rootCA.p12 is a trusstore in PKCS12 format and holds the Root CA Certificate as indicated with your previous post.

Best regards
Andreeas