Moving from the Cluster Master to a home node sends the user back to the login prompt
Article ID: 100074213
Description
Error Message
Catalina log shows:
SEVERE [https-jsse-nio2-443-exec-23] org.apache.catalina.realm.JNDIRealm.authenticate Exception performing authentication
javax.naming.CommunicationException: ldapsec-ams.bnymellon.net:3269 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: java.security.cert.CertPathBuilderException: Unable to find certificate chain.]
Cause
The cacerts.bcfks on the home node does not contain the intermediate or root certificate, and these certificates were not properly copied to the Windows trust store.
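To tell this trust-chain failure apart from other LDAPS connection errors on a home node, the Catalina log can be scanned for the error pair shown above. The script below is an added example, not part of the original article or the product. The log text, timestamps and host name in it are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample shaped like the Catalina excerpt above; host name is a placeholder.
SAMPLE_LOG = """\
05-Mar-2024 10:15:02.114 SEVERE [https-jsse-nio2-443-exec-23] org.apache.catalina.realm.JNDIRealm.authenticate Exception performing authentication
javax.naming.CommunicationException: ldaps.example.net:3269 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: java.security.cert.CertPathBuilderException: Unable to find certificate chain.]
05-Mar-2024 10:15:40.902 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [8123] milliseconds
05-Mar-2024 10:16:11.377 SEVERE [https-jsse-nio2-443-exec-7] org.apache.catalina.realm.JNDIRealm.authenticate Exception performing authentication
javax.naming.CommunicationException: ldaps.example.net:3269 [Root exception is java.net.ConnectException: Connection timed out]
"""

# First line of the pair: JNDIRealm reports a failed authentication attempt.
AUTH_FAIL = re.compile(r"SEVERE \[[^\]]+\] org\.apache\.catalina\.realm\.JNDIRealm\.authenticate")
# Second line: the JNDI exception naming the LDAP endpoint and the root cause.
COMM_EXC = re.compile(
    r"^javax\.naming\.CommunicationException: (?P<host>[^\s:]+):(?P<port>\d+) "
    r"\[Root exception is (?P<root>.*)\]\s*$"
)

def find_ldaps_failures(log_text):
    """Return one record per JNDIRealm failure that is followed by a CommunicationException."""
    findings = []
    pending = False  # True only on the line right after a JNDIRealm SEVERE entry
    for line in log_text.splitlines():
        if AUTH_FAIL.search(line):
            pending = True
            continue
        match = COMM_EXC.match(line) if pending else None
        if match:
            root = match.group("root")
            findings.append({
                "endpoint": f"{match.group('host')}:{match.group('port')}",
                # PKIX path building failure means the trust store lacks the issuing chain.
                "trust_chain": "PKIX path building failed" in root,
                "root_exception": root.split(":", 1)[0],
            })
        pending = False
    return findings

def endpoints_missing_chain(log_text):
    """Count trust-chain failures per LDAPS endpoint."""
    return Counter(f["endpoint"] for f in find_ldaps_failures(log_text) if f["trust_chain"])

if __name__ == "__main__":
    for endpoint, count in endpoints_missing_chain(SAMPLE_LOG).items():
        print(f"{endpoint}: {count} trust-chain failure(s)")
```

Only entries flagged as trust-chain failures point to the missing intermediate or root certificate; other root exceptions, such as a connection timeout, have a different cause.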
Resolution
NOTE: The steps below assume basic knowledge of how certificates work.
- Find the intermediate.cer and root.cer files from when the server.keystore was assembled.
- Use the Keytool Explorer to open cacerts.bcfks
- Add the intermediate.cer to the cacerts.bcfks
- Rename it to ldapintermediate
- Add the root.cer to the cacerts.bcfks
- Rename it to ldaproot
- From the Clearwell Utility, run #3 to stop services
- Launch the Clearwell Commander from the Desktop.
- Navigate to Action, then click Run Copy Tomcat Provider-Signed Certificate to Windows Trust Store
- Restart services
Issue/Introduction
When an Active Directory user logs into the master and then navigates to a home node, the user is logged out and sent back to the login prompt. This only happens for AD user accounts where the account is managed by LDAPS.