[keycloak-user] problems to configure trustStore and certification path in keycloak

Celso Agra celso.agra at gmail.com
Fri Dec 16 08:50:00 EST 2016 

Hi all,

I was trying to configure a LDAP connection, but I got an error about my
certification path. I believe I should set this on standalone.xml but I
don't know how to do that. How can I configure this for my LDAP server.

Also, I did the keytool import from LDAP to my server, and I'm using ldap
slave connection.

Here is the error below:
Caused by: javax.naming.CommunicationException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target [Root exception is
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target]; remaining name
'XXXXXXXXXXXXXX'
        at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:2002)
        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
        at
com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
        at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
        at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
        at
javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
        at
javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
        at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$2.execute(LDAPOperationManager.java:168)
        at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$2.execute(LDAPOperationManager.java:165)
        at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:535)
        at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:165)
        at
org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:159)
        ... 61 more
Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
        at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
        at
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
        at
sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
        at
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
        at
sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
        at
java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
        at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426)
        at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:555)
        at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
        ... 73 more
Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
        at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
        at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
        at
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
        at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
        ... 85 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
        at
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at
java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
        ... 91 more

Best regards,

-- 
---
*Celso Agra*

More information about the keycloak-user mailing list