NetWorker: LDAPS integration fails with "Unable to find valid certification path to requested target"

Summary: You are attempting to configure AD or Lightweight Directory Access Protocol (LDAP) over SSL authentication with NetWorker AUTHC. Your LDAPS CA certificate was imported to the Java keystore, but an SSL handshake error occurred during the connection. ...


Symptoms

The following characterizes the circumstances resulting in the error message:
"An SSL handshake error occurred while attempting to connect to LDAPS server: unable to find valid certification path to requested target"

  • You are attempting to configure AD or LDAP over SSL with NetWorker AUTHC.
  • You can successfully integrate non-SSL external authentication with NetWorker; the issue only appears when integrating SSL (LDAPS).
  • Your LDAPS CA certificate was imported to the JAVA cacerts keystore.
  • You are using a "certificate chain" in your environment.

Cause

This issue can occur when the CA configuration uses a chain and only a portion of the chain is imported to the Java trust keystore. For a certificate chain, every certificate in the chain must be imported to the Java keystore. If any certificate in the chain is missing or was imported incorrectly, certificate path validation fails.

The chain in use can be seen by running the openssl command from your NetWorker server against the LDAPS server:

# openssl s_client -showcerts -connect dc.amer.lan:636
CONNECTED(00000124)
depth=1 DC = LAN, DC = AMER, CN = DC
---
Certificate chain
 0 s:/CN=DC.AMER.LAN
   i:/DC=LAN/DC=AMER/CN=DC
-----BEGIN CERTIFICATE-----
<< removed for brevity >>
-----END CERTIFICATE-----
 1 s:/DC=LAN/DC=AMER/CN=DC
   i:/CN=DC
-----BEGIN CERTIFICATE-----
<< removed for brevity >>
-----END CERTIFICATE-----
NOTE: openssl is not installed on Windows servers by default. openssl is a third-party utility and can be installed on Windows servers as needed. The openssl command can be run from any Linux host in the environment to verify which certificates are returned by the domain controller (DC).

Resolution

To resolve the certificate error, follow the below procedure:
  1. Remove any previously imported certificates from the Java cacerts trust keystore.
NOTE: If you have imported the certificates into the NetWorker authc.truststore and/or authc.keystore, they must be deleted.

The steps in this KB use the Java keytool command. It may be necessary to change directory (cd) to the Java bin directory, whose location varies with the Java installation and operating system. The keytool command is found in the Java installation's bin directory. Most NetWorker implementations use the NetWorker Runtime Environment (NRE) for Java.

Location:

  • Linux: /opt/nre/java/latest/bin
  • Windows: C:\Program Files\NRE\java\jre#.#.#_###\bin

Syntax:

    • Linux: /opt/nre/java/latest/bin/keytool -list -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit | grep ALIAS
    • Windows: "C:\Program Files\NRE\java\jre#.#.#_###\bin\keytool.exe" -list -keystore "C:\Program Files\NRE\java\jre#.#.#_###\lib\security\cacerts" -storepass changeit | findstr ALIAS
      • Replace ALIAS with the alias used to import the certificates into the cacerts keystore.
      • On Windows hosts the Java path includes the Java Runtime Environment (JRE) build. Ensure that you are using the correct Java build path.
      • Even if no certificates are shown when filtering with findstr or grep, review the full output without narrowing the results to confirm there are no aliases for your LDAPS server or your root CA server.
      • The default store password for the Java cacerts trust keystore is "changeit".

To remove the certificates from the authc.truststore and authc.keystore, specify the full path to these files for -keystore and the NetWorker AUTHC password for -storepass. The NetWorker AUTHC keystore password is configured during installation of NetWorker:

    • Linux:
      • /opt/nsr/authc-server/conf/authc.truststore
      • /nsr/authc/conf/authc.keystore
    • Windows:
      • C:\Program Files\EMC NetWorker\nsr\authc-server\conf\authc.truststore
      • C:\Program Files\EMC NetWorker\nsr\authc-server\tomcat\conf\authc.keystore

If a certificate appears, you must delete it (otherwise go to the next step):

keytool -delete -alias ALIAS_NAME -keystore "PATH_TO_CACERTS_FILE" -storepass PASSWORD

Example:

JAVA_INSTALL_PATH\bin> keytool -delete -alias LDAPS-SERVER -keystore ..\lib\security\cacerts -storepass changeit

JAVA_INSTALL_PATH\bin> keytool -delete -alias ROOTCA-SERVER -keystore ..\lib\security\cacerts -storepass changeit

  2. Connect to the LDAPS server using openssl:

openssl s_client -showcerts -connect LDAPS_SERVER:636

Example:

# openssl s_client -showcerts -connect dc.amer.lan:636
CONNECTED(00000124)
depth=1 DC = LAN, DC = AMER, CN = DC
---
Certificate chain
 0 s:/CN=DC.AMER.LAN
   i:/DC=LAN/DC=AMER/CN=DC
-----BEGIN CERTIFICATE-----
<< removed for brevity >>
-----END CERTIFICATE-----
 1 s:/DC=LAN/DC=AMER/CN=DC
   i:/CN=DC
-----BEGIN CERTIFICATE-----
<< removed for brevity >>
-----END CERTIFICATE-----
NOTE: Windows does not typically have OpenSSL installed by default; Linux does. Use a Linux system in the environment to collect the SSL certificate information with OpenSSL. If there are no Linux hosts, check whether OpenSSL can be installed on the Windows NetWorker server.
  3. Copy the contents of each certificate, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, into its own file.
    1. For each chain certificate, use a name such as ICA1.cer, ICA2.cer, ICA3.cer (and so forth).
    2. For the root certificate, use a name such as RCA.cer.
  4. Import the chain certificate into the Java cacerts trust keystore, then import all certificates leading up to and including the root certificate:

Example:

JAVA_INSTALL_PATH\bin> keytool -import -alias ICA1 -keystore "JAVA_INSTALL_PATH\lib\security\cacerts" -storepass changeit -file "PATH_TO\ICA1.cer"
<< removed for brevity >>
Trust this certificate? [no]:  y
Certificate was added to keystore

JAVA_INSTALL_PATH\bin> keytool -import -alias RCA -keystore "JAVA_INSTALL_PATH\lib\security\cacerts" -storepass changeit -file "PATH_TO\RCA.cer"
<< removed for brevity >>
Trust this certificate? [no]:  y
Certificate was added to keystore
    • Replace PATH_TO with the full path to the location of the certificate files that you created.
    • Ensure that no additional errors are output during the import.
  5. Restart NetWorker services. The AUTHC service reads the cacerts keystore at startup:
Linux: systemctl restart networker
Windows: net stop nsrd /y && net start nsrd

WARNING: If NetWorker services are not restarted, the certificate changes are not read and the issue persists.
  6. Complete the LDAPS integration.

Affected Products

NetWorker

Article Properties
Article Number: 000173094
Article Type: Solution
Last Modified: 23 May 2025
Version: 5