NetWorker: AUTHC fails with "unable to find valid certification path to requested target" in a round robin DC environment

Summary: You are attempting to configure AD over LDAPS (SSL) authentication with NetWorker AUTHC. The external authentication configuration uses "round robin" to alias several domain controllers (DC) to one address. The CA certificate is imported from the round robin address into the NetWorker Runtime Environment's (NRE) cacerts keystore. An error occurs when creating the external authority resource: An SSL handshake error occurred while attempting to connect to LDAPS server: unable to find a valid certification path to the requested target. ...


Symptoms

NOTE: The CA certificate from the AD server must be imported into the NetWorker JRE/NRE ../lib/security/cacerts keystore to establish SSL communication between AUTHC and the authentication server.
  • The configuration fails with:
ERROR [main] (DefaultLogger.java:222) - Error while performing Operation:
com.emc.brs.auth.common.exception.BRHttpErrorException: 400 . Server message: Failed to verify configuration CONFIG_NAME An SSL handshake error occurred while attempting to connect to LDAPS server: unable to find valid certification path to requested target
  • You are using an "alias" for the AD server which connects to different DCs in a round robin configuration. 

Cause

The Certificate Authority (CA) certificate is tied to the round robin alias Fully Qualified Domain Name (FQDN), while the Secure Sockets Layer (SSL) connection is bound to one specific server behind that alias.

NOTE: Round robin is a load-balancing configuration: multiple Domain Name System (DNS) entries share the same FQDN but point to different host IP addresses. It is typically used for web-based applications that serve requests from many clients.

For example, 'ad-ldap.amer.lan' may be a DNS round robin alias that resolves to multiple DC hosts in the environment. Collecting the certificate with openssl through the alias returns the certificate of whichever round robin member answered, here 'dc1.amer.lan':

[root@nsrserver: ~]# openssl s_client -showcerts -connect ad-ldap.amer.lan:636
Certificate chain
0 s:/CN=dc1.amer.lan
   i:/DC=lan/DC=amer/CN=AUTH-CA01
-----BEGIN CERTIFICATE-----
**REMOVED**
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=dc1.amer.lan
issuer=/DC=lan/DC=amer/CN=AUTH-CA01

If the certificate is imported into the JRE/NRE cacerts keystore under the round robin alias 'ad-ldap.amer.lan', it does not match 'dc1.amer.lan' or any other server in the round robin configuration, because of the name mismatch.

Resolution

A round robin alias can be used for non-SSL Lightweight Directory Access Protocol (LDAP) connections, because no SSL certificate has to match the host name of a specific address.
 
For SSL authentication, the certificate name must match the host being connected to. Import the CA certificate for a specific DC and configure NetWorker authentication to use only that server; optionally, import the certificates of all DCs in the round robin. If the original DC has issues, update the configuration to use another DC whose CA certificate is already imported.
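To confirm which DC actually answers behind the alias and whether its certificate both chains to the trusted CA and carries a name matching the host you configured, the following diagnostic is an added example for this article (not Dell or NetWorker code). It assumes the CA certificate(s) imported into cacerts are also exported as a PEM bundle at the path given, and that the alias, DC names and port are illustrative.

```python
"""Diagnose LDAPS trust for a DNS round robin alias (added example, not NetWorker code).

Resolves every address behind the alias, performs a TLS handshake against each one
using the same CA bundle that was imported into cacerts (exported to PEM), and reports
whether the chain validates and whether the presented name matches the alias.
The alias, port and CA file path are assumptions for illustration.
"""
import socket
import ssl


def cert_names(cert):
    """DNS names from a getpeercert() dict: SAN entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """Case-insensitive comparison; a leading '*' covers exactly one DNS label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def cert_matches_host(cert, hostname):
    """True when any name in the certificate matches the host we connected to."""
    return any(name_matches(n, hostname) for n in cert_names(cert))


def probe_alias(alias, port=636, cafile="/path/to/exported-ca.pem"):
    """Handshake with every address behind the alias; one result dict per address."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False            # name mismatch is reported separately below
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain must still validate against the CA
    results = []
    addrs = {ai[4][0] for ai in socket.getaddrinfo(alias, port, type=socket.SOCK_STREAM)}
    for ip in sorted(addrs):
        entry = {"ip": ip, "chain_ok": False, "names": [], "alias_match": False}
        try:
            with socket.create_connection((ip, port), timeout=5) as raw:
                with ctx.wrap_socket(raw, server_hostname=alias) as tls:
                    cert = tls.getpeercert()   # populated only when the chain verified
                    entry.update(chain_ok=True, names=cert_names(cert),
                                 alias_match=cert_matches_host(cert, alias))
        except ssl.SSLError as exc:          # e.g. untrusted issuer for this DC's cert
            entry["error"] = str(exc)
        results.append(entry)
    return results
```

A DC that reports chain_ok but not alias_match is the name-mismatch case described above; a DC that reports an error with chain_ok false is one whose issuing CA is missing from the truststore.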

See: NetWorker: How to configure "AD over SSL" (LDAPS) from The NetWorker Web User Interface (NWUI)

More information

Affected Products

NetWorker
Article Properties
Article Number: 000187608
Article Type: Solution
Last Modified: 23 May 2025
Version: 3