-
Title
Unable to Login with Secure LDAP after upgrading FMS -
Description
After upgrading the FMS (Foglight Management Server) users are unable to login with LDAPS authentication.
With debug logging enabled, the error below is noted:
DEBUG [http-exec-1] com.quest.nitro.service.security.auth.spi.NitroExtendedLdapLoginModule - Error connecting to LDAP server: ldaps://192.168.100.50:636/
javax.naming.CommunicationException: simple bind failed: 192.168.100.50:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target] -
Cause
After an FMS upgrade the JRE (Java Runtime Environment) may get updated to a newer version, which includes a potentially updated default cacerts (CA certificate store) file. The SSL cert issuer of the LDAP server is not in the new default cacerts file. -
Resolution
WORKAROUND
As per the Upgrade Guide, this issue can be resolved with the following steps to restore the saved cacerts file to the proper folder.
NOTE: The JRE on disk is replaced completely during a Management Server
On an FMS upgrade we can see the saved cacerts file is placed in the previous version subfolder. The file that should be replaced in this example is in the $FGLHOME/jre/lib/security folder.
- Directory of: $FGLHOME/state/backup/[Foglight version]/jre/lib/security
rw- 113 KB 2017-09-24 08:46 cacerts
- Directory of: $FGLHOME/jre/lib/security
rwx 113 KB 2018-02-27 17:10 cacerts
Note: Foglight also support a separate TrustStore, which will be preserved during upgrade. For more information refer to the Importing self-signed certificates to Foglight TrustStore section in any of the Foglight Installation Guides.
STATUS: FGL-18240 was closed as 'preserve the cert file which is done as documented.
- Directory of: $FGLHOME/state/backup/[Foglight version]/jre/lib/security
-
Defect ID
FGL-18240