Monday, April 5, 2010

SSL-HANDSHAKE ERROR - AD-USER PROVISIONING – GENERAL ERROR

How to fix this Problem

Here is the error that you might face:


java.security.cert.CertificateExpiredException: NotAfter: Thu Apr 17 13:56:25 EDT 2008
at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:268)
at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:564)
at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:123)
at sun.security.validator.Validator.validate(Validator.java:202)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(DashoA12275)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA12275)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:183)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:222)
at java.io.BufferedInputStream.read(BufferedInputStream.java:277)
at com.sun.jndi.ldap.Connection.run(Connection.java:784)

What this trace finally surfaces to the application is: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found. The root cause is the first line: the certificate presented by the Active Directory (LDAPS) server, or one in its chain, is past its NotAfter date, so the Java trust manager rejects it during the handshake.

How to fix – SSL Handshake Error

Remove the expired (archived) certificate.

To do this, follow these steps:

  1. Open the Microsoft Management Console (MMC) snap-in where you manage the certificate store on the IAS server.
  2. If you do not already have an MMC snap-in to view the certificate store from, create one. To do so:
     a. Click Start, click Run, type mmc in the Open box, and then click OK.
     b. On the Console menu (the File menu in Windows Server 2003), click Add/Remove Snap-in, and then click Add.
     c. In the Available Standalone Snap-ins list, click Certificates, click Add, click Computer account, click Next, and then click Finish.
        Note: You can also add the Certificates snap-in for the user account and for the service account to this MMC snap-in.
     d. Click Close, and then click OK.
  3. Under Console Root, click Certificates (Local Computer).
  4. On the View menu, click Options.
  5. Click to select the Archived certificates check box, and then click OK.
  6. Expand Personal, and then click Certificates.
  7. Right-click the expired (archived) digital certificate, click Delete, and then click Yes to confirm the removal of the expired certificate.
  8. Quit the MMC snap-in. You do not have to restart the computer or any services to complete this procedure.

FYI - In our case, we had to restart the AD server for the changes to take effect. This did not fix the issue without a restart.

This is an excerpt from Microsoft's website. Here are the links to the articles:

http://support.microsoft.com/kb/822406/

http://support.microsoft.com/kb/839514/

The other possible cause is that your new / renewed certificate was not imported into the Java cacerts keystore of the OIM server.

Use the following to connect OIM to an SSL-based Active Directory. This is an excerpt from the OIM documentation:

Installing Certificate Services – REFERENCE – OIM Connector Documentation – for Active Directory

The connector requires Certificate Services to be running on the host computer.

To install Certificate Services:

  1. Insert the operating system installation media into the CD-ROM or DVD drive.
  2. Click Start, Settings, and Control Panel.
  3. Double-click Add/Remove Programs.
  4. Click Add/Remove Windows Components.
  5. Select Certificate Services.
  6. Follow the instructions to start Certificate Services.

Enabling LDAPS

The target Microsoft Active Directory server must have LDAP over SSL (LDAPS) enabled.

To enable LDAPS, generate a certificate as follows:

  1. On the Active Directory Users and Computers console, right-click the domain node, and select Properties.
  2. Click the Group Policy tab.
  3. Select Default Domain Policy.
  4. Click Edit.
  5. Click Computer Configuration, Windows Settings, Security Settings, and Public Key Policies.
  6. Right-click Automatic Certificate Request Settings, and then select New and Automatic Certificate Request. A wizard is started.
  7. Use the wizard to add a policy with the Domain Controller template.

At the end of this procedure, the certificate is created and LDAP is enabled using SSL on port 636.


Setting Up the Microsoft Active Directory Certificate As a Trusted Certificate

If the Microsoft Active Directory certificate is not issued or certified by a certification authority (CA), then set it up as a trusted certificate. To do this, you first export the certificate and then import it into the keystore of the Oracle Identity Manager server as a trusted CA certificate.

Exporting the Microsoft Active Directory Certificate

To export the Microsoft Active Directory certificate:

  1. Click Start, Programs, Administrative Tools, and Certification Authority.
  2. Right-click the Certification Authority that you created, and then select Properties.
  3. On the General tab, click View Certificate.
  4. On the Details tab, click Copy To File.
  5. Use the wizard to create a certificate (.cer) file using base-64 encoding.

Importing the Microsoft Active Directory Certificate

To import the Microsoft Active Directory certificate into the certificate store of the Oracle Identity Manager server:

In a clustered environment, you must perform this procedure on all the nodes of the cluster.
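As an added example, not code from the OIM documentation or from the original post, the script below uses openssl and the JDK keytool to show the certificate the AD server presents on port 636, refuse an exported .cer that is already expired, and replace the trust anchor in the OIM server's cacerts keystore. The host name, keystore path, alias and store password in it are assumptions.

```shell
#!/bin/sh
# Added example, not from the OIM documentation or the original post.
# Assumes openssl and the JDK keytool are on PATH; host names, paths, the
# alias and the store password below are placeholders (cacerts ships with
# the password "changeit").
set -eu

# Show subject, issuer and expiry of the certificate the AD server presents
# on the LDAPS port. An expired certificate here is what JSSE reports as
# CertificateExpiredException, surfaced as "No trusted certificate found".
# Usage: ldaps_cert_info <ad-host> [port]
ldaps_cert_info() {
    openssl s_client -connect "$1:${2:-636}" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -enddate
}

# Succeed if the base-64 (PEM) certificate in $1 stays valid for at least $2
# more seconds (default 0); fail if it has expired or is about to.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Replace the AD CA trust anchor in a Java keystore: refuse a certificate
# that expires within a day, back up the keystore, drop any stale entry under
# the alias, import the base-64 .cer exported from the Windows CA, and verify
# the entry is present. The JVM reads cacerts at startup, so restart OIM after.
# Usage: import_ca_cert <keystore> <storepass> <alias> <ca.cer>
import_ca_cert() {
    ks=$1; pass=$2; alias=$3; cer=$4
    if ! cert_valid_for "$cer" 86400; then
        echo "refusing to import $cer: expired or expiring within a day" >&2
        return 1
    fi
    cp -p "$ks" "$ks.bak.$(date +%Y%m%d%H%M%S)"
    keytool -delete -alias "$alias" -keystore "$ks" -storepass "$pass" \
        >/dev/null 2>&1 || true
    keytool -importcert -noprompt -trustcacerts -alias "$alias" -file "$cer" \
        -keystore "$ks" -storepass "$pass"
    keytool -list -alias "$alias" -keystore "$ks" -storepass "$pass" >/dev/null
}

# Example invocation (placeholder host, path and alias):
#   ldaps_cert_info ad.example.com 636
#   import_ca_cert "$JAVA_HOME/jre/lib/security/cacerts" changeit ad-root-ca \
#       /tmp/ad-root-ca.cer
```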