Troubleshooting
Problem
LDAP authentication stops working after the CA certificate signature changes.
Symptom
In the auth-idp platform-auth-service log:
[ERROR ] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN CN=LDAP.CM-XXXX was sent from the target host. The signer might need to be added to local trust store /opt/ibm/wlp/output/defaultServer/resources/security/key.jks, located in SSL configuration alias defaultSSLConfig. The extended error message from the SSL handshake exception is: PKIX path validation failed: java.security.cert.CertPathValidatorException: The certificate issued by XXXXXX, DC=cm-cic, DC=fr is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Signature does not match.
Cause
One possible cause of this error is that the certificate used is corrupted.
Environment
- Product Version: ICP 3.1.0 , 3.1.2
- Platform: Linux 64-Bit
- Operating System: Red Hat Enterprise Linux (RHEL) 7.6
- Service Type: BreakFix
- Problem Area: Security
Resolving The Problem
To resolve this issue, import the new certificate of the LDAP server and restart the auth-idp pods.
See the documentation on how to configure LDAP.
If the restart did not work, edit the connection and save the LDAP connection details again so that the new certificate is picked up.
Make sure you followed the steps properly and updated the secret ldaps-ca-cert.
You can check whether it exists by running the following command:
kubectl -n kube-system get secret | grep ldaps
You can also refer to the following technote.
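As an added example (not part of this technote), the following Python script performs the same check from the command line: it parses the CWPKI0022E message for the signer, issuer and inner cause, then compares the CA certificate stored in the ldaps-ca-cert secret (output of `kubectl -n kube-system get secret ldaps-ca-cert -o json`) with the chain the LDAP server currently presents (captured with `openssl s_client -showcerts`). The secret key name and the certificate contents below are constructed placeholders, not real X.509 data.

```python
import base64
import hashlib
import json
import re

# The CWPKI0022E line quoted in the Symptom section of this technote.
LOG_LINE = (
    "[ERROR ] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN CN=LDAP.CM-XXXX was sent "
    "from the target host. The signer might need to be added to local trust store "
    "/opt/ibm/wlp/output/defaultServer/resources/security/key.jks, located in SSL configuration alias "
    "defaultSSLConfig. The extended error message from the SSL handshake exception is: PKIX path "
    "validation failed: java.security.cert.CertPathValidatorException: The certificate issued by "
    "XXXXXX, DC=cm-cic, DC=fr is not trusted; internal cause is: "
    "java.security.cert.CertPathValidatorException: Signature does not match."
)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def parse_cwpki0022e(line):
    """Extract the signer DN, the untrusted issuer DN and the inner cause from a CWPKI0022E message."""
    m = re.search(r"SubjectDN (?P<subject>.+?) was sent .*?issued by (?P<issuer>.+?) is not trusted; "
                  r"internal cause is: .*?: (?P<cause>[^.]+)\.", line)
    return m.groupdict() if m else None


def fingerprints(pem_text):
    """SHA-256 fingerprints (hex) of every certificate block in a PEM string; hashes the DER bytes."""
    return [hashlib.sha256(base64.b64decode(block)).hexdigest() for block in PEM_RE.findall(pem_text)]


def diagnose(secret_json, presented_chain_pem):
    """Return 'ok' if any certificate in the secret matches one the LDAP server presents, else 'stale-secret'."""
    stored = set()
    for value in json.loads(secret_json)["data"].values():  # every key is checked, so the key name does not matter
        stored.update(fingerprints(base64.b64decode(value).decode()))
    presented = set(fingerprints(presented_chain_pem))
    return "ok" if stored & presented else "stale-secret"


def fake_pem(payload):
    """Constructed stand-in for a certificate: PEM framing around arbitrary bytes (not a real X.509 cert)."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(payload).decode() + "\n-----END CERTIFICATE-----\n"


OLD_CA = fake_pem(b"constructed: CA before rotation")
NEW_CA = fake_pem(b"constructed: CA after rotation")
# Constructed secret as kubectl would print it; "ca.crt" is a placeholder key name.
SECRET_JSON = json.dumps({"data": {"ca.crt": base64.b64encode(OLD_CA.encode()).decode()}})

if __name__ == "__main__":
    print(parse_cwpki0022e(LOG_LINE))
    print("secret vs. server:", diagnose(SECRET_JSON, NEW_CA))  # stale-secret: the CA was rotated
```

A result of stale-secret means the secret still holds the old CA, which is exactly the case where re-importing the certificate (or editing and saving the LDAP connection) and restarting auth-idp is required.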
Document Location
Worldwide
Product Synonym
Ldap authentication failed: CWPKI0022E: SSL HANDSHAKE FAILURE, pods auth-idp, auth-pdp not working
Document Information
Modified date:
08 June 2020
UID
ibm16220984