Adding LDAPS Certificate to the Dashboard v3 Java Trust Store


Product Name

CIS-CAT Pro Dashboard

Product Version

v3.0+

Date

Mar 16, 2023



Problem

When using LDAPS (LDAP with SSL) authentication with CIS-CAT Pro Dashboard v3, the LDAPS certificate has to be added to the Dashboard Java Trust Store.

If this is not done correctly, LDAP user authentication may fail with the following error in the /logs/ccpdlogs/ciscatpro.log file:

PKIX path building failed [...] unable to find valid certification path to requested target

Solution

1

Export your LDAPS certificate in .pfx format. The following third-party guide illustrates the process:
LDAP over SSL (LDAPS) Certificate

Copy the exported file to your Dashboard server.

2

Navigate to the Dashboard /jre/bin directory in an administrative cmd session or terminal.

  • Windows default path:
    C:\Program Files\CCPD\jre\bin

  • Linux default path:
    /usr/local/CCPD/jre/bin

3

Run the following command:

keytool -import -trustcacerts -alias ccpdldaps -file C:\my-ldaps-certificate.pfx -keystore "C:\Program Files\CCPD\jre\lib\security\cacerts"
  • For the -alias option, you can assign any value (such as ccpdldaps)

  • For the -file option, specify the full path to the LDAPS server certificate (ex. C:\my-ldaps-certificate.pfx)

  • For the -keystore option, specify the full path to the Dashboard cacerts file.

    • Windows default location:
      C:\Program Files\CCPD\jre\lib\security\cacerts

    • Linux default location:
      /usr/local/CCPD/lib/security/cacerts

4

When prompted, enter the Dashboard keystore password changeit.

5

When asked to trust this certificate, enter “yes”. The following message appears after a successful addition:
Certificate was added to keystore.

6

Restart the CIS-CAT Pro Dashboard application service to apply the new configuration.

  • Windows:
    services.msc → Restart the CCPD Windows service

  • Linux:
    sudo systemctl restart CIS-CAT_Pro_Dashboard

Should you still experience the PKIX path building failed error in the ciscatpro.log file after making the above changes, Atlassian offers a method of debugging the SSL connection via a Java utility called SSLPoke that can also be used to diagnose Dashboard’s connectivity to your LDAPS host:
https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-error-779355358.html

As example on Windows (assuming the SSLPoke.class has been copied to CCPD\jre\bin:

C:\Program Files\CCPD\jre\bin\java.exe -Djavax.net.debug=ssl SSLPoke ldap.mydomain.com 636

Keywords; LDAPS Dashboard v3 Certificate

Content by Label


Copyright © 2024

Center for Internet Security®