Adding LDAPS Certificate to the Dashboard v3 Java Trust Store


Product Name

CIS-CAT Pro Dashboard

Product Version

v3.0+

Date

Mar 16, 2023



Problem

When using LDAPS (LDAP over SSL/TLS) authentication with CIS-CAT Pro Dashboard v3, the Dashboard's Java runtime must be able to build a trust chain to the LDAPS server's certificate. Unless that certificate was issued by a CA already present in the Java trust store, the LDAPS certificate (or, preferably, the certificate of the CA that issued it) has to be added to the Dashboard Java Trust Store (the cacerts file of the bundled JRE).

If this is not done correctly, LDAP user authentication may fail with the following error in the /logs/ccpdlogs/ciscatpro.log file:

PKIX path building failed [...] unable to find valid certification path to requested target

Solution

1. Export the LDAPS server certificate, or the certificate of the CA that issued it, as a DER or Base-64 encoded X.509 file (.cer). Export the certificate only, not the private key: keytool -import reads X.509 certificates, not .pfx/PKCS#12 bundles, and the domain controller's private key should never leave it. The following third-party guide illustrates the export process:
https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx#Exporting_the_LDAPS_Certificate_and_Importing_for_use_with_AD_DS

Copy the exported file to your Dashboard server.

2. Open an administrative cmd session (Windows) or a root/sudo terminal (Linux) and change to the Dashboard jre/bin directory, so that the keytool bundled with the Dashboard is used rather than any other Java installation on the host.

  • Windows default path:
    C:\Program Files\CCPD\jre\bin

  • Linux default path:
    /usr/local/CCPD/jre/bin

3. Run the following command (Windows example; on Linux use ./keytool and the Linux paths listed below):

keytool -import -trustcacerts -alias ccpdldaps -file C:\my-ldaps-certificate.cer -keystore "C:\Program Files\CCPD\jre\lib\security\cacerts"

  • For the -alias option, you can assign any name not already present in the keystore (such as ccpdldaps). keytool refuses to import over an existing alias; to replace a certificate imported earlier (for example after a CA rollover), remove it first with keytool -delete -alias ccpdldaps -keystore "<path to cacerts>".

  • For the -file option, specify the full path to the exported LDAPS certificate (ex. C:\my-ldaps-certificate.cer)

  • For the -keystore option, specify the full path to the Dashboard cacerts file.

    • Windows default location:
      C:\Program Files\CCPD\jre\lib\security\cacerts

    • Linux default location:
      /usr/local/CCPD/jre/lib/security/cacerts

4. When prompted for the keystore password, enter changeit (the Java default for cacerts; if the Dashboard's cacerts password has been changed, use that value instead).

5. keytool prints the certificate's owner, issuer, validity period and fingerprints and then asks whether to trust it. Check that the fingerprint matches the certificate you exported, then enter "yes". The following message confirms a successful import:
Certificate was added to keystore.

6. Restart the CIS-CAT Pro Dashboard application service: the JVM reads the trust store at startup, so the new certificate is not used until the service restarts.

  • Windows:
    services.msc → Restart the CCPD Windows service

  • Linux:
    sudo systemctl restart CIS-CAT_Pro_Dashboard

Should you still see the PKIX path building failed error in ciscatpro.log after making the above changes, Atlassian documents a small Java utility called SSLPoke that opens a TLS connection from a given JVM to a host and port and reports whether the handshake succeeds. Run it with the Dashboard's bundled java.exe so that it uses the same cacerts file the Dashboard does:
Unable to Connect to SSL Services Due to 'PKIX Path Building Failed' Error | Atlassian Support | Atlassian Documentation

For example, on Windows, with SSLPoke.class copied into C:\Program Files\CCPD\jre\bin and that directory as the current directory (so the class is found on the default classpath); the path to java.exe must be quoted because it contains a space:

"C:\Program Files\CCPD\jre\bin\java.exe" -Djavax.net.debug=ssl SSLPoke ldap.mydomain.com 636

The -Djavax.net.debug=ssl option prints the handshake, including the certificate chain the server sends and which trust anchor, if any, the JVM matched it against.
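The steps above and the troubleshooting note can be combined on a Linux Dashboard host. The following script is an added example, not CIS code: it pulls the chain the LDAPS server actually presents with openssl s_client (the same information SSLPoke's debug output shows), imports the last certificate of that chain (the issuer, when the server sends one) into the Dashboard's bundled cacerts, and lists it back as confirmation. It assumes openssl is installed, that the Dashboard lives at the page's Linux default path /usr/local/CCPD (override with CCPD_HOME), and the default cacerts password changeit (override with STOREPASS). The SAMPLE_CHAIN text is a constructed stand-in for s_client output used only to self-check the PEM parsing; its certificate bodies are placeholders.

```shell
#!/bin/sh
# Added example (not CIS code). Fetch an LDAPS host's certificate chain,
# import its issuer into the Dashboard's bundled cacerts, verify the import.
# Assumptions: openssl on PATH; CCPD_HOME = page's Linux default install path;
# STOREPASS = Java default unless overridden.
set -eu

CCPD_HOME="${CCPD_HOME:-/usr/local/CCPD}"
KEYTOOL="$CCPD_HOME/jre/bin/keytool"
CACERTS="$CCPD_HOME/jre/lib/security/cacerts"
STOREPASS="${STOREPASS:-changeit}"

# Print the PEM chain the server presents, i.e. what the JVM has to validate.
# -servername matters when one host serves several names (SNI).
fetch_chain() {  # host port
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Number of certificates in a PEM stream on stdin (0 when none).
cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Extract the Nth certificate (1-based) from a PEM stream on stdin.
nth_cert() {  # n
  awk -v n="$1" '
    /-----BEGIN CERTIFICATE-----/ { i++ }
    i == n                        { print }
    /-----END CERTIFICATE-----/   { if (i == n) exit }'
}

# Import a PEM certificate under ALIAS and list it back as confirmation.
# -noprompt replaces the interactive "Trust this certificate?" answer, so only
# call this after the certificate has been checked (main prints its details).
import_cert() {  # alias pemfile
  if "$KEYTOOL" -list -alias "$1" -keystore "$CACERTS" -storepass "$STOREPASS" >/dev/null 2>&1; then
    # keytool will not import over an existing alias: replace it (e.g. after a CA rollover).
    "$KEYTOOL" -delete -alias "$1" -keystore "$CACERTS" -storepass "$STOREPASS"
  fi
  "$KEYTOOL" -importcert -noprompt -trustcacerts -alias "$1" -file "$2" \
    -keystore "$CACERTS" -storepass "$STOREPASS"
  "$KEYTOOL" -list -v -alias "$1" -keystore "$CACERTS" -storepass "$STOREPASS" \
    | grep -E 'Alias|Owner|Issuer|Valid'
}

# Constructed sample of `openssl s_client -showcerts` output (leaf first, then
# its issuer) for the offline self-check; bodies are placeholders, not certificates.
SAMPLE_CHAIN='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ldap.example.com
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDER
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
ISSUERPLACEHOLDER
-----END CERTIFICATE-----
---'

main() {  # host [port] [alias]
  host="$1"; port="${2:-636}"; alias_name="${3:-ccpdldaps}"
  tmp="$(mktemp -d)"
  fetch_chain "$host" "$port" > "$tmp/chain.pem"
  n="$(cert_count < "$tmp/chain.pem")"
  [ "$n" -gt 0 ] || { echo "no certificate received from $host:$port" >&2; rm -rf "$tmp"; return 1; }
  # Trust the last certificate sent: the issuer when the server sends a chain,
  # which keeps working after the server certificate itself is renewed. A server
  # that sends only its leaf leaves you with the leaf.
  nth_cert "$n" < "$tmp/chain.pem" > "$tmp/trust.pem"
  echo "server sent $n certificate(s); importing #$n:"
  openssl x509 -in "$tmp/trust.pem" -noout -subject -issuer -dates -fingerprint -sha256
  import_cert "$alias_name" "$tmp/trust.pem"
  rm -rf "$tmp"
  echo "done: restart the Dashboard service (sudo systemctl restart CIS-CAT_Pro_Dashboard)"
}

if [ "$#" -ge 1 ]; then
  main "$@"
else
  echo "usage: $0 ldaps-host [port] [alias]" >&2
fi
```

Run it as root on the Dashboard host, for example sh import-ldaps-ca.sh ldap.mydomain.com 636. Because the chain is taken from the network, compare the printed SHA-256 fingerprint with the one your directory team publishes before relying on the import; otherwise a host that can intercept the connection once becomes trusted for good. If a Dashboard upgrade replaces the bundled jre directory, the import has to be repeated.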

Keywords: LDAPS, Dashboard v3, Certificate



Copyright © 2024

Center for Internet Security®



Related content

  • Administrative Templates Section on CIS-CAT Report
  • Dashboard v3 Certificate FAQs
  • As a Dashboard admin I need to change a user's password but the reset email wasn't set up at install
  • Updating CIS-CAT Pro Dashboard TLS/SSL Certificate during an unsuccessful installation
  • Permission errors on the /tmp partition
  • Replacing Expired Dashboard TLS Certificate