What is the path to import certificates to enable SSL LDAP for AEM Forms 6.5?

Level 2

I have AEM Forms 6.5 single server on Windows, and I need to enable SSL LDAP.  According to the configuration instructions, I executed the command below:

keytool -import -alias CERTALIAS -file "E:\certificates\MY CERT Expiration 6-13-25.crt" -keystore D:\Adobe\Adobe_Experience_Manager_Forms\jre\lib\security\cacerts

 

The path is where my AEM Forms installation resides.  After executing the command, I get these results:

Trust this certificate? [no]: y
Certificate was added to keystore

 

However, the configuration test fails with this error:

11:49:30,313 INFO [com.adobe.idp.um.businesslogic.synch.LdapHelper] (default task-265) Following stacktrace is generated due to the Test LDAP Server Configuration action : javax.naming.CommunicationException: server.dom.dom.dom:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

8 Replies

Employee Advisor

@coldwarsoldier 

I don't see any reason this test connection will fail as the certificate was added successfully. Are you able to list[0] the certificate as well?

A couple of quick checks:

- Is the AEM Forms server taking up the OOTB Java home under AEM Forms directory or something else? Usually it's under <C:\Program Files\Java\>.

- I see that the certificate was picked from a different directory (C: and D:) and the certificate name has spaces (although you have given the path in quotes). Do list the certificate to cross-check this one.

 

[0] - 

keytool -list -keystore cacerts -alias CERTALIAS
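
The two checks suggested in the reply above (which Java home the server really uses, and whether the alias is in that store), as an added example that is not part of the original thread or Adobe's tooling. It assumes it is launched with the same java binary and the same -D options as the AEM Forms application server; the class name `TrustStoreCheck` is hypothetical and `changeit` is only the stock cacerts password.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

public class TrustStoreCheck {

    // JSSE default lookup order: -Djavax.net.ssl.trustStore if set, otherwise
    // <java.home>/lib/security/jssecacerts, otherwise <java.home>/lib/security/cacerts.
    static File effectiveTrustStore() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null && !override.isEmpty()) {
            return new File(override);
        }
        File secDir = new File(new File(System.getProperty("java.home"), "lib"), "security");
        File jssecacerts = new File(secDir, "jssecacerts");
        return jssecacerts.isFile() ? jssecacerts : new File(secDir, "cacerts");
    }

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "CERTALIAS";   // alias used in the thread
        // Assumption: the stock cacerts password; pass yours as the second argument.
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        File store = effectiveTrustStore();
        System.out.println("java.home   : " + System.getProperty("java.home"));
        System.out.println("trust store : " + store.getAbsolutePath());

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(store)) {
            ks.load(in, password);
        }
        System.out.println("entries     : " + ks.size());

        if (!ks.isCertificateEntry(alias)) {
            System.out.println("alias '" + alias + "' is NOT a trusted certificate in this store");
            System.exit(1);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        // Compare these with the chain the LDAP server presents on port 636.
        System.out.println("subject     : " + cert.getSubjectX500Principal().getName());
        System.out.println("issuer      : " + cert.getIssuerX500Principal().getName());
        System.out.println("not after   : " + cert.getNotAfter());
        System.out.println("CA cert     : " + (cert.getBasicConstraints() >= 0));
    }
}
```

Compile it with javac and run it with the java binary named in the server's start script, passing the same -Djavax.net.ssl.trustStore option if that script sets one.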

 

Level 2

Thank you Pulkit for your insightful help.  I successfully imported the certificates to all the Java keystores in my server:

"C:\Program Files\Java\jdk-11.0.15.1\lib\security\cacerts"

"C:\Program Files (x86)\Java\jre1.8.0_341\lib\security\cacerts"

D:\Adobe\Adobe_Experience_Manager_Forms\jre\lib\security\cacerts

The last path is where the AEM Forms program is installed.  I can also list the certificates when I execute this command:

keytool -list -keystore cacerts -alias CERTALIAS

Yesterday before I left, I got a different error. Here is the error:

14:35:53,110 INFO [com.adobe.idp.um.businesslogic.synch.LdapHelper] (default task-216) Following stacktrace is generated due to the Test LDAP Server Configuration action : javax.naming.ServiceUnavailableException: server.dom.dom.com:636; socket closed

But today, I am back to the original error:

08:05:12,451 INFO [com.adobe.idp.um.businesslogic.synch.LdapHelper] (default task-540) Following stacktrace is generated due to the Test LDAP Server Configuration action : javax.naming.CommunicationException: server.dom.dom.com:636:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

 

Employee Advisor

@coldwarsoldier 

Multiple computer drives, so it's creating some confusion  

The new error msg looks a little off to me (e.g. - .... server.dom.dom.com:636:636 ....- two ports?) unless it's a typo.

Could you enable the debug logs for "com.adobe.idp.um" package and share the logs from the window of the test connection?

 

 

Level 2

I am even more confused,  hence my original questions.  I have been chasing my tail with this problem for over two days.

 

The 636:636 duplicate port is a copy and paste mistake on my part.

 

How do I enable debug for the "com.adobe.idp.um" package? Is this done in standalone.conf.bat or in the Adobe Experience Manager Web Console Bundles?  Can you please provide more details on how to enable it?  Thanks.

Employee Advisor

@coldwarsoldier 

This should help - https://experienceleague.adobe.com/docs/experience-manager-learn/forms/troubleshooting/steps-to-enab... 

For a quick turnaround on this issue, I suggest you raise a ticket with support and get the settings reviewed over a screen share.

Level 2

Thank you Pulkit for all your help. I will open a support ticket.