This document describes how to re-import (check in) the LDAP CA certificates into cacerts after an SI or JDK upgrade in Sterling Integrator.
The authentication log shows an ERRORDTL entry such as:
javax.naming.communication:simple bind failed: [Root exception is javax.net.ssl SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed:java.security.cert.certpathBuilderException:PKIXcertpathBuilderImple could not build a valid certpath; internal cause is ; java.security.cert.certpathValidatorException: The Certificate issued by CN=XXXX root CA is not trusted;internal cause is
After a JDK or SI upgrade, the contents of si_install/jdk/jre/lib/security are wiped out. LDAP authentication looks for the LDAP CA certificate in si_install/jdk/jre/lib/security/cacerts and does not find it, so the TLS handshake to the LDAP server fails with the error above.
1. Go to si_install/jdk/bin and list the current contents of cacerts:
./keytool -list -v -keystore si_install/jdk/jre/lib/security/cacerts > output.txt
The keystore password should be changeit (the JDK default for cacerts).
2. Check the following fields for each entry in output.txt: Owner, Issuer, Valid from (and until), Certificate fingerprints, and Signature algorithm. Confirm whether the LDAP CA (for example the CN=XXXX root CA named in the error) is present and still valid.
3. Copy the LDAP certificate file(s) to si_install/jdk/bin and re-import (check in) each one into cacerts with keytool, as in the following command:
./keytool -importcert -trustcacerts -alias <alias name> -file <certificate file> -keystore si_install/jdk/jre/lib/security/cacerts
Note: If the LDAP server presents multiple certificates (for example a root CA and an intermediate CA), import each certificate with the command above, using a different alias for each one.
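The three steps above (list cacerts, inspect the entry, re-import if it is missing) can be scripted so the check is repeatable after every upgrade. The following POSIX shell script is an added example and is not part of the IBM technote or of Sterling Integrator; SI_INSTALL, the alias and the certificate file are placeholders, and the embedded `keytool -list -v` listing is a constructed sample used to exercise the parsing helpers without a real keystore.

```shell
#!/bin/sh
# Added example (not IBM's code): verify that an LDAP CA is present in the SI
# JDK cacerts after an upgrade and re-import it if it is missing.
# Assumed placeholders: SI_INSTALL, STOREPASS, the alias and the cert file.

SI_INSTALL="${SI_INSTALL:-/opt/si_install}"
CACERTS="$SI_INSTALL/jdk/jre/lib/security/cacerts"
KEYTOOL="$SI_INSTALL/jdk/bin/keytool"
STOREPASS="${STOREPASS:-changeit}"   # JDK default for cacerts

# alias_present LISTING_FILE ALIAS
# Exit 0 if ALIAS appears as an entry in a `keytool -list -v` listing.
alias_present() {
    grep -q "^Alias name: $2\$" "$1"
}

# cert_field LISTING_FILE ALIAS FIELD
# Print the value of FIELD ("Owner", "Issuer", "Valid from",
# "Signature algorithm name", "SHA1", ...) for the entry named ALIAS.
# Prints nothing when the alias or the field is absent.
cert_field() {
    awk -v alias="$2" -v field="$3" '
        /^Alias name: / { in_entry = (substr($0, 13) == alias); next }
        in_entry && ($0 ~ ("^[ \t]*" field ":")) {
            sub("^[ \t]*" field ": *", ""); print; exit
        }
    ' "$1"
}

# ensure_ldap_ca_trusted ALIAS CERT_FILE
# Lists cacerts, imports CERT_FILE under ALIAS if that alias is missing,
# then prints the fields the technote says to check for that entry.
ensure_ldap_ca_trusted() {
    listing=$(mktemp)
    "$KEYTOOL" -list -v -keystore "$CACERTS" -storepass "$STOREPASS" > "$listing"
    if alias_present "$listing" "$1"; then
        echo "alias $1 already present in $CACERTS"
    else
        echo "alias $1 missing from $CACERTS, importing $2"
        "$KEYTOOL" -importcert -trustcacerts -noprompt -alias "$1" -file "$2" \
            -keystore "$CACERTS" -storepass "$STOREPASS"
        "$KEYTOOL" -list -v -keystore "$CACERTS" -storepass "$STOREPASS" > "$listing"
    fi
    for f in Owner Issuer "Valid from" "Signature algorithm name" SHA1; do
        printf '%s: %s\n' "$f" "$(cert_field "$listing" "$1" "$f")"
    done
    rm -f "$listing"
}

# write_sample_listing PATH
# Constructed sample of `keytool -list -v` output (not real SI data), so the
# helpers above can be exercised offline.
write_sample_listing() {
    cat > "$1" <<'EOF'
Keystore type: jks
Keystore provider: IBMJCE

Your keystore contains 2 entries

Alias name: corp-ldap-root
Creation date: Jan 5, 2021
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US
Serial number: 1a2b3c
Valid from: 1/1/21 12:00 AM until: 1/1/31 12:00 AM
Certificate fingerprints:
     MD5:  00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
     SHA1: 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67
     SHA256: 00:01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14:15:16:17:18:19:1A:1B:1C:1D:1E:1F
Signature algorithm name: SHA256withRSA
Version: 3

*******************************************
*******************************************

Alias name: other-ca
Creation date: Feb 2, 2021
Entry type: trustedCertEntry

Owner: CN=Other CA, O=Other, C=US
Issuer: CN=Other CA, O=Other, C=US
Signature algorithm name: SHA256withRSA
EOF
}

# Usage: ./check_ldap_ca.sh <alias> <certificate file>
# Only runs the real check when arguments are given and keytool exists.
if [ "$#" -ge 2 ] && [ -x "$KEYTOOL" ]; then
    ensure_ldap_ca_trusted "$1" "$2"
fi
```

After the import, run the script once more: `alias_present` should now succeed, and the printed Owner, Issuer, validity and SHA1 fingerprint should match the certificate obtained from the LDAP administrators before SI is restarted.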
For LDAP authentication configuration, refer to https://www.ibm.com/support/knowledgecenter/en/SS3JSW_5.2.0/com.ibm.help.security.doc/SI_ConfigLDAPwithSI.html
Also make sure the LDAP truststore property points at the same keystore: LDAP_SECURITY_TRUSTSTORE=si_install/jdk/jre/lib/security/cacerts
After the certificates have been loaded into cacerts, SI needs to be restarted.
Every SI or JDK upgrade requires re-importing the certificates with keytool, always followed by an SI restart.