CAST Imaging System - GUI - Login - Authentication - LDAP Authentication - Login failure due to exception javax.net.ssl.SSLHandshakeException: PKIX path building failed

Purpose

   This page explains how to resolve the login error 'PKIX path building failed' when Imaging is configured to use LDAPS authentication.

   Error log:

[Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

For more information, refer to: Configuring authentication using LDAP/LDAPS

Applicable Platform


   Imaging version    Yes/No
   2.x                Yes

Step by Step scenario

  1. Configure LDAPS authentication for Imaging.

  2. Enable LDAP debug mode by adding the lines below to the application.properties file (path: %APPDATA%\CAST\ImagingSystem\login):

          logging.level.org.castsoftware.aip.console.services.ldap=debug
          logging.level.org.springframework.security.ldap=debug
          logging.level.org.springframework.ldap=debug

  3. Restart the service "CAST Imaging - login service".

  4. Login fails with the error "Incorrect username or password. please try again."

  5. Observe the exception below in loginservice.log (path: <Imaging-install-path>\logs).

[Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

Action Plan

The error "PKIX path building failed" occurs during LDAPS authentication when the SSL certificate of the LDAP server is not present in the trust store of the embedded JDK used by Imaging System.

Perform the actions below to import the SSL certificate into the trust store.

  1. Contact your IT team and get the SSL certificate of the LDAP server in .cer or .crt format.
  2. Navigate to the path "<Imaging-install-path>\jdk\bin" and open a command prompt.
  3. Run the command below.

     keytool -importcert -trustcacerts -file <certificate file> -keystore "<Imaging-install-path>\jdk\lib\security\cacerts" -storepass <password>

          <certificate file>: the path to the file containing the CER-encoded certificate

          <password>: password for the cacerts trust store. The default password is "changeit".
  4. Restart the service "CAST Imaging - login service".
  5. If the above steps do not solve your issue, contact CAST Technical Support with the relevant input needed to reproduce the issue.
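
Added example (not part of the original CAST page or CAST's own tooling): a PowerShell wrapper around steps 1 to 3 that checks the certificate's SHA-256 fingerprint against a value confirmed with your IT team before it is trusted, backs up cacerts, imports under an explicit alias and confirms the entry. The parameter names, the alias "ldaps-server" and the backup file name are assumptions; -alias, -noprompt and -list are standard keytool options.

```powershell
# Added example: verify, import and confirm the LDAPS certificate.
# Every value here is supplied by you; nothing is taken from CAST documentation.
param(
    [Parameter(Mandatory)] [string] $ImagingHome,     # <Imaging-install-path>
    [Parameter(Mandatory)] [string] $CertFile,        # .cer/.crt received from your IT team
    [Parameter(Mandatory)] [string] $ExpectedSha256,  # fingerprint confirmed over a separate channel
    [string] $Alias     = 'ldaps-server',             # hypothetical alias name
    [string] $StorePass = 'changeit'                  # default cacerts password
)

$keytool  = Join-Path $ImagingHome 'jdk\bin\keytool.exe'
$cacerts  = Join-Path $ImagingHome 'jdk\lib\security\cacerts'
$certPath = (Resolve-Path $CertFile -ErrorAction Stop).Path

# 1. Fingerprint the certificate itself (its DER bytes), not the file,
#    so PEM and DER copies of the same certificate give the same value.
$cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = -join ($sha256.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('X2') })
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpper()

Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"
Write-Host "Expires : $($cert.NotAfter)"
if ($actual -ne $expected) { throw "Fingerprint mismatch ($actual). Certificate not imported." }
if ($cert.NotAfter -lt (Get-Date)) { throw 'Certificate has expired. Certificate not imported.' }

# 2. Keep a copy of the trust store so the change can be rolled back.
Copy-Item $cacerts "$cacerts.bak-$(Get-Date -Format yyyyMMddHHmmss)" -ErrorAction Stop

# 3. Import under an explicit alias. -noprompt is acceptable only because
#    the fingerprint was already checked above.
& $keytool -importcert -trustcacerts -noprompt -alias $Alias -file $certPath `
           -keystore $cacerts -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool import failed (exit code $LASTEXITCODE)." }

# 4. Confirm the entry is present; the printed fingerprint should match $actual.
& $keytool -list -alias $Alias -keystore $cacerts -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "Alias '$Alias' not found in cacerts after import." }
```

Run it from an elevated PowerShell session if the install path is write-protected, then continue with the service restart in step 4.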

 

Notes/comments

Ticket # 39083
