Issue when Configuring LDAPS in Keycloak - Troubleshooting and Solution
Topic
While changing the connection URL from LDAP to LDAPS in the Keycloak User Federation settings, the connection test succeeded, but testing the authentication produced an error. The Aerobase logs showed these errors:
12:02:46,779 ERROR [org.keycloak.services] (default task-4) KC-SERVICES0055: Error when authenticating to LDAP: null: javax.naming.CommunicationException [Root exception is javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException:...
This error is raised by Java's TLS stack: the certificate presented by the LDAP server is not trusted, so its CA certificate needs to be added to the Java keystore.
Instructions
If an SSL certificate signed by an authority trusted by Java is not being used, a certificate will need to be added to the Java Keystore.
It is preferred and recommended that a trusted certificate is used, since an untrusted certificate, such as a self-signed one, causes web services communication to fail with an SSLHandshakeException.
The log then repeatedly shows errors of the form: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException...
The certificate added to the keystore must be the CA/root CA of the certificate chain used on the Domain Controller, not the server certificate itself.
Import a certificate to the Java Keystore
Find the Java home path by typing %Java_Home% in the Windows search bar.
Copy the default keystore <Java_Home>/lib/security/cacerts to <Java_Home>/lib/security/jssecacerts.
This leaves the original cacerts file available as a backup. If jssecacerts is present, JSSE uses it instead of cacerts; it replaces cacerts rather than extending it, so jssecacerts must start as a complete copy of cacerts.
Import the certificate to the jssecacerts keystore using the following command:
"C:\Nintex\IDP\Aerobase\Aerobase\embedded\openjdk\jre\bin\keytool" -importcert -file "C:\Users\LocalAdmin\Desktop\KryonCert.cer" -alias Kryon14-126.kryonaws.com -keystore "C:\Nintex\IDP\Aerobase\Aerobase\embedded\openjdk\jre\lib\security\jssecacerts" -storepass changeit
NOTE: The command needs to run as Administrator, and the certificate must be a valid X.509 (.CER) file.
Default syntax is as below:
$JDK_HOME/bin/keytool -importcert -file $CERT -alias $ALIAS -keystore $JDK_HOME/lib/security/jssecacerts -storepass changeit
Replace $JDK_HOME with your actual JDK home path. Replace $CERT with the path to the certificate you previously installed in the system. Replace $ALIAS with the preferred alias to be used in the keystore.
NOTE: changeit is the default password for Java's cacerts file. Check whether it has been changed on your system.
NOTE: Always paste the command into Notepad first to remove extra formatting characters. The command also needs to be run on a single line.
The output of the command should be as shown below:
If a different output is received, there is likely an error somewhere in the command, or a wrong path was used.
To resolve: at the "Trust this certificate?" prompt, enter y and press Enter. This output should be received:
After successfully importing the certificate to the Java keystore, restart all Nintex services, then re-attempt to finish the LDAPS Federation settings.
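The procedure above, as an added worked example that is not part of the original Nintex article: a PowerShell script that first shows which CA the Domain Controller actually presents on port 636, seeds jssecacerts from cacerts, imports the root CA non-interactively, and verifies the entry before the services are restarted. The Java home path is the one from the article; the certificate path, alias and Domain Controller host name are placeholders.

```powershell
# Added example (not from the original article): import the LDAPS root CA
# into jssecacerts and verify it, using only keytool.
# $CertFile, $Alias and $LdapHost are placeholders; replace them before use.
# Run from an elevated (Administrator) PowerShell session.

$JavaHome  = 'C:\Nintex\IDP\Aerobase\Aerobase\embedded\openjdk\jre'   # path from the article
$Keytool   = Join-Path $JavaHome 'bin\keytool.exe'
$Cacerts   = Join-Path $JavaHome 'lib\security\cacerts'
$Jsse      = Join-Path $JavaHome 'lib\security\jssecacerts'
$CertFile  = 'C:\path\to\RootCA.cer'        # placeholder: exported root CA, X.509 .cer
$Alias     = 'ldaps-root-ca'                # placeholder alias
$LdapHost  = 'dc01.example.local'           # placeholder Domain Controller
$StorePass = 'changeit'                     # default password; change if it was altered

# 1. Show the chain the Domain Controller presents on 636. The last
#    "Certificate[n]" in the output is the CA that must be in the keystore;
#    comparing it with $CertFile catches importing the wrong certificate.
& $Keytool -printcert -sslserver "${LdapHost}:636"

# 2. Seed jssecacerts from cacerts. jssecacerts replaces cacerts rather than
#    extending it, so it must contain everything cacerts already trusts.
if (-not (Test-Path $Jsse)) { Copy-Item -Path $Cacerts -Destination $Jsse }

# 3. Import the CA. -noprompt answers the "Trust this certificate?" question,
#    so the command can run unattended; a non-zero exit code means a bad path
#    or a file that is not a valid X.509 certificate.
& $Keytool -importcert -noprompt -file $CertFile -alias $Alias -keystore $Jsse -storepass $StorePass
if ($LASTEXITCODE -ne 0) {
    throw "keytool import failed (exit $LASTEXITCODE): check the certificate path and that the file is a valid X.509 .cer"
}

# 4. Verify the entry is present before restarting the Nintex services.
& $Keytool -list -keystore $Jsse -storepass $StorePass -alias $Alias
if ($LASTEXITCODE -ne 0) { throw "alias '$Alias' not found in $Jsse" }
```

Step 1 is the check worth keeping even if the rest is run by hand: if the chain printed for port 636 ends in a CA different from the file being imported, the handshake will keep failing with the same SSLHandshakeException after the import and the restart.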