TrustStore and recurring “unable to find valid certification path to requested target”

StackOverflow https://stackoverflow.com/questions/7205418

13-01-2021

Question

I am trying to use Spring Security to authenticate users against Active Directory. So far I was using LDAP protocol, but now I would like to use LDAPS.

I followed this article http://blogs.oracle.com/gc/entry/unable_to_find_valid_certification and it works. I was able to bind user against AD successfully using LDAPS.

But after a while (15 - 30min), when I try to log in, I get this exception again:

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)

and then I am no longer able to use LDAPS. I tried to:

  • restart tomcat
  • add certificate directly to cacerts
  • start tomcat with a path to the trustStore by using the env property -Djavax.net.ssl.trustStore

The only thing that works is to recreate jssecacerts completely. It is not enough to just copy the existing jssecacerts to jre/lib/security; it MUST be a new file. I just do not understand...

My environment is: java 1.6.0_26, tomcat 7.0.20, spring 3.0.5, spring security 3.1RC2

Am I doing something wrong?

Thanks

Solution

Ok, so I probably found the solution. I did not know that behind one Active Directory URL there are many physical machines :) When I used InstallCert it rewrote and generated a new keystore with only one current certificate. That was the reason why it sometimes worked and sometimes did not. I also found that all certificates are signed by one CA. After adding the CA's certificate to the trustStore it finally started to work.
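The fix the answer arrives at, as an added shell example that is not from the original post: fetch the chain one domain controller presents on 636, keep the issuing CA certificate rather than the leaf, and build a fresh trust store from it so every DC behind the DNS name validates. `LDAPS_HOST`, the alias `ad-ca` and the output path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl and a JDK
# keytool on PATH; LDAPS_HOST (hypothetical) is the AD DNS name.
# Lesson from the answer: trust the issuing CA, not the leaf certificate of
# whichever domain controller answered the last connection.

# Split a PEM bundle on stdin (as printed by `openssl s_client -showcerts`)
# into $1/cert-1.pem, $1/cert-2.pem, ... (cert-1 is the server's leaf).
# Prints the number of certificates found.
split_chain() {
  mkdir -p "$1"
  awk -v dir="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }'
}

# Choose the certificate to import: the last one the server sent, i.e. the
# issuing or root CA when the chain is complete. Fails when only the leaf
# was sent, which is exactly the case where importing it "works" for one DC only.
pick_ca() {
  if [ "$2" -lt 2 ]; then
    echo "server sent only its leaf; fetch the CA certificate from the AD CA" >&2
    return 1
  fi
  echo "$1/cert-$2.pem"
}

if [ -n "${LDAPS_HOST:-}" ]; then
  work="$(mktemp -d)"
  count="$(openssl s_client -connect "$LDAPS_HOST:636" -showcerts </dev/null 2>/dev/null \
    | split_chain "$work")"
  ca="$(pick_ca "$work" "$count")"
  # Fresh trust store holding only the CA; 'changeit' is the JDK's default
  # cacerts password and is an assumption here. Hand it to the JVM with
  # -Djavax.net.ssl.trustStore=$work/jssecacerts -Djavax.net.ssl.trustStorePassword=changeit
  keytool -importcert -noprompt -alias ad-ca -file "$ca" \
    -keystore "$work/jssecacerts" -storepass changeit
  keytool -list -v -keystore "$work/jssecacerts" -storepass changeit | grep -E 'Alias|Owner|Issuer'
  echo "trust store: $work/jssecacerts"
fi
```

Run it as `LDAPS_HOST=dc.example.internal sh import-ad-ca.sh`; without `LDAPS_HOST` set it only defines the helpers, so the chain-splitting logic can be exercised offline.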

Licensed under: CC-BY-SA with attribution