1. Has the CA cert been integrated with SImA?
During initial installation the command to use is:
$ install.sh -h xx.xx.xx.xx --ldap-ca-cert path/to/ldap-ca.crt
Post-installation, update the webserver to include the LDAP CA certificate using the configure_webserver.sh script found in the SImA_INSTALL_DIR/nginx directory as shown below:
$ configure_webserver.sh --ldap-ca-cert path/to/new-CA.crt --restart-sima --update-ldap-cert-only
2. If the CA cert has been correctly added but the connection and/or authentication still fails, check the keycloak log for errors. You can follow the log of the keycloak service interactively like this:
$ docker service logs -f SImA_keycloak
Alternatively you can obtain a full set of log files as described here.
In the example below, taken from SImA_keycloak.log, the error points to a problem with the certificate and/or certificate chain: the Java runtime inside keycloak could not build a trust path from the certificate presented by the LDAP server to a trusted root, so the TLS handshake (and therefore the LDAP bind) failed:
ERROR [org.keycloak.services] (default task-2) KC-SERVICES0055: Error when authenticating to LDAP: simple bind failed: MY_SERVER:636: javax.naming.CommunicationException: simple bind failed: MY_SERVER:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
3. Check with the Active Directory/LDAP provider to confirm the certificate is correct. In the case of a certificate bundle, several certificates will have been concatenated into a single .crt file. The order in which the certificates appear in the bundle can affect whether or not authentication to the LDAP/AD server succeeds.
For example, if the order of certificates within the bundle is Server Certificate -> Intermediate Certificate -> Root Certificate and authentication fails, try reversing the order when building the .crt file, e.g.
Root Certificate -> Intermediate Certificate -> Server Certificate
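The three steps above are easier to work through with a small diagnostic script. The one below is an added example and is not part of SImA's install.sh or configure_webserver.sh; it assumes the LDAP hostname, port and bundle path are passed in as arguments, and it uses only grep, awk and openssl. It lists the certificates in the bundle in the order they appear (with subject and issuer, so you can see which one is the self-signed root), reverses the order into a new file for the retry described in step 3, and reproduces the trust check keycloak performs by having openssl verify the chain the LDAP server presents against the same bundle.

```bash
#!/usr/bin/env bash
# Added example (not SImA's own tooling): diagnose "PKIX path building failed"
# on the LDAP-over-TLS bind by inspecting the CA bundle and the server's chain.
# Assumed inputs: a PEM bundle path, an LDAP host and port (636 by default).

# Number of PEM certificate blocks in a bundle. Works without openssl.
count_certs() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Print position, subject and issuer of each certificate in bundle order.
# A self-signed root shows subject == issuer; the server (leaf) cert has the
# LDAP hostname as subject. The order printed is the order the bundle was built in.
list_bundle_order() {
  bundle="$1"
  n=$(count_certs "$bundle")
  i=1
  while [ "$i" -le "$n" ]; do
    printf '[%s] ' "$i"
    # extract only the i-th PEM block and ask openssl who it is
    awk -v want="$i" '
      /-----BEGIN CERTIFICATE-----/ { k++ }
      k == want { print }
    ' "$bundle" | openssl x509 -noout -subject -issuer | tr '\n' ' '
    echo
    i=$((i + 1))
  done
}

# Write a copy of the bundle with the certificate blocks in reverse order
# (Server -> Intermediate -> Root becomes Root -> Intermediate -> Server).
# Blocks are copied verbatim, so the certificates themselves are unchanged.
reverse_bundle() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n > 0 { block[n] = block[n] $0 "\n" }
    END { for (i = n; i >= 1; i--) printf "%s", block[i] }
  ' "$1" > "$2"
}

# Connect to the LDAP server over TLS and validate the chain it presents against
# the bundle, which approximates the trust check keycloak's JVM does at bind time.
# "Verify return code: 0 (ok)" means the bundle is sufficient; any other code
# (e.g. "unable to get local issuer certificate") points at a missing or
# mismatched CA in the bundle, the same condition behind the KC-SERVICES0055 log line.
check_ldap_chain() {
  host="$1"; port="${2:-636}"; bundle="$3"
  openssl s_client -connect "$host:$port" -servername "$host" \
      -CAfile "$bundle" -showcerts </dev/null 2>/dev/null \
    | grep -E '^(depth=|verify error|Verify return code)'
}

# Typical run (assumed names):
#   list_bundle_order path/to/ldap-ca.crt
#   check_ldap_chain MY_SERVER 636 path/to/ldap-ca.crt
#   reverse_bundle path/to/ldap-ca.crt path/to/ldap-ca-reversed.crt
```

Run check_ldap_chain first: if openssl already reports a non-zero verify code against the bundle, keycloak will fail the same way, and re-running configure_webserver.sh with the bundle will not help until the chain itself is fixed. Only if the chain verifies but keycloak still logs the PKIX error is the ordering retry with reverse_bundle worth trying.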