Invalid LDAP certificate results in U00045015 Java security error

Document ID : KB000087348
Last Modified Date : 14/04/2018
Issue:
Error Message :
U00045015 The previous error was caused by 'java.security.ProviderException: "java.security.KeyException"' at 'sun.security.ec.ECKeyPairGenerator.generateKeyPair():147'.

LDAP authentication using SSL requires a certificate. If the certificate becomes invalid, the following can be seen in the WP log:

20171031/155928.783 - U00045040 LDAP check with logon user 'CORP\5219259' failed. 
20171031/155950.662 - U00045033 Log on to LDAP server '<domain here>:636;<domain here>:636' with user 'CORP\890869'. 
20171031/155950.671 - U00045014 Exception 'javax.naming.CommunicationException: "simple bind failed: corpedcw.prod.fedex.com:636"' at 'com.sun.jndi.ldap.LdapClient.authenticate():219'. 
20171031/155950.672 - U00045015 The previous error was caused by 'javax.net.ssl.SSLException: "java.security.ProviderException: java.security.KeyException"' at 'sun.security.ssl.Alerts.getSSLException():208'. 
20171031/155950.672 - U00045015 The previous error was caused by 'java.security.ProviderException: "java.security.KeyException"' at 'sun.security.ec.ECKeyPairGenerator.generateKeyPair():147'. 
20171031/155950.673 - U00045015 The previous error was caused by 'java.security.KeyException: "null"' at 'sun.security.ec.ECKeyPairGenerator.generateECKeyPair():-2'.

Environment:
OS Version: N/A
Cause:
Cause type:
Configuration
Root Cause: The LDAP certificate has become invalid.
Resolution:

Multiple things could cause this to happen. The first thing to check is which version of Java is used to start the Java Work Process (JWP). This can be done using the command below:

java -version

Once you know which version of Java is being used, make sure that it is the expected version. If the Java version being used is different from the Java installation into which the certificate was imported, the error above can be seen.

We provide instructions on importing the certificate file:

  1. Go to the jre\lib\security folder of the Java installation and import the certificate with the keytool command:

keytool -keystore cacerts -importcert -alias ldapServer -file certificate.cer

When prompted to trust this certificate respond by typing "Y".

Another option to install the certificate is the -installcert command line parameter of the Java Work Process:

java -jar ucsrvjp.jar -installcert <host>:<sslport>

This assumes that the Java Work Process has write access to the cacerts file of the Java installation.

This command detects the path of cacerts, connects to the specified host and port and tries to create an SSL connection.

If a certificate is missing, the message "unable to find valid certification path to requested target" is printed and the missing certificate is downloaded and stored in the cacerts file.
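The following script is an added example and is not part of this KB article or of the Automic product; it ties the checks above together from the defender's side. It resolves the cacerts truststore from the java.home of the Java that actually starts the JWP (so a certificate imported into a different JRE is noticed), confirms the alias is present, and compares the SHA-256 fingerprint of the stored certificate with the one the LDAP server presents right now, which also catches a certificate that was renewed after the import. Assumptions: the alias 'ldapServer' from the keytool command above, the JDK default keystore password 'changeit', and keytool and openssl on PATH.

```shell
#!/bin/sh
# Added example (not part of the KB article): check that the Java which starts
# the JWP trusts the certificate the LDAP server presents *now*. It resolves
# the truststore from that Java's own java.home, confirms the alias is there,
# and compares fingerprints, which catches both "imported into the wrong JRE"
# and "certificate renewed since import". Assumptions: alias 'ldapServer' (from
# the KB's keytool command) and the JDK default store password 'changeit'.

# Major version from 'java -version' text: "1.8.0_191" -> 8, "11.0.2" -> 11.
java_major_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    case "$ver" in
        1.*) printf '%s\n' "$ver" | cut -d. -f2 ;;
        *)   printf '%s\n' "$ver" | cut -d. -f1 ;;
    esac
}

# java.home from 'java -XshowSettings:properties -version' text. On Java 8 this
# is the jre directory, on 9+ the JDK root; in both cases cacerts lives under
# lib/security, so no version-specific path guessing is needed.
java_home_from_settings() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*java\.home = //p' | head -n 1
}

cacerts_path() {
    printf '%s/lib/security/cacerts\n' "$1"
}

# SHA-256 fingerprint (AA:BB:... form) of the certificate stored under an alias.
stored_fingerprint() {
    keytool -list -v -keystore "$1" -storepass "${3:-changeit}" -alias "$2" 2>/dev/null \
        | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}

# SHA-256 fingerprint of the leaf certificate the server presents right now.
# keytool -printcert -sslserver does not validate the chain, so it works even
# while the JWP itself cannot connect.
presented_fingerprint() {
    keytool -printcert -sslserver "$1:$2" -rfc 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/.*=//'
}

# usage: check_ldap_truststore <ldap-host> <sslport> [alias]
check_ldap_truststore() {
    host=$1; port=$2; alias=${3:-ldapServer}
    # Use the same java the JWP would: $JAVA_HOME/bin/java if set, else PATH.
    javabin=${JAVA_HOME:+$JAVA_HOME/bin/java}
    javabin=${javabin:-$(command -v java)}
    [ -n "$javabin" ] || { echo "no java binary found"; return 1; }
    major=$(java_major_version "$("$javabin" -version 2>&1)")
    home=$(java_home_from_settings "$("$javabin" -XshowSettings:properties -version 2>&1)")
    store=$(cacerts_path "$home")
    echo "java: $javabin (major $major), truststore: $store"
    stored=$(stored_fingerprint "$store" "$alias")
    [ -n "$stored" ] || { echo "alias '$alias' not in $store (imported into another JRE?)"; return 2; }
    presented=$(presented_fingerprint "$host" "$port")
    [ -n "$presented" ] || { echo "could not fetch certificate from $host:$port"; return 3; }
    if [ "$stored" = "$presented" ]; then
        echo "OK: '$alias' matches the certificate presented by $host:$port"
    else
        echo "MISMATCH: $host:$port presents $presented, '$alias' holds $stored; re-import"
        return 4
    fi
}
```

Run it as `check_ldap_truststore <host> <sslport>` with the same JAVA_HOME or PATH the JWP start script uses. The fingerprint comparison is also the check to perform after -installcert: that option stores whatever certificate the host presents during that one connection, so the stored fingerprint should be compared against the one published by the LDAP administrator before the JWP relies on it.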

Fix Status: No Fix

Fix Version(s):
N/A
Additional Information:
Workaround :
N/A