old ARIS 7.2 Business Publisher Server - LDAPS doesn't work

Hi Michaela,

Did you restart the Publisher ?

If you manage users via an LDAP system, authentication is performed using this system. To map LDAP user groups to ARIS user groups, you need to customize the configuration file. 

Procedure 
1. Open ..\BPServer\tomcat\webapps\businesspublisher\config\webappserver.cfg 
and specify the required <ldap> settings. 

2. Restart ARIS Business Publisher Server

BR

AO

Hello André,

as mentioned in my first post I changed both settings in the webappserver.cfg from LDAP to LDAPS.
And I did a restart of the Publisher Server.
 

Regards,
Michi

Hi Michaela

Please you have to do a doublecheck in these files again to see all ldap settings.

Checking webappserver.cfg for selected login type

BPServer\tomcat\webapps\businesspublisher\config\webappserver.cfg and find 

<LoginModuleSection value="UMCLogin"/>
<!-- ldapproviderurl specifies the LDAP server´s URL -->
<!-- this is the main setting for LDAP-support. If an LDAP-Server is used, this setting must -->
<!-- contain the URL. If LDAP is not being used, this setting MUST be empty (""). -->

<ldapproviderurl value="ldaps://xxxxxx:389"

<ldapdefaultaccount value="CN=Administrator,CN=Users,DC=XX,DC=XX,DC=XX" />

<ldapdefaultpwd value="password" /> PLACE YOUR PW here

<usersearchpath value="OU=XXX-Users,DC=XXX,DC=xxx,DC=XXX"/>

<groupsearchpath value="OU=XXX-HC,OU=Security Group,DC=XXX,DC=XXXX,DC=XX"/>

The LoginModuleSection value = UMC and also check this file:

umcconfig.cfg

If you still have issues, open the Log files to get more details about what is going on...

\businesspublisher\log\externalSystems\ldap-7.XXXX.log
\businesspublisher\log\
\businesspublisher\log\core\issues\

On these folders you have the log 'bpErrorxxxxx.log' and have more details .. you can post here.

Although the configuration is described in quick_start_guide_aris_bpub_s.pdf - available on DVD

BR

AO

Hello André,

here are my settings:

<!-- LoginModuleSection is the section in the JAAS-configuration-file (BPLogin.cfg by default), -->
<!-- which is used for the login process. The configuration-file can contain several sections. -->
<!-- This setting chooses the active one. The other ones are being ignored. -->
<!-- The file originally contains 2 sections: -->
<!--   - NativeLogin uses only BP´s own login mechanism. -->
<!--   - BPLogin uses BP´s own login mechanism only for "root" and anomymous and LDAP for others. -->
<!-- (It is possible to alter the login process by additional login modules and/or configuration sections.)  ->
<!-- If the selected module contains the class ABPLdapLogin, the other settings in this <ldap>-   -->
<!-- section must be properly specified. If only the class ABPNativeLogin is used, -->
<!-- the other settings in this section are ignored, but ldapproviderurl MUST be "" in this case.  -->
<LoginModuleSection value="BPLogin"/>
<!-- LoginModuleSection value="NativeLogin"/>  -->

<ldapproviderurl value="ldaps://10.0.3.6:636"/>
<ldapdefaultaccount value="CN=ldap-aris,OU=Benutzer,OU=EDV,OU=Verwaltung,DC=whu,DC=edu"/>   is correct
<ldapdefaultpwd value="XXXX"/>    is correct
<usersearchpath value="DC=whu,DC=edu"/>
<groupsearchpath value="DC=whu,DC=edu"/>

*****

But I saw a hint in the \businesspublisher\log\externalSystems\ldap-7.XXXX.log

Exception from 'ldaps://10.0.3.6:636'.
javax.naming.CommunicationException: simple bind failed: 10.0.3.6:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

*****

We are using a wildcard certificate for our domain. I think I will have to put it somewhere on the BPSERVER. But I don't find any instructions in the PDF. Can you help me?

Thanks and regards,

Michi

HI Michi

The exception you see means that the Sun JRE does not accept the certificate (e.g. it is a self-signed one or from a non-trusted CA).

There are two ways to solve this:

1) Use a certificate signed by a CA with the correct computername
2) Install the self-signed CA on each clients Java. This means you need to modify any client-installation cacerts-file from the used Java JRE.

Please refer the 'installation_administration_guide.pdf' from DVD for details about to provide the certificate ..

One suggestion test, could check if the ARIS works fine using SSL before to see in ABP side..

BR

AO