KB-1937 LDAPS configuration test results in "The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection" error

Symptoms

LDAPS authentication is configured in the environment, but testing the configuration fails with the following error present in the application server log:

ERROR com.appiancorp.security.auth.ldap.LdapTestAuthenticationFunction - [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839

In addition, the LDAPS integration is not using a certificate signed by a publicly trusted CA (Certificate Authority). Instead, the certificate is self-signed or signed by an internal CA.

Cause

This error indicates that the connection is being downgraded due to a lack of trust caused by an invalid or missing SSL certificate. The installer for Appian 18.3 and later ships with Tomcat and OpenJDK, and the above symptoms suggest that the LDAP server's SSL certificate is missing from the OpenJDK truststore.

Action

Appian On-Premise

Upload the LDAP server's SSL certificate to the OpenJDK truststore using one of the following commands based on the operating system:

Linux

<APPIAN_HOME>/java/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME> -keystore <APPIAN_HOME>/java/jre/lib/security/cacerts

Windows

"<APPIAN_HOME>\java\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME> -keystore "<APPIAN_HOME>\java\jre\lib\security\cacerts"

Note: alternatively, using a certificate signed by a publicly trusted CA would also resolve the issue.
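
To confirm that the import took effect, the following added example (not Appian's code; the class name LdapsTrustCheck is hypothetical) performs a TLS handshake against the LDAPS endpoint using the default truststore of the JVM that runs it. It assumes the directory server listens on port 636 unless another port is passed as the second argument.

```java
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example (hypothetical class name): reports whether this JVM trusts an LDAPS server's certificate.
public class LdapsTrustCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java LdapsTrustCheck <ldap-host> [port]");
            System.exit(2);
        }
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 636; // assumption: standard LDAPS port

        // The default factory validates the server chain against this JVM's default
        // truststore (the cacerts file unless javax.net.ssl.trustStore overrides it).
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setSoTimeout(10000);

            // Also check that the certificate matches the host name, using LDAPS rules.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("LDAPS");
            socket.setSSLParameters(params);

            socket.startHandshake(); // throws SSLHandshakeException if the chain or name is rejected
            X509Certificate leaf = (X509Certificate) socket.getSession().getPeerCertificates()[0];
            System.out.println("TRUSTED: handshake with " + host + ":" + port + " succeeded");
            System.out.println("  subject: " + leaf.getSubjectX500Principal().getName());
            System.out.println("  issuer:  " + leaf.getIssuerX500Principal().getName());
            System.out.println("  expires: " + leaf.getNotAfter());
        } catch (SSLHandshakeException e) {
            // The message distinguishes an untrusted issuer from a host name mismatch.
            System.out.println("NOT TRUSTED: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run the compiled class with the Java binary under <APPIAN_HOME>/java/bin so that it reads the same cacerts file that keytool modified.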

Appian Cloud

For Appian Cloud, it is necessary to use a certificate signed by a publicly trusted CA.

Affected Versions

This article applies to Appian versions 18.3 and later.

Last Reviewed: May 2019
