DRAFT KB-XXXX LDAPS configuration test results in "The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection" error

Symptoms

LDAPS authentication is configured in the environment, but testing the configuration fails with the following error present in the application server log:

ERROR com.appiancorp.security.auth.ldap.LdapTestAuthenticationFunction - [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839

This error suggests that the connection is being downgraded because of an invalid or missing certificate and the ensuing lack of trust on the server's part. In addition, the following conditions are true:

  • The LDAPS integration is not using a publicly trusted, Certificate Authority (CA) signed certificate.
    • Instead, the certificate is self-signed or signed by an internal CA.
  • This certificate is already present in the default JDK truststore.

Cause

Beginning with Appian 18.3 (when Appian ships with Tomcat), the Appian installer includes OpenJDK. The above symptoms suggest that this certificate is missing from the truststore of the OpenJDK included with Appian.

Action

Appian On-Premise

Import the certificate into the OpenJDK truststore using one of the following commands, depending on the operating system:

Linux

<APPIAN_HOME>/java/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME> -keystore <APPIAN_HOME>/java/jre/lib/security/cacerts
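To confirm the import landed in the truststore that Appian's OpenJDK reads, compare the certificate's fingerprint against the `keytool -list` output for that file. This is an added example, not part of the original article or Appian's tooling; the function names, the sample listing and the fingerprints are constructed, and it assumes keytool's default (non-verbose) listing format.

```shell
#!/bin/sh
# Added example: confirm a certificate is in a truststore by fingerprint.
# Function names and the sample data below are constructed for illustration.

# Reduce "sha1 Fingerprint=aa:bb:.." (openssl) or
# "Certificate fingerprint (SHA1): AA:BB:.." (keytool) to bare uppercase hex.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' -e 's/^.*): *//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Read default `keytool -list` output on stdin and print the alias whose
# fingerprint equals $1. Returns 1 when no entry matches.
find_alias_by_fp() {
    want=$(normalize_fp "$1")
    alias_name=""
    while IFS= read -r line; do
        case "$line" in
            *trustedCertEntry*|*PrivateKeyEntry*)
                alias_name=${line%%,*} ;;   # alias is the text before the first comma
            "Certificate fingerprint ("*)
                if [ "$(normalize_fp "$line")" = "$want" ]; then
                    printf '%s\n' "$alias_name"
                    return 0
                fi ;;
        esac
    done
    return 1
}

# Constructed sample of a keytool listing (not real certificates).
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

examplepublicca, Aug 25, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67
internal-ldaps-ca, May 3, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD'

# Fingerprint in the form openssl prints it (constructed value).
CERT_FP='sha1 Fingerprint=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd'

if found=$(printf '%s\n' "$SAMPLE_LISTING" | find_alias_by_fp "$CERT_FP"); then
    echo "certificate present under alias: $found"
else
    echo "certificate NOT in this truststore; import it as described above"
fi
```

Against a real installation, pipe the output of `keytool -list -keystore <APPIAN_HOME>/java/jre/lib/security/cacerts` into `find_alias_by_fp` and pass it the output of `openssl x509 -noout -fingerprint -sha1 -in <certificate file>`, using the same digest algorithm that the keytool listing prints.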

Windows

"<APPIAN_HOME>\java\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME> -keystore "<APPIAN_HOME>\java\jre\lib\security\cacerts"

Appian Cloud

For Appian Cloud, it is necessary to use a publicly trusted CA signed certificate.

Affected Versions

This article applies to Appian versions 18.3 and later.

Last Reviewed: May 2019