KB-1937 LDAPS configuration test results in "The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection" error

Rebecca Jonas — Mon, 13 May 2019 22:59:11 GMT

Current Revision posted to Appian Knowledge Base by Rebecca Jonas on 5/13/2019 10:59:11 PM

Symptoms

LDAPS authentication is configured in the environment, but testing the configuration fails with the following error present in the application server log:

ERROR com.appiancorp.security.auth.ldap.LdapTestAuthenticationFunction - [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839

In addition, the LDAPS integration is not using a certificate signed by a publicly trusted CA (Certificate Authority). Instead, the certificate is self-signed or signed by an internal CA.

Cause

This error indicates that the connection is being downgraded due to a lack of trust caused by an invalid or missing SSL certificate. The installer for Appian 18.3 and later ships with Tomcat and OpenJDK, and the above symptoms suggest that the LDAP server's SSL certificate is missing from the OpenJDK truststore.

Action

Appian Self-managed

Upload the LDAP server's SSL certificate to the OpenJDK truststore using one of the following commands based on the operating system:

Linux

<APPIAN_HOME>/java/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME> -keystore <APPIAN_HOME>/java/jre/lib/security/cacerts

Windows

"<APPIAN_HOME>\java\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME>-keystore "<APPIAN_HOME>\java\jre\lib\security\cacerts"

Note: alternatively, using a certificate signed by a publicly trusted CA would also resolve the issue.

Appian Cloud

For Appian Cloud, it is necessary to use a certificate signed by a publicly trusted CA.

Affected Versions

This article applies to Appian versions 18.3 and later.

Last Reviewed: May 2019

Tags: installation, integration, LDAP, authentication

DRAFT KB-XXXX LDAPS configuration test results in "The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection" error

Jordan Horwat — Mon, 13 May 2019 21:02:08 GMT

Revision 18 posted to Appian Knowledge Base by Jordan Horwat on 5/13/2019 9:02:08 PM

Symptoms

LDAPS authentication is configured in the environment, but testing the configuration fails with the following error present in the application server log:

ERROR com.appiancorp.security.auth.ldap.LdapTestAuthenticationFunction - [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839

In addition, the LDAPS integration is not using a certificate signed by a publicly trusted CA (Certificate Authority). Instead, the certificate is self-signed or signed by an internal CA.

Cause

Action

Appian On-Premise

Upload the LDAP server's SSL certificate to the OpenJDK truststore using one of the following commands based on the operating system:

Linux

<APPIAN_HOME>/java/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME> -keystore <APPIAN_HOME>/java/jre/lib/security/cacerts

Windows

"<APPIAN_HOME>\java\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME>-keystore "<APPIAN_HOME>\java\jre\lib\security\cacerts"

Note: alternatively, using a certificate signed by a publicly trusted CA would also resolve the issue.

Appian Cloud

For Appian Cloud, it is necessary to use a certificate signed by a publicly trusted CA.

Affected Versions

This article applies to Appian versions 18.3 and later.

Last Reviewed: May 2019

Tags: installation, integration, LDAP, authentication

DRAFT KB-XXXX LDAPS configuration test results in "The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection" error

Jordan Horwat — Mon, 13 May 2019 20:51:57 GMT

Revision 17 posted to Appian Knowledge Base by Jordan Horwat on 5/13/2019 8:51:57 PM

Symptoms

LDAPS authentication is configured in the environment, but testing the configuration fails with the following error present in the application server log:

ERROR com.appiancorp.security.auth.ldap.LdapTestAuthenticationFunction - [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839

In addition, the LDAPS integration is not using a certificate signed by a publicly trusted CA (Certificate Authority). Instead, the certificate is self-signed or signed by an internal CA.

Cause

Action

Appian On-Premise

Upload the LDAP server's SSL certificate to the OpenJDK truststore using one of the following commands based on the operating system:

Linux

<APPIAN_HOME>/java/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME> -keystore <APPIAN_HOME>/java/jre/lib/security/cacerts

Windows

"<APPIAN_HOME>\java\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME>-keystore "<APPIAN_HOME>\java\jre\lib\security\cacerts"

Note: instead of following the steps above, using a certificate signed by a publicly trusted CA would also resolve the issue.

Appian Cloud

For Appian Cloud, it is necessary to use a certificate signed by a publicly trusted CA.

Affected Versions

This article applies to Appian versions 18.3 and later.

Last Reviewed: May 2019

Tags: installation, integration, LDAP, authentication

DRAFT KB-XXXX LDAPS configuration test results in "The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection" error

Jordan Horwat — Mon, 13 May 2019 20:48:44 GMT

Revision 16 posted to Appian Knowledge Base by Jordan Horwat on 5/13/2019 8:48:44 PM

Symptoms

LDAPS authentication is configured in the environment, but testing the configuration fails with the following error present in the application server log:

ERROR com.appiancorp.security.auth.ldap.LdapTestAuthenticationFunction - [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839

In addition, the LDAPS integration is not using a certificate signed by a publicly trusted CA (Certificate Authority). Instead, the certificate is self-signed or signed by an internal CA.

Cause

Action

Appian On-Premise

Upload the LDAP server's SSL certificate to the OpenJDK truststore using one of the following commands based on the operating system:

Linux

<APPIAN_HOME>/java/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME> -keystore <APPIAN_HOME>/java/jre/lib/security/cacerts

Windows

"<APPIAN_HOME>\java\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME>-keystore "<APPIAN_HOME>\java\jre\lib\security\cacerts"

Appian Cloud

For Appian Cloud, it is necessary to use a certificate signed by a publicly trusted CA.

Affected Versions

This article applies to Appian versions 18.3 and later.

Last Reviewed: May 2019

Tags: installation, integration, LDAP, authentication

DRAFT KB-XXXX LDAPS configuration test results in "The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection" error

Jordan Horwat — Mon, 13 May 2019 20:46:56 GMT

Revision 15 posted to Appian Knowledge Base by Jordan Horwat on 5/13/2019 8:46:56 PM

Symptoms

LDAPS authentication is configured in the environment, but testing the configuration fails with the following error present in the application server log:

ERROR com.appiancorp.security.auth.ldap.LdapTestAuthenticationFunction - [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839

In addition, the LDAPS integration is not using a certificate signed by a publicly trusted CA (Certificate Authority). Instead, the certificate is self-signed or signed by an internal CA.

Cause

This error indicates the connection is being downgraded due to a lack of trust caused by an invalid or missing SSL certificate. The installer for Appian 18.3 and later ships with Tomcat and OpenJDK. The above symptoms suggest that the LDAP server's SSL certificate is missing from the OpenJDK truststore.

Action

Appian On-Premise

Upload the LDAP server's SSL certificate to the OpenJDK truststore using one of the following commands based on the operating system:

Linux

<APPIAN_HOME>/java/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME> -keystore <APPIAN_HOME>/java/jre/lib/security/cacerts

Windows

"<APPIAN_HOME>\java\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME>-keystore "<APPIAN_HOME>\java\jre\lib\security\cacerts"

Appian Cloud

For Appian Cloud, it is necessary to use a certificate signed by a publicly trusted CA.

Affected Versions

This article applies to Appian versions 18.3 and later.

Last Reviewed: May 2019

Tags: installation, integration, LDAP, authentication

DRAFT KB-XXXX LDAPS configuration test results in "The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection" error

Jordan Horwat — Mon, 13 May 2019 20:34:05 GMT

Revision 14 posted to Appian Knowledge Base by Jordan Horwat on 5/13/2019 8:34:05 PM

Symptoms

LDAPS authentication is configured in the environment, but testing the configuration fails with the following error present in the application server log:

ERROR com.appiancorp.security.auth.ldap.LdapTestAuthenticationFunction - [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839

This error suggests that the connection is being downgraded due to an invalid or missing certificate, ensuing lack of trust on the server's part. In addition, the following conditions are true:

The LDAPS integration is not using a publicly trusted, Certificate Authority (CA) signed certificate.
- Instead, the certificate is self-signed or signed by an internal CA.
This certificate is already present in default JDK truststore.

Cause

Beginning with Appian 18.3 (when Appian ships with Tomcat), the Appian installer includes OpenJDK. When the above symptoms are encountered, it suggests that the mentioned certificate is missing from the OpenJDK truststore.

Action

Appian On-Premise

Upload the mentioned certificate to the OpenJDK truststore using one of the following commands based on the operating system:

Linux

<APPIAN_HOME>/java/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME> -keystore <APPIAN_HOME>/java/jre/lib/security/cacerts

Windows

"<APPIAN_HOME>\java\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME>-keystore "<APPIAN_HOME>\java\jre\lib\security\cacerts"

Appian Cloud

For Appian Cloud, it is necessary to use a publicly trusted CA signed certificate.

Affected Versions

This article applies to Appian versions 18.3 and later.

Last Reviewed: May 2019

Tags: installation, integration, LDAP, authentication

DRAFT KB-XXXX LDAPS configuration test results in "The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection" error

Jordan Horwat — Mon, 13 May 2019 20:14:43 GMT

Revision 13 posted to Appian Knowledge Base by Jordan Horwat on 5/13/2019 8:14:43 PM

Symptoms

LDAPS authentication is configured in the environment, but testing the configuration fails with the following error present in the application server log:

ERROR com.appiancorp.security.auth.ldap.LdapTestAuthenticationFunction - [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839

This error suggests that the connection is being downgraded due to an invalid or missing certificate, ensuing lack of trust on the server's part. However, the following conditions are true:

The LDAPS integration is using a valid, Certificate Authority (CA) signed certificate.
This valid, CA signed certificate is present in default JDK truststore.

Cause

Beginning with Appian 18.3 (when Appian ships with Tomcat), the Appian installer includes OpenJDK. When the above symptoms are encountered, it suggests that the necessary valid, CA signed certificate is missing from the OpenJDK truststore.

Action

Upload the valid, CA signed certificate to the OpenJDK truststore using one of the following commands based on the operating system:

Linux

<APPIAN_HOME>/java/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME> -keystore <APPIAN_HOME>/java/jre/lib/security/cacerts

Windows

"<APPIAN_HOME>\java\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME>-keystore "<APPIAN_HOME>\java\jre\lib\security\cacerts"

Affected Versions

This article applies to Appian versions 18.3 and later.

Last Reviewed: May 2019

Tags: installation, integration, LDAP, authentication

DRAFT KB-XXXX LDAPS configuration test results in "The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection" error

Jordan Horwat — Mon, 13 May 2019 20:14:06 GMT

Revision 12 posted to Appian Knowledge Base by Jordan Horwat on 5/13/2019 8:14:06 PM

Symptoms

LDAPS authentication is configured in the environment, but testing the configuration fails with the following error present in the application server log:

ERROR com.appiancorp.security.auth.ldap.LdapTestAuthenticationFunction - [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839

This error suggests that the connection is being downgraded due to an invalid or missing certificate, ensuing lack of trust on the server's part. However, the following conditions are true:

The LDAPS integration is using a valid, Certificate Authority (CA) signed certificate.
This valid, CA signed certificate is present in default JDK trust store.

Cause

Action

Upload the valid, CA signed certificate to the OpenJDK truststore using one of the following commands based on the operating system:

Linux

<APPIAN_HOME>/java/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME> -keystore <APPIAN_HOME>/java/jre/lib/security/cacerts

Windows

"<APPIAN_HOME>\java\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME>-keystore "<APPIAN_HOME>\java\jre\lib\security\cacerts"

Affected Versions

This article applies to Appian versions 18.3 and later.

Last Reviewed: May 2019

Tags: installation, integration, LDAP, authentication

DRAFT KB-XXXX LDAPS configuration test results in "The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection" error

Jordan Horwat — Mon, 13 May 2019 20:12:30 GMT

Revision 11 posted to Appian Knowledge Base by Jordan Horwat on 5/13/2019 8:12:30 PM

Symptoms

LDAPS authentication is configured in the environment, but testing the configuration fails with the following error present in the application server log:

ERROR com.appiancorp.security.auth.ldap.LdapTestAuthenticationFunction - [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839

This error suggests that the connection is being downgraded due to an invalid or missing certificate, ensuing lack of trust on the server's part. However, the following conditions are true:

The LDAPS integration is using a valid, Certificate Authority (CA) signed certificate.
This valid, CA signed certificate is present in default JDK trust store.

Cause

Beginning with Appian 18.3, the Appian installer includes OpenJDK. When the above symptoms are encountered, it suggests that the necessary valid, CA signed certificate is missing from the OpenJDK truststore.

Action

Upload the valid, CA signed certificate to the OpenJDK truststore using one of the following commands based on the operating system:

Linux

<APPIAN_HOME>/java/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME> -keystore <APPIAN_HOME>/java/jre/lib/security/cacerts

Windows

"<APPIAN_HOME>\java\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME>-keystore "<APPIAN_HOME>\java\jre\lib\security\cacerts"

Affected Versions

This article applies to Appian versions 18.3 and later.

Last Reviewed: May 2019

Tags: installation, integration, LDAP, authentication

DRAFT KB-XXXX LDAPS configuration test results in "The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection" error

Jordan Horwat — Mon, 13 May 2019 20:07:48 GMT

Revision 10 posted to Appian Knowledge Base by Jordan Horwat on 5/13/2019 8:07:48 PM

Symptoms

LDAPS is configured in the environment, and the application server log displays the following error:

ERROR com.appiancorp.security.auth.ldap.LdapTestAuthenticationFunction - [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839

This error suggests that the connection is being downgraded due to an invalid or missing certificate, ensuing lack of trust on the server's part. However, the following conditions are true:

The LDAPS integration is using a valid, Certificate Authority (CA) signed certificate.
This valid, CA signed certificate is present in default JDK trust store.

Cause

Action

Upload the valid, CA signed certificate to the OpenJDK truststore using one of the following commands based on the operating system:

Linux

<APPIAN_HOME>/java/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME> -keystore <APPIAN_HOME>/java/jre/lib/security/cacerts

Windows

"<APPIAN_HOME>\java\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME>-keystore "<APPIAN_HOME>\java\jre\lib\security\cacerts"

Affected Versions

This article applies to Appian versions 18.3 and later.

Last Reviewed: May 2019

Tags: installation, integration, LDAP, authentication

DRAFT KB-XXXX LDAPS CA signed cert error

Jordan Horwat — Mon, 13 May 2019 20:06:51 GMT

Revision 9 posted to Appian Knowledge Base by Jordan Horwat on 5/13/2019 8:06:51 PM

Symptoms

LDAPS is configured in the environment, and the application server log displays the following error:

ERROR com.appiancorp.security.auth.ldap.LdapTestAuthenticationFunction - [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839

This error suggests that the connection is being downgraded due to an invalid or missing certificate, ensuing lack of trust on the server's part. However, the following conditions are true:

The LDAPS integration is using a valid, Certificate Authority (CA) signed certificate.
This valid, CA signed certificate is present in default JDK trust store.

Cause

Action

Upload the valid, CA signed certificate to the OpenJDK truststore using one of the following commands based on the operating system:

Linux

<APPIAN_HOME>/java/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME> -keystore <APPIAN_HOME>/java/jre/lib/security/cacerts

Windows

"<APPIAN_HOME>\java\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME>-keystore "<APPIAN_HOME>\java\jre\lib\security\cacerts"

Affected Versions

This article applies to Appian versions 18.3 and later.

Last Reviewed: May 2019

Tags: installation, integration, LDAP, authentication

DRAFT KB-XXXX LDAPS CA signed cert error

Jordan Horwat — Mon, 13 May 2019 19:58:16 GMT

Revision 8 posted to Appian Knowledge Base by Jordan Horwat on 5/13/2019 7:58:16 PM

Symptoms

LDAPS is configured in the environment, and the application server log displays the following error:

ERROR com.appiancorp.security.auth.ldap.LdapTestAuthenticationFunction - [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839

This error suggests that the connection is being downgraded due to an invalid or missing certificate, ensuing lack of trust on the server's part. However, the following conditions are true:

The LDAPS integration is using a valid, Certificate Authority (CA) signed certificate.
This valid, CA signed certificate is present in default JDK trust store.

Cause

Beginning with Appian 19.1, the Appian installer includes OpenJDK. When the above symptoms are encountered, it suggests that the necessary valid, CA signed certificate is missing from the OpenJDK truststore.

Action

Upload the valid, CA signed certificate to the OpenJDK truststore using one of the following commands based on the operating system:

Linux

<APPIAN_HOME>/java/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME> -keystore <APPIAN_HOME>/java/jre/lib/security/cacerts

Windows

"<APPIAN_HOME>\java\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME>-keystore "<APPIAN_HOME>\java\jre\lib\security\cacerts"

Affected Versions

This article applies to Appian versions 18.3 and later.

Last Reviewed: May 2019

Tags: installation, integration, LDAP, authentication

DRAFT KB-XXXX LDAPS CA signed cert error

Jordan Horwat — Mon, 13 May 2019 19:55:40 GMT

Revision 7 posted to Appian Knowledge Base by Jordan Horwat on 5/13/2019 7:55:40 PM

Symptoms

LDAPS is configured in the environment, and the application server log displays the following error:

ERROR com.appiancorp.security.auth.ldap.LdapTestAuthenticationFunction - [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839

This error suggests that the connection is being downgraded due to an invalid or missing certificate, ensuing lack of trust on the server's part. However, the following conditions are true:

The LDAPS integration is using a valid, Certificate Authority (CA) signed certificate.
This valid, CA signed certificate is present in default JDK trust store.

Cause

For Appian 18.3 and later, the Appian installer includes OpenJDK. When the above symptoms are met, it suggests that the necessary valid, CA signed certificate is missing from the OpenJDK truststore.

Action

Upload the valid, CA signed certificate to the OpenJDK truststore using one of the following commands based on the operating system:

Linux

<APPIAN_HOME>/java/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME> -keystore <APPIAN_HOME>/java/jre/lib/security/cacerts

Windows

"<APPIAN_HOME>\java\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME>-keystore "<APPIAN_HOME>\java\jre\lib\security\cacerts"

Affected Versions

This article applies to Appian versions 18.3 and later.

Last Reviewed: May 2019

Tags: installation, integration, LDAP, authentication

DRAFT KB-XXXX LDAPS CA signed cert error

Jordan Horwat — Mon, 13 May 2019 19:55:04 GMT

Revision 6 posted to Appian Knowledge Base by Jordan Horwat on 5/13/2019 7:55:04 PM

Symptoms

LDAPS is configured in the environment, and the application server log displays the following error:

ERROR com.appiancorp.security.auth.ldap.LdapTestAuthenticationFunction - [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839

This error suggests that the connection is being downgraded due to an invalid or missing certificate, ensuing lack of trust on the server's part. However, the following conditions are true:

A valid, Certificate Authority (CA) signed certificate is used for the LDAPS integration.
This valid, CA signed certificate is present in default JDK trust store.

Cause

For Appian 18.3 and later, the Appian installer includes OpenJDK. When the above symptoms are met, it suggests that the necessary valid, CA signed certificate is missing from the OpenJDK truststore.

Action

Upload the valid, CA signed certificate to the OpenJDK truststore using one of the following commands based on the operating system:

Linux

<APPIAN_HOME>/java/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME> -keystore <APPIAN_HOME>/java/jre/lib/security/cacerts

Windows

"<APPIAN_HOME>\java\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME>-keystore "<APPIAN_HOME>\java\jre\lib\security\cacerts"

Affected Versions

This article applies to Appian versions 18.3 and later.

Last Reviewed: May 2019

Tags: installation, integration, LDAP, authentication

DRAFT KB-XXXX LDAPS CA signed cert error

Jordan Horwat — Mon, 13 May 2019 19:53:54 GMT

Revision 5 posted to Appian Knowledge Base by Jordan Horwat on 5/13/2019 7:53:54 PM

Symptoms

LDAPS is configured in the environment, and the application server log displays the following error:

ERROR com.appiancorp.security.auth.ldap.LdapTestAuthenticationFunction - [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839

This error suggests that the connection is being downgraded due to an invalid or missing certificate, ensuing lack of trust on the server's part. However, the following conditions are true:

A valid, Certificate Authority (CA) signed certificate is used for the LDAPS integration.
This valid, CA signed certificate is present in default JDK trust store.

Cause

For Appian 18.3 and later, the Appian installer includes OpenJDK. When the above symptoms are met, it suggests that the necessary valid, CA signed certificate is missing from the OpenJDK truststore.

Action

Upload the valid, CA signed certificate to the OpenJDK truststore using one of the following commands based on the operating system:

Linux

<APPIAN_HOME>/java/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME> -keystore <APPIAN_HOME>/java/jre/lib/security/cacerts

Windows

"<APPIAN_HOME>\java\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME>-keystore "<APPIAN_HOME>\java\jre\lib\security\cacerts"

Affected Versions

This article applies to Appian versions 18.3 and later.

Last Reviewed: May 2019

Tags: installation, integration

DRAFT KB-XXXX LDAPS CA signed cert error

Jordan Horwat — Mon, 13 May 2019 19:52:47 GMT

Revision 4 posted to Appian Knowledge Base by Jordan Horwat on 5/13/2019 7:52:47 PM

Symptoms

LDAPS is configured in the environment, and the application server log displays the following error:

ERROR com.appiancorp.security.auth.ldap.LdapTestAuthenticationFunction - [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839

This error suggests that the connection is being downgraded due to an invalid or missing certificate, ensuing lack of trust on the server's part. However, the following conditions are true:

A valid, Certificate Authority (CA) signed certificate used for the LDAPS integration.
This CA signed certificate is present in default JDK trust store.

Cause

For Appian 18.3 and later, the Appian installer includes OpenJDK. When the above symptoms are met, it suggests that the necessary valid, CA signed certificate is missing from the OpenJDK truststore.

Action

Upload the valid, CA signed certificate to the OpenJDK truststore using one of the following commands:

Linux

<APPIAN_HOME>/java/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME> -keystore <APPIAN_HOME>/java/jre/lib/security/cacerts

Windows

"<APPIAN_HOME>\java\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME>-keystore "<APPIAN_HOME>\java\jre\lib\security\cacerts"

Affected Versions

This article applies to Appian versions 18.3 and later.

Last Reviewed: May 2019

Tags: installation, integration

DRAFT KB-XXXX LDAPS CA signed cert error

Jordan Horwat — Mon, 13 May 2019 19:52:11 GMT

Revision 3 posted to Appian Knowledge Base by Jordan Horwat on 5/13/2019 7:52:11 PM

Symptoms

LDAPS is configured in the environment, and the application server log displays the following error:

ERROR com.appiancorp.security.auth.ldap.LdapTestAuthenticationFunction - [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839

This error suggests that the connection is being downgraded due to an invalid or missing certificate, ensuing lack of trust on the server's part. However, the following conditions are true:

A valid, Certificate Authority (CA) signed certificate is present in default JDK trust store.

Cause

For Appian 18.3 and later, the Appian installer includes OpenJDK. When the above symptoms are met, it suggests that the necessary valid, CA signed certificate is missing from the OpenJDK truststore.

Action

Upload the valid, CA signed certificate to the OpenJDK truststore using one of the following commands:

Linux

<APPIAN_HOME>/java/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME> -keystore <APPIAN_HOME>/java/jre/lib/security/cacerts

Windows

"<APPIAN_HOME>\java\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME>-keystore "<APPIAN_HOME>\java\jre\lib\security\cacerts"

Affected Versions

This article applies to Appian versions 18.3 and later.

Last Reviewed: May 2019

Tags: installation, integration

DRAFT KB-XXXX LDAPS CA signed cert error

Jordan Horwat — Mon, 13 May 2019 19:51:11 GMT

Revision 2 posted to Appian Knowledge Base by Jordan Horwat on 5/13/2019 7:51:11 PM

Symptoms

LDAPS is configured in the environment, and the application server log displays the following error:

ERROR com.appiancorp.security.auth.ldap.LdapTestAuthenticationFunction - [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839

This error suggests that the connection is being downgraded due to an invalid or missing certificate, ensuing lack of trust on the server's part. However, the following conditions are true:

A valid, Certificate Authority (CA) signed certificate is present in default JDK trust store.

Cause

For Appian 18.3 and later, the Appian installer includes OpenJDK. When the above symptoms are met, it suggests that the necessary valid, CA signed certificate is missing from the OpenJDK truststore.

Action

Upload the valid, CA signed certificate to the Open JDK Truststore using one of the following commands:

Linux

<APPIAN_HOME>/java/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME> -keystore <APPIAN_HOME>/java/jre/lib/security/cacerts

Windows

"<APPIAN_HOME>\java\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME>-keystore "<APPIAN_HOME>\java\jre\lib\security\cacerts"

Affected Versions

This article applies to Appian versions 18.3 and later.

Last Reviewed: May 2019

Tags: installation, integration

DRAFT KB-XXXX LDAPS CA signed cert error

Jordan Horwat — Mon, 13 May 2019 19:43:32 GMT

Revision 1 posted to Appian Knowledge Base by Jordan Horwat on 5/13/2019 7:43:32 PM

Symptoms

LDAPS is configured in the environment, and the application server log displays the following error:

ERROR com.appiancorp.security.auth.ldap.LdapTestAuthenticationFunction - [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839

This error suggests that the connection is being downgraded due to an invalid or missing certificate, ensuing lack of trust on the server's part. However, the following conditions are true:

A valid, Certificate Authority (CA) signed certificate is present in default JDK trust store.

Cause

For Appian 18.3 and later, the Appian installer includes OpenJDK. When the above symptoms are met, it suggests that the necessary valid, CA signed certificate is missing from the OpenJDK truststore.

Action

Upload the valid, CA signed certificate to the Open JDK Truststore using one of the following commands:

Linux: <APPIAN_HOME>/java/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME> -keystore <APPIAN_HOME>/java/jre/lib/security/cacerts.
Windows: "<APPIAN_HOME>\java\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias <ALIASNAME>-keystore "<APPIAN_HOME>\java\jre\lib\security\cacerts".

Affected Versions

This article applies to Appian versions 18.3 and later.

Last Reviewed: May 2019

Tags: installation, integration