Thanks Neethiraj,

I tried the above solution but it still gives the following logs:

07 Oct 2015 01:50:35  INFO UnixAuthenticationService [main] - Starting User Sync Service!
07 Oct 2015 01:50:35  INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
07 Oct 2015 01:50:35  INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
07 Oct 2015 01:50:36  WARN NativeCodeLoader [main] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
07 Oct 2015 01:50:37  INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
07 Oct 2015 01:50:37  INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
07 Oct 2015 01:50:37  INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
07 Oct 2015 01:50:37  INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
07 Oct 2015 01:50:38  INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
07 Oct 2015 01:50:38  INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
07 Oct 2015 01:50:38  INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
07 Oct 2015 01:50:38  INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
07 Oct 2015 01:50:38  INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
07 Oct 2015 01:50:39 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 3600000 milliseconds. Error details:
javax.naming.CommunicationException: simple bind failed: example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
at javax.naming.InitialContext.init(InitialContext.java:242)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
... 14 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
... 27 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 33 more


On Wed, Oct 7, 2015 at 1:19 AM, Selvamohan Neethiraj <sneet...@apache.org>
wrote:

> Thanks Aneela,
>
> This indicates to me that you are using a self-signed certificate (
>   i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com )  for the
> ldap server.
> Is this certificate added to the Java truststore file (
> ${JAVA_HOME}/jre/lib/security/cacerts) ?
>
> If that is already done, please add the following SSL debug flag to the
> usersync process and run the usersync to see more detailed SSL error
> message (in the stdout file) …
>
> *             -Djavax.net.debug=all*
>
> Please let us know if this provides more details to identify the issue …
>
> Thanks,
>
> Selva-
>
> From: Aneela Saleem <ane...@platalytics.com>
> Reply-To: "user@ranger.incubator.apache.org" <
> user@ranger.incubator.apache.org>
> Date: Tuesday, October 6, 2015 at 4:06 PM
>
> To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>
> Hi Neethiraj,
>
> Following is the output of the above command. Sorry, I have now changed the
> domain name to example.com
>
>
> CONNECTED(00000003)
> depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform,
> CN = example.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform,
> CN = example.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform,
> CN = example.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com
>    i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
>
>  1 s:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
>    i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
> ---
> Server certificate
> subject=/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com
> issuer=/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2368 bytes and written 663 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : AES256-SHA256
>     Session-ID:
> 634C48D3BEF778B038BB1B61384727034EBF315F6BF9269D20AFD0D73BFB4825
>     Session-ID-ctx:
>     Master-Key:
> 84FBEC8A7C82E1C403566885E229B0A93AE09E220A0C23576E48D27763B5195F96D188537740F30621A58484E8BF6E03
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1444161895
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> DONE
>
>
> On Mon, Oct 5, 2015 at 10:22 PM, Selvamohan Neethiraj <
> sneethi...@hortonworks.com> wrote:
>
>> Aneela:
>>
>>
>> To verify the certificate (chain), can you run the following command and
>> send us the output of the command ?
>>
>>
>> $ openssl s_client -showcerts -connect platalytics.com:636 < /dev/null
>>
>>
>>
>> Thanks,
>>
>> Selva-
>>
>> From: Aneela Saleem <ane...@platalytics.com>
>> Reply-To: "user@ranger.incubator.apache.org" <
>> user@ranger.incubator.apache.org>
>> Date: Monday, October 5, 2015 at 1:16 PM
>> To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
>>
>>
>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>
>> No, there are no intermediate certificates. No, I'm not using the same trust
>> store for performing ldapsearch. I'm using the
>> *TLS_CACERT /etc/ldap/cacert.pem* option in the ldap.conf file.
>>
>> On Mon, Oct 5, 2015 at 10:12 PM, Sailaja Polavarapu <
>> spolavar...@hortonworks.com> wrote:
>>
>>> Are there any intermediate certs? If so, are they also added in the
>>> trust store?
>>> And just to make sure, in the ldap configuration, are you using same
>>> trust store for performing ldapsearch?
>>>
>>>
>>> From: Aneela Saleem
>>> Reply-To: "user@ranger.incubator.apache.org"
>>> Date: Sunday, October 4, 2015 at 10:15 AM
>>>
>>> To: "user@ranger.incubator.apache.org"
>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>
>>> Is there any issue with JAVA keystore?
>>>
>>> On Fri, Oct 2, 2015 at 9:59 AM, Aneela Saleem <ane...@platalytics.com>
>>> wrote:
>>>
>>>> Yes, the following command works fine:
>>>>
>>>> ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H
>>>> ldaps://platalytics.com:636 -b "dc=platalytics,dc=com" -s sub
>>>> 'cn=aneela'
>>>>
>>>> On Thu, Oct 1, 2015 at 7:35 PM, Don Bosco Durai <bo...@apache.org>
>>>> wrote:
>>>>
>>>>> It is surprising that it will just stop working. Are you able to do
>>>>> ldapsearch from command line? Just to make sure there is nothing wrong on
>>>>> the OpenLDAP side?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Bosco
>>>>>
>>>>>
>>>>> From: Aneela Saleem <ane...@platalytics.com>
>>>>> Reply-To: <user@ranger.incubator.apache.org>
>>>>> Date: Thursday, October 1, 2015 at 11:55 PM
>>>>>
>>>>> To: <user@ranger.incubator.apache.org>
>>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>>
>>>>> I also checked it on another machine. The same issue is there.
>>>>>
>>>>> On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <ane...@platalytics.com
>>>>> > wrote:
>>>>>
>>>>>> I guess no JDK changes. And I re-checked the certificate, in fact
>>>>>> generated a new one. Still the same issue.
>>>>>>
>>>>>> On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <dilli.do...@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Aneela,
>>>>>>> Please check whether the certificate has expired.
>>>>>>> Dilli
>>>>>>>
>>>>>>> On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <bo...@apache.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Any other changes you can think of? JDK changes, etc.?
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> Bosco
>>>>>>>>
>>>>>>>>
>>>>>>>> From: Aneela Saleem <ane...@platalytics.com>
>>>>>>>> Reply-To: <user@ranger.incubator.apache.org>
>>>>>>>> Date: Wednesday, September 30, 2015 at 9:37 PM
>>>>>>>> To: <user@ranger.incubator.apache.org>
>>>>>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>>>>>
>>>>>>>> It was working fine one month ago. But now the same issue has
>>>>>>>> occurred.
>>>>>>>>
>>>>>>>> On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <
>>>>>>>> ane...@platalytics.com> wrote:
>>>>>>>>
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> I followed all the following steps i.e.,
>>>>>>>>>
>>>>>>>>> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts
>>>>>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>>>>
>>>>>>>>> keytool -import -trustcacerts -alias openLdap -file cert.pem
>>>>>>>>> -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>>>> (where cert.pem has the LDAPS cert)
>>>>>>>>>
>>>>>>>>> Add  java option
>>>>>>>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036
>>>>>>>>> /ranger-usersync/userSyncCAcerts
>>>>>>>>> To
>>>>>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>>>>>>>>>
>>>>>>>>> Where it invokes java command like the following
>>>>>>>>>
>>>>>>>>> nohup java 
>>>>>>>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>>>>  . . .
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> But I'm unable to sync LDAP contacts in Ranger due to certificate
>>>>>>>>> validation issues. Following are the logs:
>>>>>>>>>
>>>>>>>>> 30 Sep 2015 14:48:56  INFO UnixAuthenticationService [main] -
>>>>>>>>> Starting User Sync Service!
>>>>>>>>> 30 Sep 2015 14:48:56  INFO UnixAuthenticationService [main] -
>>>>>>>>> Enabling Unix Auth Service!
>>>>>>>>> 30 Sep 2015 14:48:56  INFO UserGroupSync [UnixUserSyncThread] -
>>>>>>>>> initializing sink:
>>>>>>>>> org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
>>>>>>>>> 30 Sep 2015 14:48:57  WARN NativeCodeLoader [main] - Unable to
>>>>>>>>> load native-hadoop library for your platform... using builtin-java 
>>>>>>>>> classes
>>>>>>>>> where applicable
>>>>>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] -
>>>>>>>>> Enabling Protocol: [SSLv2Hello]
>>>>>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] -
>>>>>>>>> Enabling Protocol: [TLSv1]
>>>>>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] -
>>>>>>>>> Enabling Protocol: [TLSv1.1]
>>>>>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] -
>>>>>>>>> Enabling Protocol: [TLSv1.2]
>>>>>>>>> 30 Sep 2015 14:48:58  INFO LdapUserGroupBuilder
>>>>>>>>> [UnixUserSyncThread] - LdapUserGroupBuilder created
>>>>>>>>> 30 Sep 2015 14:48:58  INFO UserGroupSync [UnixUserSyncThread] -
>>>>>>>>> initializing source:
>>>>>>>>> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>>>>>>>>> 30 Sep 2015 14:48:58  INFO UserGroupSync [UnixUserSyncThread] -
>>>>>>>>> Begin: initial load of user/group from source==>sink
>>>>>>>>> 30 Sep 2015 14:48:58  INFO LdapUserGroupBuilder
>>>>>>>>> [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
>>>>>>>>> 30 Sep 2015 14:48:58  INFO LdapUserGroupBuilder
>>>>>>>>> [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
>>>>>>>>> 30 Sep 2015 14:48:58 ERROR UserGroupSync [UnixUserSyncThread] -
>>>>>>>>> Failed to initialize UserGroup source/sink. Will retry after 21600000
>>>>>>>>> milliseconds. Error details:
>>>>>>>>> javax.naming.CommunicationException: simple bind failed:
>>>>>>>>> platalytics.com:636 [Root exception is
>>>>>>>>> javax.net.ssl.SSLHandshakeException:
>>>>>>>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>>>>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to 
>>>>>>>>> find
>>>>>>>>> valid certification path to requested target]
>>>>>>>>> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
>>>>>>>>> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>>>>>>>>> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>>>>>>>>> at
>>>>>>>>> com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>>>>>>>> at
>>>>>>>>> com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>>>>>>>> at
>>>>>>>>> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>>>>>>>>> at
>>>>>>>>> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>>>>>>>>> at
>>>>>>>>> javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>>>>>>>> at
>>>>>>>>> javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>>>>>>>>> at javax.naming.InitialContext.init(InitialContext.java:242)
>>>>>>>>> at
>>>>>>>>> javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>>>>>>>>> at
>>>>>>>>> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
>>>>>>>>> at
>>>>>>>>> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
>>>>>>>>> at
>>>>>>>>> org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>>>>>>>>> at java.lang.Thread.run(Thread.java:745)
>>>>>>>>> Caused by: javax.net.ssl.SSLHandshakeException:
>>>>>>>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>>>>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to 
>>>>>>>>> find
>>>>>>>>> valid certification path to requested target
>>>>>>>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>>>>>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
>>>>>>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
>>>>>>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
>>>>>>>>> at
>>>>>>>>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
>>>>>>>>> at
>>>>>>>>> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
>>>>>>>>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
>>>>>>>>> at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
>>>>>>>>> at
>>>>>>>>> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
>>>>>>>>> at
>>>>>>>>> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
>>>>>>>>> at
>>>>>>>>> sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
>>>>>>>>> at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
>>>>>>>>> at
>>>>>>>>> java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
>>>>>>>>> at
>>>>>>>>> java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
>>>>>>>>> at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
>>>>>>>>> at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
>>>>>>>>> at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
>>>>>>>>> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
>>>>>>>>> ... 14 more
>>>>>>>>> Caused by: sun.security.validator.ValidatorException: PKIX path
>>>>>>>>> building failed:
>>>>>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to 
>>>>>>>>> find
>>>>>>>>> valid certification path to requested target
>>>>>>>>> at
>>>>>>>>> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>>>>>>>>> at
>>>>>>>>> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>>>>>>>> at sun.security.validator.Validator.validate(Validator.java:260)
>>>>>>>>> at
>>>>>>>>> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>>>>>>>>> at
>>>>>>>>> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>>>>>>>>> at
>>>>>>>>> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>>>>>>>>> at
>>>>>>>>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
>>>>>>>>> ... 27 more
>>>>>>>>> Caused by:
>>>>>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to 
>>>>>>>>> find
>>>>>>>>> valid certification path to requested target
>>>>>>>>> at
>>>>>>>>> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>>>>>>>>> at
>>>>>>>>> java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>>>>>>>> at
>>>>>>>>> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>>>>>>>> ... 33 more
>>>>>>>>>
>>>>>>>>> And following is the output of nohup command:
>>>>>>>>>
>>>>>>>>> Host key verification failed.
>>>>>>>>>
>>>>>>>>> Can someone please help me figure out the issue?
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
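
Added example, not part of the original thread or of Ranger: a small parser for the "Certificate chain" section of `openssl s_client -showcerts` output that reports, per entry, whether the certificate is self-issued and whether its issuer is present in the chain, which identifies the CA certificate the JVM truststore must contain for PKIX path building to succeed. The function names `sample_chain`, `chain_report` and `anchor_index` and the file name `ca.pem` are hypothetical; the sample input is constructed from the chain lines quoted in this thread, with the PEM bodies replaced by a placeholder.

```shell
#!/bin/sh
# Constructed sample: chain lines as quoted in the thread, PEM bodies omitted.
sample_chain() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com
   i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
-----BEGIN CERTIFICATE-----
(base64 omitted)
-----END CERTIFICATE-----
 1 s:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
   i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
-----BEGIN CERTIFICATE-----
(base64 omitted)
-----END CERTIFICATE-----
---
Server certificate
EOF
}

# chain_report: read s_client output on stdin and print, per chain entry,
#   <index> <issued|self-issued> <anchor|issuer-in-chain|issuer-missing>
# "self-issued" means subject == issuer, i.e. the root a truststore must hold.
# "issuer-missing" means the server did not send the issuing certificate.
chain_report() {
  awk '
    { sub(/\r$/, "") }                          # tolerate CRLF captures
    /^Certificate chain/ { in_chain = 1; next }
    $0 == "---"          { in_chain = 0; next } # exact match: PEM markers also start with dashes
    in_chain && /^ *[0-9]+ s:/ {
      n = $1 + 0; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; last = n; next
    }
    in_chain && /^ *i:/ { sub(/^ *i:/, ""); iss[last] = $0; next }
    END {
      for (k = 0; k <= last; k++) {
        if (!(k in subj)) continue
        if (subj[k] == iss[k])                              { role = "self-issued"; link = "anchor" }
        else if (((k + 1) in subj) && subj[k + 1] == iss[k]) { role = "issued"; link = "issuer-in-chain" }
        else                                                { role = "issued"; link = "issuer-missing" }
        print k, role, link
      }
    }'
}

# anchor_index: index of the self-issued entry, empty if the server sent none.
anchor_index() {
  chain_report | awk '$2 == "self-issued" { idx = $1 } END { if (idx != "") print idx }'
}

# Follow-up on a real host (not run here): save the anchor entry's PEM as
# ca.pem and compare its fingerprint with the truststore alias from the thread:
#   openssl x509 -noout -fingerprint -sha1 -in ca.pem
#   keytool -list -v -alias openLdap -keystore <truststore passed to the JVM>
sample_chain | chain_report
```

For the chain quoted above, entry 0 is a leaf issued by entry 1, and entry 1 is the self-issued CA.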
