Thanks Neethiraj, I tried the above solution but it still gives the following logs:

07 Oct 2015 01:50:35 INFO UnixAuthenticationService [main] - Starting User Sync Service!
07 Oct 2015 01:50:35 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
07 Oct 2015 01:50:35 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
07 Oct 2015 01:50:36 WARN NativeCodeLoader [main] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
07 Oct 2015 01:50:37 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
07 Oct 2015 01:50:37 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
07 Oct 2015 01:50:37 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
07 Oct 2015 01:50:37 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
07 Oct 2015 01:50:38 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
07 Oct 2015 01:50:38 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
07 Oct 2015 01:50:38 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
07 Oct 2015 01:50:38 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
07 Oct 2015 01:50:38 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
07 Oct 2015 01:50:39 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 3600000 milliseconds.
Error details: javax.naming.CommunicationException: simple bind failed: example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
    at javax.naming.InitialContext.init(InitialContext.java:242)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
    at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
    at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
    at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
    at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
    ... 14 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
    ... 27 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    ... 33 more

On Wed, Oct 7, 2015 at 1:19 AM, Selvamohan Neethiraj <sneet...@apache.org> wrote:

> Thanks Aneela,
>
> This indicates to me that you are using a self-signed certificate (
> i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com ) for the
> ldap server.
> Is this certificate added to the Java truststore file (
> ${JAVA_HOME}/jre/lib/security/cacerts) ?
>
> If that is already done, please add the following SSL debug flag to the
> usersync process and run the usersync to see more detailed SSL error
> message (in the stdout file) …
>
> -Djavax.net.debug=all
>
> Please let us know if this provides more details to identify the issue …
>
> Thanks,
>
> Selva-
>
> From: Aneela Saleem <ane...@platalytics.com>
> Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
> Date: Tuesday, October 6, 2015 at 4:06 PM
>
> To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>
> Hi Neethiraj,
>
> Following is the output of above command.
> Sorry I have changed domain name to now example.com
>
> CONNECTED(00000003)
> depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform, CN = example.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform, CN = example.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform, CN = example.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com
>    i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
>  1 s:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
>    i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
> ---
> Server certificate
> subject=/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com
> issuer=/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2368 bytes and written 663 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : AES256-SHA256
> Session-ID: 634C48D3BEF778B038BB1B61384727034EBF315F6BF9269D20AFD0D73BFB4825
> Session-ID-ctx:
> Master-Key: 84FBEC8A7C82E1C403566885E229B0A93AE09E220A0C23576E48D27763B5195F96D188537740F30621A58484E8BF6E03
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1444161895
> Timeout : 300 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> ---
> DONE
>
> On Mon, Oct 5, 2015 at 10:22 PM, Selvamohan Neethiraj <sneethi...@hortonworks.com> wrote:
>
>> Aneela:
>>
>> To verify the certificate (chain), can you run the following command and
>> send us the output of the command ?
>>
>> $ openssl s_client -showcerts -connect platalytics.com:636 < /dev/null
>>
>> Thanks,
>>
>> Selva-
>>
>> From: Aneela Saleem <ane...@platalytics.com>
>> Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
>> Date: Monday, October 5, 2015 at 1:16 PM
>> To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
>>
>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>
>> No there are no intermediate certificates. No I'm not using same trust
>> store for performing ldapsearch. I'm using
>> TLS_CACERT /etc/ldap/cacert.pem option in ldap.conf file
>>
>> On Mon, Oct 5, 2015 at 10:12 PM, Sailaja Polavarapu <spolavar...@hortonworks.com> wrote:
>>
>>> Are there any intermediate certs? If so, are they also added in the
>>> trust store?
>>> And just to make sure, in the ldap configuration, are you using same
>>> trust store for performing ldapsearch?
>>>
>>> From: Aneela Saleem
>>> Reply-To: "user@ranger.incubator.apache.org"
>>> Date: Sunday, October 4, 2015 at 10:15 AM
>>>
>>> To: "user@ranger.incubator.apache.org"
>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>
>>> Is there any issue with JAVA keystore?
>>>
>>> On Fri, Oct 2, 2015 at 9:59 AM, Aneela Saleem <ane...@platalytics.com> wrote:
>>>
>>>> Yes following command works fine
>>>>
>>>> ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps://platalytics.com:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'
>>>>
>>>> On Thu, Oct 1, 2015 at 7:35 PM, Don Bosco Durai <bo...@apache.org> wrote:
>>>>
>>>>> It is surprising that it will just stop working. Are you able to do
>>>>> ldapsearch from command line? Just to make sure there is nothing wrong on
>>>>> the OpenLDAP side?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Bosco
>>>>>
>>>>> From: Aneela Saleem <ane...@platalytics.com>
>>>>> Reply-To: <user@ranger.incubator.apache.org>
>>>>> Date: Thursday, October 1, 2015 at 11:55 PM
>>>>>
>>>>> To: <user@ranger.incubator.apache.org>
>>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>>
>>>>> I also checked it on another machine. Same issue is there
>>>>>
>>>>> On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <ane...@platalytics.com> wrote:
>>>>>
>>>>>> I guess no JDK changes. And I re-checked certificate in fact generated
>>>>>> a new one. Still same issue.
>>>>>>
>>>>>> On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <dilli.do...@gmail.com> wrote:
>>>>>>
>>>>>>> Aneela,
>>>>>>> Please check whether the certificate has expired.
>>>>>>> Dilli
>>>>>>>
>>>>>>> On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <bo...@apache.org> wrote:
>>>>>>>
>>>>>>>> Any other changes you can think of? JDK changes, etc.?
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> Bosco
>>>>>>>>
>>>>>>>> From: Aneela Saleem <ane...@platalytics.com>
>>>>>>>> Reply-To: <user@ranger.incubator.apache.org>
>>>>>>>> Date: Wednesday, September 30, 2015 at 9:37 PM
>>>>>>>> To: <user@ranger.incubator.apache.org>
>>>>>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>>>>>
>>>>>>>> It was working fine one month ago. But now the same issue has
>>>>>>>> occurred.
>>>>>>>>
>>>>>>>> On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <ane...@platalytics.com> wrote:
>>>>>>>>
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> I followed all the following steps i.e.,
>>>>>>>>>
>>>>>>>>> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>>>>
>>>>>>>>> keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>>>> (where cert.pem has the LDAPS cert)
>>>>>>>>>
>>>>>>>>> Add java option
>>>>>>>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>>>> To
>>>>>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>>>>>>>>>
>>>>>>>>> Where it invokes java command like the following
>>>>>>>>>
>>>>>>>>> nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .
>>>>>>>>>
>>>>>>>>> But I'm unable to sync LDAP contacts in Ranger due to certificates
>>>>>>>>> validation issues. Following are the logs
>>>>>>>>>
>>>>>>>>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Starting User Sync Service!
>>>>>>>>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
>>>>>>>>> 30 Sep 2015 14:48:56 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
>>>>>>>>> 30 Sep 2015 14:48:57 WARN NativeCodeLoader [main] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
>>>>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
>>>>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
>>>>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
>>>>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
>>>>>>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
>>>>>>>>> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>>>>>>>>> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
>>>>>>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
>>>>>>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
>>>>>>>>> 30 Sep 2015 14:48:58 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 21600000 milliseconds.
>>>>>>>>> Error details: javax.naming.CommunicationException: simple bind failed: platalytics.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
>>>>>>>>>     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
>>>>>>>>>     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>>>>>>>>>     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>>>>>>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>>>>>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>>>>>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>>>>>>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>>>>>>>>>     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>>>>>>>>     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>>>>>>>>>     at javax.naming.InitialContext.init(InitialContext.java:242)
>>>>>>>>>     at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>>>>>>>>>     at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
>>>>>>>>>     at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
>>>>>>>>>     at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>>>>>>>>>     at java.lang.Thread.run(Thread.java:745)
>>>>>>>>> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>>>>>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>>>>>>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
>>>>>>>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
>>>>>>>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
>>>>>>>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
>>>>>>>>>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
>>>>>>>>>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
>>>>>>>>>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
>>>>>>>>>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
>>>>>>>>>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
>>>>>>>>>     at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
>>>>>>>>>     at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
>>>>>>>>>     at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
>>>>>>>>>     at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
>>>>>>>>>     at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
>>>>>>>>>     at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
>>>>>>>>>     at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
>>>>>>>>>     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
>>>>>>>>>     ... 14 more
>>>>>>>>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>>>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>>>>>>>>>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>>>>>>>>     at sun.security.validator.Validator.validate(Validator.java:260)
>>>>>>>>>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>>>>>>>>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>>>>>>>>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>>>>>>>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
>>>>>>>>>     ... 27 more
>>>>>>>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>>>>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>>>>>>>>>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>>>>>>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>>>>>>>>     ... 33 more
>>>>>>>>>
>>>>>>>>> And following is the output of nohup command:
>>>>>>>>>
>>>>>>>>> Host key verification failed.
>>>>>>>>>
>>>>>>>>> Can someone please help me figure out the issue?
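
The question raised in the thread (is the self-signed issuer shown on the `i:` line present in the truststore the JVM is started with?) can be checked mechanically. The following is an added example, not part of the thread or of Ranger: `chain_summary` classifies the `s:`/`i:` entries of `openssl s_client -showcerts` output, and `fingerprint_listed` looks for a SHA-256 fingerprint in `keytool -list -v` output. Both function names, the sample keytool listing and its fingerprint are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). POSIX sh and awk; sample data is constructed.

# chain_summary: stdin is `openssl s_client -showcerts` output. Prints one
# tab-separated line per chain entry: <index> <kind> <subject>, where kind is
#   self-signed      subject == issuer (candidate trust anchor)
#   issuer-in-chain  issuer name matches another entry the server sent
#   issuer-missing   issuer was not sent by the server
# Names are compared as strings only; signatures are not verified here.
chain_summary() {
  awk '
    /^Certificate chain/  { in_chain = 1; next }
    /^Server certificate/ { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ {
      n++; idx[n] = $1
      subj[n] = $0; sub(/^ *[0-9]+ s:/, "", subj[n])
      seen[subj[n]] = 1
      next
    }
    in_chain && n > 0 && /^ *i:/ { iss[n] = $0; sub(/^ *i:/, "", iss[n]) }
    END {
      for (k = 1; k <= n; k++) {
        if (subj[k] == iss[k])   kind = "self-signed"
        else if (iss[k] in seen) kind = "issuer-in-chain"
        else                     kind = "issuer-missing"
        printf "%s\t%s\t%s\n", idx[k], kind, subj[k]
      }
    }'
}

# fingerprint_listed FP: stdin is `keytool -list -v -keystore FILE` output.
# Returns 0 if SHA-256 fingerprint FP is listed, 1 if not, 2 if FP is not
# 64 hex digits (colons and letter case are ignored).
fingerprint_listed() {
  want=$(printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F')
  case $want in *[!0-9A-F]*) return 2 ;; esac
  [ "${#want}" -eq 64 ] || return 2
  tr -d ':' | tr 'a-f' 'A-F' | grep -qF "$want"
}

# Constructed sample: chain section as posted in the thread, PEM bodies omitted.
sample_s_client() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com
   i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
 1 s:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
   i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
---
Server certificate
subject=/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com
EOF
}

# Constructed keytool listing; the fingerprint is made up for this example.
sample_keytool_listing() {
  cat <<'EOF'
Alias name: openldap
Owner: CN=example.com, OU=platform, O=platalytics, ST=Punjab, C=PK
Certificate fingerprints:
     SHA256: 3A:7F:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:01:23:45:67:89:AB:CD:EF:10:32:54:76:98:BA
EOF
}

sample_s_client | chain_summary
```

Against a live server, pipe `openssl s_client -showcerts -connect HOST:636 </dev/null` into `chain_summary`; for the truststore named in `-Djavax.net.ssl.trustStore`, pipe its `keytool -list -v -keystore` output into `fingerprint_listed` with the value printed by `openssl x509 -noout -fingerprint -sha256` for the certificate that was imported.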