Unable to login to SSPR after Certificate Expired

  • 7014955
  • 23-Apr-2014
  • 19-Jan-2018

Environment

Self Service Password Reset
SSPR 3.2
SSPR 3.3
SSPR 4.x


Situation

Unable to authenticate to SSPR after Certificate Expired
Error 5017: ERROR_DIRECTORY_UNAVAILABLE... unable to find valid certification path to requested target
How to update LDAP Cert for SSPR

Resolution

Determine which certificate has expired. If the LDAP certificate has expired, continue with this document (this is most likely the case with a 5017 error). If the Tomcat (https) certificate has expired, see TID 7014508. (For more detail on SSPR 4.x certificates see TID 7018545. For an explanation of the certificates involved with SSPR 3.x, see the additional information section of TID 7014508.)
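To carry out this first step (working out whether it is the LDAP or the Tomcat certificate that has expired), here is an added Python diagnostic that is not part of this TID or of SSPR: it fetches the certificate a TLS endpoint presents without validating it, so an expired certificate still loads instead of failing the way the JVM does, and reads the validity window with a minimal DER walker. The hostnames and ports in the comments and the SAMPLE_DER skeleton are constructed assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed skeleton (not a real certificate): only the fields the parser walks,
# with validity 2014-04-23 to 2016-04-23 UTC.
SAMPLE_DER = (b"\x30\x2e\x30\x2c\xa0\x03\x02\x01\x02\x02\x01\x01\x30\x00\x30\x00"
              b"\x30\x1e\x17\x0d140423000000Z\x17\x0d160423000000Z")

def _tlv(buf, pos):
    """Decode one DER tag and length at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _time(tag, raw):
    """UTCTime (tag 0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) -> aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate."""
    _, pos, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)             # tbsCertificate SEQUENCE
    if der[pos] == 0xA0:                   # optional [0] EXPLICIT version
        pos = _tlv(der, pos)[2]
    for _ in range(3):                     # skip serialNumber, signature, issuer
        pos = _tlv(der, pos)[2]
    _, pos, _ = _tlv(der, pos)             # validity SEQUENCE
    tag, s, e = _tlv(der, pos)
    not_before = _time(tag, der[s:e])
    tag, s, e = _tlv(der, e)
    return not_before, _time(tag, der[s:e])

def is_expired(der, now=None):
    """True when `now` (default: current UTC time) lies outside the validity window."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = cert_validity(der)
    return not (not_before <= now <= not_after)

def check_endpoint(host, port):
    """Fetch the certificate an endpoint presents (no chain validation, so an expired
    one still loads). E.g. check_endpoint("ldap.example.com", 636) for the LDAP
    certificate and check_endpoint("sspr.example.com", 8443) for the Tomcat one."""
    der = ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))
    return cert_validity(der), is_expired(der)
```

Compare the two endpoints: if only the LDAP port reports an expired certificate, the steps below apply; if the HTTPS port does, follow TID 7014508 instead.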


Replace the expired certificate in SSPR.

1.  Generate or obtain a new certificate. (It is likely the new cert has already been created - which may be the cause of the 5017 error.)

2.  Clear the old certificate using SSPR Configuration Editor.

In SSPR 4.x select LDAP ⇨ LDAP Directories ⇨ default ⇨ Connection ⇨ LDAP Certificates, then click "Clear."

In SSPR 3.3, select Profiles --> LDAP Directory Profiles --> LDAP Certificates. Click "Clear."

3.  Import the new certificate using SSPR Configuration Editor.

In SSPR 4.x select LDAP ⇨ LDAP Directories ⇨ default ⇨ Connection ⇨ LDAP Certificates, then click "Import from LDAP Server."

In SSPR 3.3 select Profiles --> LDAP Directory Profiles --> LDAP Certificates. Click "Import from LDAP Server."

NOTE: Configuration Editor will not be available if the configuration has been locked. Follow the steps in TID 7014954 to unlock the configuration and make Config Manager available again.

Additional Information

In SSPR 3.x versions prior to 3.2, importing a new certificate was done in the actions menu (Actions --> Import Certificate). Importing certificates was moved in SSPR 3.2 to accommodate multiple places from which certs can be imported. Beginning with SSPR 3.2, separate certificates can be imported for each defined LDAP profile.


If for some reason it is not possible to import the new certificate through SSPR Configuration Manager, the new certificate can also be imported into the Java keystore (cacerts) with the following command, run from the <JAVA_HOME>\jre\bin directory so that the relative keystore path resolves:
<JAVA_HOME>\jre\bin\keytool -importcert -alias <alias> -file <filepath> -keystore ..\lib\security\cacerts -storepass <password>
Restart the SSPR (Tomcat) service afterwards so that the JVM reloads the keystore.