LDAPS Certificate Expired Errors


LDAPS requires multiple certificates, and all of them must be valid and current for authentication to work in Lawson. If you are trying to log into Lawson after implementing LDAPS and Lawson behaves as if the user does not exist or the password is invalid, check LAWDIR/system/security_authen.log. A certificate issue will be noted by verbiage such as:

Tue Nov 10 16:45:55.359 PST 2020 – default–844051996: Error encountered while getting users DN. Please see logs for details[858vk9nl1gd6d40vdn8r41qhl3]Could Not Bind With privileged identity. User [lawson]simple bind failed: dc.company.com:3269
Stack Trace :
javax.naming.CommunicationException: simple bind failed: 
dc.company.com:3269 [Root exception is javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path validation failed: java.security.cert.CertPathValidatorException: The certificate expired at Fri Nov 06 11:33:36 PST 2020; internal cause is:
java.security.cert.CertificateExpiredException: NotAfter: Fri Nov 06 11:33:36 PST 2020]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:231)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2753)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:329)

This message could indicate that your AD LDS certificate is expired, so you need to check that cert on the server as well as in WebSphere. However, it could also mean that the certificate on the domain controller is expired, so you will need to check that as well.
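Two checks that follow from the above, as an added example (not Lawson's or WebSphere's own tooling): one scans a security_authen.log excerpt for the CertificateExpiredException signature and reports which endpoint failed and when its cert expired, the other opens a verified TLS connection to the LDAPS or global catalog port and reports either the days until the presented certificate expires or the verification failure. The sample log text is constructed from the excerpt above; dc.company.com and the function names are assumptions.

```python
import re
import socket
import ssl
import time

# Constructed sample, modelled on the security_authen.log excerpt above.
SAMPLE_LOG = """Tue Nov 10 16:45:55.359 PST 2020 - default-844051996: Error encountered while getting users DN. Could Not Bind With privileged identity. User [lawson]simple bind failed: dc.company.com:3269
Stack Trace :
javax.naming.CommunicationException: simple bind failed:
dc.company.com:3269 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: The certificate expired at Fri Nov 06 11:33:36 PST 2020; internal cause is:
java.security.cert.CertificateExpiredException: NotAfter: Fri Nov 06 11:33:36 PST 2020]
"""

# The bind failure names the endpoint; the root cause a few lines later names the expiry.
BIND_RE = re.compile(r"simple bind failed:\s*(?P<host>[\w.-]+):(?P<port>\d+)")
EXPIRED_RE = re.compile(r"CertificateExpiredException: NotAfter: (?P<when>.+?)\]")


def find_expired_cert_errors(log_text):
    """Return (host, port, not_after) for every expired-certificate bind failure in the log."""
    results = []
    host = port = None
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            host, port = m.group("host"), int(m.group("port"))
        m = EXPIRED_RE.search(line)
        if m and host:
            results.append((host, port, m.group("when")))
            host = port = None  # pair each expiry with the bind failure that preceded it
    return results


def check_ldaps_certificate(host, port=636, cafile=None, timeout=5.0):
    """Verified TLS handshake against an LDAPS (636) or global catalog (3269) port.
    Returns ("ok", days_remaining) or ("error", reason); an expired server cert
    surfaces as reason "certificate has expired", mirroring the Java exception."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: your CA bundle, if not system-trusted
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
                return ("ok", round((not_after - time.time()) / 86400, 1))
    except ssl.SSLCertVerificationError as e:
        return ("error", e.verify_message)
    except (OSError, ssl.SSLError) as e:
        return ("error", str(e))


if __name__ == "__main__":
    print(find_expired_cert_errors(SAMPLE_LOG))
    print(check_ldaps_certificate("dc.company.com", 3269))  # assumed host; needs network access
```

A clean handshake here only proves the domain controller's certificate chain; the AD LDS certificate and its copy in WebSphere still need to be checked separately, as the text above notes.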