How To Install LDAP SSL Certificate into Hipchat Server Keystore
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
This is for an outdated version of Hipchat Server
This article applies to a version of Hipchat Server which will be deprecated soon. After that period the version will no longer be supported.
You should upgrade to a more recent version of Hipchat Server as soon as you can to take advantage of new features, and security and bug fixes.
Purpose
Many organizations require the use of SSL to connect to LDAP directories. This means that the LDAP server's SSL certificate must be imported into the Hipchat Server's Crowd keystore. Otherwise, the following error may be observed when running a directory connection test:
Test basic connection : Failed
ldap.atlassian.net:636; nested exception is javax.naming.CommunicationException: ldap.atlassian.net:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
Solution
The following steps will install the LDAP SSL certificate into Hipchat Server's Crowd keystore:
- Transfer the SSL certificate file from the LDAP server to the Hipchat Server.
- Log in to the Hipchat Server's command-line interface as the admin user.
- Run the following command to change to Crowd's Java directory:
    cd /usr/lib/jvm/java-8-openjdk-amd64
  Prior to Hipchat Server v2.0.7, Crowd's Java directory was located at /usr/lib/jvm/java-7-openjdk-amd64
- Gain root access by executing the following command:
    sudo dont-blame-hipchat
- As root, use the keytool command to import the certificate into the keystore. In the example below, the certificate file (named the-certificate.crt) was transferred to the /home/admin directory on the Hipchat Server. Substitute filenames and paths accordingly:
    keytool -import -keystore ./jre/lib/security/cacerts -alias LDAP -file /home/admin/the-certificate.crt
  - Keytool will prompt for the keystore password; by default the password is changeit.
  - Type yes to trust the certificate.
- Verify that your certificate was imported into the keystore:
    keytool -list -v -keystore ./jre/lib/security/cacerts -alias LDAP
- The Crowd service must be restarted for the certificate changes to take effect. The following command, run as the root user, will restart the Crowd service:
    /etc/init.d/crowd restart
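A certificate imported into cacerts becomes a trust anchor for Crowd's JVM, so it is worth confirming that the transferred file is the certificate the LDAP administrator expects before answering yes to keytool. The script below is an added example, not part of Atlassian's procedure; it assumes the openssl command-line tool is available, and the function names, the 30-day threshold and the sample subject ldap.example.test are illustrative.

```bash
#!/usr/bin/env bash
# Added example: checks to run on a certificate file before importing it
# into a Java trust store. Requires the openssl command-line tool.

# Print the SHA-256 fingerprint as lowercase hex without colons.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# check_cert FILE EXPECTED_SHA256 [MIN_DAYS]
# Return codes: 0 ok, 2 unreadable, 3 fingerprint mismatch, 4 expires too soon.
# EXPECTED_SHA256 is the value the LDAP administrator reads from the server
# and passes over a separate channel; colons and upper case are accepted.
check_cert() {
    local file="$1"
    local min_days="${3:-30}"   # illustrative threshold (assumption)
    local expected actual
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')

    if ! openssl x509 -in "$file" -noout 2>/dev/null; then
        echo "not a readable X.509 certificate: $file" >&2
        return 2
    fi
    actual=$(cert_sha256 "$file")
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: got $actual" >&2
        return 3
    fi
    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$file" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "certificate expires within $min_days days" >&2
        return 4
    fi
    # Show what is about to become trusted.
    openssl x509 -in "$file" -noout -subject -issuer -enddate
}

# Constructed sample input: a throwaway self-signed certificate.
# make_sample_cert OUTFILE DAYS
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1" -days "$2" -subj "/CN=ldap.example.test" 2>/dev/null
}
```

With the page's example path, the call would be check_cert /home/admin/the-certificate.crt followed by the fingerprint supplied by the LDAP administrator, run before the keytool -import step.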