How To Install LDAP SSL Certificate into Hipchat Server Keystore

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

This is for an outdated version of Hipchat Server

 This article applies to a version of Hipchat Server which will be deprecated soon. After that period the version will no longer be supported.

When will my version be deprecated?

The following versions have been deprecated:

  • Hipchat Server 1.3 (EOL Date: Aug 17, 2017)
  • Hipchat Server 2.0 (EOL Date: Jun 17, 2018)
  • Hipchat Server 2.1 (EOL Date: Dec 8, 2018)

The following version will be deprecated soon:

  • Hipchat Server 2.2 (EOL Date: May 30, 2019)

You can read more about Atlassian's End of Life policy here.

You should upgrade to a more recent version of Hipchat Server as soon as you can to take advantage of new features, and security and bug fixes.

Purpose

Many organizations require the use of SSL to connect to LDAP directories. This means that the LDAP server's SSL certificate must be imported into the Hipchat Server's Crowd keystore. Otherwise,  the following error may be observed when running a directory connection test:

Test basic connection : Failed 
ldap.atlassian.net:636; nested exception is javax.naming.CommunicationException: ldap.atlassian.net:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

Solution

The following steps will install the LDAP SSL certificate into Hipchat Server's Crowd keystore:

  1. Transfer the SSL certificate file from the LDAP server to the Hipchat Server.
  2. Log in to the Hipchat Server's command-line interface as the admin user. 

  3. Run the following command to change to Crowd's Java directory: 

    cd /usr/lib/jvm/java-8-openjdk-amd64

    (info) Prior to Hipchat Server v2.0.7, Crowd's Java directory was located at /usr/lib/jvm/java-7-openjdk-amd64

     

  4. Gain root access by executing the following command:

    sudo dont-blame-hipchat
  5. As root, use the keytool command to import the certificate into the keystore.  In the below example, the certificate file (named the-certificate.crt) was transferred to the /home/admin directory on the Hipchat Server.  Substitute filenames and paths accordingly:

    keytool -import -keystore ./jre/lib/security/cacerts -alias LDAP -file /home/admin/the-certificate.crt 
  6. Keytool will prompt for the keystore password, by default the password is changeit.   
  7. Type yes to trust the certificate.
  8. Verify that your certificate was import into the keystore: 

    keytool -list -v -keystore ./jre/lib/security/cacerts -alias LDAP
  9. The Crowd service must be restarted for the certificate changes to take effect.  The following command, run as the root user, will restart the crowd service:

    /etc/init.d/crowd restart

Last modified on Jan 19, 2018

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.