How To Install LDAP SSL Certificate into Hipchat Server Keystore
Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.
This is for an outdated version of Hipchat Server
This article applies to a version of Hipchat Server which will be deprecated soon. After that period the version will no longer be supported.
The following versions have been deprecated:
- Hipchat Server 1.3 (EOL Date: Aug 17, 2017)
- Hipchat Server 2.0 (EOL Date: Jun 17, 2018)
- Hipchat Server 2.1 (EOL Date: Dec 8, 2018)
The following version will be deprecated soon:
- Hipchat Server 2.2 (EOL Date: May 30, 2019)
You can read more about Atlassian's End of Life policy here.
You should upgrade to a more recent version of Hipchat Server as soon as you can to take advantage of new features, and security and bug fixes.
Many organizations require the use of SSL to connect to LDAP directories. This means that the LDAP server's SSL certificate must be imported into the Hipchat Server's Crowd keystore. Otherwise, the following error may be observed when running a directory connection test:
Test basic connection : Failed ldap.atlassian.net:636; nested exception is javax.naming.CommunicationException: ldap.atlassian.net:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
The following steps will install the LDAP SSL certificate into Hipchat Server's Crowd keystore:
- Transfer the SSL certificate file from the LDAP server to the Hipchat Server.
- Log in to the Hipchat Server's command-line interface as the admin user.
- Run the following command to change to Crowd's Java directory:
  Prior to Hipchat Server v2.0.7, Crowd's Java directory was located at /usr/lib/jvm/java-7-openjdk-amd64
- Gain root access by executing the following command:
- As root, use the keytool command to import the certificate into the keystore. In the example below, the certificate file (named the-certificate.crt) was transferred to the /home/admin directory on the Hipchat Server. Substitute filenames and paths accordingly:
keytool -import -keystore ./jre/lib/security/cacerts -alias LDAP -file /home/admin/the-certificate.crt
- keytool will prompt for the keystore password. By default, the password is changeit.
- Type yes to trust the certificate.
Verify that your certificate was imported into the keystore:
keytool -list -v -keystore ./jre/lib/security/cacerts -alias LDAP
The Crowd service must be restarted for the certificate changes to take effect. The following command, run as the root user, will restart the Crowd service:
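For the "Type yes to trust the certificate" and verification steps above, an added example (not part of the original article or of Hipchat Server) that compares the SHA-256 fingerprint keytool reports with one obtained from the LDAP administrator over a separate channel. The function names, `EXPECTED_FP` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: helper names and the sample output are constructed,
# not taken from Hipchat Server or Crowd.

# Strip separators and upper-case so "3a:7f..." and "3A7F..." compare equal.
normalise_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Read `keytool -printcert` or `keytool -list -v` output on stdin and
# print the first SHA256 fingerprint it contains.
sha256_from_keytool() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# Exit 0 only if the output on stdin carries the expected fingerprint.
# Fails closed on empty output or an expected value that is not 64 hex digits.
fingerprint_matches() {
    fm_expected=$(normalise_fp "$1")
    fm_actual=$(normalise_fp "$(sha256_from_keytool)")
    case "$fm_expected" in
        *[!0-9A-F]*|'') return 1 ;;
    esac
    [ "${#fm_expected}" -eq 64 ] && [ "$fm_actual" = "$fm_expected" ]
}

# Constructed sample in the layout keytool prints (not a real certificate).
SAMPLE_OUTPUT='Owner: CN=ldap.example.internal
Issuer: CN=Example Internal CA
Certificate fingerprints:
     SHA1: 5C:1E:9A:03:D7:48:BB:62:F0:2D:84:19:C6:7A:E5:30:9F:41:0C:B8
     SHA256: 3A:7F:12:C4:9B:E0:55:61:0D:8E:F2:44:B7:19:6C:A3:D5:02:8B:70:EE:4F:91:26:C8:3D:57:AB:14:F9:60:0B'

# On the server (assumption: EXPECTED_FP was supplied out of band):
#   before import:
#     keytool -printcert -file /home/admin/the-certificate.crt \
#       | fingerprint_matches "$EXPECTED_FP" || echo "do not import"
#   after import:
#     keytool -list -v -keystore ./jre/lib/security/cacerts -alias LDAP \
#       | fingerprint_matches "$EXPECTED_FP" || echo "keystore entry differs"
```

A mismatch before import means the transferred file is not the certificate the LDAP administrator published, so answering yes at the trust prompt would add an unintended trust anchor to Crowd's keystore.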