Unable to Connect to AD services
Unable to Connect to AD services due to PKIX Path Building Failure when using multiple AD servers behind a Load Balancer.
For the XTAM server to communicate with an AD global catalog (GC), the XTAM keystore needs to contain a security certificate from this global catalog to establish a trusted connection. During setup of the integration with AD (whether using GUI or the command ADConnect) XTAM automatically imports this certificate from your AD GC server into its XTAM keystore so that integration with AD is performed smoothly. However, in case of multiple GC servers operating behind a load balancer, it is not enough for XTAM to include a certificate from a single GC server obtained during initial connection setup because every time XTAM needs to communicate with the global catalog, the GC load balancer can route the connection to different GC server set up with a different certificate.
Since XTAM does not know how to access each GC server hidden behind the load balancer, the certificates from each GC server should be imported manually into the XTAM keystore. This way, after the integration XTAM will trust each GC server no matter which one will be used at any given time by the load balancer.
Several ways to move forward.
First, you need to obtain certificates from GC servers and then these certificates should be imported to the XTAM keystore ($XTAM_HOME/jre/lib/security/cacerts). Below is the link with the procedure how to import certificates into XTAM’s keystore.
Please note that the article contains several sections about how to convert your cert to DER format if it is not in der format. You need to run these commands from the $XTAM_HOME folder to keep all the paths like they are in the article’s examples.
Alternatively, if you can access each global catalog server directly around the load balancer, you can establish connections with each global catalog server one-by-one using ADConnect. During every connection XTAM will automatically import the certificate from each GC server into its own keystore. At the end, you can re-establish the connection to the GC load balancer. At this time, XTAM will have all certificates loaded into the keystore and will be able to trust any of the connections no matter which one is used.
For both alternative ways to connect it is important to import certificates from all GC servers because GC load balancer might route LDAPS traffic from XTAM to any one of them.