Grouper Users - Open Discussion List

["David Mak" <>]

Greetings.

In need of some advice on configuring Grouper 4.1.6 running in a Docker
environment with an External systems configuration to connect to an Active
Directory server.

The server is configured with a self signed SSL certificate/CA cert and is
extracted via the following command:
 openssl s_client -connect AD_Server.example.com:636 -showcerts 2>/dev/null </
dev/null |  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

Configured in our Dockerfile with something along the lines of:

RUN openssl s_client -connect AD_Server.example.com:636 -showcerts 2>/dev/null
</dev/null |  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/
AD_Server.crt
RUN keytool -importcert -trustcacerts -cacerts -noprompt -storepass changeit -
file /tmp/AD_Server.crt -alias AD_Server

Connecting to the resultant container, with a bash shell, shows that the
certificate chain was successfully added as verified with "keytool list" but
attempts to test the connection from the Grouper UI results in:

Caused by:
[org.ldaptive.OperationException@140546312::resultCode=PROTOCOL_ERROR,
matchedDn=null, responseControls=null, referralURLs=null, messageId=-1,
message=javax.naming.CommunicationException: simple bind failed:
AD_Server.example.com:636 [Root exception is java.net.SocketException:
Connection or outbound has closed],
providerException=javax.naming.CommunicationException: simple bind failed:
AD_Server.example.com:636 [Root exception is java.net.SocketException:
Connection or outbound has closed]]

And indeed, a TCPDump on the host running docker shows the connection is
closed due to a SSL handshake issue:
4       0.010043        MYHOSTIP        ADHOSTIP        TLSv1.2 560     Client
Hello
5       0.028978        ADHOSTIP        MYHOSTIP                TLSv1.2 4381
Server Hello, Certificate, Server Key Exchange, Certificate Request, Server
Hello Done
7       0.030552        MYHOSTIP                ADHOSTIP        TLSv1.2 73
Alert (Level: Fatal, Description: Certificate Unknown)
8       0.030686        MYHOSTIP                ADHOSTIP        TCP     66
60236 → 636 [FIN, ACK] Seq=502 Ack=4316 Win=64128 Len=0 TSval=3083478926
TSecr=2697297744

Questions:
1) Is it the cacerts file in the JDK that I should be installing the certs
into? I even tried manually separating the certs into two files (openssl
returns two) and using two separate Docker COPY commands to put them into
separate files, and importing them with unique aliases using two different RUN
keytool commands, but get the same tcpdump behavior.
2) Is there documentation on connecting Grouper external systems with "custom"
configurations such as self signed certs, etc?

Thanks in advance for any advice.