Please make sure the network connection between HPDM Server to HPDM Console & AD Server are reachable.

I am an HPI Employee.
My opinions are my own, and do not express those of HPI.
**Click the White Thumbs Up Button on the right to say Thanks**

Committing as we too ran into this same exact issues without a resolution. 

Our issue occurred after upgrading our environment from HPDM 4.7 SP11 to HPDM 5.0. The only difference from @Dbennettdenver post is that we only get the last two WARN Console lines in our hpdm-console log. Logging is set to DEBUG.

Network connectivity has been confirmed.

Through a different third-party LDAP application we noticed with a Wireshark capture that there was a user certificate request made by the server. Thinking that this might be the certificate issue we went through the process of obtaining and getting a user certificate for the service account we use for the LDAP connection/HPDM Server service. However, this didn't correct the problem and appeared more third-party specific.

I can confirm the "10% it works, 90% it doesn't" previous description. During testing we have set encryption to None, Applied changes, and restarted services. Tests will work. Then we will configure TLS on 389, Apply changes, and restart services. Then sometimes tests will work but after the second successful test all tests after that will timeout.

One time we got the following error message:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find validate certificati

A little research pointed this issue at the JVM cacerts file as not having the CA cert that you use to authenticate through LDAP. We noticed that the JVM directory had changed from being in the HP Device Manager directory to now being in two locations. One in the Console directory and another in the Server directory. Using keytool we listed out the certs in both cacerts files and did not notice our CA cert. We imported our CA cert into both cacerts files, restarted services, but still continued to have this issue. Only two times out of all of our failed tests did we get the PKIX error. None since importing our cert.

We have been forced to keep the encryption to None until a resolution can be found.

In the Admin Guide for 5.0 page 188 talks about the Get Key From Host.  Is this the Domain Controller's key or a key specific for the hp device manager?

Hi Zactime,

It is a certificate retrieved from LDAP Server to enhance the communication between HPDM and LDAP Server.

I am an HPI Employee.
My opinions are my own, and do not express those of HPI.
**Click the White Thumbs Up Button on the right to say Thanks**

Thanks for the response JasonShi.  I was able to import the key with the SSL option and the port 636.  The import option did not work when I choose TLS with port 636.

All,

HP's R&D has identified a security negotiation issue that is causing the TLS LDAP connection problems.

We received a patch from HP and confirmed that it addressed the issue.

This patch will be available in the HPDM 5.0 SP1 release. Which was originally pulled after release, but will eventually be available. In the mean time, you have the option of reaching out to your HP rep and asking for the patch.