How to use SSL LDAP to sync an external VPC repository

  • 7011953
  • 14-Mar-2013
  • 20-Mar-2013

Environment

NetIQ VigilEnt Policy Center 5.6 SP5

Situation

When trying to synchronize an external VPC repository over a Secure Sockets Layer (SSL) connection to an LDAP server, no data is synchronized. The VPCSyncDebug log reports errors stating that it is unable to access the socket.

Resolution

If you are synchronizing an external repository with the VPC server using an SSL LDAP configuration, follow the instructions below:

1. Create a Certificate Authority (CA) in the Active Directory that will be synchronized.

2. Once the CA is created, export it.

- Open a command prompt with administrator permissions and change to the folder where the CA certificate will be saved (e.g. C:\Users\Administrator\Desktop\test>).

- Execute this command: certutil -ca.cert client.crt

- Verify that the folder "test" now contains a CA certificate file named "client.crt".

3. Copy the "client.crt" CA.

4. Go to the VPC server and paste the CA "client.crt" there (e.g. C:\Users\Administrator\Desktop\test\client.crt).

5. To import the CA, open a command prompt and execute the following command:

C:\Users\Administrator\Desktop\test>"%JAVA_HOME%/bin/keytool" -import -file client.crt -keystore "%JAVA_HOME%/lib/security/cacerts" -alias adserv

NOTE: JAVA_HOME is an environment variable created in System Properties > Advanced > Environment Variables > System Variables

JAVA_HOME = C:\Program Files (x86)\Java\jre6 (when you create this variable, verify the path of your Java installation)

6. After executing the keytool command in the previous step, a password will be required:

- Enter keystore password:

- By default the password is "changeit" (without quotation marks)

- Type the password and press Enter.

7. The following prompt is displayed: "Trust this certificate? [no]:"

8. Type yes and press Enter.

9. The following message should be displayed:

- Certificate was added to keystore

10. Restart the VPC service.

11. Open the VPC Administration site.

12. Go to the Repository tab and click the Add Repository button to synchronize the external repository that uses the same CA we imported on the VPC server machine.

13. In the LDAP configuration area, set the fields "Use SSL" and "LDAP URL" similar to the following example:

- Use SSL: Check

- LDAP URL: ldaps://IP or name:636 (e.g. ldaps://10.31.176.69:636)

14. Synchronize the external repository.

The external repository should now synchronize successfully using the SSL LDAP configuration.
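As an added check that is not part of the original article, the following Java program loads the same cacerts file the VPC service relies on, confirms the imported CA is there, and then performs an LDAPS bind through that truststore, so a CA that did not import correctly fails here in the same way it fails during synchronization. It assumes the alias from step 5 and the example URL from step 13; the bind DN and password are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/* Verifies that the AD CA certificate is present in the JRE's cacerts under the
 * alias used in step 5, and that an LDAPS bind through that truststore works. */
public class LdapsTrustCheck {
    // Same keystore and alias as the keytool command; password "changeit" unless changed.
    static final String CACERTS = System.getenv("JAVA_HOME") + "/lib/security/cacerts";
    static final String ALIAS = "adserv";
    // URL from the article's example; bind DN and password are placeholders.
    static final String LDAP_URL = "ldaps://10.31.176.69:636";
    static final String BIND_DN = "CN=vpc-sync,CN=Users,DC=example,DC=com";
    static final String BIND_PW = "<service-account-password>";

    // True if the alias exists in cacerts as a trusted certificate entry.
    static boolean caIsInTruststore() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(CACERTS);
        try {
            ks.load(in, "changeit".toCharArray());
        } finally {
            in.close();
        }
        return ks.isCertificateEntry(ALIAS);
    }

    // Simple bind over LDAPS. JNDI trusts cacerts by default, so a missing CA
    // surfaces here as "unable to find valid certification path to requested target".
    static void bindOverLdaps() throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PW);
        DirContext ctx = new InitialDirContext(env);
        ctx.close();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("CA '" + ALIAS + "' present in cacerts: " + caIsInTruststore());
        bindOverLdaps();
        System.out.println("LDAPS bind to " + LDAP_URL + " succeeded");
    }
}
```

Run it with the same JRE that JAVA_HOME points to, since that is the cacerts VPC reads. Newer JREs (8u181 and later) also verify the host name on LDAPS connections, so there the URL should use the host name that appears in the server certificate rather than an IP address.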

Additional Information

- If the Active Directory machine already has a CA, it is not necessary to create a new one. You can start at step 4, but instead of using "client.crt" as the example does, use the CA certificate that the Active Directory already has.