Does SCM work with LDAPS? (NETIQKB70483)

  • 7770483
  • 09-Jul-2007
  • 29-Sep-2010

Environment

NetIQ Secure Configuration Manager 5.8.1

NetIQ Secure Configuration Manager 5.8

NetIQ Secure Configuration Manager 5.7

NetIQ Secure Configuration Manager 5.6


Situation

Does SCM work with LDAPS?
An error is returned when trying to establish a Secure LDAP connection: the connection failed due to an unknown server certificate.

Resolution

Solution

1) First you need to have a PKI running in your environment. To set up a Windows 2003-based PKI you will find all the details here: http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx

This step includes issuing a certificate for your Secure LDAP service and exporting your CA certificate, for instance in DER encoded binary X.509 format (.cer), for step 2.

2) On the SCM Core Services machine, add your CA root certificate (e.g. the rootca.cer file) to the SCM JRE "cacerts" keystore (located in <SCM Installation Folder>\Core Services\jre\lib\security\). You can use the following command or any graphical keystore tool (such as Portecle, http://sourceforge.net/projects/portecle):

keytool -import -trustcacerts -alias rootca -file rootca.cer -keystore "<SCM Installation Folder>\Core Services\jre\lib\security\cacerts"

The default password of the cacerts keystore is "changeit".

3) A reboot may be necessary in order for this to take effect. Specify "ldaps://<ldap server>:636" in the LDAP Server URL; the other fields are the same as for classic LDAP.

Now you can securely authenticate your SCM users with your AD.
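The following PowerShell script is an added example, not part of the KB article or of the SCM product: it performs the step 2 import with the SCM JRE's own keytool, verifies the alias is present, and then checks from the same machine that the LDAPS server's certificate actually chains to the imported CA, which is the condition behind the "unknown server certificate" error. The install path, CA file, LDAP host name and the location of keytool.exe under the SCM JRE are assumptions for your environment.

```powershell
# Added example (not from the KB). Placeholders: adjust to your environment.
$ScmRoot   = 'C:\Program Files\NetIQ\Secure Configuration Manager'  # assumed
$CaCert    = 'C:\certs\rootca.cer'                                   # DER X.509 CA cert
$LdapHost  = 'dc01.example.local'                                    # assumed AD DC
$Alias     = 'rootca'
$StorePass = 'changeit'   # default cacerts password (change if your site has)
$Keystore  = Join-Path $ScmRoot 'Core Services\jre\lib\security\cacerts'
$Keytool   = Join-Path $ScmRoot 'Core Services\jre\bin\keytool.exe'  # assumed location

# 1. Back up the keystore before touching it.
Copy-Item $Keystore "$Keystore.bak" -Force

# 2. Import the CA only if the alias is not already present (keytool rejects duplicates).
& $Keytool -list -keystore $Keystore -storepass $StorePass -alias $Alias *> $null
if ($LASTEXITCODE -ne 0) {
    & $Keytool -import -trustcacerts -noprompt -alias $Alias -file $CaCert `
        -keystore $Keystore -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "keytool import of $CaCert failed" }
}

# 3. Confirm the entry is now in the keystore.
& $Keytool -list -v -keystore $Keystore -storepass $StorePass -alias $Alias |
    Select-String 'Owner:|Valid from'

# 4. Independent check: does the LDAPS endpoint's chain end at *our* CA?
#    Trust is limited to $ca, mirroring what the JRE does with cacerts.
$ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CaCert)
$validate = {
    param($sender, $cert, $chain, $sslPolicyErrors)
    $c = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $c.ChainPolicy.ExtraStore.Add($ca) | Out-Null
    $c.ChainPolicy.RevocationMode = 'NoCheck'
    $c.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cert)
    if (-not $c.Build($leaf)) { return $false }
    $root = $c.ChainElements[$c.ChainElements.Count - 1].Certificate
    return ($root.Thumbprint -eq $ca.Thumbprint)   # reject any other issuer
}
$tcp = [System.Net.Sockets.TcpClient]::new($LdapHost, 636)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $validate)
try {
    $ssl.AuthenticateAsClient($LdapHost)
    "LDAPS OK: $($ssl.RemoteCertificate.Subject) chains to $($ca.Subject)"
} catch {
    "LDAPS handshake failed (same failure SCM would see): $($_.Exception.Message)"
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```

If step 4 fails while a plain `ldap://` connection works, the server certificate was issued by a CA other than the one you imported, or the host name in the URL does not match the certificate.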

Cause

Enabling Secure LDAP requires more configuration than standard LDAP authentication. To resolve issues, follow the instructions above to enable Secure Configuration Manager to work with LDAPS.

Additional Information

Formerly known as NETIQKB70483

For instructions on how to set up standard External Authentication see NetIQKB27866.