Does SCM work with LDAPS? (NETIQKB70483)

  • 7770483
  • 09-Jul-2007
  • 29-Sep-2010


NetIQ Secure Configuration Manager 5.8.1

NetIQ Secure Configuration Manager 5.8

NetIQ Secure Configuration Manager 5.7

NetIQ Secure Configuration Manager 5.6



Does SCM work with LDAPS?
Error when trying to establish a Secure LDAP connection - failed due to an unknown server certificate.



1) First you need a PKI running in your environment. To set up a Windows 2003-based PKI, you will find all the details here:

This step includes issuing a certificate for your Secure LDAP service (the domain controller that will answer on port 636) and exporting your CA root certificate, for instance in DER encoded binary X.509 format (.cer), for use in step 2. SCM only needs the CA certificate, not the server's private key.

2) On the SCM Core Services machine, add your CA root certificate (for example, the rootca.cer file) to the "cacerts" keystore of the JRE that SCM uses (located in <SCM Installation Folder>\Core Services\jre\lib\security\). Use the keytool that ships with that same JRE (<SCM Installation Folder>\Core Services\jre\bin\keytool.exe) so the keystore is written in a format that JRE can read. You can use the following command or any graphical GUI-based keystore tool (such as:

keytool -import -trustcacerts -alias rootca -file rootca.cer -keystore "<SCM Installation Folder>\Core Services\jre\lib\security\cacerts"

The default password of the cacerts keystore is "changeit".

3) A reboot may be necessary for this to take effect, because the JVM reads cacerts when Core Services starts. Specify "ldaps://<ldap server>:636" in the LDAP Server URL field, using the same host name that appears in the server certificate; the other fields are the same as for classic LDAP.

Now you can securely authenticate your SCM users with your AD.
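The following PowerShell script is an added example, not part of the original NetIQ article. It carries out step 2 (import the CA root certificate into the SCM JRE cacerts keystore, backing the keystore up first and confirming the alias afterwards) and then, independently of the JRE, performs a TLS handshake against the domain controller on port 636 to check that the certificate it presents chains to that CA, which is the condition behind the "unknown server certificate" error. The installation path, certificate file, alias and domain controller name are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original article). Imports a CA root certificate into the
# SCM JRE "cacerts" keystore and verifies the LDAPS server certificate chains to it.
param(
    [string]$ScmRoot   = 'C:\Program Files\NetIQ\Secure Configuration Manager',  # assumed install path
    [string]$CaCert    = 'C:\temp\rootca.cer',     # CA certificate exported in step 1 (assumed path)
    [string]$Alias     = 'rootca',
    [string]$LdapHost  = 'dc01.example.com',       # assumed domain controller name
    [int]   $LdapPort  = 636,
    [string]$StorePass = 'changeit'                # default cacerts password, per the article
)

$jreHome = Join-Path $ScmRoot 'Core Services\jre'
$keytool = Join-Path $jreHome 'bin\keytool.exe'    # use the JRE that SCM itself runs on
$cacerts = Join-Path $jreHome 'lib\security\cacerts'

foreach ($p in $keytool, $cacerts, $CaCert) {
    if (-not (Test-Path $p)) { throw "Required file not found: $p" }
}

# Step 2 of the article: add the CA root certificate to cacerts, keeping a backup.
Copy-Item $cacerts ("$cacerts.bak-" + (Get-Date -Format 'yyyyMMddHHmmss'))

& $keytool -list -alias $Alias -keystore $cacerts -storepass $StorePass 2>&1 | Out-Null
if ($LASTEXITCODE -eq 0) {
    Write-Host "Alias '$Alias' is already present in $cacerts; skipping import."
} else {
    # -noprompt answers keytool's interactive "Trust this certificate?" question with yes.
    & $keytool -importcert -trustcacerts -noprompt -alias $Alias -file $CaCert `
        -keystore $cacerts -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }
}

# Confirm the entry exists and show its subject and fingerprints for comparison with the CA.
& $keytool -list -v -alias $Alias -keystore $cacerts -storepass $StorePass |
    Select-String 'Owner:|SHA1:|SHA256:'
if ($LASTEXITCODE -ne 0) { throw "Alias '$Alias' missing from $cacerts after import" }

# Server-side check: handshake on port 636 and verify the presented certificate chains
# to $CaCert. This uses .NET rather than the JRE, so a failure here means the domain
# controller's certificate (or the port) is the problem, not the cacerts keystore.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaCert)
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }  # validated below
$tcp = New-Object System.Net.Sockets.TcpClient($LdapHost, $LdapPort)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($LdapHost)
    $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    # Build the chain even if Windows does not trust the CA; the root is checked explicitly below.
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $built = $chain.Build($serverCert)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($built -and ($root.Thumbprint -eq $ca.Thumbprint)) {
        Write-Host "OK: $LdapHost presented '$($serverCert.Subject)', issued under '$($ca.Subject)'."
        Write-Host "Set the SCM LDAP Server URL to ldaps://${LdapHost}:$LdapPort and restart Core Services."
    } else {
        Write-Warning "Certificate '$($serverCert.Subject)' does not chain to $CaCert; SCM will reject it."
    }
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```

Run the script from an elevated PowerShell prompt on the Core Services machine, since the cacerts file sits under the installation folder. If the TcpClient constructor itself fails, LDAPS is not listening on port 636 on that host, which is a domain controller configuration issue rather than an SCM one.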


Enabling Secure LDAP requires more configuration than standard LDAP authentication, because SCM's JRE must trust the certificate authority that issued the LDAP server's certificate. To resolve the error above, follow the steps listed to enable Secure Configuration Manager to work with LDAPS.

Additional Information

Formerly known as NETIQKB70483

For instructions on how to setup standard External Authentication see NetIQKB27866.