Environment
NetIQ Secure Configuration Manager 5.8.1
NetIQ Secure Configuration Manager 5.8
NetIQ Secure Configuration Manager 5.7
NetIQ Secure Configuration Manager 5.6
Situation
Establishing a Secure LDAP (LDAPS) connection from Secure Configuration Manager fails with an error stating that the server certificate is unknown.
Resolution
Solution
1) First you need a PKI running in your environment. To set up a Windows 2003-based PKI, you will find all the details here: http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx
This step includes issuing a certificate for your Secure LDAP service and exporting your CA certificate, for instance in DER-encoded binary X.509 format (.cer), for step 2.
2) On the SCM Core Services machine, add your CA root certificate (for example, the rootca.cer file) to the SCM JRE "cacerts" keystore (located in <SCM Installation Folder>\Core Services\jre\lib\security\). You can use the following command or any graphical keystore tool (such as http://sourceforge.net/projects/portecle):
keytool -import -trustcacerts -alias rootca -file rootca.cer -keystore "<SCM Installation Folder>\Core Services\jre\lib\security\cacerts"
The default password of the cacerts keystore is "changeit".
3) A reboot may be necessary for this to take effect. Specify "ldaps://<ldap server>:636" in the LDAP Server URL field; the other fields are the same as for classic LDAP.
Now you can securely authenticate your SCM users against your AD.
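To confirm that the exported CA really is the issuer of the LDAP server's certificate (so that the cacerts import above is the right fix for the "unknown server certificate" error), here is an added Python pre-check; it is not part of this article or of SCM. The host name ldap.example.com and the file name rootca.cer are assumptions taken from the steps above.

```python
import base64
import socket
import ssl
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def der_to_pem(data: bytes) -> str:
    """PEM text for a DER (.cer) certificate; PEM input is returned unchanged."""
    text = data.decode("ascii", errors="ignore")
    if PEM_HEADER in text:
        return text
    b64 = base64.b64encode(data).decode("ascii")
    return f"{PEM_HEADER}\n" + "\n".join(textwrap.wrap(b64, 64)) + f"\n{PEM_FOOTER}\n"


def classify(exc: Exception) -> str:
    """Map an OpenSSL verification message to the admin action it calls for."""
    msg = str(exc).lower()
    if "local issuer" in msg or "self-signed" in msg or "self signed" in msg:
        return "untrusted-issuer"  # CA not in the trust store: import rootca.cer
    if "hostname" in msg or "match" in msg:
        return "name-mismatch"     # trust is fine; the URL host must match the cert


    return "other"


def check_ldaps(host: str, ca_cert: bytes, port: int = 636, timeout: float = 5.0):
    """Handshake with host:port trusting only ca_cert. Returns (ok, detail)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # check_hostname + CERT_REQUIRED
    try:
        ctx.load_verify_locations(cadata=der_to_pem(ca_cert))
    except ssl.SSLError as e:
        return False, f"bad-ca-file: {e}"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cn = dict(rdn[0] for rdn in tls.getpeercert()["subject"]).get("commonName")
                return True, f"verified: {cn}"
    except ssl.SSLCertVerificationError as e:
        return False, classify(e)
    except (OSError, ssl.SSLError) as e:
        return False, f"other: {e}"


if __name__ == "__main__":
    # Assumed names from the article: the exported CA file and the LDAP server.
    with open("rootca.cer", "rb") as f:
        print(check_ldaps("ldap.example.com", f.read()))
```

A result of "untrusted-issuer" means the exported file is not the CA that signed the server certificate (or not the whole chain), so importing it into cacerts alone will not clear the error; "name-mismatch" means the host in the ldaps:// URL must match the name in the server certificate.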
Cause
Additional Information
For instructions on how to setup standard External Authentication see NetIQKB27866.