This documentation applies to the 8.1 version of Remedy Action Request System, which is in "End of Version Support."


Enabling LDAP plug-ins for SSL connections post-installation

This topic explains how to enable LDAP plug-ins for SSL connections in configured networks after a new installation. For information on adding a certificate for SSL communication after a new installation, see Enabling LDAP plug-ins for SSL connections post-upgrade.

Adding an LDAP certificate to the certificate database

To enable LDAP plug-ins for SSL connections in configured networks after a new installation, you must add an LDAP certificate to the certificate database for SSL communication. LDAPJ plug-ins support SSL communication to the LDAP server. When you configure LDAP plug-ins that use SSL connections, you specify the path and file name of the Java keystore that contains the certificate. LDAPJ then uses the Java KeyStore (JKS) type to store the certificates.

Note

Pre-8.1 releases use the NSS based keystore. For more information, see Enabling LDAP plug-ins to establish SSL connections with LDAP servers.

To add a certificate for SSL communication after a new installation

  1. Download a digital certificate from the LDAP server.
    For more information, see the documentation for your LDAP server. For example, see the vendor's documentation on how to download a certificate for an Active Directory server.
  2. Create a keystore.
    To create and maintain the digital certificate data stores, the Java installation provides an out-of-the-box utility called keytool.
  3. Import the downloaded certificate into the keystore by using the following command:

    keytool -import -noprompt -trustcacerts -keystore <keystorePath> -storepass <password> -alias <aliasName> -file <certificatePath>

    Where:
    -trustcacerts — Stores the certificate as a trusted certificate in the keystore
    -keystore — The full path of the keystore file (for example C:\certdb\ldaptruststore.jks)

    Note

    If the keystore does not already exist, the command creates a new keystore.

    -storepass — The keystore password. The keystore password must contain at least 6 characters.
    -alias — The alias, or nickname, of the certificate
    -file — The file path of the digital certificate (for example C:\ldapCert\cert6b.rfc)

    For example, the command to import the downloaded certificate might look as follows:

    keytool -import -noprompt -trustcacerts -keystore C:\certdb\ldaptruststore.jks -storepass bmcAdmin -alias bmcAlias -file C:\ldapCert\cert6b.rfc
  4. List any available certificates in the keystore by using the following command:

    keytool -list -keystore C:\certdb\ldaptruststore.jks -storepass bmcAdmin


    Where:
    -list — Lists the available certificates in the store

    For example, using this command can result in the following:
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    cerqa6b, Aug 2, 2012, trustedCertEntry,
    Certificate fingerprint (MD5): 64:01:F3:E6:DD:A0:33:CA:E2:4A:92:50:10:51:59:70

  5. Configure the full path and file name of the certificate keystore in the Certificate Database field in the AREA LDAP Configuration and ARDBC LDAP Configuration forms.

    Certificate Database field in the AREA LDAP Configuration form

    This configures the keystore in these forms.
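
Step 3 uses -noprompt, which suppresses keytool's confirmation prompt, so nothing in the procedure checks that the downloaded file really is the LDAP server's certificate before it becomes trusted. The following PowerShell script is an added example, not BMC's own code: it compares the file's SHA-256 fingerprint with a value obtained out of band and checks the expiry date before running the import and list commands from this page. The function name Get-CertSha256, the variable names and the $Expected placeholder are assumptions; the paths, alias and store password are the sample values used above.

```powershell
# Added example: verify the downloaded LDAP certificate before trusting it.
# Paths, alias and store password are this page's sample values.
# $Expected is a placeholder; obtain the real value from the LDAP administrator.
$CertPath  = 'C:\ldapCert\cert6b.rfc'
$Keystore  = 'C:\certdb\ldaptruststore.jks'
$Alias     = 'bmcAlias'
$StorePass = 'bmcAdmin'
$Expected  = '<SHA-256 fingerprint supplied by the LDAP administrator>'

function Get-CertSha256 {
    param([Parameter(Mandatory)][string]$Path)
    # X509Certificate2 reads both binary (DER) and Base64 (printable) encoded files.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    try {
        $hash = $sha.ComputeHash($cert.RawData)
    } finally {
        $sha.Dispose()
    }
    # Same layout keytool uses: colon-separated upper-case hex.
    [pscustomobject]@{
        Subject     = $cert.Subject
        NotAfter    = $cert.NotAfter
        Fingerprint = ([System.BitConverter]::ToString($hash) -replace '-', ':')
    }
}

$info = Get-CertSha256 -Path $CertPath
# Accept the expected value with or without colons and spaces.
$want = ($Expected -replace '[:\s]', '').ToUpperInvariant()
$have = $info.Fingerprint -replace ':', ''

# An unfilled placeholder or truncated value fails the length check.
if ($want.Length -ne 64 -or $want -ne $have) {
    throw "Fingerprint mismatch for $($info.Subject): got $($info.Fingerprint). Certificate not imported."
}
if ($info.NotAfter -lt (Get-Date)) {
    throw "Certificate for $($info.Subject) expired on $($info.NotAfter). Certificate not imported."
}

# Steps 3 and 4 from this page, run only after the checks pass.
& keytool -import -noprompt -trustcacerts -keystore $Keystore -storepass $StorePass -alias $Alias -file $CertPath
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE." }

& keytool -list -keystore $Keystore -storepass $StorePass -alias $Alias
```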


Comments

  1. Miguel Rodriguez ferreria

    But, where is store password configured in the AREA LDAP plugin configuration form? How can AR open the JKS without it?

    Mar 03, 2014 04:57
  2. Miguel Rodriguez ferreria

    "admin" is not a 6 character password, is it?

    Mar 03, 2014 05:06
  3. Vinay Gaonkar

    Password is not needed while querying certificates. When retrieving information programmatically from the keystore, the password is optional. Therefore AR does not need the keystore password to open it.

    Mar 03, 2014 05:57
  4. Mohammad nayeem Shaik

    Do we need to import the certificate to keystore file in application server and mid tier server both? Also do we need remedy restart for the changes to take effect?

    Aug 17, 2016 04:11
    1. Anagha Deshpande

      Hello Mohammad,

      I will discuss this with SME and will write back to you.

      Regards,

      Anagha

      Aug 21, 2016 11:57
      1. Anagha Deshpande

         Hello Mohammad,

        You need to import keystore file only for the server. You need to restart the server to reflect the changes.

        Regards,

        Anagha

        Aug 23, 2016 04:10