Enabling LDAP plug-ins for SSL connections post-upgrade
This topic explains how to enable LDAP plug-ins for Secure Sockets Layer (SSL) connections in configured networks after an upgrade. For information about adding a certificate for SSL communication after a new installation, see Enabling LDAP plug-ins for SSL connections post-installation.
Migrating an LDAP certificate to the certificate database after an upgrade
To enable LDAP plug-ins for SSL connections in configured networks after an upgrade, you must add an LDAP certificate to the certificate database for SSL communication. LDAPJ plug-ins support SSL communication to the LDAP server. When you configure LDAP plug-ins that use SSL connections, you specify the path and file name of the Java keystore that contains the certificate. LDAPJ then uses the Java KeyStore (JKS) type to store the certificates.
Pre-8.1 releases use the NSS-based keystore. For more information, see the BMC Remedy AR System documentation.
In an upgrade scenario, if your AREA or ARDBC LDAP plug-ins are already configured to use SSL, you must migrate those certificates to the Java-based keystore.
To migrate an existing certificate for SSL communication after an upgrade
To migrate the old certificates to the new Java-based keystore, perform the following steps:
- Locate the certificate path in the Certificate Database field of the AREA LDAP Configuration form or the ARDBC LDAP Configuration form.
- List all of the certificates in the configured certificate database by using the following command:
  certutil -L -d <certificatePath>
  certificatePath is the parent directory that contains the certificate database.
  For example, using this command can result in the following:
- Select the alias name of the certificate that you want to export to a file.
- Export the certificate to a file:
  To export a certificate from a certificate database in the current directory to the my_x509_cert file, type the following command:
  certutil -L -a -n my_x509_cert -d . > C:\ldapCert\my_x509_cert.rfc
  To export a certificate from a certificate database in any other location (not the current directory) to the my_x509_cert file, pass the complete path of the certificate database directory in the -d parameter, as follows:
  certutil -L -a -n my_x509_cert -d C:\ldapCert > C:\ldapCert\my_x509_cert.rfc
  If the path includes spaces, enclose the path in double quotes; for example:
  -d "C:\Ldap Certs"
- Import the certificate into the Java keystore by using the following command:
  keytool -import -noprompt -trustcacerts -keystore C:\certdb\ldaptruststore.jks -storepass mypassword -alias my_x509_cert -file my_x509_cert.rfc
  If the keystore does not already exist, this command creates a new keystore.
- Configure the full path and file name of the certificate keystore in the AREA LDAP Configuration form or the ARDBC LDAP Configuration form.
- Restart the plug-in server to use the updated configuration.
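The migration steps above, scripted end to end as an added example (this is not BMC's code): the script lists every nickname in the NSS certificate database, exports each one with certutil, imports it into the JKS truststore with keytool, and finally lists the truststore as a check. It assumes certutil and keytool are on the PATH, that certutil -L prints one row per certificate ending in the trust-attribute triple (for example CT,, or ,,), and that the store password is passed on the command line exactly as in the documented keytool command.

```python
import os
import re
import subprocess

# One row of `certutil -L` output: nickname, whitespace, then the trust-attribute
# triple such as "CT,,", ",," or "u,u,u" (column layout assumed from NSS output).
_ROW = re.compile(r"^(.*\S)\s+([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_nicknames(listing: str) -> list:
    """Return the certificate nicknames from the text printed by `certutil -L -d <dir>`."""
    return [m.group(1) for m in map(_ROW.match, listing.splitlines()) if m]


def migration_commands(nss_dir: str, out_dir: str, keystore: str,
                       storepass: str, nicknames: list) -> list:
    """Build the certutil export and keytool import argument lists for each nickname.
    They are passed to subprocess without a shell, so paths with spaces need no quoting."""
    cmds = []
    for name in nicknames:
        pem = os.path.join(out_dir, name + ".rfc")
        # certutil prints the ASCII (PEM) certificate on stdout; run_migration() redirects it into pem
        cmds.append(["certutil", "-L", "-a", "-n", name, "-d", nss_dir])
        cmds.append(["keytool", "-import", "-noprompt", "-trustcacerts", "-keystore", keystore,
                     "-storepass", storepass, "-alias", name, "-file", pem])
    # Last step lists the truststore so a failed import shows up before the plug-in restart
    cmds.append(["keytool", "-list", "-keystore", keystore, "-storepass", storepass])
    return cmds


def run_migration(nss_dir: str, out_dir: str, keystore: str, storepass: str) -> list:
    """Execute the migration end to end; returns the nicknames that were imported."""
    os.makedirs(out_dir, exist_ok=True)
    listing = subprocess.run(["certutil", "-L", "-d", nss_dir], check=True,
                             capture_output=True, text=True).stdout
    names = parse_nicknames(listing)
    for cmd in migration_commands(nss_dir, out_dir, keystore, storepass, names):
        if cmd[0] == "certutil":  # export: cmd[4] is the nickname, which also names the .rfc file
            with open(os.path.join(out_dir, cmd[4] + ".rfc"), "w") as fh:
                subprocess.run(cmd, check=True, stdout=fh, text=True)
        else:
            subprocess.run(cmd, check=True)
    return names


# Constructed sample of `certutil -L` output, not taken from a real database
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ldap-ca                                                      CT,,
my_x509_cert                                                 ,,
"""
```

Call run_migration(r"C:\ldapCert", r"C:\ldapCert\export", r"C:\certdb\ldaptruststore.jks", "mypassword") to perform the migration; parse_nicknames(SAMPLE_LISTING) shows what the listing parser extracts.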