This documentation applies to the 8.1 version of Remedy ITSM Deployment, which is in "End of Version Support."

Enabling LDAP plug-ins for SSL connections post-upgrade

This topic explains how to enable LDAP plug-ins for Secure Sockets Layer (SSL) connections in configured networks after an upgrade. For information about adding a certificate for SSL communication after a new installation, see Enabling LDAP plug-ins for SSL connections post-installation.

Migrating an LDAP certificate to the certificate database after an upgrade

To enable LDAP plug-ins for SSL connections in configured networks after an upgrade, you must add an LDAP certificate to the certificate database for SSL communication. LDAPJ plug-ins support SSL communication to the LDAP server. When you configure LDAP plug-ins that use SSL connections, you specify the path and file name of the Java keystore that contains the certificate. LDAPJ then uses the Java KeyStore (JKS) type to store the certificates.

Note

 Pre-8.1 releases use the NSS-based keystore. For more information, see Enabling LDAP plug-ins to establish SSL connections with LDAP servers in the BMC Remedy AR System documentation.

In an upgrade scenario, if your AREA or ARDBC LDAP plug-ins are already configured to use SSL, you must migrate those certificates to the Java-based keystore.

To migrate an existing certificate for SSL communication after an upgrade

  1. To migrate the old certificates to the new Java-based keystore, perform the following steps:
    1. Locate the certificate path in the Certificate Database field in the AREA LDAP Configuration form or the ARDBC LDAP Configuration form.
    2. List all of the certificates in the configured certificate database by using the following command:


      certutil -L -d <certificatePath>

      where certificatePath is the parent directory that contains the certificate database. 

      For example, the command can return output such as the following:
      my_x509_cert CT,P,P
      cert_ibmc_c8s25bs CT,P,P

    3. Select the certificate alias name that you want to use to export to the file.
    4. Export the certificate to a file:

      • To export the certificate from a certificate database in the current directory to the my_x509_cert.rfc file, type the following command:

        certutil -L -a -n my_x509_cert -d . > C:\ldapCert\my_x509_cert.rfc
      • To export the certificate from a certificate database in another location (not the current directory) to the my_x509_cert.rfc file, specify the -d parameter with the complete path of the certificate database files, as follows:

        certutil -L -a -n my_x509_cert -d C:\ldapCert > C:\ldapCert\my_x509_cert.rfc
      • If the path includes spaces, enclose the path in double quotes; for example, -d "C:\Ldap Certs"

  2. Import the certificate by using the following command:

    keytool -import -noprompt -trustcacerts -keystore C:\certdb\ldaptruststore.jks -storepass mypassword -alias my_x509_cert -file my_x509_cert.rfc

    Note

    If the keystore does not already exist, this command creates a new keystore. 

  3. Configure the full path and file name of the certificate keystore in the AREA LDAP Configuration form or ARDBC LDAP Configuration form.
  4. Restart the plug-in server to use the updated configuration.
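
The export and import steps above, scripted as an added example (not BMC's code): it parses the certutil -L listing, exports only the nicknames you select, and imports each one into the JKS file with the keystore password read from an environment variable instead of the command line. It assumes the NSS certutil and the JDK keytool are on PATH (Windows ships an unrelated certutil.exe of its own); LDAP_TS_PASS and all function names are hypothetical.

```python
import base64, hashlib, re, subprocess
from pathlib import Path
# Constructed sample of `certutil -L -d <certificatePath>` output; the first two
# nicknames are the page's, "Corp Root CA" is made up to show a nickname with spaces.
SAMPLE_LISTING = """\
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

my_x509_cert                                  CT,P,P
cert_ibmc_c8s25bs                             CT,P,P
Corp Root CA                                  C,,
"""
# A certificate row ends in three comma-separated trust-flag groups (letters only).
ROW = re.compile(r"^(.+?)\s+([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")

def parse_listing(text):
    """Return [(nickname, trust_flags)], skipping header and blank lines."""
    rows = (ROW.match(line) for line in text.splitlines())
    return [(m.group(1).strip(), m.group(2)) for m in rows if m]

def export_cmd(nick, nss_dir, certutil="certutil"):
    # Argument list, not a shell string: paths or nicknames with spaces need no quoting.
    return [certutil, "-L", "-a", "-n", nick, "-d", nss_dir]

def import_cmd(nick, pem_path, keystore, keytool="keytool", pass_env="LDAP_TS_PASS"):
    # Assumption: this keytool accepts the :env modifier, so the keystore password
    # is read from an environment variable and never appears in the process list.
    return [keytool, "-import", "-noprompt", "-trustcacerts", "-keystore", keystore,
            "-storepass:env", pass_env, "-alias", nick, "-file", pem_path]

def pem_sha256(pem_text):
    """SHA-256 fingerprint of the certificate's DER bytes, as colon-separated hex."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                     pem_text, re.S).group(1)
    der = base64.b64decode("".join(body.split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

def migrate(nss_dir, out_dir, keystore, wanted):
    """Export each selected nickname from the NSS database and import it into the JKS file."""
    run = lambda cmd: subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    listed = {nick for nick, _ in parse_listing(run(["certutil", "-L", "-d", nss_dir]))}
    missing = set(wanted) - listed
    if missing:
        raise SystemExit(f"not in {nss_dir}: {sorted(missing)}")
    for nick in wanted:
        pem = run(export_cmd(nick, nss_dir))
        path = Path(out_dir) / (nick.replace(" ", "_") + ".rfc")
        path.write_text(pem)
        run(import_cmd(nick, str(path), keystore))
        print(f"{nick}: imported, SHA-256 {pem_sha256(pem)}")
```

Compare each printed fingerprint with the one that keytool -list -v reports for the same alias before you restart the plug-in server.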
