Enabling LDAP plug-ins for SSL connections post-installation
This topic explains how to enable LDAP plug-ins for SSL connections in configured networks after a new installation. For information on adding a certificate for SSL communication after a new installation, see Enabling LDAP plug-ins for SSL connections postupgrade.
Adding an LDAP certificate to the certificate database
To enable LDAP plug-ins for SSL connections in configured networks after a new installation, you must add a LDAP certificate to the certificate database for SSL communication. LDAPJ plug-ins support SSL communication to the LDAP server. When you configure LDAP plug-ins that use SSL connections, you specify the path and file name of the Java keystore that contains the certificate. LDAPJ then uses the Java KeyStore (JKS) type to store the certificates.
Pre-8.1 releases use the NSS based keystore. For more information, see in BMC Remedy AR System documentation.
To add a certificate for SSL communication after a new installation
- Download a digital certificate from the LDAP server.
For more information, see the documentation for your LDAP server. For example, see the vendor's documentation on how to download a certificate for an Active Directory server.
- Create a keystore.
To create and maintain the digital certificate data stores, the Java installation provides an out-of-the-box utility called keytool.
Import the downloaded certificate into the keystore by using the following command:
keytool -import -noprompt -trustcacerts -keystore <keystorePath> -storepass <password> -alias <aliasName> -file <certificatePath>
-trustcacerts— Stores the certificate as a trusted certificate in the keystore
-keystore— The full path of the keystore file (for example
If the keystore does not already exist, the command creates a new keystore.
-storepass— Stores the password. Keystore password must contain at least 6 characters.
-alias— The alias, or nickname, of the certificate
-file— The file path of the digital certificate (for example
For example, the command to import the downloaded certificate might look as follows:
keytool -import -noprompt -trustcacerts -keystore C:\certdb\ldaptruststore.jks -storepass bmcAdmin -alias bmcAlias -file C:\ldapCert\cert6b.rfc
List any available certificates in the keystore by using the following command:
keytool -list -keystore C:\certdb\ldaptruststore.jks -storepass bmcAdmin
-list— Lists the available certificates in the store
For example, using this command can result in the following:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
cerqa6b, Aug 2, 2012, trustedCertEntry,
Certificate fingerprint (MD5): 64:01:F3:E6:DD:A0:33:CA:E2:4A:92:50:10:51:59:70
- Configure the full path and file name of the certificate keystore in the Certificate Database field in the AREA LDAP Configuration and ARDBC LDAP Configuration forms.
Certificate Database field in the AREA LDAP Configuration form
This configures the keystore in these forms.