
Enabling LDAP plug-ins for SSL connections post-installation

This topic explains how to enable LDAP plug-ins for SSL connections in configured networks after a new installation. For information on adding a certificate for SSL communication after a new installation, see Enabling LDAP plug-ins for SSL connections postupgrade.

Adding an LDAP certificate to the certificate database

To enable LDAP plug-ins for SSL connections in configured networks after a new installation, you must add an LDAP certificate to the certificate database for SSL communication. LDAPJ plug-ins support SSL communication to the LDAP server. When you configure LDAP plug-ins that use SSL connections, you specify the path and file name of the Java keystore that contains the certificate. LDAPJ then uses the Java KeyStore (JKS) type to store the certificates.

Note

Pre-8.1 releases use the NSS-based keystore. For more information, see Enabling LDAP plug-ins to establish SSL connections with LDAP servers in BMC Remedy AR System documentation.

To add a certificate for SSL communication after a new installation

    1. Download a digital certificate from the LDAP server.
      For more information, see the documentation for your LDAP server. For example, see the vendor's documentation on how to download a certificate for an Active Directory server.
    2. Create a keystore.
      To create and maintain the digital certificate data stores, the Java installation provides an out-of-the-box utility called keytool.
    3. Import the downloaded certificate into the keystore by using the following command:

      keytool -import -noprompt -trustcacerts -keystore <keystorePath> -storepass <password> -alias <aliasName> -file <certificatePath>

      Where:
      -trustcacerts — Stores the certificate as a trusted certificate in the keystore
      -keystore — The full path of the keystore file (for example C:\certdb\ldaptruststore.jks)

      Note

      If the keystore does not already exist, the command creates a new keystore.

      -storepass — The password of the keystore. The keystore password must contain at least 6 characters.
      -alias — The alias, or nickname, of the certificate

      -file — The file path of the digital certificate (for example C:\ldapCert\cert6b.rfc)

      For example, the command to import the downloaded certificate might look as follows:

      keytool -import -noprompt -trustcacerts -keystore C:\certdb\ldaptruststore.jks -storepass bmcAdmin -alias bmcAlias -file C:\ldapCert\cert6b.rfc 
    4. List any available certificates in the keystore by using the following command:

      keytool -list -keystore C:\certdb\ldaptruststore.jks -storepass bmcAdmin

      Where:
      -list — Lists the available certificates in the store

      For example, using this command can result in the following:
      Keystore type: JKS
      Keystore provider: SUN
      Your keystore contains 1 entry
      cerqa6b, Aug 2, 2012, trustedCertEntry,
      Certificate fingerprint (MD5): 64:01:F3:E6:DD:A0:33:CA:E2:4A:92:50:10:51:59:70

    5. Configure the full path and file name of the certificate keystore in the Certificate Database field in the AREA LDAP Configuration and ARDBC LDAP Configuration forms. 

      Certificate Database field in the AREA LDAP Configuration form
       
      This configures the keystore in these forms.
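
Because -noprompt skips keytool's interactive trust confirmation, the import in step 3 can be gated on a fingerprint check of the downloaded file. The following Python script is an added example, not part of the BMC documentation; its function names are hypothetical, and it assumes the expected SHA-256 fingerprint was obtained out of band from the LDAP server administrator.

```python
import hashlib
import hmac
import ssl
import subprocess

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

def to_der(cert_bytes: bytes) -> bytes:
    """Accept a PEM (.rfc/.cer/.pem) or binary DER download; return DER bytes."""
    if PEM_HEADER.encode() not in cert_bytes:
        return cert_bytes                      # already DER
    text = cert_bytes.decode("ascii")
    start = text.index(PEM_HEADER)             # skip any text before the header
    end = text.index(PEM_FOOTER) + len(PEM_FOOTER)
    return ssl.PEM_cert_to_DER_cert(text[start:end])

def cert_fingerprint(cert_bytes: bytes) -> str:
    """SHA-256 fingerprint in keytool's colon-separated, upper-case form."""
    digest = hashlib.sha256(to_der(cert_bytes)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def matches_pin(cert_bytes: bytes, expected: str) -> bool:
    """Compare against a fingerprint obtained out of band (separators ignored)."""
    def norm(fp):
        return fp.replace(":", "").replace(" ", "").upper()
    return hmac.compare_digest(norm(cert_fingerprint(cert_bytes)), norm(expected))

def import_if_trusted(cert_path, expected, keystore, alias):
    """Run the page's import command only when the fingerprint matches."""
    with open(cert_path, "rb") as fh:
        if not matches_pin(fh.read(), expected):
            raise ValueError("fingerprint mismatch: certificate not imported")
    # -storepass is left out so keytool prompts for the keystore password
    # rather than taking it from the command line.
    subprocess.run(["keytool", "-import", "-noprompt", "-trustcacerts",
                    "-keystore", keystore, "-alias", alias,
                    "-file", cert_path], check=True)

# Constructed sample: placeholder bytes standing in for a DER certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")

if __name__ == "__main__":
    pin = cert_fingerprint(SAMPLE_DER)         # stands in for the admin-supplied value
    print(pin, matches_pin(SAMPLE_PEM, pin))
```

The same file yields the same fingerprint whether it was saved as PEM or DER, so the value can be compared directly with the SHA-256 line that keytool -printcert -file <certificatePath> reports.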
