Enabling LDAP plug-ins for SSL connections postupgrade
If you are upgrading from a version prior to 9.0 in which you had configured the LDAP plug-ins, you must enable the LDAP plug-ins for Secure Sockets Layer (SSL) connections after the upgrade. If you are upgrading from version 9.0 or later, you can skip this procedure. For information about adding a certificate for SSL communication after a new installation, see Enabling-LDAP-plug-ins-for-SSL-connections-post-installation.
Migrating an LDAP certificate to the certificate database after an upgrade
To enable LDAP plug-ins for SSL connections in configured networks after an upgrade, you must add an LDAP certificate to the certificate database for SSL communication. LDAPJ plug-ins support SSL communication to the LDAP server. When you configure LDAP plug-ins that use SSL connections, you specify the path and file name of the Java keystore that contains the certificate. LDAPJ then uses the Java KeyStore (JKS) type to store the certificates.
In an upgrade scenario, if your AREA or ARDBC LDAP plug-ins are already configured to use SSL, you must migrate those certificates to the Java-based keystore.
To migrate an existing certificate for SSL communication after an upgrade
To migrate the old certificates to the new Java-based keystore, perform the following steps:
- Locate the certificate path in the Certificate Database field in the AREA LDAP Configuration form or the ARDBC LDAP Configuration form.
- List all of the certificates in the configured certificate database by using the following command:
certutil -L -d <certificatePath>
where certificatePath is the parent directory that contains the certificate database.
For example, this command produces results such as the following:
my_x509_cert CT,P,P
cert_ibmc_c8s25bs CT,P,P
- Select the alias name of the certificate that you want to export to a file.
- Export the certificate to a file:
To export the certificate from a certificate database in the current directory to the my_x509_cert.rfc file, type the following command:
certutil -L -a -n my_x509_cert -d . > C:\ldapCert\my_x509_cert.rfc
To export from a certificate database in another location (not the current directory), specify the -d parameter with the complete path of the certificate database files, as follows:
certutil -L -a -n my_x509_cert -d C:\ldapCert > C:\ldapCert\my_x509_cert.rfc
If the path includes spaces, enclose the path in double quotation marks, as follows:
-d "C:\Ldap Certs"
- Import the certificate by using the following command:
keytool -import -noprompt -trustcacerts -keystore C:\certdb\ldaptruststore.jks -storepass mypassword -alias my_x509_cert -file my_x509_cert.rfc
- Configure the full path and file name of the certificate keystore in the AREA LDAP Configuration form or the ARDBC LDAP Configuration form.
- Restart the plug-in server to use the updated configuration.
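The steps above are shown one certificate at a time. The following script is an added example, not part of the BMC documentation or the AR System product, that runs the same certutil list, certutil export and keytool import sequence for every certificate in the NSS database, so that nothing the old plug-in trusted is silently left out of the new Java keystore. It assumes a POSIX shell with the NSS certutil and JDK keytool binaries on PATH and uses POSIX-style paths in place of the Windows paths shown above; the function names, the KEYSTORE_PASS variable and the sample certutil output are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the BMC documentation): migrate every certificate in
# an NSS certificate database into a Java keystore (JKS), following the
# list -> export -> import procedure described on this page.
# Assumptions: `certutil` (NSS tools) and `keytool` (JDK) are on PATH; paths
# are POSIX style (adjust for Windows paths such as C:\ldapCert).

# Parse `certutil -L -d <dir>` output (on stdin) into one alias per line.
# certutil prints a two-line header ("Certificate Nickname ... Trust
# Attributes" and "SSL,S/MIME,JAR/XPI"), a blank line, then one
# "<nickname>   <trust flags>" row per certificate, e.g. "my_x509_cert  CT,P,P".
# A row is recognised by its trailing trust column (three comma-separated
# letter groups, any of which may be empty); the header's "JAR/XPI" contains
# a slash and therefore never matches.
list_cert_aliases() {
    awk '
        /[ \t]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[ \t]*$/ {
            sub(/[ \t]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[ \t]*$/, "")
            if ($0 != "") print
        }'
}

# Export one certificate in ASCII (PEM) form, as the page's
# `certutil -L -a -n <alias> -d <dir> > <alias>.rfc` step does.
export_cert() {
    certdir=$1; alias=$2; outfile=$3
    certutil -L -a -n "$alias" -d "$certdir" > "$outfile"
}

# Import an exported certificate into the JKS truststore as a trusted CA entry,
# matching the page's keytool command. The store password is read from the
# KEYSTORE_PASS environment variable (keytool's -storepass:env form) instead of
# being typed on the command line, so it does not land in shell history or in
# `ps` output.
import_cert() {
    keystore=$1; alias=$2; certfile=$3
    keytool -import -noprompt -trustcacerts -keystore "$keystore" \
        -storepass:env KEYSTORE_PASS -alias "$alias" -file "$certfile"
}

# Migrate every certificate in the NSS database into the keystore, then list
# the keystore so the entries the plug-in server will trust can be reviewed.
# Usage: KEYSTORE_PASS=... ./migrate.sh <certdir> <exportdir> <keystore.jks>
migrate_certdb_to_jks() {
    certdir=$1; exportdir=$2; keystore=$3
    mkdir -p "$exportdir"
    certutil -L -d "$certdir" | list_cert_aliases | while IFS= read -r alias; do
        certfile="$exportdir/$alias.rfc"
        export_cert "$certdir" "$alias" "$certfile"
        import_cert "$keystore" "$alias" "$certfile"
        echo "migrated: $alias"
    done
    keytool -list -keystore "$keystore" -storepass:env KEYSTORE_PASS
}

# Constructed sample of `certutil -L` output, mirroring the two aliases shown
# on the page, so the parsing step can be exercised without an NSS database.
SAMPLE_CERTUTIL_OUTPUT='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

my_x509_cert                                                 CT,P,P
cert_ibmc_c8s25bs                                            CT,P,P'

if [ "$#" -eq 3 ]; then
    migrate_certdb_to_jks "$1" "$2" "$3"
else
    # No arguments: show which aliases the parser extracts from the sample.
    printf '%s\n' "$SAMPLE_CERTUTIL_OUTPUT" | list_cert_aliases
fi
```

Run without arguments to see the aliases the parser extracts from the sample output (my_x509_cert and cert_ibmc_c8s25bs); run with the certificate directory, an export directory and the keystore path to perform the migration. The final keytool -list is the check worth keeping: compare its entries against the certutil -L listing before pointing the AREA or ARDBC LDAP Configuration form at the new keystore and restarting the plug-in server.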