Problem connecting LDAP SSL
Hello:
I am trying to connect IDM 6.0 SP1 with Sun Directory Server 5 (LDAP) using the LDAP adapter. If I use the non-secure port (389) it is OK and the connection works fine.
But if I try to use the SSL port (636) I obtain an error.
Directory Server is configured to work with both ports (389 and 636), it has SSL enabled and has a certificate (self-signed). Another application (an LDAP browser) can connect to the SSL port without problem.
Is there another thing to do on the machine running IDM? (for example, install the LDAP certificate) How do I do this?
Both machines are Solaris 10 x86 and they are in the same DNS domain.
Thanks
By Elecktrus at 2007-11-26 10:57:50

# 1
To connect to an SSL resource, you must have a certificate trust chain defined in the Java Virtual Machine in which the IDM is running. Not knowing what web server you are running IDM on, I must be general in my reply. You need to include the following system property definition in the java parameters for your JVM:
-Djavax.net.ssl.trustStore=<fully qualified path to a JKS keystore containing the trust chain for your self-signed server cert>
e.g.
-Djavax.net.ssl.trustStore=/myapps/idm/truststore.jks
You can create the truststore using the keytool utility that comes with the Sun Java JDK (<JAVA_HOME>/bin/keytool).
Hope this helps.
FYI - your browser queries to LDAP work because you have the trust chain stored in your browser certificate cache.
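The trust-chain check described above can be reproduced outside IDM with a few lines of JNDI. This is an added example, not IDM code or anything posted in this thread; the host name, port and truststore path are command-line arguments with placeholder defaults, and the truststore password assumed is keytool's default "changeit".

```java
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.ssl.SSLHandshakeException;

/** Added example (not IDM code): probe an LDAPS port with the JVM's own trust settings. */
public class LdapsTrustCheck {

    /** Opens an anonymous LDAPS connection. Returns null on success, else a short diagnosis. */
    static String probe(String host, int port) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + host + ":" + port);
        env.put(Context.SECURITY_PROTOCOL, "ssl"); // JNDI uses the JVM default SSLContext, i.e. javax.net.ssl.trustStore
        try {
            DirContext ctx = new InitialDirContext(env);
            ctx.close();
            return null;
        } catch (CommunicationException e) {
            // JNDI wraps the JSSE failure; walk the cause chain to find the handshake error.
            // "unable to find valid certification path" here means the DS cert (or its CA) is
            // not in the truststore; a name mismatch means the cert CN/SAN != the host you dialled.
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof SSLHandshakeException) {
                    return "TLS handshake failed, server cert not trusted by this JVM: " + t.getMessage();
                }
            }
            return "connection failed: " + e.getMessage();
        } catch (NamingException e) {
            return "LDAP error after TLS succeeded: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        String host = args.length > 0 ? args[0] : "ds.example.com"; // placeholder, not a host from the thread
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 636;
        if (args.length > 2) {
            // Same effect as -Djavax.net.ssl.trustStore=... on the JVM command line; it must be set
            // before the first SSL connection, because the default SSLContext is built only once.
            System.setProperty("javax.net.ssl.trustStore", args[2]); // e.g. /myapps/idm/truststore.jks
            System.setProperty("javax.net.ssl.trustStorePassword", "changeit"); // assumed keytool default
        }
        String result = probe(host, port);
        System.out.println(result == null ? "OK: LDAPS connection established" : result);
    }
}
```

Run it once without the third argument and once with the truststore path to see the difference; adding -Djavax.net.debug=ssl to the java command line prints the full handshake, which is the debug output asked for later in this thread.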
# 2
Hello, I'm just in the same situation.
I'm trying with both Tomcat5 and SJS AS9.
On both, when I test the ldap connection from IdM7 to Ldap, I see on the ldap server log an incoming connection on port 636 and nothing else.
I imported with keytool both my signing ca-cert and ldap-cert into the default AS keystore.jks (default password changeit).
I can list them with keytool, but something seems wrong even if I don't see any error in the AS server.log.
Did you find any other thing?
How could I get any debug info?
TIA
# 3
I reply to myself: it works fine both for IdM on Tomcat and on SJSAS.
These are the commands I used to export myCA-cert from DS keystore and import into the AS keystore:
certutil -L -d <ds-alias-dir> -P "<slapd-instance>-" -a -n myCA-cert > myCA-cert.rfc
keytool -import -keystore /opt/SJSASPE9/domains/domain1/config/keystore.jks -alias myCA-cert -file myCA-cert.rfc