How to configure the Nexus IQ Server to trust an LDAP Server SSL certificate

When connecting the Nexus IQ Server to a secure LDAP server over SSL (ldaps://), it is common for the LDAP server to present a self-signed certificate that the JVM running the CLM server does not yet trust. A common error message in this case is:

javax.naming.CommunicationException: your.ldaps.host:XXXX [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

To establish trust in this self-signed certificate, import the LDAP server's SSL certificate into a keystore file and give that file to the Nexus IQ Server as its truststore. If the LDAP server presents a chain rather than a single self-signed certificate, the certificate to import is the issuing CA certificate at the top of the chain, not the server certificate itself.

Here is one way to create the truststore:

  1. echo -n | openssl s_client -showcerts -connect ldaphost:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem
  2. keytool -import -file cert.pem -alias ad -keystore iqserver.ks -storepass secret

Note that -showcerts writes every certificate the server sends into cert.pem, while keytool -import reads only the first certificate in the file. If the server sends a chain, split the file and import the CA certificate you actually want to trust. Before importing, compare the certificate's fingerprint (openssl x509 -in cert.pem -noout -fingerprint -sha256) with the value published by the LDAP administrator, so you are not trusting whatever answered on port 636.

Then launch the Nexus IQ Server with the following additional JVM option, added to your Nexus IQ Server init or launch script:

-Djavax.net.ssl.trustStore=/<full_path>/iqserver.ks

Setting javax.net.ssl.trustStore replaces the JVM's default truststore (cacerts) rather than extending it, so any other TLS endpoint the IQ Server connects to must also be trusted by this file; if that is a concern, start from a copy of cacerts and import the LDAP certificate into the copy.
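The procedure above, as an added example script that is not part of the original article and not Sonatype's own tooling: it fetches the chain, splits it into one file per certificate (which is what the single keytool -import step cannot do), prints each certificate's subject, issuer and SHA-256 fingerprint so it can be checked against an out-of-band value, imports each certificate under its own alias, and prints the resulting JVM option. The hostname, port, keystore name and password are placeholders; the network-facing steps only run when RUN_IMPORT is set, so the helper functions can be exercised offline.

```shell
#!/bin/sh
# Added example; assumed placeholder values (override via the environment).
LDAP_HOST="${LDAP_HOST:-ldaphost}"
LDAP_PORT="${LDAP_PORT:-636}"
TRUSTSTORE="${TRUSTSTORE:-iqserver.ks}"
STOREPASS="${STOREPASS:-secret}"
WORKDIR="${WORKDIR:-.}"

# fetch_chain HOST PORT: write the PEM certificates the server presents to stdout.
fetch_chain() {
    echo -n | openssl s_client -showcerts -connect "$1:$2" 2>/dev/null |
        sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# split_chain BUNDLE PREFIX: write PREFIX-1.pem, PREFIX-2.pem, ... (one
# certificate each) and print the number of certificates found.
split_chain() {
    awk -v prefix="$2" '
        /-BEGIN CERTIFICATE-/ { n++; out = prefix "-" n ".pem"; writing = 1 }
        writing               { print > out }
        /-END CERTIFICATE-/   { close(out); writing = 0 }
        END                   { print n + 0 }
    ' "$1"
}

# show_cert FILE: print what is about to be trusted so the fingerprint can be
# compared with the value the LDAP administrator published.
show_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# import_chain PREFIX COUNT KEYSTORE PASS: import PREFIX-1.pem .. PREFIX-COUNT.pem
# into KEYSTORE, each under its own alias (ldap-1, ldap-2, ...).
import_chain() {
    i=1
    while [ "$i" -le "$2" ]; do
        keytool -importcert -noprompt -file "$1-$i.pem" -alias "ldap-$i" \
            -keystore "$3" -storepass "$4"
        i=$((i + 1))
    done
}

# The network-facing part runs only when explicitly requested:
#   RUN_IMPORT=1 LDAP_HOST=ldap.example.internal sh make-truststore.sh
if [ -n "${RUN_IMPORT:-}" ]; then
    set -e
    fetch_chain "$LDAP_HOST" "$LDAP_PORT" > "$WORKDIR/chain.pem"
    count=$(split_chain "$WORKDIR/chain.pem" "$WORKDIR/cert")
    [ "$count" -gt 0 ] || { echo "no certificate received from $LDAP_HOST:$LDAP_PORT" >&2; exit 1; }
    i=1
    while [ "$i" -le "$count" ]; do
        echo "== certificate $i of $count =="
        show_cert "$WORKDIR/cert-$i.pem"
        i=$((i + 1))
    done
    import_chain "$WORKDIR/cert" "$count" "$WORKDIR/$TRUSTSTORE" "$STOREPASS"
    echo "Add to the IQ Server launch script:"
    echo "  -Djavax.net.ssl.trustStore=$(cd "$WORKDIR" && pwd)/$TRUSTSTORE"
fi
```

Review the show_cert output before accepting the import: the file that ends up in the truststore should be the certificate the LDAP administrator published, not simply whatever was presented on the port at the time the script ran.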