When connecting the Nexus IQ Server to a secure LDAP server over SSL (ldaps://), it is common for the LDAP server to use a self-signed certificate that the JVM running the CLM server does not yet trust. A typical error message in this case is:
javax.naming.CommunicationException: your.ldaps.host:XXXX [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
To establish trust in this self-signed certificate, import the LDAP server's SSL certificate into a keystore file and supply that file as the truststore to the Nexus IQ Server.
Here is one way to create the truststore:
echo -n | openssl s_client -showcerts -connect ldaphost:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldaps.pem
keytool -import -file ldaps.pem -alias ad -keystore iqserver.ks -storepass changeit
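The same procedure as a script, added here as an example and not part of the original article or Sonatype's own tooling: it fetches everything the LDAPS endpoint presents (a self-signed server may send one certificate, a CA-issued one may send a chain), splits the PEM output into one file per certificate, prints each subject and SHA-256 fingerprint so it can be compared with the value the LDAP administrator provides before it is trusted, and imports each one under its own alias. The host, keystore name, alias and password are the article's; the working directory and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article). Builds the IQ Server truststore from
# the certificate(s) an LDAPS endpoint presents, showing fingerprints first.
set -eu

# Split a PEM bundle read from stdin into $1/cert-1.pem, $1/cert-2.pem, ...
# and print the number of certificates written (0 if the input had none).
split_pem_bundle() {
    dir=$1
    mkdir -p "$dir"
    awk -v dir="$dir" '
        /-BEGIN CERTIFICATE-/ { n++; out = dir "/cert-" n ".pem" }
        out != ""             { print > out }
        /-END CERTIFICATE-/   { close(out); out = "" }
        END                   { print n + 0 }
    '
}

# Usage: build_truststore ldaphost:636 iqserver.ks changeit
# Fetches the chain with the article's openssl/sed pipeline, then imports each
# certificate under the aliases ad, ad-2, ad-3, ... (assumed naming scheme).
build_truststore() {
    host=$1 keystore=$2 storepass=$3
    workdir=$(mktemp -d)
    count=$(echo -n | openssl s_client -showcerts -connect "$host" 2>/dev/null \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
        | split_pem_bundle "$workdir")
    [ "$count" -gt 0 ] || { echo "no certificate received from $host" >&2; return 1; }
    i=1
    while [ "$i" -le "$count" ]; do
        pem="$workdir/cert-$i.pem"
        # Compare this fingerprint with one obtained out of band before trusting it.
        openssl x509 -in "$pem" -noout -subject -fingerprint -sha256
        entry=ad
        [ "$i" -eq 1 ] || entry="ad-$i"
        keytool -import -noprompt -file "$pem" -alias "$entry" \
            -keystore "$keystore" -storepass "$storepass"
        i=$((i + 1))
    done
    rm -rf "$workdir"
}
```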
Then launch the Nexus IQ Server with the following additional option by editing your Nexus IQ Server init or launch script: