How to configure the Nexus IQ Server to trust an LDAP Server SSL certificate

When connecting the Nexus IQ Server to a secure LDAP server over SSL (ldaps://), it is common for the LDAP server to use a self-signed certificate that the JVM running the CLM server does not yet trust. A common error message in this case is:

javax.naming.CommunicationException: [Root exception is PKIX path building failed: unable to find valid certification path to requested target]

To establish trust in this self-signed certificate, import the LDAP SSL certificate into a keystore file and supply that file to the Nexus IQ Server as its truststore.

Here is one way to create the truststore:

  1. echo -n | openssl s_client -showcerts -connect ldaphost:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldaps.pem
  2. keytool -import -file ldaps.pem -alias ad -keystore iqserver.ks -storepass changeit

Then launch the Nexus IQ Server with the following additional option by editing your Nexus IQ Server init or launch script: <full_path>/iqserver.ks
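
An added example (not from the original article): the two truststore steps above wrapped in a shell function that keeps only the certificate the server itself presented and refuses to import it unless its SHA-256 fingerprint matches a value obtained out-of-band from the LDAP administrator. The function names and the SAMPLE text are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: build the truststore only after the certificate is verified.

# Keep only the first PEM block from `openssl s_client -showcerts` output.
# That first block is the certificate the server itself presented.
first_cert() {
  awk '/-BEGIN CERTIFICATE-/ { if (!done) keep = 1 }
       keep                  { print }
       /-END CERTIFICATE-/   { if (keep) { keep = 0; done = 1 } }'
}

# Normalise a fingerprint ("sha256 Fingerprint=AB:CD..." or "ab:cd...") to
# bare upper-case hex so values from two sources compare as plain strings.
norm_fp() {
  printf '%s' "${1##*=}" | tr -d ': \n' | tr '[:lower:]' '[:upper:]'
}

fp_matches() { [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]; }

# Usage: build_truststore ldaphost:636 <expected-sha256> [keystore] [storepass]
build_truststore() {
  local target="$1" expected="$2" ks="${3:-iqserver.ks}" pass="${4:-changeit}" actual
  openssl s_client -showcerts -connect "$target" </dev/null 2>/dev/null \
    | first_cert > ldaps.pem
  [ -s ldaps.pem ] || { echo "no certificate received from $target" >&2; return 1; }
  actual=$(openssl x509 -in ldaps.pem -noout -fingerprint -sha256)
  if ! fp_matches "$actual" "$expected"; then
    echo "fingerprint mismatch, not importing: $actual" >&2
    return 1
  fi
  keytool -importcert -noprompt -file ldaps.pem -alias ad \
          -keystore "$ks" -storepass "$pass" &&
    keytool -list -alias ad -keystore "$ks" -storepass "$pass"
}

# Constructed sample of s_client output (placeholder bodies, not real certs).
SAMPLE='depth=1 CN = Example CA
-----BEGIN CERTIFICATE-----
TEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
 1 s:CN = Example CA
-----BEGIN CERTIFICATE-----
SVNTVUVSLVBMQUNFSE9MREVS
-----END CERTIFICATE-----'

# Run only when a target and an expected fingerprint are supplied.
if [ "$#" -ge 2 ]; then build_truststore "$@"; fi
```

Without the fingerprint check, the keystore trusts whatever certificate answered on port 636 at the moment the command ran.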