TRC auth with LDAP/SSL to AD

(imported topic written by atlauren)

Hello,

I’m trying to set up our TRC server, using AD authentication via LDAP/SSL. I’ve verified that the LDAP account can bind without SSL, and am now trying to establish a proper SSL setup. Our vendor CA is InCommon; they chain off the AddTrust External CA. The domain controllers have InCommon certificates on their LDAP service; I have verified with openssl s_client that the certs are installed.

With ldap.security_protocol=ssl, however, the connection fails due to certificate chaining. However, I’m thoroughly lost on how to configure the LDAP client with the right intermediates/roots.

  • Does the LDAP client take advantage of the java/jre/lib/security/cacerts store?
  • AddTrust is in this file.
  • Should I add the intermediate there?
  • What file should ldap.ssl_keyStore refer to?
  • The cacerts store?
  • A new keystore that I haven’t created yet?
  • Is that where the intermediate should go?

All of this is before I even tackle a proper cert for the incoming HTTPS connections. Should these be the same keystore as above?

Thanks for any insight.

-Andrew

(imported comment written by Pati_Gall)

Hi,

Can you try the following instructions?

  • Export the root CA public key certificate from the Microsoft Active Directory Certificate Services keystore as a Base-64 encoded X.509 certificate (*.cer).
  • Copy the *.cer to a location in the RC server
  • In the RC server, navigate to C:\Program Files (x86)\IBM\Tivoli\TRC\server\java\jre\bin and double click on ikeyman.bat
  • Click on “Open” and select PKCS12 as DB-Type
  • In file name, click browse and navigate to the following location: C:\Program Files (x86)\IBM\Tivoli\TRC\server\wlp\usr\servers\trcserver\resources\security\key.jks (this path may be slightly different depending on installation options, platform, etc)
  • The default password is WebAS or TrCWebAS (depending on the version, refer to the relevant documentation for your version in Infocenter)
  • Select Signer Certificates from the drop-down menu and click on “Add”. Navigate to and select your .cer file (Note: it will prompt you to open an ".arm" certificate; ignore this and open your *.cer). Provide a label as requested (it can be anything, for instance “TRCLDAP”).

Now we need to change some settings in the ldap.properties file. Locate the ldap.properties file and:

  • Ensure you add the “s” to ldap in the connection URL and specify the port number as 636:

    ldap.connectionURL=ldaps://yourldapserver:636

  • Save the changes and restart the TRC service.

Let me know how you get on. Remember to restart the RC server service after importing the certificate and updating the ldap properties.

Regards,

Pati
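The same procedure as a script, for a Linux install like the one the original poster runs (this is an added example, not code from the thread or from the TRC product). It assumes the install root `$TRC_HOME`, the bundled JRE's `keytool` in place of the ikeyman GUI, and a Base-64 `.cer` root CA file; the `ldap.connectionURL` and `ldap.security_protocol` keys are the ones named in the thread.

```shell
#!/bin/sh
# Constructed example for the LDAPS trust setup described in this thread.
# Assumptions (not from the original post): a Linux TRC install under
# $TRC_HOME, keytool from the bundled JRE, and a Base-64 .cer root CA file.
set -eu

TRC_HOME="${TRC_HOME:-/opt/IBM/Tivoli/TRC/server}"   # assumed install root
KEYTOOL="$TRC_HOME/java/jre/bin/keytool"
KEYSTORE="$TRC_HOME/wlp/usr/servers/trcserver/resources/security/key.jks"

# 1. Import the CA root (the trust anchor) as a signer certificate.
#    -trustcacerts lets keytool complete the chain from already-trusted
#    signers; the store password is WebAS or TrCWebAS depending on version.
import_trust_anchor() {   # import_trust_anchor <cer-file> <alias> <storepass>
    "$KEYTOOL" -importcert -noprompt -trustcacerts \
        -keystore "$KEYSTORE" -storepass "$3" -alias "$2" -file "$1"
    "$KEYTOOL" -list -keystore "$KEYSTORE" -storepass "$3" -alias "$2"
}

# 2. Switch ldap.properties to LDAPS on 636. Rewrites the key in place,
#    or appends it when the file does not have one yet.
set_property() {          # set_property <properties-file> <key> <value>
    if grep -q "^$2=" "$1"; then
        sed -i "s|^$2=.*|$2=$3|" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

ldaps_url_for() {         # ldaps_url_for <dc-host>  -> ldaps://<dc-host>:636
    printf 'ldaps://%s:636\n' "$1"
}

configure_ldaps() {       # configure_ldaps <properties-file> <dc-host>
    set_property "$1" ldap.connectionURL "$(ldaps_url_for "$2")"
    set_property "$1" ldap.security_protocol ssl
}

# 3. Check, independently of Java, that the DC presents a chain that
#    verifies against the same root ("Verify return code: 0 (ok)").
#    A failure here means the DC is not serving its intermediate, or the
#    root you imported is not the one the DC's certificate chains to.
verify_dc_chain() {       # verify_dc_chain <dc-host> <root-ca-pem>
    printf 'Q\n' | openssl s_client -connect "$1:636" -CAfile "$2" \
        -verify_return_error 2>&1 | grep -q 'Verify return code: 0'
}
```

After `configure_ldaps`, a full service restart is still needed for the new trust anchor to take effect.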


(imported comment written by atlauren)

Hi,

Thank you! Using your instructions, I added the CA’s provided AddTrustExternalCARoot.crt to the key.jks file.

As additional detail, it is not sufficient to use Admin -> Reset Application. A full restart of the server is required; as I’m on RHEL, it was:

    service trcserver restart

I suggest that this information for LDAP SSL connections be added to the relevant installation and administration manuals.

best,

-Andrew