000032010 - Invalid parameters error when enabling the encryption checkbox in the LDAP configuration in RSA DLP

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000032010
Applies To: RSA Product Set: DLP
RSA Product/Service Type: Enterprise Manager (EM)
Issue: The LDAP parameters have been configured properly and the user is able to verify them. However, once the encryption checkbox is enabled, verification of the LDAP parameters fails.
Resolution: This issue occurs because EM cannot validate the LDAP server certificate and therefore cannot establish the secure connection to the LDAP server.
The LDAP server certificate (if self-signed) or the signing chain for the LDAP server certificate must be imported into the CA certs file (cacerts) of the JRE used by Enterprise Manager.
  1. On the EM system, open a command prompt and go to the C:\Program Files\Java\jre1.7.x\bin folder.
  2. Run the following at the command prompt, where <ldapserver> is replaced by a friendly name for the LDAP server host or the signing authority, as applicable:
    keytool -import -file <ldapserver>.cer -keystore cacerts -storepass changeit -alias <ldapserver>

    Note: The server certificate may be signed through a chain leading up to a root certificate, so this step may need to be repeated for each certificate in the chain.
    If you do need to add multiple certificates, specify a different alias for each import (keytool rejects an import under an alias that already exists).
    For example:

    keytool -import -file internalroot.cer -keystore cacerts -storepass changeit -alias ldaproot

    keytool -import -file cainternal2.cer -keystore cacerts -storepass changeit -alias ldapca2

  3. Restart the Enterprise Manager service.
  4. In the Enterprise Manager, navigate to Admin -> Settings -> LDAP Configuration, select the desired LDAP Configuration and click Edit.
  5. Add a check mark in the box for Encrypted. The port will automatically change to the default encrypted LDAP port, 636.
Note: Make sure that the LDAP name in the Enterprise Manager UI is the host name of the LDAP server and not an IP address, since the certificate is validated against that name.
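The chain-import step above, scripted as an added example (not part of the RSA article): it splits a PEM bundle into its individual certificates, writes each to its own .cer file and builds one keytool import per certificate with a distinct alias, which is exactly the edge case the note about multiple certificates describes. It assumes the JRE path from step 1 and that the trust store keytool must be pointed at is the JRE's lib\security\cacerts file; the sample chain is constructed and its base64 bodies are placeholders, not real certificates.

```python
import re
from pathlib import Path

# Matches one PEM certificate block, including its BEGIN/END markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def split_pem_chain(pem_text):
    """Return each certificate in a PEM bundle, in the order the file lists them."""
    return PEM_BLOCK.findall(pem_text)


def plan_imports(pem_text, keystore, alias_prefix, storepass="changeit"):
    """Build one keytool import per certificate, each under its own alias.

    keytool refuses a second import under an alias that already exists, so a
    chain of N certificates gets N aliases: prefix1, prefix2, ...
    """
    plan = []
    for n, cert in enumerate(split_pem_chain(pem_text), start=1):
        alias = f"{alias_prefix}{n}"
        cer_file = Path(f"{alias}.cer")
        plan.append({
            "alias": alias,
            "cer_file": cer_file,
            "pem": cert,
            # No -noprompt: the operator still sees and confirms the fingerprint.
            "cmd": ["keytool", "-import", "-file", str(cer_file),
                    "-keystore", str(keystore), "-storepass", storepass,
                    "-alias", alias],
        })
    return plan


def write_cer_files(plan, out_dir):
    """Write each certificate of the plan to <out_dir>/<alias>.cer; returns the paths."""
    paths = []
    for step in plan:
        path = Path(out_dir) / step["cer_file"]
        path.write_text(step["pem"] + "\n")
        paths.append(path)
    return paths


# Constructed two-certificate chain (intermediate, then root); bodies are placeholders.
SAMPLE_CHAIN = """\
-----BEGIN CERTIFICATE-----
MIIBplaceholderIntermediate==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBplaceholderRoot==
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    jre = Path(r"C:\Program Files\Java\jre1.7.x")  # assumed JRE location (step 1)
    for step in plan_imports(SAMPLE_CHAIN, jre / "lib" / "security" / "cacerts", "ldapca"):
        print(" ".join(step["cmd"]))
```

After running the printed commands, `keytool -list -keystore <cacerts path> -storepass changeit -alias ldapca1` (and ldapca2) confirms each certificate landed in the keystore the JRE actually reads.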