000031863 - Enabling Secure LDAP (LDAPS) between an RSA Data Loss Prevention Enterprise Manager server and an LDAP server

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000031863
Applies ToRSA Product Set: Data Loss Prevention
RSA Product/Service Type: Enterprise Manager
RSA Version/Condition: 9.6 SP2
O/S Version: Windows 2008 Server R2 Standard (64 bit)
IssueThis article provides steps on how to enable secure LDAP (LDAPS) between an RSA Data Loss Prevention Enterprise Manager server and an LDAP server.
ResolutionOn the LDAP server/domain controller hosting the Active Directory, of which RSA DLP is a member, import the certificate of the LDAP server:
  1. In the Run box, type mmc and press Enter.
  2. In the MMC interface, select File > Add/remove snap-in.
  3. Select Certificates from the list of available snap-ins and add it.  At the prompt select Computer Account  then click Next and Finish
  4. On the left pane, expand Certificates and select Personal > Certificates.
  5. Right-click on the certificate that has the hostname of the server with the longest Expiration Date.
  6. Click Export and select No, Do not export private key.
    Select DER encoded binary  x509 (.CER) and click Next.
  7. Browse for the destination where the certificate will be exported and name it,  For example, ldapserver.
  8. Click Next and Finish.
  9. Move the exported certificate to the root folder on the C:\ drive of your RSA DLP Enterprise Manager server.
On the RSA Data Loss Prevention Enterprise Manager server: 
  1. In the Run box, type cmd.  When the program displays, right click and choose Run as administrator.
  2. Navigate to C:\Program Files\Java\jre1.7.0_25\lib\security.
  3. Run the following command:
"C:\Program Files\Java\jre1.7.0_25\bin\keytool.exe" -import -file C:\<certname>.cer -keystore cacerts -storepass changeit

  1. Using the command below, verify that the LDAP certificate has been added to keystore:
C:\Program Files\Java\jre1.7.0_25\bin>keytool -list -keystore "C:\Program Files\Java\jre1.7.0_25\lib\security\cacerts" -storepass changeit -v > C:\dumpcerts.txt

  1. Using a text editor, open the dumpcert.txt file.  The certificate should be listed in the file.
  2. In the EM GUI go to > Settings > LDAP Configuration > port = 636 then check the Encrypted box.