000016954 - Connect to ldap using encrypted (ssl) port

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000016954
Applies ToRSA DLP Enterprise Manager  DLP Version Previous to 9.6-SP2.
This procedure will work with the following versions.
IssueConnect to ldap using encrypted (ssl) port
Error: "At least one LDAP parameter is incorrect."
ResolutionEither the ldap server certificate (if self signed) or the signing chain for the ldap server certificate must be imported into the CA certs file of the JRE used by Enterprise Manager.
This affects the configuration item at Admin->Settings->LDAP Configuration where the user can check the checkbox for Encrypted.
1) Open a command prompt and go to the C:\Program Files\RSA\JRE\lib\security folder (or other if EM is in non-default location)
2) Run the following at the command prompt:
keytool -import -file <ldapserver>.cer -keystore cacerts -storepass changeit -alias <ldapserver>
where <ldapserver> is replaced by a friendly name for the ldap server host or the signing authority as applicable
Note: There may be a chain leading to the root certificate so the step may need to be repeated for each certificate in the chain.  If you do need to add multiple certificates make sure to specify a different alias name for each import.
For example:  ..\..\bin\keytool.exe

keytool -import -file internalroot.cer -keystore cacerts -storepass changeit -alias ldaproot

keytool -import -file cainternal2.cer -keystore cacerts -storepass changeit -alias ldapca2
The keytool command is located in the INSTALLDIR\RSA\JRE\bin folder.
Use relative path  run command. (example:

3) Restart the Enterprise Manager service

4) In the Enterprise Manager, navigate to  Admin->Settings->LDAP Configuration, select the desired  LDAP Configuration and click edit.
5) Add a check mark in the box for "Encrypted:"
The port will automatically change to the default encrypted ldap port 636
Legacy Article IDa54480