Authentication Manager How to Retrieve the LDAPS Certificate and Configure an External Identity Source to Use LDAPS
Originally Published: 2015-06-14
Article Number
000067457
Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Component: Identity Sources, LDAPS


Issue
  • You are configuring an identity source to use LDAPS but do not have direct access to the directory server to export the certificate
  • You receive the following error when testing the connection on a new or existing LDAPS identity source:

    Test failed. Unable to establish a connection to the directory

  • The LDAPS directory server certificate has been changed or renewed, and you need to update the Identity Source Certificates in Authentication Manager without accessing the directory server directly
Tasks

This article covers the following tasks:

  1. Retrieve the LDAPS certificate from the external directory server using OpenSSL
  2. Import the certificate into Authentication Manager and configure the identity source to use LDAPS


Resolution

Task 1: Retrieve the LDAPS Certificate Using OpenSSL

  1. Log in to the Authentication Manager server using an SSH client such as PuTTY.
    NOTE: If SSH is not enabled on the Authentication Manager instance, enable it before proceeding. For instructions, see Enable Secure Shell

  2. Run the following command to connect to the LDAPS port on the directory server. In the example below the directory server is 2k8r2-dc1.2k8r2-vcloud.local and the port is 636; substitute the FQDN (or IP address) of your directory server and your LDAPS port, which is typically 636. Prefer the FQDN, and use the same name in the identity source URL, because the certificate is issued to that name (see the subject CN in the output). When the output stops, openssl s_client is holding the connection open and waiting for input; type Q and press Enter, or press Ctrl+C, to close it. The three "verify error" lines (num=20, 27 and 21) are expected here: they only mean that the issuing CA is not in the appliance's OpenSSL trust store, not that the certificate is wrong.

    rsaadmin@am:~> openssl s_client -connect 2k8r2-dc1.2k8r2-vcloud.local:636
    CONNECTED(00000003)
    depth=0 /CN=2k8r2-dc1.2k8r2-vcloud.local
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /CN=2k8r2-dc1.2k8r2-vcloud.local
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 /CN=2k8r2-dc1.2k8r2-vcloud.local
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
    0 s:/CN=2k8r2-dc1.2k8r2-vcloud.local
       i:/DC=local/DC=2k8r2-vcloud/CN=2k8r2-vcloud-2K8R2-DC1-CA
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIGJjCCBQ6gAwIBAgIKEsuj6gAAAAAABDANBgkqhkiG9w0BAQUFADBZMRUwEwYK
    CZImiZPyLGQBGRYFbG9jYWwxHDAaBgoJkiaJk/IsZAEZFgwyazhyMi12Y2xvdWQx
    IjAgBgNVBAMTGTJrOHIyLXZjbG91ZC0ySzhSMi1EQzEtQ0EwHhcNMTQwOTExMDEy
    ODQ5WhcNMTUwOTExMDEyODQ5WjAnMSUwIwYDVQQDExwyazhyMi1kYzEuMms4cjIt
    dmNsb3VkLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArEKb
    npC+gUgqm7G0CRDLJ1n1tG4J4eEfuzr9IHxvGMCnGC45HmhVdpGoiXTI3Wbjpccf
    pE5fjEzTtgeVhvWokPLQk0XNjL3PflTaXPPlTKVQyVYLknODOsuA7arFUmVc1q/U
    jx4zbF60jTJwRu7LHKbpsSJVEjsxw8pG+1tZXkMVUyIBuvUZtbXZd5jydHhp7HIj
    pLjyPOhNH4Iv2txCdT+2TM+IBRfWTLwhRE23AGApbgpQFAoMthqPCrNfCwXU+rPw
    WY9FgO0KQrTlWtBhKRKh3oQ3nca16nZ7cO/mF+/zzWtZEHvPocWtv6bxuXnV7xob
    13Vl0JtaLYZLIj1W5QIDAQABo4IDIDCCAxwwLwYJKwYBBAGCNxQCBCIeIABEAG8A
    bQBhAGkAbgBDAG8AbgB0AHIAbwBsAGwAZQByMB0GA1UdJQQWMBQGCCsGAQUFBwMC
    BggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCBaAweAYJKoZIhvcNAQkPBGswaTAOBggq
    hkiG9w0DAgICAIAwDgYIKoZIhvcNAwQCAgCAMAsGCWCGSAFlAwQBKjALBglghkgB
    ZQMEAS0wCwYJYIZIAWUDBAECMAsGCWCGSAFlAwQBBTAHBgUrDgMCBzAKBggqhkiG
    9w0DBzAdBgNVHQ4EFgQUy9sE6v+XKSINiffZkzTDyjsV/OEwHwYDVR0jBBgwFoAU
    30PS6dNgHEGMrmSGD6iMf35LLagwgeAGA1UdHwSB2DCB1TCB0qCBz6CBzIaByWxk
    YXA6Ly8vQ049Mms4cjItdmNsb3VkLTJLOFIyLURDMS1DQSxDTj0yazhyMi1kYzEs
    Q049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENO
    PUNvbmZpZ3VyYXRpb24sREM9Mms4cjItdmNsb3VkLERDPWxvY2FsP2NlcnRpZmlj
    YXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRp
    b25Qb2ludDCB0gYIKwYBBQUHAQEEgcUwgcIwgb8GCCsGAQUFBzAChoGybGRhcDov
    Ly9DTj0yazhyMi12Y2xvdWQtMks4UjItREMxLUNBLENOPUFJQSxDTj1QdWJsaWMl
    MjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERD
    PTJrOHIyLXZjbG91ZCxEQz1sb2NhbD9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0
    Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTBIBgNVHREEQTA/oB8GCSsGAQQB
    gjcZAaASBBAhwKX+NTxET48lQ/oXB0hHghwyazhyMi1kYzEuMms4cjItdmNsb3Vk
    LmxvY2FsMA0GCSqGSIb3DQEBBQUAA4IBAQCnX7nJC7NMSjSWedhJuE88UfCXMGMP
    b9gU0YQZvGcNqcOkUpRcYLYjc4lapSTSno+hu1pQwQ+iZKxaFz9vDga6RC4TGUS2
    T7KlCEl86DeiFjZrr+lvAvMwX9dwejHsm1O77xQV/KWlwRRQgGZksypSyoYdAKM8
    ePmqjjU77+12tm5dK7Pp76LuHwh9Rg+UxliizrfKttZ0DNMnEMfDMu5sRbcr3C5N
    0gWO0qlE7GCknP4Ai/QcqYVAwSjYwN4Bsdl5KUE9TrIHj0QEH19qMEVDFa7c0Wl5
    BA1q3CeU+V4DtWR922nRZzmkybQo5bJrrKN39NwiCA/dE9LbM4OMxGRK
    -----END CERTIFICATE-----
    subject=/CN=2k8r2-dc1.2k8r2-vcloud.local
    issuer=/DC=local/DC=2k8r2-vcloud/CN=2k8r2-vcloud-2K8R2-DC1-CA
    ---
    Acceptable client certificate CA names
    /DC=local/DC=2k8r2-vcloud/CN=2k8r2-vcloud-2K8R2-DC1-CA
    /CN=2k8r2-dc1.2k8r2-vcloud.local
    /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
    /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
    /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010
    /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2011
    /OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
    /DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
    /CN=NT AUTHORITY
    ---
    SSL handshake has read 2836 bytes and written 477 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES128-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES128-SHA
        Session-ID: BB08000096E8F94C2D986E6920D5BA2DA75DFA6C62D7F57C8C455F4121012EA9
        Session-ID-ctx:
        Master-Key: F10A0F66C04CA3DC62FB777BA60ABD7A77EE25116D30E1E29A2FA708F2558FF080131FC4B5FFC96...
        Key-Arg   : None
        Start Time: 1434324010
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    ---
  3. From the command output, highlight and copy everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, including those two lines. Copy nothing else: a file that also contains the prompt, the "Server certificate" heading or the subject= line is not a valid certificate file.
  4. Paste the copied text into a plain-text editor such as Notepad.
  5. Save the file with a .cer extension:

    • Select File > Save As
    • In the Save as type drop-down, select All Files (*.*)
    • Name the file with a .cer extension (e.g., ldaps_cert.cer)
    • Click Save

Task 2: Import the Certificate and Configure the Identity Source to Use LDAPS

  1. Log in to the Primary server Operations Console.

  2. Navigate to Deployment Configuration > Identity Sources > Identity Source Certificates > Add New.

  3. Enter a descriptive name for the certificate, then click Choose File and browse to the .cer file saved in Task 1, step 5.

  4. Click Save.

  5. Verify: Navigate to Deployment Configuration > Identity Sources and select your identity source. Ensure the following before testing the connection:
    • The directory server URL is using the ldaps:// prefix. If it is still set to ldap://, update it to ldaps:// and set the port to 636
    • The Directory User ID is correctly configured with the appropriate credentials
    • Click Test Connection and confirm the connection test succeeds without errors
Notes
  • The OpenSSL command retrieves only the public certificate that the directory server presents to every TLS client. It needs no directory credentials, and no private key material leaves the server. It does, however, accept whatever certificate arrives over the network, so confirm the subject, issuer, validity period and fingerprint with the directory administrator before importing it (for example with openssl x509 -in ldaps_cert.cer -noout -subject -issuer -dates -fingerprint). Otherwise a certificate substituted by an attacker on the path, or the certificate of the wrong server, would be imported as trusted.

  • This article assumes that port 636 (LDAPS) is open and allowed in the firewall between the Authentication Manager server and the directory server. If port 636 is blocked, the OpenSSL command fails to connect (or hangs until it times out) and no certificate is returned. Ensure the port is allowed before proceeding.

  • Running the following command against the LDAPS port (typically 636) should return TLS connection information and the directory server's public certificate, as in the output shown in Task 1:
    openssl s_client -connect <ldaps_server_fqdn>:636

  • If running the command against port 636 behaves the same as running it against the plain LDAP port 389, that is, OpenSSL prints CONNECTED followed by a handshake error or "no peer certificate available" and no -----BEGIN CERTIFICATE----- block, the Domain Controller or LDAP server is not configured for LDAPS. In that case LDAPS cannot be enabled from the Authentication Manager side, and no configuration change there will resolve it. Ask the directory server administrator to enable LDAPS on the directory server.
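The retrieval in Task 1 and the port 636 versus port 389 check in the note above, as an added shell example to run from the same SSH session. This is not code from the RSA article or from RSA's own tooling: it saves the certificate without copy and paste, reports "no certificate returned" when the port answers without TLS, and prints the subject, issuer, validity and fingerprint so they can be confirmed with the directory administrator before the file is imported. The host, port and output file arguments and the fingerprint-comparison helper are assumptions for illustration; the only tool used is the openssl binary already present in the Authentication Manager shell (assumed recent enough to accept -servername and -sha256).

```shell
#!/bin/sh
# Added example, not part of the RSA article: fetch the LDAPS certificate from
# the Authentication Manager shell without copy/paste, and tell "no LDAPS on
# this port" apart from a firewall block. Assumes openssl is on PATH; host,
# port and output file are hypothetical arguments supplied by the caller.

# Print only the first PEM certificate block from openssl s_client output
# (stdin to stdout). Prints nothing when the server sent no certificate,
# which is what a plain-LDAP port such as 389 produces.
extract_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { exit }'
}

# Number of certificates in s_client output (stdin); 0 means none was returned.
count_pem() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# fetch_ldaps_cert HOST [PORT] [OUTFILE]
# Return codes: 0 certificate saved to OUTFILE; 2 no certificate returned
# (port blocked, wrong port, or server not configured for LDAPS).
fetch_ldaps_cert() {
    host=$1; port=${2:-636}; out=${3:-ldaps_cert.cer}
    # </dev/null makes s_client exit after the handshake instead of waiting
    # for input; -servername sends SNI so a multi-name front end picks the
    # certificate for this host. Errors are discarded: the PEM block, or its
    # absence, is what we act on.
    raw=$(openssl s_client -connect "$host:$port" -servername "$host" \
              </dev/null 2>/dev/null || true)
    pem=$(printf '%s\n' "$raw" | extract_pem)
    if [ -z "$pem" ]; then
        echo "no certificate returned from $host:$port: port blocked, or the server is not doing LDAPS there" >&2
        return 2
    fi
    printf '%s\n' "$pem" > "$out"
    # Show what you are about to trust so it can be confirmed with the
    # directory administrator before it is imported in the Operations Console.
    openssl x509 -in "$out" -noout -subject -issuer -dates -fingerprint -sha256
}

# verify_fingerprint FILE EXPECTED
# Compare the saved certificate's SHA-256 fingerprint (colon-separated hex,
# any case) with the value the directory administrator gave you out of band.
# Returns 0 only on an exact match.
verify_fingerprint() {
    actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//')
    [ "$(printf '%s' "$actual" | tr 'a-f' 'A-F')" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# Usage: sh fetch_ldaps_cert.sh <ldaps_server_fqdn> 636 ldaps_cert.cer
if [ "$#" -ge 1 ]; then
    fetch_ldaps_cert "$@"
fi
```

Run it as sh fetch_ldaps_cert.sh <ldaps_server_fqdn> 636 ldaps_cert.cer, then copy ldaps_cert.cer to the workstation you use for the Operations Console (for example with WinSCP or pscp) and continue with Task 2. Running it against port 389 exercises the failure path from the note above: the exit code is 2 and no file is written. If the directory administrator gives you the server certificate's SHA-256 fingerprint, verify_fingerprint ldaps_cert.cer <fingerprint> succeeds only when the fetched certificate matches it.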


For a step-by-step video guide, please refer to this YouTube tutorial: here