RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
- Configuring an identity source to use LDAPS requires access to the Directory server itself to export the certificate, which may not be available.
- Getting the error message "Test failed. Unable to establish a connection to the directory" when trying to do a Test Connection on an existing or new identity source that uses LDAPS.
- In case of changed or renewed LDAPS directory server certificates, you need to update the Identity Source Certificates to add the new certificate without accessing the directory server itself.
- Log in to the Authentication Manager server with an SSH client (for example, PuTTY) and run the following command, using the same host name and port that are configured in the identity source:
openssl s_client -connect <ldaps_server_fqdn or ip_address>:<ldaps_port>
In the example below, the external identity source server FQDN is 2k8r2-dc1.2k8r2-vcloud.local and the LDAPS port is 636:
rsaadmin@am81p:~> openssl s_client -connect 2k8r2-dc1.2k8r2-vcloud.local:636
CONNECTED(00000003)
depth=0 /CN=2k8r2-dc1.2k8r2-vcloud.local
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=2k8r2-dc1.2k8r2-vcloud.local
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=2k8r2-dc1.2k8r2-vcloud.local
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=2k8r2-dc1.2k8r2-vcloud.local
i:/DC=local/DC=2k8r2-vcloud/CN=2k8r2-vcloud-2K8R2-DC1-CA
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/CN=2k8r2-dc1.2k8r2-vcloud.local
issuer=/DC=local/DC=2k8r2-vcloud/CN=2k8r2-vcloud-2K8R2-DC1-CA
---
Acceptable client certificate CA names
/DC=local/DC=2k8r2-vcloud/CN=2k8r2-vcloud-2K8R2-DC1-CA
/CN=2k8r2-dc1.2k8r2-vcloud.local
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010
/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2011
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
/CN=NT AUTHORITY
---
SSL handshake has read 2836 bytes and written 477 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: BB08000096E8F94C2D986E6920D5BA2DA75DFA6C62D7F57C8C455F4121012EA9
Session-ID-ctx:
Master-Key: F10A0F66C04CA3DC62FB777BA60ABD7A77EE25116D30E1E29A2FA708F2558FF080131FC4B5FFC96...
Key-Arg : None
Start Time: 1434324010
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
- Highlight and copy the output starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----, including those two lines. The copied block should begin with the -----BEGIN CERTIFICATE----- line and end with the -----END CERTIFICATE----- line, as in the output above. The "verify error" lines and "Verify return code: 21 (unable to verify the first certificate)" are expected: the openssl client on the appliance has no trust anchor for the directory's CA, so they do not indicate a problem with the certificate itself. Do check that the subject matches the FQDN configured in the identity source and that the issuer is the CA you expect.
- Paste the text into a text editor such as Notepad.
- Choose File > Save As.
- Click the drop-down for Save as type and select the All Files (*.*) option.
- Save the file with a .cer extension (e.g. ldaps_cert.cer).
- Log in to the primary server Operations Console to import the saved .cer file.
- Select Deployment Configuration > Identity Sources > Identity Source Certificates > Add New.
- Give the certificate any name, then click Choose File and browse to the .cer file created in the previous step.
- Click Save.
- This procedure does not expose any private information from the directory server: the certificate that openssl prints is the public certificate the directory server already presents to every LDAPS client, and no private key is involved.
- It retrieves only the current public certificate used by the directory server for LDAPS connections, without logging in to the directory server and exporting it from there.
- Because the certificate is obtained over the network rather than from the server itself, confirm its subject, issuer and fingerprint with the directory administrator before importing it. Whatever is imported becomes trusted by Authentication Manager for that identity source, so an attacker able to intercept the connection could otherwise have their own certificate trusted. If the issuer shown by openssl is not the CA you expect, stop and investigate before importing.
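The script below is an added example, not part of the RSA article or of the appliance's own tooling. It performs the openssl and save-to-.cer steps of the procedure in one go and then prints the subject, issuer, validity dates and SHA-256 fingerprint that should be confirmed out of band before the file is imported in the Operations Console. The function names, the use of -showcerts, the sample s_client output (a constructed placeholder, not a real certificate) and the host names in it are assumptions of this example; it also assumes the appliance's openssl accepts "x509 -fingerprint -sha256", which current 8.x builds do.

```shell
#!/bin/sh
# Added example, not taken from the RSA article or the appliance's tooling.
# Fetch the LDAPS leaf certificate with openssl s_client, save it as a .cer
# file, and print the fields to confirm with the directory administrator
# before importing it under Identity Source Certificates.
# Assumption: openssl here accepts "x509 -fingerprint -sha256" (current 8.x
# builds do; on a very old build fall back to -sha1).

# Keep only the first PEM block from s_client output read on stdin.
# With -showcerts the server's chain is printed leaf first, so the first
# block is the directory server's own certificate, the one the console expects.
extract_pem() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE-----$/ { if (p) exit }'
}

# Number of certificates the server presented (1 means it sent only its
# leaf, as in the article's output, where the chain shows a single entry 0).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' || true
}

# fetch_ldaps_cert <fqdn> [port] [outfile]
fetch_ldaps_cert() {
    host=$1
    port=${2:-636}
    out=${3:-ldaps_cert.cer}

    # </dev/null closes s_client's stdin so it exits after the handshake
    # instead of waiting for input, which matters when run from a script.
    raw=$(openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null)

    printf '%s\n' "$raw" | extract_pem >"$out"
    if ! grep -q '^-----END CERTIFICATE-----$' "$out"; then
        echo "no certificate returned by $host:$port (LDAPS not enabled on that port, or connection refused)" >&2
        rm -f "$out"
        return 1
    fi
    echo "saved leaf certificate to $out ($(printf '%s\n' "$raw" | count_certs) certificate(s) presented by the server)"

    # What to verify out of band before importing:
    #  - subject CN matches the FQDN configured in the identity source
    #  - issuer is the CA you expect (a domain CA here, not something unknown)
    #  - notAfter is in the future; notBefore shows when a renewed cert took effect
    #  - the SHA-256 fingerprint matches what the directory administrator reports
    openssl x509 -in "$out" -noout -subject -issuer -dates -fingerprint -sha256
}

# Constructed sample of s_client output (placeholder lines, not a real
# certificate) so the parsing can be exercised without a directory server.
SAMPLE_OUTPUT=$(cat <<'EOF'
CONNECTED(00000003)
depth=0 /CN=dc1.example.local
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=dc1.example.local
   i:/DC=local/DC=example/CN=example-DC1-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDplaceholderNotARealCertificateLine1xxxxxxxxxxxxxxxxxxxxxxxxxxx
MIIDplaceholderNotARealCertificateLine2xxxxxxxxxxxxxxxxxxxxxxxxxxx
MIIDplaceholderNotARealCertificateLine3xxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
subject=/CN=dc1.example.local
issuer=/DC=local/DC=example/CN=example-DC1-CA
---
EOF
)

# Usage on the appliance:
#   sh fetch_ldaps_cert.sh 2k8r2-dc1.2k8r2-vcloud.local 636 ldaps_cert.cer
if [ "$#" -ge 1 ]; then
    fetch_ldaps_cert "$@"
fi
```

Run it as rsaadmin on the primary, then copy the resulting .cer file off the appliance (for example with scp) and import it through Deployment Configuration > Identity Sources > Identity Source Certificates. If the script reports more than one certificate presented by the server, the directory also sent its issuing chain; the leaf is still the file that is saved, matching what the manual procedure copies.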