How to use SSL LDAP to sync an external VPC repository
This document (7011953) is provided subject to the disclaimer at the end of this document.
When trying to synchronize an external VPC repository over a Secure Socket Layer (SSL) connection to an LDAP server, no data is synchronized. The VPCSyncDebug log reports errors stating that the socket cannot be accessed.
If you are synchronizing an external repository with the VPC server using an SSL LDAP configuration, follow the instructions below:
1. Create a Certificate authority (CA) in the Active Directory that will be synchronized.
2. Once the CA is created, export it.
- Open a command prompt with administrator permissions and change to the folder where the CA certificate will be saved. (e.g. C:\Users\Administrator\Desktop\test>)
- Execute this command: certutil -ca.cert client.crt
- Verify that the folder "test" now contains a CA certificate named "client.crt"
3. Copy the "client.crt" CA.
4. Go to the VPC server and paste the CA "client.crt". (e.g. C:\Users\Administrator\Desktop\test\client.crt)
5. To import the CA open a command prompt and Execute the following command:
C:\Users\Administrator\Desktop\test>"%JAVA_HOME%/bin/keytool" -import -file client.crt -keystore "%JAVA_HOME%/lib/security/cacerts" -alias adserv
NOTE: JAVA_HOME is an environment variable created in System Properties > Advanced > Environment Variables > System Variables
JAVA_HOME = C:\Program Files (x86)\Java\jre6 (when you create this variable, verify the path of your Java installation)
6. After executing the previous step, a password will be required:
- Enter keystore password:
- By default the password is "changeit" (without quotation marks)
- Enter the password and press Enter.
7. The prompt "Trust this certificate? [no]:" is displayed.
8. Type yes and press Enter.
9. The following message should be displayed:
- Certificate was added to keystore
10. Restart the VPC Service
11. Open VPC Administration Site
12. Go to the Repository tab and click the add repository button to synchronize the external repository that uses the same CA that was imported on the VPC server machine.
13. In the LDAP configuration area, set the "Use SSL" and "LDAP URL" fields as in the following example:
- Use SSL: checked
- LDAP URL: ldaps://<IP or name>:636 (e.g. ldaps://10.31.176.69:636)
14. Synchronize the external repository.
The external repository should now synchronize successfully using the SSL LDAP configuration.
- If the Active Directory machine already has a CA, it is not necessary to create a new one. You can start at step 4, but instead of using "client.crt" as in the example, use the CA certificate that the Active Directory already has.
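As an added example that is not part of this article, the following Python script checks the exported CA file and the LDAPS endpoint: it prints the SHA-256 fingerprint of client.crt (certutil -ca.cert writes DER; a PEM export is handled too) so it can be compared with the fingerprint keytool shows at the "Trust this certificate?" prompt, and optionally performs a TLS handshake against port 636 trusting only that CA, an independent trust check against the same certificate the VPC server was given. The function names and command-line arguments are assumptions.

```python
# Added example (not from the NetIQ article): offline CA-file checks plus an
# optional LDAPS handshake. Function names and arguments are assumptions.
import base64
import hashlib
import re
import socket
import ssl

def to_der(data: bytes) -> bytes:
    """Accept the DER file written by 'certutil -ca.cert' or a PEM export and
    return raw DER, refusing input that is not one well-formed outer SEQUENCE."""
    if b"-----BEGIN" in data:
        m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                      data, re.S)
        if not m:
            raise ValueError("PEM markers present but no CERTIFICATE block")
        data = base64.b64decode(b"".join(m.group(1).split()))
    if len(data) < 2 or data[0] != 0x30:            # X.509 starts with SEQUENCE
        raise ValueError("not a DER certificate")
    if data[1] < 0x80:                               # short-form length
        hdr, length = 2, data[1]
    else:                                            # long-form length
        n = data[1] & 0x7F
        hdr, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    if hdr + length != len(data):
        raise ValueError("DER length does not match file size (truncated file?)")
    return data

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated uppercase hex, the format keytool prints at the
    'Trust this certificate?' prompt, so the two can be compared by eye."""
    return ":".join(f"{b:02X}" for b in hashlib.new(algo, der).digest())

def check_ldaps(host: str, ca_der: bytes, port: int = 636):
    """Handshake against the LDAPS port trusting only the exported CA (DER must
    go in via cadata, not cafile). Raises ssl.SSLCertVerificationError if the
    server certificate does not chain to that CA or does not match the host."""
    ctx = ssl.create_default_context(cadata=ca_der)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return cert["subject"], cert["issuer"], cert["notAfter"]

if __name__ == "__main__":
    import sys                      # usage: script.py client.crt [ldaps-host]
    der = to_der(open(sys.argv[1], "rb").read())
    print("SHA256:", fingerprint(der))
    if len(sys.argv) > 2:
        print(check_ldaps(sys.argv[2], der))
```

If the handshake fails with a verification error while the fingerprint matches, the LDAP server is presenting a certificate issued by a different CA than the one exported, which is the condition that leaves the sync with no data.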
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7011953
- Creation Date:14-MAR-13
- Modified Date:20-MAR-13
- NetIQ VigilEnt Policy Center