If you want Tivoli Directory Integrator (TDI) to connect to a secure LDAP server (LDAPS) via SSL, you need to import the SSL root certificate of the LDAP server into your TDI configuration. This article describes the basics of how to do that.
For the TDI configuration included in IBM Connections, the steps are as described below:
- First, get the root certificate of your LDAP server. This can most easily be done with OpenSSL (stdin is redirected from /dev/null so that s_client exits once the handshake is complete instead of waiting for input):
openssl s_client -connect <hostname of ldap server>:636 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <filename for certificate>.cer
If you do not have “sed” available, you can just manually extract all lines from “-----BEGIN CERTIFICATE-----” to “-----END CERTIFICATE-----” with a text editor and save this section.
- Now you need to import this certificate into the TDI JKS keystore.
You can either do that via the IBM IKEYMAN utility or, faster, via the command line (start the command from the “…\TDISOL\serverapi” directory):
<TDI program directory>/jvm/jre/bin/keytool -import -trustcacerts -alias <alias name for certificate> -file <filename of the certificate>.cer -keystore testadmin.jks -storepass administrator
E.g.:
/opt/IBM/TDI/V7.1/jvm/jre/bin/keytool -import -trustcacerts -alias LDAP-Certificate -file ldaproot.cer -keystore testadmin.jks -storepass administrator
You need to confirm with “yes” that you trust this certificate.
- If you still get SSL errors in the IBMDI.LOG (like “Keystore was tampered with, or password was incorrect”), open the file “<TDI program directory>/etc/global.properties” with a text editor.
Find the sections “## server authentication” and “## client authentication” and replace the line “#{protect}-javax.net.ssl.trustStorePassword={encr}……..” with the line “{protect}-javax.net.ssl.trustStorePassword=administrator” in both sections.
Now your TDI should be able to successfully connect to your secure LDAP server.
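As an added example (these are not the article's own commands), the shell functions below cover the case the one-liner above glosses over: without -showcerts, openssl s_client prints only the server's own certificate, and keytool -import reads only the first certificate in a file, so a captured chain has to be split into one file per certificate before each is imported into testadmin.jks. The keytool path in the comment, the host names and the PEM bodies in the sample are assumed or constructed.

```shell
# split_pem_chain INPUT OUTPUT_PREFIX: one PEM file per certificate
# (OUTPUT_PREFIX-1.cer, -2.cer, ...); prints how many were found.
split_pem_chain() {
    awk -v prefix="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = prefix "-" n ".cer"; inside = 1 }
        inside                          { print > out }
        /^-----END CERTIFICATE-----$/   { inside = 0; close(out) }
        END                             { print n + 0 }
    ' "$1"
}

# import_certs KEYTOOL KEYSTORE STOREPASS ALIAS_PREFIX FILE...
# -noprompt replaces the interactive "yes"; the final -list confirms the
# store opens with that password (the one global.properties must carry).
import_certs() {
    keytool_bin=$1 keystore=$2 storepass=$3 alias_prefix=$4
    shift 4
    i=0
    for cer in "$@"; do
        i=$((i + 1))
        "$keytool_bin" -import -trustcacerts -noprompt -alias "$alias_prefix-$i" \
            -file "$cer" -keystore "$keystore" -storepass "$storepass"
    done
    "$keytool_bin" -list -keystore "$keystore" -storepass "$storepass" | grep -i "$alias_prefix"
}

# Constructed sample shaped like `s_client -showcerts` output; the PEM
# bodies are placeholders, not real certificates.
write_sample_chain() {
    cat > "$1" <<'EOF'
Certificate chain
 0 s:/CN=ldap.example.com
-----BEGIN CERTIFICATE-----
MIIC...SERVER-CERT-PLACEHOLDER
-----END CERTIFICATE-----
 1 s:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIID...ROOT-CA-PLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
EOF
}

# Offline demo. Real import (assumed TDI path): import_certs /opt/IBM/TDI/V7.1/jvm/jre/bin/keytool \
#   TDISOL/serverapi/testadmin.jks administrator LDAP-Certificate "$work"/ldap-*.cer
work=$(mktemp -d)
write_sample_chain "$work/s_client.txt"
echo "certificates found: $(split_pem_chain "$work/s_client.txt" "$work/ldap")"
```

The second file produced from a real capture is the issuer's certificate, which is the one to import when you want the root rather than the server certificate in the truststore.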
Update:
Please make sure that you use the “testadmin.jks” in the “serverapi” directory of your TDI solutions directory (e.g. “TDISOL/serverapi”)!