HOW TO: Import certificates to the Trust Store to perform the sync with SSL Enabled LDAP server in Axon
Solution
Starting from Axon Data Governance 5.4, you can retrieve users from an SSL-enabled LDAP server. Refer to the Axon Admin Guide for the complete steps to retrieve users from an SSL-enabled LDAP server.

Following are the steps to import the certificates of the LDAP server into the Axon Trust Store. Contact your LDAP administrator to obtain the certificates for the LDAP server. The certificates must be in PEM format. Check whether a certificate is in PEM format using the following command:

openssl x509 -in <certificate_file> -inform pem -text -noout

If the contents of the certificate are displayed, the certificate is in PEM format. If not, you need to convert it to PEM format. Refer to the following examples to convert your certificate to PEM:

  • Converting DER to PEM:
openssl x509 -in certFile -inform DER -outform PEM -out convertedCertFile
  • Converting Base64 X.509 to PEM:
openssl x509 -in certFile -outform PEM -out convertedCertFile

Note

If there are multiple certificates, then convert individual certificates to PEM and then concatenate them to create one PEM file.

For instance, to concatenate two PEM certificates:

cat first_cert.pem second_cert.pem > combined_cert.pem
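The format check, DER-to-PEM conversion and concatenation above, as an added example that is not part of this KB article or of the Axon product: a standard-library-only Python helper that decides PEM versus DER from the file bytes rather than the file extension, converts DER to PEM the way the openssl command does, and builds one combined file for keytool. SAMPLE_DER is a constructed ASN.1 SEQUENCE standing in for a certificate body, not a real certificate.

```python
import base64
import re
# Added example, not Informatica's code: decide PEM vs DER from the bytes (not the
# .cer/.pem extension), convert DER to PEM and concatenate into one bundle for
# "keytool -import". Standard library only, no openssl needed.
PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def detect_format(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown'."""
    if PEM_BLOCK.search(data):
        return "pem"
    # A DER certificate is an ASN.1 SEQUENCE (tag 0x30) whose length covers the rest.
    if len(data) >= 2 and data[0] == 0x30:
        first = data[1]
        if first < 0x80:                      # short-form length
            length, header = first, 2
        else:                                 # long-form: next n bytes hold the length
            n = first & 0x7F
            if n == 0 or len(data) < 2 + n:
                return "unknown"
            length, header = int.from_bytes(data[2:2 + n], "big"), 2 + n
        if header + length == len(data):
            return "der"
    return "unknown"

def der_to_pem(der: bytes) -> bytes:
    """Same output as: openssl x509 -inform DER -outform PEM (64-char base64 lines)."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"

def build_bundle(files: list[bytes]) -> bytes:
    """Normalise every input to PEM and concatenate (cat a.pem b.pem > combined.pem)."""
    out = []
    for data in files:
        fmt = detect_format(data)
        if fmt == "der":
            out.append(der_to_pem(data))
        elif fmt == "pem":
            for m in PEM_BLOCK.finditer(data):  # re-encode each block after checking it
                der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
                if detect_format(der) != "der":
                    raise ValueError("PEM block is not a DER certificate")
                out.append(der_to_pem(der))
        else:
            raise ValueError("neither PEM nor DER; ask the LDAP admin for a PEM export")
    return b"".join(out)

# Constructed sample (not a real certificate): a minimal DER SEQUENCE to exercise the logic.
SAMPLE_DER = bytes.fromhex("3003020101")
```

Write the returned bundle to combined_cert.pem and pass it to the keytool -import step below.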

Create a keystore that will act as the Trust Store for Axon and hold the LDAP server certificates. Use the following command to generate the keystore:

<INSTALLATION_DIR>/axonhome/java/jre/bin/keytool -keystore <keystore_file_name> -genkey -alias <alias_name>

For instance:

<INSTALLATION_DIR>/axonhome/java/jre/bin/keytool -keystore clientkeystore -genkey -alias ldapClient

Now, import the PEM certificate into the keystore using the following command. Use an alias different from the one given to -genkey above: if the alias already holds the generated key pair, keytool treats the file as a certificate reply for that key instead of as a trusted certificate, and the import fails.

keytool -import -alias <certificate_alias_name> -file <LDAP_server_certificate_file> -keystore <keystore_file>

For instance:

keytool -import -alias ldapServerCert -file combined_cert.pem -keystore clientkeystore

In the Admin Panel, fill out the fields as follows while configuring LDAP:
  • LDAP SSL Certificate File: Path to the SSL certificate for the LDAP server. The SSL certificate file must be in the PEM format
  • Trust Store for LDAP Synchronization: Path to the keystore to which the PEM certificate has been imported
  • Trust Store Password for LDAP Synchronization: Password for the keystore to which the PEM certificate has been imported

Fill in the remaining fields as described in the Admin Guide.
More Information
To verify the keystore password, use the following command:

keytool -list -v -keystore <keystore_file>

This prompts you to enter the password. If the password is correct, the contents of the keystore are shown; otherwise the following error message is displayed:

keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

Note
  • A .cer extension does not mean that the certificate is in DER format, and a .pem extension does not mean that the certificate is in PEM format. Do not confuse file extensions with certificate formats.
  • Ensure that the CN (common name) in the certificate matches the value of the Host field in the LDAP configuration in the Axon Admin Panel. Because the certificate is in PEM format, you can open it in a text editor such as vi, or inspect it with the openssl x509 -text command shown above, to check the CN.
Last Modified Date: 11/29/2018 1:37 AM   ID: 563318