How to enable TLS communication between ADAM Source and LDAP Server?

Hey Guys,

If anyone has done the enablement of TLS between an ADAM source and an LDAP server, kindly guide me with the steps.

BR,
Apoorv

Hi @Apoorv0802 ,

If you have your LDAP root certificate, you can copy this certificate file into /home/sailpoint/certificate, and in your source configuration you can enable TLS and use the correct port.

How to get that LDAP root certificate, and once we get it, do we just need to put it in the VA and enable TLS?

do we just need to put it in the VA? ==> Yes
enable TLS? ==> Yes. You can enable TLS when setting up your LDAP connection configuration.

To get the certificate, ask your team who is responsible for that.

And also, if TLS is enabled on your LDAP Server.

You can verify and extract it by using the openssl command from your VA and copy the file into the certificates directory.
Please refer to Virtual Appliance Troubleshooting Guide - Compass (sailpoint.com)

openssl s_client -connect server.domain.local:port

server.domain.local is the host name of your LDAP Server.
And port is the SSL port configured on your LDAP Server (636 for example).

In the result of the command you will see a block containing -----BEGIN CERTIFICATE----- xxxxxxxxxx -----END CERTIFICATE-----.

Copy and paste this block into a file with the .cer extension (example: LDAP-Certificate.cer) and put this file into /sailpoint/home/certificates

This is an alternative way to retrieve the certificate, but your LDAP team can provide this certificate directly, and you must put it in the same VA directory /sailpoint/home/certificate
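As an added example (not code from this thread, from SailPoint, or from the VA), a POSIX shell script that carries out the steps above: it runs openssl s_client with -showcerts so the whole chain is printed rather than only the server certificate, writes each BEGIN/END CERTIFICATE block to its own .cer file under a prefix you choose (for instance inside the VA certificates directory named above), and reports the "no peer certificate available" case instead of producing an empty file. The host name, port and file names are assumptions, and both sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): save the certificate blocks that
# `openssl s_client` prints into numbered .cer files, as the steps above
# describe, and fail clearly on the "no peer certificate available" case.

# Read s_client output on stdin, write PREFIX-N.cer for each certificate
# block, print how many were found; return 1 when there is none.
extract_certs() {
  count=$(awk -v p="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = p "-" n ".cer" }
    f                             { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END                           { print n + 0 }')
  [ "$count" -gt 0 ] || { echo "no certificate in s_client output" >&2; return 1; }
  echo "$count"
}

# Connect to HOST:PORT (the LDAPS port, usually 636) and save the chain.
# -showcerts prints every certificate the server sends, not only the leaf.
fetch_certs() {
  openssl s_client -showcerts -connect "$1:$2" </dev/null 2>/dev/null \
    | extract_certs "$3"
}

# Constructed sample of `openssl s_client -showcerts` output with a two-level
# chain; the base64 bodies are placeholders, not real certificates.
SAMPLE_OK='CONNECTED(00000003)
Certificate chain
 0 s:CN = ldap.example.test
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIBleafPlaceholderLine1
MIIBleafPlaceholderLine2
-----END CERTIFICATE-----
 1 s:CN = Example Root CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIBrootPlaceholderLine1
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldap.example.test'

# Constructed sample of the failure seen in the thread (non-TLS port).
SAMPLE_FAIL='CONNECTED(00000003)
write:errno=104
no peer certificate available'

# Demo on the sample: prints 2 and writes /tmp/ldap-demo-1.cer and -2.cer.
printf '%s\n' "$SAMPLE_OK" | extract_certs "${TMPDIR:-/tmp}/ldap-demo"
```

For a real server, call fetch_certs with the host, the LDAPS port and the output prefix, e.g. fetch_certs ldap.example.test 636 /home/sailpoint/certificates/ldap, then inspect each file with openssl x509 -in FILE -noout -subject -issuer to confirm the chain is complete.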

Can you please give me an example of a server, how can I put it in the command?

openssl s_client -connect server.domain.local:port

server.domain.local is the URL of your LDAP server, and you can try port 636.

For example, my server is like this: usawsaagd222.corp.xyzzx.com and the port is 12389.

So can I give the command like below?
openssl s_client -connect usawsaagd222.corp.xyzzx.com:12389

Yes, you can use this command on your virtual appliance server to check if the certificate exists:

openssl s_client -connect usawsaagd222.corp.xyzzx.com:12389

Hey, when I tried the command I couldn't connect with the hostname but could with the IP address, so I am getting the below error. What does it mean?

CONNECTED(00000003)
write:errno=104

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 299 bytes
Verification: OK

New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

no peer certificate available ==> That means SSL is not configured on your LDAP, or you're not using the correct SSL port.

Ask the team that manages your LDAP.

No, but now I got the certificate once I used port number 636 instead of 12389, but still when I enabled TLS I got an error,
and in the cert as well I got one error:
CONNECTED(00000003)
Can’t use SSL_get_servername

Do we need to include the start and end of the cert as well, or only the content between start and end?

Hey, I took the cert from the LDAP team and put it in the VA, but still TLS is not successful??

Hi @Apoorv0802,

Are you sure that you have all of your certificate chain?

Try to use an LDAP browser (Apache Directory Studio, LDAP Softerra, LDAP Admin or any other LDAP browser) to validate that you are able to connect to your LDAP using the SSL port.
