
LDAP with SSL using MID Server

jonas_franzen
Kilo Explorer

Anyone know the reason why the SSL checkbox should disappear when using a MID Server for LDAP?

I've seen the note "Note: The SSL connection is not available with the MID Server." on this page https://wiki.servicenow.com/index.php?title=LDAP_Integration_Setup#Step_5._Set_Connection_Properties .
But if I use the instructions from this page http://wiki.servicenow.com/index.php?title=MID_Server_Configuration#Adding_SSL_Certificates to add a certificate to the MID Server and change the LDAP link to "ldaps://server.domain:636" it seems to be working…

BTW, what's the default password for the cacerts keystore?
What does it contain by default?
I had to rename the default keystore and created a new one setting my own password.


Yes, adding the cert to the MidServer bundled jre truststore is what worked for me too.



agent/jre/bin/keytool -importcert -noprompt -trustcacerts -alias AD_SERVER_NAME -file ../PATH/SERVER_CERT.pem -storepass changeit -keystore agent/jre/lib/security/cacerts



Don't forget to restart your mid instance for the keystore addition to take effect. How does one go about getting this in the actual wiki?



Also, if the MidServer performs an auto-upgrade, is the jre upgraded and this file replaced with a fresh cacerts?



It would seem to me that the SSL Certificates could be distributed to the MidServers the same way other files are. Suppose I could add that to my list of things to get around to.


Did this allow you to connect via port 636 using the Mid Server?



Thanks!



Mark Didrikson


Yes, adding the certificate to the Mid Server Instance truststore will get you past this error:




""sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.""




Remember you must stop and start the Mid Server instance again for the SSL certs to be re-parsed.


Thanks. Did you have to extract your certificate from your LDAP server and convert it to .pem format?



Do you need to upload it to the ServiceNow instance also?



Thanks again for your help!


Yes, I used the following command:



openssl s_client -connect example.com:443



to capture the PEM format of the cert directly from the LDAP/AD server. (requires copy and paste and then ctrl-c to exit)



Since the SSL connection takes place inside my network from a Mid Server instance, the cert must be installed as trusted in the cacerts file of the jre bundled with the Mid Server instance.



Since the SSL connection is not originated from ServiceNow, you do not need to upload the cert there. It actually would be a nice feature if the certs could be pushed out to the Mid Servers just like other files are. (MIBs and Mid Server Script Includes)
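The replies above describe a three-step procedure (capture the server certificate with openssl s_client, import it into the MID Server's bundled JRE cacerts with keytool, restart the MID Server) and raise the worry that a MID Server auto-upgrade could replace cacerts. The script below is an added example, not code from the thread or from ServiceNow, that chains those steps and makes the import idempotent so it can simply be re-run after an upgrade. The install path MID_HOME, the host dc01.example.com, the alias name and the stop.sh/start.sh script names are assumptions; "changeit" is the stock JRE cacerts password that the keytool command earlier in the thread also uses. Unlike the reply that ran s_client against port 443, it connects to the LDAPS port 636 and uses -showcerts so that the issuing CA, rather than the leaf, can be trusted; the sample s_client output at the bottom is constructed so the parsing helpers can be exercised without a network connection.

```shell
#!/bin/sh
# Added example (not the thread's or ServiceNow's code): fetch an LDAPS
# server's certificate chain, trust its issuer in the MID Server's bundled
# JRE cacerts, and restart the MID Server. Paths, host, alias and the
# stop.sh/start.sh names are assumptions.
set -eu

MID_HOME="${MID_HOME:-/opt/servicenow/mid/agent}"   # assumed install path
LDAP_HOST="${LDAP_HOST:-dc01.example.com}"           # assumed AD/LDAP host
LDAP_PORT="${LDAP_PORT:-636}"                        # LDAPS port
ALIAS="${ALIAS:-ldaps-$LDAP_HOST}"                   # assumed alias
KEYTOOL="$MID_HOME/jre/bin/keytool"
CACERTS="$MID_HOME/jre/lib/security/cacerts"
STOREPASS="${STOREPASS:-changeit}"                   # stock JRE default

# Count PEM certificate blocks in s_client output read from stdin.
pem_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Print the N-th (1-based) PEM certificate block from stdin. s_client prints
# the leaf first; with -showcerts the server's chain follows, so the last
# block is the highest CA the server sends (often an intermediate, because
# many servers omit the root).
pem_block() {
    awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    '
}

# Fetch the chain. -servername sets SNI; </dev/null closes the session
# without the ctrl-c the thread mentions.
fetch_chain() {
    openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" \
        -servername "$LDAP_HOST" -showcerts </dev/null 2>/dev/null
}

# Import PEM file $2 under alias $1 only if that alias is absent, so the
# script is safe to re-run after a MID Server auto-upgrade replaces cacerts.
ensure_trusted() {
    if "$KEYTOOL" -list -alias "$1" -keystore "$CACERTS" \
            -storepass "$STOREPASS" >/dev/null 2>&1; then
        echo "alias '$1' already present in $CACERTS"
        return 0
    fi
    "$KEYTOOL" -importcert -noprompt -trustcacerts -alias "$1" -file "$2" \
        -keystore "$CACERTS" -storepass "$STOREPASS"
    echo "imported '$1'; the MID Server must be restarted to pick it up"
}

main() {
    chain=$(fetch_chain || true)
    count=$(printf '%s\n' "$chain" | pem_count || true)
    if [ "$count" -eq 0 ]; then
        echo "no certificate received from $LDAP_HOST:$LDAP_PORT" >&2
        exit 1
    fi
    tmp=$(mktemp)
    # Trust the issuer rather than the leaf so a routine renewal of the
    # server certificate does not break the LDAP integration.
    printf '%s\n' "$chain" | pem_block "$count" >"$tmp"
    ensure_trusted "$ALIAS" "$tmp"
    rm -f "$tmp"
    "$MID_HOME/stop.sh" && "$MID_HOME/start.sh"   # assumed script names
}

# Constructed sample of s_client -showcerts output (leaf, then issuer);
# used only to exercise the PEM parsing without a network connection.
SAMPLE_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = dc01.example.com
-----BEGIN CERTIFICATE-----
MIIBleafCertBodyLine1
MIIBleafCertBodyLine2
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIBissuerCertBody
-----END CERTIFICATE-----
---'

# Returns 0 when the parsing helpers behave as expected on SAMPLE_OUTPUT.
selfcheck() {
    [ "$(printf '%s\n' "$SAMPLE_OUTPUT" | pem_count)" -eq 2 ] || return 1
    [ "$(printf '%s\n' "$SAMPLE_OUTPUT" | pem_block 2 | sed -n 2p)" = "MIIBissuerCertBody" ] || return 1
    [ "$(printf '%s\n' "$SAMPLE_OUTPUT" | pem_block 1 | wc -l | tr -d ' ')" -eq 4 ] || return 1
}

# Run the real procedure only when explicitly requested:
#   RUN_LDAPS_TRUST=1 LDAP_HOST=dc01.example.com sh ldaps_trust.sh
if [ "${RUN_LDAPS_TRUST:-0}" = 1 ]; then
    main
fi
```

Because the import is guarded by a keytool -list lookup, a cron job or the same configuration-management run that deploys the MID Server can invoke the script after every upgrade: it is a no-op while the alias is present and re-imports (and prompts for a restart) only when a fresh cacerts has wiped it.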