LDAP with SSL using MID Server
12-13-2013 02:23 AM
Does anyone know the reason why the SSL checkbox should disappear when using a MID Server for LDAP?
I've seen the note "Note: The SSL connection is not available with the MID Server." on this page https://wiki.servicenow.com/index.php?title=LDAP_Integration_Setup#Step_5._Set_Connection_Properties .
But if I use the instructions from this page http://wiki.servicenow.com/index.php?title=MID_Server_Configuration#Adding_SSL_Certificates to add a certificate to the MID Server and change the LDAP link to "ldaps://server.domain:636", it seems to be working…
BTW, what's the default password for the cacerts keystore?
What does it contain by default?
I had to rename the default keystore and create a new one, setting my own password.

08-17-2015 07:42 PM
Thanks! We were able to get this working.
Thanks again.
08-18-2015 06:23 AM
Mark Didrikson While you have it fresh in your mind, why don't you document your steps here.
12-19-2018 08:47 AM
Hi Johnny/ All,
I'm also facing this issue during the London upgrade. I tried the command provided by you but it's not working.
As per the URL below, I have a few doubts; please resolve them if you can.
https://docs.servicenow.com/bundle/london-servicenow-platform/page/product/mid-server/task/add-ssl-certificates.html
Issue 1) agent/jre/lib/security/cacerts: in our MID Server we don't have a cacerts folder, so I'm using the command below, but it's not working.
d:\\path\jre\bin>keytool -import -alias mycer -file "D:\keystore\mycer.cer" -storepass changeit -keystore "d:\Server\Apps\ServiceNow\agentWK01\jre\lib\security"
I have full MID Server access, so I have stored the certificate file on the D drive under D:\keystore\mycer.cer, but I'm still getting an X.509 certificate error.
Could you please let me know where I'm making a mistake? Thank you! Ravi
09-18-2017 10:26 AM
The ServiceNow Wiki content is no longer supported. Updated information about this topic is located here: MID Server Configuration
Visit http://docs.servicenow.com for the latest product documentation

06-13-2017 06:10 AM
I came across this post while working on moving from LDAP to LDAPS with our midserver. The steps here gave me hints but I still had some confusion, so I'll list the steps I took.
So we already had LDAP set up through our midserver and I thought it was going to be as simple as changing the LDAP URL to ldaps://xxxxx:636/, but then I received:
sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: Unable to find certificate chain.
I couldn't find an exact match on Google but I found some clues. I knew I needed to get a certificate from our LDAP server, so I first had to reach out and find out where to get that from. Don't be a silo and think you can find everything on your own; ask people. Once I got the certificate (a .crt file) I needed to add it to the cacerts cert chain on our midserver.
Our midserver is a RHEL7 Linux box that hosts our sandbox, dev, and test midservers.
- I first SFTP'd to the server and dropped the .crt file in my home directory.
- Then I SSH'd to the server and checked if we had keytool available globally:
keytool -h
- We did, so I did not have to cd to the jre folder in our midserver installation.
- Now that the file is in my home directory and we have the ability to run keytool, I just needed to add the .crt to the key chain:
keytool -importcert -noprompt -trustcacerts -alias <?ANY NAME YOU WANT?> -file <?PATH TO YOUR CERT?> -storepass changeit -keystore <?PATH TO YOUR CACERT KEYSTORE FOR MIDSERVER?>
<?PATH TO YOUR CERT?> = this is the path to your certificate, so in my case it was /home/my_name/my_cert.crt
<?PATH TO YOUR CACERT KEYSTORE FOR MIDSERVER?> = this is the path to the cacerts file for your midserver, so first find the path to the midserver; the cacerts file is then in jre/lib/security/cacerts
<?ANY NAME YOU WANT?> = this value can be whatever you want it to be, as long as it does not conflict with the name of another cert in your keystore. You can check the values in your keystore by navigating to <?PATH TO YOUR CACERT KEYSTORE FOR MIDSERVER?> and running
keytool -list -storepass changeit -keystore cacerts
- After you add your cert(s) to the keystore you will NEED to restart your midserver.
- After your midserver successfully restarts and your ServiceNow instance displays your midserver as up, you can now test your LDAP server using the ldaps://xxxxx:636 URL.
- It should connect successfully now.
A few notes:
- The default password is changeit, so if someone else set your midserver up they could have changed it and you will have to ask around again.
- I used .crt and I have seen others use .pem files, so I think multiple types of files are allowed in the keystore.
- You do NOT need to set the SSL check box on your ServiceNow instance LDAP server.
- The person who gave me the certs I needed sent 2 over. I added one first and received:
sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: TrustAnchor found but certificate validation failed.
- But then I added the second and my connection succeeded.
John
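As an added example (not John's own script, nor anything from ServiceNow), here is a small POSIX shell helper that wraps the steps in this post and checks the two things that went wrong in this thread: the -keystore argument must point at the cacerts file itself, not its security/ directory, and every certificate in the chain (intermediate and root) must be imported. MID_HOME, the STOREPASS variable and the way aliases are derived from file names are assumptions made here.

```shell
#!/bin/sh
# Import an LDAPS server/CA certificate chain into the MID Server JRE truststore.
# Assumptions (not from the thread): MID_HOME is the MID Server install directory
# (the one containing jre/), STOREPASS defaults to the JRE default "changeit",
# and each certificate is a single PEM or DER X.509 file.
# Usage: import_chain /opt/servicenow/mid/agent ~/ldap-intermediate.crt ~/ldap-root.crt

# Resolve the truststore path and refuse anything that is not a regular file; this
# catches the "-keystore pointed at the security/ directory" mistake seen above.
keystore_path() {
  ks="$1/jre/lib/security/cacerts"
  [ -f "$ks" ] || { echo "truststore is not a file: $ks" >&2; return 1; }
  printf '%s\n' "$ks"
}

# Prefer the MID Server's bundled keytool so the import lands in the JRE the agent runs on.
keytool_bin() {
  if [ -x "$1/jre/bin/keytool" ]; then printf '%s\n' "$1/jre/bin/keytool"; else command -v keytool; fi
}

# Derive a keystore alias from the file name: strip directory and extension, lowercase.
alias_from_file() {
  basename "$1" | sed 's/\.[^.]*$//' | tr '[:upper:]' '[:lower:]'
}

# Check that a file parses as an X.509 certificate in either PEM or DER encoding.
cert_is_x509() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1 ||
    openssl x509 -in "$1" -inform DER -noout >/dev/null 2>&1
}

# Import every certificate given (intermediate and root both, as the post found was
# needed), then list the trusted entries so the result can be checked by eye.
import_chain() {
  mid_home="$1"; shift
  ks=$(keystore_path "$mid_home") || return 1
  kt=$(keytool_bin "$mid_home") || { echo "keytool not found" >&2; return 1; }
  for cert in "$@"; do
    cert_is_x509 "$cert" || { echo "not an X.509 certificate: $cert" >&2; return 1; }
    "$kt" -importcert -noprompt -trustcacerts -alias "$(alias_from_file "$cert")" \
      -file "$cert" -storepass "${STOREPASS:-changeit}" -keystore "$ks" || return 1
  done
  "$kt" -list -storepass "${STOREPASS:-changeit}" -keystore "$ks" | grep -i 'trustedCertEntry'
  echo "now restart the MID Server service so the agent JVM reloads $ks" >&2
}
```

After the import, the MID Server service still has to be restarted, exactly as the post says, because the running JVM only reads cacerts at startup.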