Troubleshooting
Problem
The SET LDAPPASSWORD command is used to configure an IBM Spectrum Protect server that is integrated with a Lightweight Directory Access Protocol (LDAP) server. The command fails with the ANR3116E error message.
Symptom
The following messages are displayed in the activity log of the IBM Spectrum Protect server instance:
ANR3114E LDAP error 116 (Failed to connect to ssl server.) occurred during ldap_start_tls_s_np.
ANR3116E LDAP SSL/TLS error 414 (Bad certificate) occurred during ldap_start_tls_s_np.
ANR3103E Failure occurred while initializing LDAP directory services.
ANR2732E Unable to communicate with the external LDAP directory server.
Cause
The LDAP certificate authority (CA) certificate is missing from the cert.kdb file of the IBM Spectrum Protect server instance.
Environment
The issue occurs in an environment in which the CA certificate is required.
Diagnosing The Problem
Use the gsk8capicmd_64 command to list and view the certificate details. The command and the output are similar to the following example:
$ gsk8capicmd_64 -cert -list -db cert.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
...
! CA_Cert
$ gsk8capicmd_64 -cert -details -label "CA_Cert" -db cert.kdb -stashed
Label : CA_Cert
Key Size : 2048
Version : X509 V3
Serial : ...
In this example, the CA intermediate certificate was missing.
Resolving The Problem
To resolve the problem, you must import the CA root and intermediate certificates to the cert.kdb file of the IBM Spectrum Protect server instance, and then restart the instance. Complete the following steps:
- Download the certificate for the LDAP server by using the openssl command. For example:
openssl s_client -connect ldap-host:636 -showcerts -verify_hostname ldap-host
where ldap-host specifies the fully qualified domain name of the LDAP server.
- Copy the output from the command into a file, ca-cert.crt.
- Import the certificate to the server instance by using the gsk8capicmd_64 command. For example:
$ gsk8capicmd_64 -cert -add -db "cert.kdb" -stashed -label "CA_Cert" -format ascii -file ca-cert.crt -trust enable
- Validate the certificate by using the gsk8capicmd_64 command. For example:
$ gsk8capicmd_64 -cert -validate -db cert.kdb -stashed -label CA_Cert
- Restart the IBM Spectrum Protect server instance.
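The download and copy steps above, as an added example that is not part of the original technote: openssl s_client -showcerts prints the server certificate and the CA certificates that the server sends, mixed with session text, so this script splits saved output into one PEM file per certificate for inspection before import. The function names, the chain-N.pem file names and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not IBM's code. Function names, chain-N.pem and the sample are assumptions.

# split_chain OUTDIR: read saved `openssl s_client -showcerts` output on stdin,
# write each complete PEM block to OUTDIR/chain-N.pem, print how many were written.
split_chain() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ { buf = ""; inblock = 1 }
        inblock { buf = buf $0 "\n" }
        /^-----END CERTIFICATE-----/ && inblock {
            n++; file = dir "/chain-" n ".pem"
            printf("%s", buf) > file; close(file); inblock = 0
        }
        END { print n + 0 }
    '
}

# describe_cert FILE: show subject, issuer and SHA-256 fingerprint, to tell the
# server certificate from the CA certificates and to check each one before import.
describe_cert() {
    openssl x509 -noout -subject -issuer -fingerprint -sha256 -in "$1"
}

# Constructed sample shaped like s_client output; the base64 is a placeholder,
# not a real certificate, so describe_cert is not run on it.
sample_output() {
    cat <<'EOF'
Certificate chain
 0 s:CN = ldap-host
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
---
Server certificate
EOF
}

demo_dir=$(mktemp -d)
count=$(sample_output | split_chain "$demo_dir")
echo "wrote $count certificate file(s) to $demo_dir"
```

Compare the fingerprint that describe_cert prints for each CA file with the value obtained from the CA's administrator before importing that file with -trust enable.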
Document Information
Modified date:
17 June 2018
UID
swg22015854