Importing an LDAP certificate with non-mutual authentication

To authenticate an LDAP server with the CMM, you must import either the certificate of the LDAP server or the certificate of the Certificate Authority (CA) which signed the LDAP server certificate. The process for importing either an LDAP server certificate or the certificate of the CA with non-mutual authentication is the same.

Import a certificate by using non-mutual external authentication when you only have to authenticate the LDAP server with the CMM. You can authenticate the LDAP server with the CMM using the CMM management interface.
Note: Certificates must be signed using SHA-1 hashes, SHA-2 hashes are not supported.

To import an LDAP certificate or a CA, by using non-mutual authentication, complete the following steps:

  1. Obtain the external LDAP certificate or CA and place it on the server that will be used to import it. Depending on your CMM configuration, supported server types can include TFTP, FTP, HTTP, HTTPS, and SFTP.
  2. Start a CMM management session:
    • To start the CMM web interface, see Starting the web interface for instructions.
    • To start a CMM CLI session, see Starting the command-line interface for instructions.
      Note: For the CLI, the sslcfg command must be targeted to the primary CMM. The following example assumes that the command environment has been set to the primary CMM through the env command (see env command for information about command use). If the command environment has not been set to the primary CMM, you can direct the command to the primary CMM by using the -T mm[p] option, (see Command targets for information).
  3. Import the external LDAP certificate or CA into the CMM:
    • In the CMM web interface, click Mgt Module Management > Security > LDAP Client Security > Generate and Import Externally Signed LDAP Client Certificate. In the Generate and Import Externally Signed LDAP Client and intermediate Certificate window, select either the option to import the certificate file or paste the certificate information in PEM format, then click Save and Install.
    • In the CLI, import the external LDAP certificate or CA into the CMM by using the sslcfg command (see sslcfg command for additional information about command use):
      sslcfg -tc1 import -u file_location_on_server
      • -tc1 indicates trusted certificate 1. -tc2 or -tc3 can also be used to specify trusted certificates 2 and 3.
      • file_location_on_server is a fully qualified location that specifies the server type, the IPv4 or IPv6 IP address of the server, and a valid file name of the certificate file, of up to 256 characters and containing any character except the percent sign ( % ) or double quotation mark ( " ). The forward slash ( / ) can be used only as part of the path name, not as part of the file name.
      Note: For information about how to specify a URL for file transfer, see Specifying a URL for file transfer.