After upgrading from version 12.8SP1 to SP4, the Policy Server fails to connect to the LDAP User Store via SSL. The Policy Server returns this error message:
[SmDsLdapConnMgr.cpp:917][ERROR][sm-Ldap-01370] SmDsLdapConnMgr Bind. Server ldapserver.example.com : 636. Error 81-Can't contact LDAP server
When the Policy Server is reverted to the old version, the connection works again.
There was no change to the certificate on the LDAP servers.
Policy Server 12.8SP04
The cert8.db was generated using the older version of the Policy Server and is no longer compatible with the NSS library bundled with the Policy Server version 12.8SP4.
-------------------
certutil -L -d .
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
-------------------
Create a new cert8.db using the certutil that comes with the Policy Server version 12.8SP4 (1).
Launch smconsole, point it to the new cert8.db, and restart the Policy Server.
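
Error 81 in the Policy Server log does not say whether the network, the LDAP server certificate, or the local certificate database is at fault. The script below is an added example, not part of the original article: it runs the same `certutil -L -d` check shown above and separates the legacy-format failure from other errors, so it can be used both to confirm the cause and to verify the recreated database. The `CERTUTIL` variable and the `check_nss_db` function name are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify an NSS certificate database directory with certutil.
# Assumption: CERTUTIL points at the certutil bundled with the Policy Server
# version being checked; it defaults to whatever "certutil" is on PATH.
CERTUTIL="${CERTUTIL:-certutil}"

# check_nss_db DIR
#   returns 0 if the database in DIR can be listed,
#           2 if certutil reports the legacy format described on this page,
#           1 for any other failure.
check_nss_db() {
    db_dir="$1"
    if [ ! -d "$db_dir" ]; then
        echo "ERROR: not a directory: $db_dir" >&2
        return 1
    fi
    # -L lists the certificates, -d names the database directory.
    if out=$("$CERTUTIL" -L -d "$db_dir" 2>&1); then
        echo "OK: $db_dir is readable by $CERTUTIL"
        return 0
    fi
    case "$out" in
        *SEC_ERROR_LEGACY_DATABASE*)
            echo "LEGACY: $db_dir must be recreated with this certutil"
            return 2 ;;
        *)
            echo "ERROR: $out" >&2
            return 1 ;;
    esac
}

# Stand-alone use: sh check_nss_db.sh /path/to/certdb-directory
if [ "$#" -gt 0 ]; then
    check_nss_db "$1"
fi
```

A return code of 2 after the upgrade points to the cause described above rather than to a network or LDAP-side certificate problem.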