What is the certificate which gets automatically loaded when we switch Open LDAP from Protocol LDAP to LDAPS in CA PAM?

Article ID: 213717

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

In Credential Management in CA PAM, it is possible to create Target Connectors of type Open LDAP.

For an Open LDAP connector, it is possible to use Protocol LDAP or LDAPS (SSL).

When a target application is switched from LDAP to LDAPS, a new field appears in the Target Application definition for a Base 64 encoded X.509 certificate.

That certificate is automatically populated by PAM and it is not possible to choose it. Trying to use a custom certificate subsequently results in the error

PAM-CM-4060: CA LDAP Server not found on this device/port

when trying to carry out operations which require an LDAPS connection to Open LDAP.

This article explains what that default certificate is and why it is needed.

Environment

CA PAM 3.3.X and 3.4.X

Resolution

Any SSL communication with an LDAP server (Open LDAP, Active Directory, Oracle LDAP...) requires a certificate to be present at the LDAP server in order to properly encrypt communications.

This certificate must also be present at the LDAP client so that it can properly trust the LDAP server. In Active Directory this certificate is automatically exchanged with any client performing operations against a Domain Controller.

The default certificate populated in the Base 64 encoded X.509 certificate field corresponds to the certificate of the Open LDAP server. If it is replaced by any other certificate there will be a mismatch between the certificate accepted by the PAM application and the certificate present at the LDAPS server, thus causing the error to appear.

If you need to know the contents of the certificate exchanged, paste the Base 64 encoded X.509 certificate presented at the target application into a text file and give it a name with a .cer extension (e.g. mycertificate.cer). Double clicking on it in Windows or using the usual openssl command will allow you to see its contents and verify that it corresponds to the right Open LDAP server.
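The following script is an added example (not part of this article or of CA PAM) of that openssl check: it accepts the pasted text either as the bare Base 64 body shown in the PAM field or as a full PEM block, prints the certificate's subject, issuer and validity, and compares its SHA-256 fingerprint with the certificate the Open LDAP server actually serves on its LDAPS port, which is the mismatch behind PAM-CM-4060. It assumes the openssl CLI is installed; the file name, host name and port are placeholders.

```sh
#!/bin/sh
# Added example, not from the KB article: inspect the Base 64 X.509 certificate
# copied from the PAM target application and compare its SHA-256 fingerprint
# with the certificate the Open LDAP server actually presents on its LDAPS port.
# Assumes the openssl CLI; file name, host and port are placeholders.
set -eu

# Normalise the pasted text (bare base64 as shown in the PAM field, or a full
# PEM block) into PEM on stdout, re-wrapped to 64 columns for openssl.
to_pem() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        cat "$1"
    else
        echo '-----BEGIN CERTIFICATE-----'
        { tr -d ' \t\r\n' < "$1"; echo; } | fold -w 64
        echo '-----END CERTIFICATE-----'
    fi
}

# Print subject, issuer and validity period of the pasted certificate.
show_cert() {
    to_pem "$1" | openssl x509 -noout -subject -issuer -dates
}

# SHA-256 fingerprint (colon-separated hex) of the pasted certificate.
pasted_fingerprint() {
    to_pem "$1" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate served on host:port (636 = LDAPS).
server_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit status 0 when the pasted certificate is the one the server presents.
check_match() {
    [ "$(pasted_fingerprint "$1")" = "$(server_fingerprint "$2" "$3")" ]
}

# Usage: sh check_ldaps_cert.sh mycertificate.cer ldap.example.test 636
if [ $# -eq 3 ]; then
    show_cert "$1"
    if check_match "$1" "$2" "$3"; then echo "MATCH"; else echo "MISMATCH"; fi
fi
```

A MISMATCH means the certificate stored in the target application is not the one the Open LDAP server presents, which is exactly the situation that produces PAM-CM-4060.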