After upgrading to SCM 12.6 and putting the SSL Certificate out to the site, we are unable to access LDAP info from the SCM server.
Red Hat Linux 6 Broker.
The SSL Certificates were not correct. The cert that we were trying to use was not enough. It required a Certificate chain for the -tlstrcertfile option in hauthtst. The certificate that was generated was certchain.pem. It included the root and subordinate keys from the LDAP server. A private key was also required.
1. Step One: The initial verification of the Certificates should be done outside the Harvest command set as follows.
openssl s_client -CApath <path to certificate> -CAfile "<certificate file name>" -connect <Ldap server fully qualified>:<Ldap port, std=636>
You must see "verify return:1" in the top returned message.
2. Step Two: After successful openssl verification, move on to the hauthtst command to verify on the Harvest side as follows:
hauthtst -authmode=openldap "username of the testing user" -ldapmode=SSL -ldapport=636 -ldapserver=<where the LDAP Server is located> -ldapbasedn="<As defined by the LDAP Administrator>" -ldapbinddn="<As defined by the LDAP Administrator>" -ldapbindpw="********" -ldapfilter="<As defined by the LDAP Administrator>" -ldapattrusrname=<As defined by the LDAP Administrator> -tlskeyfile="<As defined by the LDAP Administrator>" -tlstrcertfile="<path and name of file generated in step one>" -ldapdebuglevel=-1
3. Step Three: After a successful connection, create a dfo file using the userid and password from the previous command. Replace the option -ldapbindpw="********" with -ldapbindpwfile="<encrypted password file name>". Run the hauthtst command again.
4. Step Four: When successful, populate the HServer.arg file with the options from the previous command. Leave out -ldapdebuglevel=-1.
You should be ready to start the Broker process and verify that the Hservers start properly. Verify that Workbench can log in to the broker.
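The Step One check can be scripted against saved openssl s_client output. The following is an added example, not part of the original article or of Harvest; the function names and sample transcripts are constructed. It also requires the final "Verify return code: 0 (ok)" line, because s_client by default prints "verify return:1" even after a "verify error:" line.

```shell
#!/bin/sh
# Added example: judge captured `openssl s_client` output from Step One.
# Function names and transcripts below are constructed for illustration.

# Succeeds only if the transcript on stdin shows a fully verified chain:
# at least one "verify return:1", no "verify error:" line (s_client prints
# return:1 after errors by default), and "Verify return code: 0 (ok)".
chain_verified() {
    awk '
        /^verify error:/               { err = 1 }
        /^verify return:1/             { ok = 1 }
        /Verify return code: 0 \(ok\)/ { final = 1 }
        END { exit !(ok && final && !err) }
    '
}

# Number of certificates in a PEM bundle read from stdin. A chain file such
# as certchain.pem should hold more than one (root plus subordinate).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' || true
}

# Constructed transcript: chain verified against the supplied CA file.
good_output() {
    cat <<'EOF'
depth=2 CN = Example Root CA
verify return:1
depth=1 CN = Example Subordinate CA
verify return:1
depth=0 CN = ldap.example.com
verify return:1
    Verify return code: 0 (ok)
EOF
}

# Constructed transcript: subordinate certificate missing from the CA file.
bad_output() {
    cat <<'EOF'
depth=0 CN = ldap.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

good_output | chain_verified && echo "good transcript: chain verified"
bad_output | chain_verified || echo "bad transcript: chain NOT verified"
```

To use it on a real run, redirect the output of the Step One command to a file and pipe that file into chain_verified; pipe the chain file into count_certs to confirm it holds more than one certificate.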
More information is available in the Harvest Implementation Guide, Chapter 15.