Realms LDAP config for port 636
Article ID: 400702

Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

Installed APM Introscope 10.8 HF7 on Windows 2022 servers for a project to get all Windows servers off of 2019 and below. Current environment is APM Introscope 10.8 SP1 on Windows 2019 which binds to LDAP over port 636. Current version does not have useSSL turned on nor does it use ldaps:// but it does bind.

I have tried several configuration variations without success.

I have added a server certificate and issuing certificate to the keystore (\config\internal\server\). Then I tried adding the root certificate, but no luck.

Resolution

DEBUG 7480 --- [qtp2006109026-276] Manager.UserManagementService : Unable to find user "<user>" because simple bind failed: <ldap host>:<ldap port>
javax.naming.CommunicationException: simple bind failed: <ldap host>:<ldap port>
    at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
    at java.naming/com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)

Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
    at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)

This means that the trust store used for the LDAPS connection does not contain the certificate needed to validate the LDAP server's certificate chain. The Jetty configuration specifies the key store, but it leaves the trust store unchanged.

To remedy this:

Import the "CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE" certificate (the root CA certificate for their server certificate) into config/internal/server/keystore so that it can be used to trust certificates sent by other parts of the cluster.

This root CA is part of the JRE that is shipped with EM, so it can be exported from jre/lib/security/cacerts with

keytool -exportcert -v -alias addtrustexternalca -file addtrustexternalca.crt -keystore cacerts -storepass changeit

and then imported into config/internal/server/keystore with

keytool -importcert -v -trustcacerts -alias addtrustexternalca -storepass password -keystore keystore -file addtrustexternalca.crt
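The export-and-import steps above, wrapped in a re-runnable script together with a check that maps the exception text in the EM log to the remediation it calls for. This is an added example, not the article's or Broadcom's own tooling: the install directory, alias, passwords and the assumption of a POSIX shell (for example Git Bash on a Windows EM host) are placeholders, and the sample log line is constructed from the stack trace quoted above.

```shell
#!/bin/sh
# Added example, not from the article: wrap the keytool export/import steps
# in idempotent functions and classify the EM log message first.
# EM_HOME, alias and passwords are assumptions; override them via environment.

EM_HOME="${EM_HOME:-/opt/CA/Introscope}"                       # assumed install dir
JRE_CACERTS="${JRE_CACERTS:-$EM_HOME/jre/lib/security/cacerts}"
EM_KEYSTORE="${EM_KEYSTORE:-$EM_HOME/config/internal/server/keystore}"
CA_ALIAS="${CA_ALIAS:-addtrustexternalca}"
CACERTS_PASS="${CACERTS_PASS:-changeit}"                       # JRE default
KEYSTORE_PASS="${KEYSTORE_PASS:-password}"                     # placeholder value

# Constructed sample: the "Caused by" line from the article's stack trace.
SAMPLE_CAUSE='Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target'

# Map the exception text from the EM log to one remediation token.
# "PKIX path building failed" is the trust-store problem this article fixes;
# a plain "simple bind failed" without it points at credentials or connectivity.
classify_bind_error() {
  case "$1" in
    *"PKIX path building failed"*) echo "missing-trust-anchor" ;;
    *"simple bind failed"*)        echo "bind-failed" ;;
    *)                             echo "unknown" ;;
  esac
}

# Succeed only if ALIAS is a trusted certificate entry in KEYSTORE.
# Usage: has_trusted_alias KEYSTORE STOREPASS ALIAS
has_trusted_alias() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
    | grep -q 'trustedCertEntry'
}

# Export the root CA from the JRE's cacerts to the DER file given as $1.
export_root_ca() {
  keytool -exportcert -v -alias "$CA_ALIAS" -file "$1" \
    -keystore "$JRE_CACERTS" -storepass "$CACERTS_PASS"
}

# Import that DER file into the EM keystore as a trusted entry.
# -noprompt answers keytool's "Trust this certificate?" question for scripted runs.
import_root_ca() {
  keytool -importcert -v -trustcacerts -noprompt -alias "$CA_ALIAS" \
    -file "$1" -keystore "$EM_KEYSTORE" -storepass "$KEYSTORE_PASS"
}

# Keystores are only modified when explicitly asked: ./ldaps-trust.sh run
if [ "${1:-}" = "run" ]; then
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; exit 1; }
  if has_trusted_alias "$EM_KEYSTORE" "$KEYSTORE_PASS" "$CA_ALIAS"; then
    echo "$CA_ALIAS already trusted in $EM_KEYSTORE; nothing to do"
  else
    tmp="$(mktemp)"
    export_root_ca "$tmp" && import_root_ca "$tmp"
    rm -f "$tmp"
    if has_trusted_alias "$EM_KEYSTORE" "$KEYSTORE_PASS" "$CA_ALIAS"; then
      echo "$CA_ALIAS imported into $EM_KEYSTORE; restart the EM to pick it up"
    else
      echo "import of $CA_ALIAS failed" >&2; exit 1
    fi
  fi
fi
```

Run the classifier on the "Caused by" line before touching any keystore: only the missing-trust-anchor case is fixed by importing the root CA, and re-running the script after the import is harmless because it checks for the alias first. Passing -storepass on the command line exposes the password to other local users via the process list; keytool also accepts the -storepass:env and -storepass:file forms, which are preferable on shared hosts.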