I would like to configure a secure LDAP connection, but when SSL is checked, I get:
Test unsuccessful for ldap: dc01.<domain> Reason: Certificate is missing or invalid. Importing CA certificate may resolve the issue.
Test unsuccessful for ldap: dc02.<domain> Reason: Certificate is missing or invalid. Importing CA certificate may resolve the issue.
Test unsuccessful for ldap: dc03.<domain> Host Unreachable. Reason: SocketTimeoutException: connect timed out
LDAP without SSL is working.
The manual says: "You do not need to install the SSL/TLS certificate. Instead, vRealize Operations prompts you to view and verify the thumbprint, and accept the LDAP server certificate", but this never happens.
I have configured HTTPS and hoped that once the root certificate of the signing CA is in the keystore it would help, but the issue is still persistent. I have not found any way to import the CA certificate using the GUI or in an SSH session. Can you please advise how to move forward.
I believe this issue is related to the Domain Controllers not having the proper LDAPS configuration set, and dc03 is actually failing to connect. You need to check that your certificate includes the domain controllers in it.
Please follow the articles below; I hope this will help. Thanks.
Note: I have recently started my blogs; please review and give your feedback so that I can improve.
The issue is when "auto" is used for the host; if I choose a server from the dropdown, it offers me to accept the cert. But with manual selection you are connected to only one DC; what happens if this DC does not work? How can it connect to a second DC? Do I need to add an additional source? Why does it need the server cert and not the root cert, which has a longer lifetime? What happens when the server cert expires?
It does not work for dc3; I will need to review it, but the whole concept is strange, based on the last post I wrote.
As mentioned before by @ramajay12345, follow the steps here: https://docs.vmware.com/en/vRealize-Operations/8.6/com.vmware.vcom.core.doc/GUID-5B5BC860-128C-4A87-...
If you check Step 10, it mentions importing the SSL certificate, and that the PEM certificate can be modified to include not only the root but each of the DCs. Essentially, if you are load-balancing LDAPS authentication, it should work automatically.
Do you have the .pem CA chain certs that vROps and the DC use imported into Certificates? That way it will auto-accept certs when the DC changes, or for any other adapters that use the same chain.
E.g. vROps has a cluster cert for https://vrops.local.net
local.net CA chain:
Import root, intermediate and issuing CA .pem certs.
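An added check, not from any post in this thread, that connects to each DC on port 636 the way vROps will: it trusts only the CA chain PEM you intend to import, requires the DC hostname to be present in the certificate's SAN, and reports the same three outcomes seen in the original error messages (certificate invalid, connect timed out, OK). Hostnames and the chain file name are constructed placeholders.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed placeholders: replace with your DCs and the PEM file that holds
# the root, intermediate and issuing CA certificates concatenated together.
DOMAIN_CONTROLLERS = ["dc01.example.test", "dc02.example.test", "dc03.example.test"]
CA_CHAIN_PEM = "ca-chain.pem"


def san_dns_names(cert):
    """DNS entries from the dict that SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def missing_san_hosts(hosts, san_names):
    """Hosts the certificate's SAN list does not cover (one-label wildcards allowed)."""
    names = {n.lower() for n in san_names}
    missing = []
    for host in hosts:
        h = host.lower()
        wildcard = "*" + h[h.find("."):] if "." in h else None
        if h not in names and wildcard not in names:
            missing.append(host)
    return missing


def classify_failure(exc):
    """Map a connect/handshake exception onto the reasons vROps reports."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # untrusted chain, hostname absent from SAN, or expired certificate
        return "certificate invalid: " + getattr(exc, "verify_message", str(exc))
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "host unreachable: connect timed out"
    if isinstance(exc, ssl.SSLError):
        return "tls handshake failed: " + str(exc)
    return "unreachable: " + str(exc)


def check_dc(host, cafile=CA_CHAIN_PEM, port=636, timeout=5.0):
    """Return (True, {san, not_after}) on success or (False, reason) on failure."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except OSError as exc:  # SSLError and socket.timeout are OSError subclasses
        return False, classify_failure(exc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return True, {"san": san_dns_names(cert), "not_after": not_after}
```

Run `check_dc(dc)` for each entry in `DOMAIN_CONTROLLERS`; a "certificate invalid" result for a DC means the chain file or that DC's certificate (SAN or expiry) needs fixing before vROps will accept it.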
- Apologies for the delay in response.
- Based on my experience, we can add a DC, and if the DC is not working then we need to manually update the new DC details, accept the thumbprint and save.
- Suggestion: I would suggest enabling VIDM authentication.
Once you accept the thumbprint, the certificate will automatically appear in the /Administration/Certificates section.
We don't need to import the certificate manually.