When configuring an AD (Active Directory) profile within the Blancco Management Console to use external authentication, selecting the "Secure Connection" option requires additional steps before authentication can succeed over LDAPS (Lightweight Directory Access Protocol over SSL).

Because the Management Console connects to LDAPS through JSSE (Java Secure Socket Extension), the truststore used by JSSE must contain the certificate of the CA (Certificate Authority) that issued the LDAPS server certificate, so that the certificate presented by the domain controller can be validated. By default the Management Console uses the JRE (Java Runtime Environment) truststore, which is the file named cacerts located under <jre_dir>\lib\security.

To secure the connection to LDAPS, the Root CA certificate and the Intermediate CA certificate of that chain need to be imported into the cacerts truststore using the command-line keytool utility that ships with the JRE. A user manual covering keytool is available for Windows, and a separate one for Solaris and Unix-based systems.

To list all the certificates present in the cacerts truststore the following command should be run:

List all stored certificates
keytool -list -keystore "c:\Program Files\Java\jre1.8.0_151\lib\security\cacerts" -storepass changeit

This example assumes that the JRE is installed under c:\Program Files\Java\jre1.8.0_151 and that the truststore password is changeit, which is the default for the JRE truststore; if the password has been changed on your system, supply the current one instead.

To import the certificates of the CA chain that issued the LDAPS certificate, run the following command once per certificate (root and intermediate), using a distinct alias for each and the cacerts path of the JRE that the Management Console actually runs on:

Import certificate to truststore
keytool -importcert -file c:\somecert.cer -keystore "c:\Program Files (x86)\Java\jre7\lib\security\cacerts" -storepass changeit -alias "certificate alias"

After the certificates have been imported successfully, restart the Blancco Management Console service so that the JRE reloads the truststore. Once the service is back up, AD user accounts can authenticate over LDAPS.
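The procedure above (list the truststore, import the root and intermediate CA certificates, then restart) as an added shell script for Unix-like systems; it is not Blancco's own tooling. It assumes keytool is on PATH, that the cacerts password is changeit unless STOREPASS is set, and the aliases ldaps-root-ca and ldaps-intermediate-ca are chosen here as examples. Imports are skipped when the alias already exists, so the script can be re-run safely.

```shell
#!/usr/bin/env bash
# Added example: import an LDAPS CA chain (root + intermediate) into the JRE
# cacerts truststore used by the Blancco Management Console. Assumes keytool
# is on PATH. Default truststore password is changeit (the JRE default).
set -u
STOREPASS="${STOREPASS:-changeit}"

# Build the cacerts path from a JRE directory, e.g. /usr/lib/jvm/jre.
cacerts_path() {
  printf '%s/lib/security/cacerts\n' "$1"
}

# Return 0 if ALIAS is present in a `keytool -list` listing. keytool stores
# aliases lower-case and prints one entry per line as "alias, date, type,",
# so compare the first comma-separated field case-insensitively.
alias_in_listing() {
  local alias_lc
  alias_lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  printf '%s\n' "$2" | awk -F', ' -v a="$alias_lc" \
    'tolower($1) == a { found = 1 } END { exit !found }'
}

# Import one CA certificate unless its alias already exists in the truststore.
# -trustcacerts lets keytool chain the intermediate to an already trusted root;
# -noprompt accepts the certificate without the interactive "Trust this?" query.
import_ca_cert() {
  local keystore="$1" alias="$2" certfile="$3" listing
  listing=$(keytool -list -keystore "$keystore" -storepass "$STOREPASS")
  if alias_in_listing "$alias" "$listing"; then
    echo "alias '$alias' already present in $keystore, skipping"
    return 0
  fi
  keytool -importcert -noprompt -trustcacerts -file "$certfile" \
    -keystore "$keystore" -storepass "$STOREPASS" -alias "$alias"
}

# Usage: import_ldaps_chain.sh <jre_dir> <root_ca.cer> <intermediate_ca.cer>
main() {
  local keystore
  keystore=$(cacerts_path "$1")
  [ -f "$keystore" ] || { echo "truststore not found: $keystore" >&2; return 1; }
  import_ca_cert "$keystore" ldaps-root-ca "$2"
  import_ca_cert "$keystore" ldaps-intermediate-ca "$3"
  echo "Done. Restart the Blancco Management Console service to load the new trust anchors."
}

if [ "$#" -eq 3 ]; then main "$@"; fi
```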