When configuring an AD (Active Directory) profile within the Blancco Management Console to use external authentication, selecting the "Secure Connection" option requires additional steps before authentication can succeed over LDAPS (Lightweight Directory Access Protocol over SSL).
Because the Management Console establishes the LDAPS connection through JSSE (Java Secure Socket Extension), the truststore/keystore used by JSSE needs to contain a certificate signed by the CA (Certificate Authority) that signed the LDAPS certificate. By default the Management Console uses the JRE (Java Runtime Environment) truststore, which is located under <jre_dir>\lib\security and is named cacerts.
To secure the connection to the LDAPS server, the CA-signed certificate needs to be imported into the cacerts truststore. This is done with the command-line keytool utility that ships with the JRE. A user manual for Windows is available, and a separate one for Solaris and Unix-based systems, covering the use of keytool.
To list all the certificates present in the cacerts truststore the following command should be run:
keytool -list -keystore "c:\Program Files\Java\jre1.8.0_151\lib\security\cacerts"
This assumes that the JRE is installed under the c:\Program Files\Java\jre1.8.0_151 folder and that the password for the default truststore is changeit. This is the default password for the truststore and can be changed if necessary.
To import the certificate signed by the CA which issued the certificate for LDAPS, the following command should be executed:
keytool -importcert -file c:\somecert.cer -keystore "c:\Program Files (x86)\Java\jre7\lib\security\cacerts"
After the certificate has been imported into the truststore successfully, the Blancco Management Console service needs to be restarted. Once that is done, AD user accounts can be authenticated over LDAPS.
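A check worth running after the import, added here as an example and not part of the original article or of Blancco's software: it compares the SHA-256 fingerprint of the CA certificate file against the fingerprints printed by keytool -list -v, so you can confirm the right certificate landed in cacerts (or skip the import if that CA is already trusted) instead of relying on alias names. It assumes keytool is on the PATH, that the .cer file is either PEM or DER, and the sample data at the bottom is constructed, not a real certificate.

```python
"""Check that a CA certificate is in a JRE cacerts truststore by SHA-256 fingerprint."""
import base64
import hashlib
import re
import subprocess

# Matches JDK 8 verbose output ("SHA256: ...") and newer ("(SHA-256): ...").
_FP_RE = re.compile(r"SHA-?256\)?:\s*((?:[0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2})")


def to_der(data: bytes) -> bytes:
    """Return DER bytes from a certificate file that is either PEM or DER."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        body = data.split(b"-----BEGIN CERTIFICATE-----", 1)[1]
        body = body.split(b"-----END CERTIFICATE-----", 1)[0]
        return base64.b64decode(b"".join(body.split()))
    return data  # assumed binary DER (a .cer exported by Windows is often DER)


def sha256_fingerprint(der: bytes) -> str:
    """Fingerprint in keytool's colon-separated upper-case hex form."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_in_listing(listing: str) -> set:
    """Collect every SHA-256 fingerprint found in keytool listing output."""
    return {m.group(1).upper() for m in _FP_RE.finditer(listing)}


def ca_present(cert_file: bytes, listing: str) -> bool:
    """True if the certificate's fingerprint appears in the truststore listing."""
    return sha256_fingerprint(to_der(cert_file)) in fingerprints_in_listing(listing)


def list_truststore(keystore: str, storepass: str = "changeit") -> str:
    """Run keytool (assumed on PATH) against the truststore; return verbose listing."""
    cmd = ["keytool", "-list", "-v", "-keystore", keystore, "-storepass", storepass]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample data (not a real certificate) so the check runs without a JRE.
SAMPLE_DER = b"\x30\x0c\x30\x0a\x06\x03\x55\x04\x03\x13\x03CA1"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
SAMPLE_LISTING = ("Alias name: ldaps-ca\nCertificate fingerprints:\n\t SHA256: "
                  + sha256_fingerprint(SAMPLE_DER) + "\nAlias name: other\n"
                  "Certificate fingerprints:\n\t SHA256: " + ":".join(["00"] * 32) + "\n")
```

Against a real installation, call ca_present(open(r"c:\somecert.cer", "rb").read(), list_truststore(r"c:\Program Files\Java\jre1.8.0_151\lib\security\cacerts")) before and after the import; it should flip from False to True.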