Configuring LDAP Server Certificates

An LDAP server's certificate can be CA-signed or self-signed. This section describes how to initially configure certificates and how to manage a new certificate when the previous certificate expires.

Initially Configuring LDAP Server Certificates

For more information about trusted certificates, see the sections about trusted certificates in Configuring Certificates.

You can supply a list of trusted CA certificates. LDAP server certificates issued by those trusted CAs do not require special management.

If an LDAP server's certificate is not issued by a trusted CA, whether the certificate is issued by a CA or is self-signed, you will be asked to review and approve the certificate. The Accept LDAP Server Certificate dialog box displays information about the certificate and requests that you accept or reject the certificate. If you accept the certificate, that certificate is added to the list of trusted certificates.

Managing Expired and New LDAP Server Certificates

If you individually accepted a certificate, either a CA-signed certificate or a self-signed certificate, then when the LDAP server's certificate expires, you must approve the new certificate. Select the server, test the connection, and examine and approve the new certificate. See Approving a New LDAP Server Certificate - BUI, CLI.

If you supply CA certificates, changes in the individual server certificates are handled automatically. When your server changes CA certificates, ensure that the new CA certificate is added to the appliance before your LDAP server starts using it. If the server starts using the new CA certificate before you add it to the appliance, your LDAP service will be interrupted.
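The following Python model is an added illustration, not appliance code: it encodes the trust decisions described in this section so the difference between supplying a CA certificate and accepting a server certificate individually can be seen on a certificate rotation. Certificate subjects, fingerprints and dates are constructed stand-ins, and TrustStore stands in for the appliance's list of trusted certificates.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str        # equals subject for a self-signed certificate
    fingerprint: str   # constructed stand-in for a SHA-256 fingerprint
    not_after: datetime

@dataclass
class TrustStore:
    trusted_cas: set = field(default_factory=set)  # CA subjects supplied up front
    accepted: set = field(default_factory=set)     # fingerprints accepted one by one

    def accept(self, cert: Cert) -> None:
        """Equivalent of clicking Accept: trust this exact certificate."""
        self.accepted.add(cert.fingerprint)

def evaluate(cert: Cert, store: TrustStore, now: datetime) -> str:
    """Return 'trusted', or why the certificate needs attention."""
    if now > cert.not_after:
        return "expired"
    if cert.issuer != cert.subject and cert.issuer in store.trusted_cas:
        return "trusted"   # any certificate issued by a supplied CA
    if cert.fingerprint in store.accepted:
        return "trusted"   # an individually accepted certificate
    return "untrusted"     # the Accept LDAP Server Certificate dialog would open

def rotation_outcomes() -> dict:
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    old = datetime(2024, 1, 1, tzinfo=timezone.utc)   # already expired
    new = datetime(2025, 1, 1, tzinfo=timezone.utc)
    store = TrustStore(trusted_cas={"Corp CA"})
    ca_leaf = Cert("ldap1", "Corp CA", "fp-ca-leaf-2", new)      # re-issued by supplied CA
    self_old = Cert("ldap2", "ldap2", "fp-self-1", old)          # accepted individually
    self_new = Cert("ldap2", "ldap2", "fp-self-2", new)          # its replacement
    ca2_leaf = Cert("ldap3", "Corp CA 2", "fp-ca2-leaf", new)    # server moved to a new CA
    store.accept(self_old)
    out = {
        "ca_leaf_rotated": evaluate(ca_leaf, store, now),
        "self_signed_expired": evaluate(self_old, store, now),
        "self_signed_replacement": evaluate(self_new, store, now),
        "new_ca_before_added": evaluate(ca2_leaf, store, now),
    }
    store.accept(self_new)              # examine and approve the new certificate
    store.trusted_cas.add("Corp CA 2")  # add the new CA certificate to the appliance
    out["self_signed_after_accept"] = evaluate(self_new, store, now)
    out["new_ca_after_added"] = evaluate(ca2_leaf, store, now)
    return out
```

The "new_ca_before_added" case is the service interruption the text warns about: a server certificate from a CA the appliance does not yet hold is untrusted until that CA certificate is added.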

Approving a New LDAP Server Certificate (BUI)

Use this procedure to accept a new certificate after the previous certificate expired.

Before You Begin

TLS must be enabled. Make sure the Enable SSL/TLS box is checked.

  1. From the Configuration menu, select Services.
  2. Under Directory Services, select LDAP.

    On the Properties tab, scroll to the LDAP Servers section of the page.

  3. In the table, click the edit icon for the server that has the new certificate.
  4. Click the Test Connection button in the Edit LDAP Server dialog box to test the TLS connection.

    A new dialog reports whether the new certificate is trusted.

  5. Click OK in the trusted certificate dialog box.

    If the trusted certificate dialog box reported the certificate is not trusted, the Accept LDAP Server Certificate dialog box opens. This dialog box displays information about the certificate, and has Reject and Accept buttons.

  6. Review the certificate information, and click Accept.

    The certificate is added to the list of trusted certificates.

Approving a New LDAP Server Certificate (CLI)

Use this procedure to accept a new certificate after the previous certificate expired.

Before You Begin

TLS must be enabled. Make sure the use_tls property is set to true.

  1. Go to configuration services ldap.
  2. Enter the list command to show the list of LDAP servers.
  3. Select a server.
  4. Enter the test command to test the TLS connection.

    Information about the new certificate is displayed.

  5. Examine and approve the new certificate.

    The certificate is added to the list of trusted certificates. If you enter the test command again, the message Certificate is trusted is displayed.