Version 9.2.0 and later
Add the LDAP server certificate (or its root certificate) to the ivy truststore which is by default located in
configuration/truststore.p12. Follow steps 3 to 5 below.
Allow the Ivy Engine to connect to the LDAP server without verifying the server certificates
- Change the LDAP server URL to the LDAPS one.
- Enable the SSL connection
- Enable insecure SSL connections
Note: This approach allows man-in-the-middle attacks and is only intended for special environments such as development and test, where man-in-the-middle attacks are not possible without a major breach. Always prefer the first solution as it is the more secure one.
Version up to 9.1.1
The generic approach that should work in any Ivy Engine:
1. Set the SSL Debug flag
Set the JVM system property -Djavax.net.debug=all to debug SSL connections (see https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ReadDebug.html).
Then change the log level of the ConsoleAppender to level DEBUG (file
2. Determine the truststore in use
The truststore containing the accepted certificates of your engine runtime must be identified. Its location differs according to your operating system and Ivy Engine version (JVM version). Analyze the Axon.ivy console log and find the log entry exposing your 'truststore'. E.g. (
jre/lib/security/cacerts or jre/lib/security/jssecacerts or
3. Add Certificates to Truststore
Add all parent certificates of your LDAP(S) server to the truststore using the keytool available in the <JRE>/lib/bin of the engine being used. Sample:
jre/lib/bin/keytool -importcert -file zugtstdirads.cer -keystore jre/lib/security/cacerts -storepass changeit -alias zugtstdirads
You may use a GUI such as https://keystore-explorer.org/ to verify that certificates have been properly added. But that should just be used for verification. Adding certificates with this tool may lead to corrupt truststores (and the engine/HTTPS connector no longer starts correctly).
3.1 Verify that the issuer of your certificate is in the truststore. In most cases you have to add internal company CA certs that finally link to a ROOT CA issuer.
4. Enable SSL connections
... for your Active Directory security system
- ivy8: Engine Cockpit -> Security Systems -> YourAd -> Enable 'SSL' and adjust the URL port (636)
- ivy 7 and older: Admin UI -> Your App -> Edit Active Directory -> Enable 'SSL' with the checkbox.
5. Trigger the synchronization
If the connection is not working: check the Axon.ivy console.log for SSL debug output. In most cases a certificate in the chain is missing.
As a first step, verify that your added certificates appear in the list of trusted certs:
See point 3.1 to analyze the cert-chain.
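As an added example (not from the original answer or from Axon.ivy), here is a stdlib-only Python check for point 3.1 and the final verification: it parses captured `keytool -list -v` output and walks the issuer chain of the LDAP server certificate upward to report which CA certificate is still missing from the truststore. The listing, DNs and aliases below are constructed for the example.

```python
import re

# Constructed sample of `keytool -list -v` output for a truststore that holds the LDAP
# server certificate and the issuing CA, but NOT the root CA (the typical missing link).
# All DNs and aliases are hypothetical.
SAMPLE_LISTING = """\
Alias name: zugtstdirads
Owner: CN=zugtstdirads.example.test, O=Example
Issuer: CN=Example Issuing CA, O=Example

Alias name: example-issuing-ca
Owner: CN=Example Issuing CA, O=Example
Issuer: CN=Example Root CA, O=Example
"""

# The root CA entry that completes the chain once it has been imported.
ROOT_ENTRY = """\
Alias name: example-root-ca
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example
"""

def parse_keytool_listing(text):
    """Map Owner DN -> Issuer DN for every entry in a `keytool -list -v` dump."""
    entries = {}
    for block in re.split(r"(?m)^Alias name:", text)[1:]:
        owner = re.search(r"(?m)^Owner:\s*(.+)$", block)
        issuer = re.search(r"(?m)^Issuer:\s*(.+)$", block)
        if owner and issuer:
            entries[owner.group(1).strip()] = issuer.group(1).strip()
    return entries

def missing_chain_links(entries, leaf_dn):
    """Follow Issuer links from leaf_dn upward and return the DNs absent from the
    truststore. An empty list means the chain ends at a self-signed root CA.
    Assumes keytool prints Owner and Issuer DNs in the same canonical form."""
    missing, seen, current = [], set(), leaf_dn
    while current not in seen:
        seen.add(current)
        issuer = entries.get(current)
        if issuer is None:          # certificate for this DN is not in the truststore
            missing.append(current)
            break
        if issuer == current:       # self-signed: root CA reached, chain is complete
            break
        current = issuer
    return missing
```

Run `missing_chain_links(parse_keytool_listing(listing), "<server cert Owner DN>")` on your own captured listing; each DN it returns is a certificate you still have to import with keytool.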