Microsoft is enforcing LDAPS for active directory services.

So we have to configure all ivyEngine user synch connections to use LDAP(S). How can this be done? Simply enabling 'SSL' option doesn't seem to be enough.

We have multiple workflow app on differen ivyEngine (4.3, 5.1, 7.0) versions in use. Is there a generic approach to use that works als in older environments?

asked 29.04.2020 at 05:39

SupportIvyTeam's gravatar image

SupportIvyTeam ♦♦
accept rate: 77%

edited 29.04.2020 at 06:25

The approach below still works, but there is an update to this question for newer versions of Ivy on our new community page:

The generic approach that should work in any ivyEngine:

1. Set the SSL Debug flag

Set the JVM system property to debug SSL connections .

2. Determine the truststore in use

The truststore that contains the accepted certificats of your engine runtime must be identified. The location differs according to your operating system and ivyEngine version (JVM version). Analyse the Axon.ivy console log and find the log entry exposing your 'truststore' . E.g. ( jre/lib/security/cacerts or jre/lib/security/jssecacerty ) alt text

3. Add Certificates to Truststore

Add all parent certificates of your LDAP(S) server to the truststore using the keytool availalbe in the JRE/lib/bin of the engine being used. Sample:

jre/lib/bin/keytool -importcert -file zugtstdirads.cer -keystore jre/lib/security/cacerts -storepass changeit -alias zugtstdirads

You may use a GUI such as to verify that certificates have been propertly added. But that should just be used for verification. Adding certificates with this tooling may lead to corrupt truststores (and the engine/HTTPS connctor no longer starts correctly).

3.2 Verify, that the issuer of your certificate is in the truststore. In most cases you have to add internal company CA certs that will finally link to a ROOT CA Issuer.

alt text

4. Enable SSL connections

... for your Active Directory security system

  • ivy8: Engine Cockpit -> Security Systems -> YourAd -> Enable 'SSL' + and adjust the URL port (636)
  • ivy 7 an older: Admin UI -> Your App -> Edit Active Directory -> Enable 'SSL' with the checkbox.

alt text

5. Trigger the synchronization

If the connection is not working: check the Axon.ivy console.log for SSL debug output. In most cases a certificate in the chain is missing.

As a first step: Verify that your added certificates appear in the list of trusted certs: alt text

See point 3.2 to analyze the cert-chain.

NOTE: At the end, do not forget tor remove the entry from the configuration file once everything is OK, and then to restart the engine, otherwise you will encounter performance problems.


answered 29.04.2020 at 05:48

Reguel%20Wermelinger's gravatar image

Reguel Werme... ♦♦
accept rate: 70%

edited 17.02 at 06:59

SupportIvyTeam's gravatar image

SupportIvyTeam ♦♦

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: 29.04.2020 at 05:39

Seen: 1,108 times

Last updated: 17.02 at 06:59