Microsoft is enforcing LDAPS for Active Directory services. https://www.heise.de/newsticker/meldung/Microsoft-stellt-Domaincontroller-langsam-auf-LDAPS-um-4666079.html

So we have to configure all ivyEngine user sync connections to use LDAP(S). How can this be done? Simply enabling the 'SSL' option doesn't seem to be enough.

We have multiple workflow apps on different ivyEngine versions (4.3, 5.1, 7.0) in use. Is there a generic approach that also works in older environments?

asked 29.04.2020 at 05:39

SupportIvyTeam ♦♦

edited 29.04.2020 at 06:25


The approach below still works, but there is an update to this question for newer versions of Ivy on our new community page:

https://community.axonivy.com/d/58-how-to-migrate-active-directory-connection-to-ldaps-ssl

The generic approach that should work in any ivyEngine:

1. Set the SSL Debug flag

Set the JVM system property -Djavax.net.debug=all to debug SSL connections. https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html

2. Determine the truststore in use

The truststore that contains the accepted certificates of your engine runtime must be identified. The location differs according to your operating system and ivyEngine version (JVM version). Analyse the Axon.ivy console log and find the log entry exposing your 'truststore', e.g. jre/lib/security/cacerts or jre/lib/security/jssecacerts.

3. Add Certificates to Truststore

Add all parent certificates of your LDAP(S) server to the truststore using the keytool available in the JRE/lib/bin of the engine being used. Sample:

jre/lib/bin/keytool -importcert -file zugtstdirads.cer -keystore jre/lib/security/cacerts -storepass changeit -alias zugtstdirads

You may use a GUI such as https://keystore-explorer.org/ to verify that certificates have been properly added. But that should only be used for verification. Adding certificates with this tooling may lead to corrupt truststores (and the engine/HTTPS connector no longer starts correctly).

3.2 Verify that the issuer of your certificate is in the truststore. In most cases you have to add internal company CA certs that will finally link to a ROOT CA issuer.

4. Enable SSL connections

... for your Active Directory security system

  • ivy8: Engine Cockpit -> Security Systems -> YourAd -> Enable 'SSL' and adjust the URL port (636)
  • ivy 7 and older: Admin UI -> Your App -> Edit Active Directory -> Enable 'SSL' with the checkbox.

5. Trigger the synchronization

If the connection is not working: check the Axon.ivy console.log for SSL debug output. In most cases a certificate in the chain is missing.

As a first step: verify that your added certificates appear in the list of trusted certs.

See point 3.2 to analyze the cert-chain.

NOTE: At the end, do not forget to remove the -Djavax.net.debug=all entry from the configuration file once everything is OK, and then restart the engine; otherwise you will encounter performance problems.


answered 29.04.2020 at 05:48


Reguel Werme... ♦♦

edited 17.02.2021 at 06:59

SupportIvyTeam ♦♦
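The answer above has you read the console log (with -Djavax.net.debug=all set) to find the truststore in use (step 2), to check that every issuer of the LDAPS server's chain is trusted (step 3.2) and to spot a failed handshake (step 5). Here is an added example, not from the original post or from Axon.ivy, that pulls those three facts out of JSSE debug output; the sample log lines, paths and DNs are constructed for illustration, and the "adding as trusted cert:" / "Subject:" layout is the one Java 7/8 JSSE prints while loading the truststore.

```python
import re

# Constructed sample of JSSE debug output as it appears in the Axon.ivy
# console log when -Djavax.net.debug=all is set (paths and DNs are made up).
SAMPLE_LOG = """\
trustStore is: /opt/ivy/jre/lib/security/cacerts
trustStore type is : jks
init truststore
adding as trusted cert:
  Subject: CN=Example Root CA, O=Example Corp, C=CH
  Issuer:  CN=Example Root CA, O=Example Corp, C=CH
  Algorithm: RSA; Serial number: 0x1
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
"""

TRUSTSTORE_RE = re.compile(r"^trustStore is:\s*(.+?)\s*$")
SUBJECT_RE = re.compile(r"^\s*Subject:\s*(.+?)\s*$")
PKIX_FAILURE = "unable to find valid certification path to requested target"


def parse_jsse_debug(log_text):
    """Return (truststore_path, trusted_subject_dns, pkix_failed).

    The 'trustStore is:' line names the file keytool must import into;
    every 'adding as trusted cert:' entry is followed by the Subject DN
    of a certificate the JVM accepts; the PKIX message means a cert of
    the server chain is still missing from that truststore.
    """
    truststore, trusted, pkix_failed = None, [], False
    expect_subject = False
    for line in log_text.splitlines():
        m = TRUSTSTORE_RE.match(line)
        if m:
            truststore = m.group(1)
        elif line.startswith("adding as trusted cert:"):
            expect_subject = True  # next 'Subject:' line is this cert's DN
        elif expect_subject:
            m = SUBJECT_RE.match(line)
            if m:
                trusted.append(m.group(1))
                expect_subject = False
        elif PKIX_FAILURE in line:
            pkix_failed = True
    return truststore, trusted, pkix_failed


def missing_issuers(chain_issuer_dns, trusted_subject_dns):
    """Issuer DNs of the LDAPS server chain (intermediate CAs and root)
    that are not yet trusted and still need a keytool import (step 3.2)."""
    return [dn for dn in chain_issuer_dns if dn not in trusted_subject_dns]
```

Run it against a real console.log instead of SAMPLE_LOG and feed missing_issuers() the issuer DNs you read from the server certificate chain; whatever it returns is what keytool still has to import.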

Asked: 29.04.2020 at 05:39

Seen: 3,649 times

Last updated: 17.02.2021 at 06:59