On 12/19/2017 07:14 AM, frankabhinav wrote:
>
> After diagnosis, we found that driver trying to connect with PUM on 443
> but without SSL.


The documentation states that HTTPS is the only mechanism used, so it
would seem that IDM is at least trying TLS/SSL, though a LAN trace to
verify that would be nice.

https://www.netiq.com/documentation/...s.html#bueow4x

Also having the trace from the shim (Remote Loader (RL) usually) may help
us see exactly what is going wrong; the shim has levels up to five (5) so
going up that high may get us something useful.

> Can you please help me to identify the followings
> - Which SSL cert to import in driver from PUM server?
> - Which connection parameter to be used to specify the imported
> certificate file?
> - Where to import SSL cert from PUM server?


Maybe you have already grabbed IDM traces, or LAN/wire traces, and that is
why you think there is a TLS/SSL trust issue. If that is the case, some
driver configs have places where you can point to a PEM or truststore
object specific to that particular shim, which is nice, but I do not see
that in the documentation here. Instead you can import the Certificate
Authority (CA) certificate for the PAM/PUM system into the 'cacerts' file
(default JRE truststore) used by IDM. This exists at
/opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts by
default, and as its path may imply this is owned by the IDM packages, so
anytime you upgrade the engine or RL you will need to be sure your
certificate is still in there.

It is typically best to import CA certificates, but I do not know if your
PAM/PUM system actually has a valid CA, or if it is just using a
self-signed certificate for its HTTPS connection. If so, that self-signed
certificate could be used too, though that means anytime you change that
out for anything else you will break the driver's connection, so be sure
you are ready to import the appropriate CA to the IDM side whenever you do
that.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
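The procedure the reply above describes, as an added example that is not part of the original post and not a NetIQ-supplied script: pull the chain the PAM/PUM server actually presents on 443 (the cheap alternative to a LAN trace for a trust problem), work out whether it is CA-issued or self-signed, verify the leaf chains to the chosen anchor, and only then import that anchor into the IDM JRE `cacerts` file the reply names. The host, port and alias (`PUM_HOST`, `PUM_PORT`, `PUM_ALIAS`), the `changeit` store password, and the assumption that `keytool` lives in the same JRE as `cacerts` are all mine; `CACERTS` defaults to the path from the reply and can be overridden.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed: PUM_HOST/PUM_PORT for
# the PAM/PUM server, the alias name, and that keytool lives in the same JRE
# as the cacerts file. CACERTS defaults to the path the reply gives; the
# 'changeit' password is the JRE default (assumption, override if changed).
set -eu

CACERTS="${CACERTS:-/opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"
KEYTOOL="${KEYTOOL:-$(dirname "$CACERTS")/../../bin/keytool}"  # keytool of that JRE (assumption)

# Split a PEM bundle on stdin into outdir/cert1.pem, cert2.pem, ... (leaf
# first, the order s_client prints) and print how many certificates were found.
split_chain() { # outdir
  awk -v dir="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%d.pem", dir, n); inside = 1 }
    inside { print > f }
    /-----END CERTIFICATE-----/ { inside = 0; close(f) }
    END { print n + 0 }'
}

# Fetch the chain the server presents on its HTTPS port. Zero certificates
# back usually means the port is not speaking TLS at all.
fetch_chain() { # host port outdir
  openssl s_client -showcerts -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null \
    | split_chain "$3"
}

# True when issuer equals subject, i.e. a self-signed certificate rather than
# one issued by a CA.
is_self_signed() { # pemfile
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Which certificate to put in cacerts: the CA when the chain has one,
# otherwise the self-signed leaf itself (which breaks on every rotation).
pick_trust_anchor() { # chaindir
  n=0
  for f in "$1"/cert*.pem; do n=$((n + 1)); done
  if [ "$n" -eq 1 ] && is_self_signed "$1/cert1.pem"; then
    printf '%s\n' "$1/cert1.pem"
  else
    printf '%s\n' "$1/cert$n.pem"  # topmost cert sent: the root only if the server includes it
  fi
}

# Confirm the leaf chains to the chosen anchor before touching cacerts; any
# other certs the server sent are offered as untrusted intermediates.
verify_leaf() { # chaindir anchorpem
  cat "$1"/cert*.pem > "$1/untrusted.pem"
  openssl verify -CAfile "$2" -untrusted "$1/untrusted.pem" "$1/cert1.pem" >/dev/null 2>&1
}

# Import into the IDM JRE truststore with a backup first. The package owns this
# file, so repeat this after every engine or Remote Loader upgrade.
import_into_cacerts() { # pemfile alias
  cp -p "$CACERTS" "$CACERTS.bak.$(date +%Y%m%d%H%M%S)"
  "$KEYTOOL" -importcert -noprompt -trustcacerts -keystore "$CACERTS" \
    -storepass "$STOREPASS" -alias "$2" -file "$1"
  "$KEYTOOL" -list -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$2"
}

# Stand-alone use: PUM_HOST=pum.example.com sh import_pum_cert.sh
if [ -n "${PUM_HOST:-}" ]; then
  dir=$(mktemp -d)
  n=$(fetch_chain "$PUM_HOST" "${PUM_PORT:-443}" "$dir")
  [ "$n" -gt 0 ] || { echo "no certificate received; is the server speaking TLS on that port?"; exit 1; }
  anchor=$(pick_trust_anchor "$dir")
  if ! verify_leaf "$dir" "$anchor"; then
    echo "leaf does not chain to $anchor; get the real CA certificate from the PUM admin"; exit 1
  fi
  import_into_cacerts "$anchor" "${PUM_ALIAS:-pum-ca}"
fi
```

When the server only sends the leaf plus an intermediate, `verify_leaf` fails on purpose: the topmost cert offered is not a root, and importing an intermediate into `cacerts` gives a trust store that breaks the next time the intermediate rolls over. Ask the PAM/PUM owner for the actual CA certificate in that case, and keep the backup `cacerts` copy around so an IDM upgrade that overwrites the file can be diffed against what you had.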