LDAPVerifyServerSSLCert

Delegates the verification of the SSL certificate to TM1®. This parameter is useful, for example, when you are using LDAP with a proxy server.

Parameter type: optional, static

Note: Before working with this parameter, you should be familiar with SSL and LDAP.

By default, TM1 uses the Microsoft Windows API to verify SSL certificates. For that verification to succeed, the name in the certificate must match the LDAP server host name. When you connect through a proxy, however, the two names can differ and the verification fails. In this case, set LDAPVerifyServerSSLCert=T so that TM1 performs the certificate verification itself.

When LDAPVerifyServerSSLCert=T, TM1 performs the same two verification steps as the Windows API (verifying the trust chain of the certificate and checking the certificate revocation list, CRL), but with a slightly different approach:
  1. Instead of verifying the received certificate against the configured host name, TM1 looks at the list of server names specified by LDAPVerifyCertServerName.
  2. If the certificate name matches one of the servers specified by LDAPVerifyCertServerName, TM1 calls the Microsoft Windows API and requests it to verify this single certificate only.
    Note: The correct trusted root certificate authority (CA) must already have been imported to the Microsoft Windows Certificate Store.

    You can skip the trust verification step by specifying LDAPSkipSSLCertVerification=T. In this case, TM1 does not verify the server certificate at all but simply accepts it.

  3. Once the trust verification is confirmed (or skipped), TM1 calls the Microsoft Windows API to check the CRL.
    Note: The CRL for the trusted root must already have been imported to the Microsoft Windows Certificate Store.

    If the CRL does not exist in the Microsoft Windows Certificate Store, the process fails. You can skip the CRL check by specifying LDAPSkipSSLCRLVerification=T.

  4. If all the previous steps finish successfully, the SSL handshake is complete. TM1 now attempts to authenticate to the LDAP server.
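As an added example (not part of the TM1 documentation or product), the following Python helper reads the [TM1S] section of a tm1s.cfg and flags combinations of the parameters described above that leave the LDAP server certificate partly or wholly unverified. It assumes that LDAPVerifyCertServerName is a comma-separated list and that an absent flag behaves as F; the sample configurations are constructed.

```python
"""Audit LDAP/SSL verification settings in a TM1 tm1s.cfg (hypothetical helper)."""
import configparser

# Constructed sample: verification delegated to TM1, but the CRL check is skipped.
WEAK_CFG = """[TM1S]
ServerName=planning
LDAPVerifyServerSSLCert=T
LDAPVerifyCertServerName=ldap.example.com
LDAPSkipSSLCRLVerification=T
"""

# Constructed sample: both trust and CRL checks stay enabled.
HARDENED_CFG = """[TM1S]
ServerName=planning
LDAPVerifyServerSSLCert=T
LDAPVerifyCertServerName=ldap.example.com,ldap2.example.com
"""


def _flag(section, key):
    """TM1 boolean parameters are written T/F; a missing key is treated as F (assumption)."""
    return section.get(key, "F").strip().upper() == "T"


def audit_ldap_ssl(cfg_text):
    """Return a list of findings describing weakened LDAP server-certificate checks."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    s = parser["TM1S"]  # tm1s.cfg keeps its parameters in the [TM1S] section
    findings = []

    # Step 1: TM1 matches the certificate name against LDAPVerifyCertServerName.
    # Assumption: the list is comma-separated. With no names, nothing can match.
    names = [n.strip() for n in s.get("LDAPVerifyCertServerName", "").split(",") if n.strip()]
    if _flag(s, "LDAPVerifyServerSSLCert") and not names:
        findings.append("LDAPVerifyServerSSLCert=T but LDAPVerifyCertServerName is empty: "
                        "no certificate name can match, so the SSL handshake will fail")

    # Step 2: trust verification can be skipped entirely, accepting any certificate.
    if _flag(s, "LDAPSkipSSLCertVerification"):
        findings.append("LDAPSkipSSLCertVerification=T: trust verification is skipped, "
                        "any server certificate is accepted")

    # Step 3: skipping the CRL check means a revoked certificate is still accepted.
    if _flag(s, "LDAPSkipSSLCRLVerification"):
        findings.append("LDAPSkipSSLCRLVerification=T: revoked certificates are not detected")

    return findings
```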

For troubleshooting information, see Troubleshooting LDAP authentication.