Enable ZCC Login Access to the ZLM Server after Expiration of (eDir) LDAP Server SSL Certificate




The administrator is unable to login into the ZCC UI of the installed ZLM Server. This is caused as the LDAP Server’s SSL certificate is expired after two years of ZENworks 7.x Linux Management Server installation. On the ZLM Server's Tomcat log file (Catalina.out) , the error reported like 'java.security.cert.CertificateNotYetValidException' or ZENserver tries to communicate to e-Directory at localhost and port 389 with error like :
LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389

System Environment

ZENworks 7.2 Linux Management Server
ZENworks 7.3 Linux Management Server


Steps to create a new SSL Server Certificate on the existing ZLM Server

Following are the steps to create the SSL Server Certificate for an extended validity period of five years . The default Server certificate for LDAP Server is valid for a period of two years only.

  1. Login to the e-Directory Tree on the ZLM Server by using ConsoleOne tool , Click on the currently configured NDS tree named as ZONE-TREE and then select the System container under the NDS tree.

  • Select and right click on the System container and choose option New and then Object i.e. (System->New->Object) . In the Object dialog box, choose to create the NDSPKI:Key Material object and click on the OK button.

  • In the Next dialog box, give the Certificate name e.g. ZLM_TEST-server-certificate
    and select the Creation method as Custom and then click on Next button. Now, choose the default option Organizational certificate authority and click on the Next button.

  • Choose the desired Key Size default is '2048 bits' (other options are 512 bits, 768 bits, 1024 bits) and choose the Type as 'SSL or TLS' and click on the Next button.

  • Under ‘Specify the certificate parameters’ option , choose the Validity Period as needed, say 5 years ( options available are 6 months, 1 year, 2 years, Maximum, Specify dates) and then Click on the Next button.

  • In the next window, choose the option Your organization's certificate and click on Next button. Finally click on the Finish button to complete the creation steps.

Steps to assign the new SSL Server Certificate to the existing LDAP Server

Following are the steps to assign the new SSL Server Certificate created above to the LDAP server, so that the certificate expiration date is extended by five years on the ZLM Server:

  1. Click on the currently used LDAP Server object present under System container of the ZLM Tree . For example: System->LDAP Server-SLES11-x64.

  • Right click on the LDAP Server object and choose the Properties option. Under the Properties dialog box, select the SSL/TLS Configuration tab.

  • Browse to select the new Server Certificate as created earlier i.e. ZLM_TEST-server-certificate. Finally click OK and Apply button to save the changes during assignment

  • On the ZLM server, restart the zlm services by using zlm-config --restart command and then user is allowed re-login to ZCC.


How To-Best Practice
Comment List