If DSCC is asking for a userID/pwd, I think that your server is not registered with the newly created agents. You can check by running dsccreg list-servers --agent and check "flags: column. If value is v6 or n2, you must register your server again with the new agent:
dsccreg remove-server / dsccreg add-server
From DSCC itself, go to Directory Server instance -> Server Operation -> Main tab. Check value of DSCC agent.
Thank you Frank and Carole for your response. The stated issue/error is resolved. It had to do with the upgrade somehow which lead to multiple certs for the same agent. Anyway, I had to delete ADS and all attached Agents, re-create ADS, re-create all Agents and re-register with the new ADS. I then manually re-registered the Directory Server instances on both the Primary and Secondary Servers with the new ADS. Voila, the DSCC Web console no longer prompts for server credentials.
But importing the Wild card cert issue still remains. I added the issuing CA chain to the ldap instance CA store and I see the certs listed. But when I try to import the P12 cert/key combo, I get an error which says something like: "The certificate is already in the database". But it is not, verified using certutil.
Yes internal CA or Self-signed Certs are fine. If I add the internal CA and Root CA to the cert store on my LDAP clients, then I am fine. No SSL errors. But want to avoid using such as we do have quite a few clients which would be connecting to the store. Hence want to use our enterprise wild card Cert. I am not sure if it is an issue importing a wild card pkcs12 format.
As mentioned above I did add the CA chain (which issued the wild card) to the actual instance, not the ADS. I can try that. But are you sure we need to add the Root CA to Tomcat ks.
And while we are at it, the Self-signed certs generated using the Console is only valid for 2 years. Is it possible to change the term ?