LDAP Directory SSL Certificate renewal Process reg.

Hi, All

Our corporate LDAP directory ( using Secure Socket Layer (SSL) will be renewed on 15th December 2013.

As per the client's request, we need to install the new VeriSign root certificate in addition to the current existing VeriSign root certificate. And we should make your changes without production impact.

Each pre-production Corporate LDAP environment has certificates which were issued using the NEW Verisign root certificate.

We need to perform validation testing against one of the following environments:




Kindly suggest how to accomplish this task, as I am new to admin tasks.

They provided the links for:

1. Location of NEW root CA certificate

2. Location of CURRENT root CA certificate (currently in use by production LDAP)

After downloading the certificates into the path below, what exactly do I need to do with these cacerts?

Certificate path: HYPERION_HOME/common/JRE/Sun/1.5.0/lib/security/cacerts.

As per the SSL Configuration Guide, I found the information below. Kindly suggest:

1. If the CA root certificate you are using is not from a default trusted third-party CA, import the CA root certificate into HYPERION_HOME/common/JRE/Sun/1.5.0/lib/security/cacerts.

2. Optional: If EPM System products are deployed on a 64-bit operating system, import the CA certificate into HYPERION_HOME/common/JRE-64/Sun/1.5.0/lib/Security/cacerts.

3. SSL-enable user directory connections.

   a. Obtain the CA root certificate for your LDAP-enabled user directory.

   b. If the CA root certificate you are using is not from a default trusted third-party CA, import the CA root certificate into the cacerts of the JVM. cacerts is in the /lib/security directory within the JRE install directory.

   “You can use different keystores for inbound and outbound requests. LDAPS is an outbound request from the application server; HTTPS is an inbound request”

   Caution! When Oracle's EPM System applications are installed and deployed on multiple servers, if the root CA certificate is not from a trusted third-party CA, you must load the CA root certificate into all of the JREs that are used by EPM System products.

   Note: All servers must be set up to open SSL connections when they are acting as SSL clients. For example, Planning Web application should open SSL connection to the user directory server.

4. Restart Shared Services.

5. Log on to Oracle's Hyperion® Shared Services Console as Shared Services Administrator. Connect using the secure URL https://host:SSL-port/interop/index.jsp; for example, https://
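The import step from the guide quoted above, as an added example that is not part of the original post or of Oracle's guide: a shell function that adds the new root under its own alias beside the current root, after checking its fingerprint and keeping a rollback copy of cacerts. The alias, certificate file name and fingerprint are placeholders, and it assumes keytool prints a `SHA1:` fingerprint line.

```shell
#!/bin/sh
# Added example: add one root CA to a JRE trust store next to the roots
# already there. Alias, file names and fingerprint are placeholders.

# add_root_ca KEYSTORE ALIAS CERT_FILE EXPECTED_SHA1 [STOREPASS]
# Returns 0 on success or if the alias is already present, non-zero otherwise.
add_root_ca() {
    ks=$1; ca_alias=$2; cert=$3; want=$4
    pass=${5:-changeit}   # "changeit" is the default cacerts password

    [ -f "$ks" ] && [ -f "$cert" ] ||
        { echo "keystore or certificate not found" >&2; return 2; }

    # 1. Compare the file's SHA1 fingerprint with the value the CA publishes,
    #    obtained out of band, in the same AA:BB:... form keytool prints.
    #    Assumption: keytool -printcert emits a "SHA1: AA:BB:..." line.
    got=$(keytool -printcert -file "$cert" | sed -n 's/.*SHA1: *//p' | tr -d ' \r')
    [ -n "$got" ] && [ "$got" = "$want" ] ||
        { echo "fingerprint mismatch: got '$got'" >&2; return 3; }

    # 2. Nothing to do if this alias is already trusted.
    if keytool -list -keystore "$ks" -storepass "$pass" -alias "$ca_alias" >/dev/null 2>&1; then
        echo "$ca_alias already in $ks"; return 0
    fi

    # 3. Keep a rollback copy, then import. Existing entries (the current
    #    root) are not touched, so both roots are trusted afterwards.
    cp -p "$ks" "$ks.pre-renewal" || return 4
    keytool -import -trustcacerts -noprompt -alias "$ca_alias" -file "$cert" \
        -keystore "$ks" -storepass "$pass" >/dev/null ||
        { cp -p "$ks.pre-renewal" "$ks"; echo "import failed, keystore restored" >&2; return 5; }

    # 4. Confirm the new entry can be read back.
    keytool -list -keystore "$ks" -storepass "$pass" -alias "$ca_alias" >/dev/null
}

# Runs only when arguments are given, for example:
#   sh add_root_ca.sh "$HYPERION_HOME/common/JRE/Sun/1.5.0/lib/security/cacerts" \
#       new-root-ca /tmp/new_root.cer "<SHA1 fingerprint published by the CA>"
if [ "$#" -ge 4 ]; then add_root_ca "$@"; fi
```

Run it once for every JRE the EPM System products use (including JRE-64 on 64-bit installs), then restart Shared Services as in step 4.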



