I actually wrote a batch script to help get this right for me in our company, as it was multiple steps with so many things that could go wrong. As of today, this only works for Ignition 7.9.
First, if you are still using LDAP for authentication and users are currently logging in, you should stop ASAP. You are exposing their credentials in clear text (just Wireshark the traffic and you will see it).
As others have pointed out, there is not a lot of feedback for not getting LDAPS to work. Here are a few tips I can give. First, ensure you change the ports from 336 to 636 and turn on SSL. Second, the AD server may not allow anonymous connections, so entering account credentials into Ignition is important - double check that these are correct. You might ask your IT department to give you an account that doesn't expire like most other ones. You will get error messages in the gateway logs if it's not correct. Third, and the most difficult part, was understanding when Java was having an issue connecting securely to your AD server. This information is not logged in Ignition and not much of anywhere. You must get the domain's Root CA added to the Java Keystore (not the Ignition keystore - this is for securing the gateway webpage and client connections), as when it connects to it, it attempts to validate the certificate and it is likely not one that is added by default (so Java doesn't trust the connection and disconnects without doing anything). In our company, we utilize Microsoft Active Directory Certificate Services to generate certificates for our internal servers. This step may be difficult for many companies that have their own Root CA stood up.
If you are in this case, instruct their IT group to go to the AD Certificate Services website (servername.domain/certsrv/).
- Select the task, Download a CA Certificate, certificate chain, or CRL
- Then select the most current CA certificate.
- Choose DER or Base 64 encoding. (NOTE: I’ve used Base 64 without a problem)
- Choose Download CA Certificate
You will need to get this certificate to the Gateway machine. For Ignition 7.9, you will require the use of the Java keytool to install it. In my batch script, I detect 32/64 bit as well as Java version, but the tool will be in the \bin\keytool.exe of the Java path on the system, something like C:\Program Files\Java\jre1.8.0_181 and the Java Keystore is stored in \lib\security\ as the cacerts file.
The command to add the Certificate is:
keytool.exe -importcert -noprompt -trustcacerts -alias domain -file <filepath to generated Root CA> -keystore <filepath to java keystore> -storepass <password for java keystore - default is 'changeit'>
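A PowerShell version of the keystore import described above, added here as an illustration rather than the batch script from the post. It assumes the CA file downloaded from certsrv sits at C:\temp\RootCA.cer and that the JRE lives under JAVA_HOME or one of the Program Files\Java trees; it imports into every Java install it finds and then prints the imported certificate's fingerprint so it can be compared against the CA.

```powershell
param(
    [string]$CertPath  = 'C:\temp\RootCA.cer',  # assumed location of the downloaded Root CA (DER or Base 64)
    [string]$Alias     = 'domain',
    [string]$StorePass = 'changeit'             # Java default; change if your cacerts password differs
)

if (-not (Test-Path $CertPath)) { throw "CA certificate not found: $CertPath" }

# Collect candidate Java homes: JAVA_HOME plus every install under both Program Files trees,
# so 32-bit and 64-bit JREs are both considered.
$candidates = @()
if ($env:JAVA_HOME) { $candidates += $env:JAVA_HOME }
foreach ($root in @("$env:ProgramFiles\Java", "${env:ProgramFiles(x86)}\Java")) {
    if (Test-Path $root) { $candidates += (Get-ChildItem $root -Directory).FullName }
}

# Keep only homes that contain keytool.exe and a cacerts file (JRE layout, or a JDK 8 jre\ subfolder).
$javaHomes = foreach ($h in $candidates) {
    $kt = Join-Path $h 'bin\keytool.exe'
    $ks = @("$h\lib\security\cacerts", "$h\jre\lib\security\cacerts") |
          Where-Object { Test-Path $_ } | Select-Object -First 1
    if ((Test-Path $kt) -and $ks) { [pscustomobject]@{ Home = $h; Keytool = $kt; Cacerts = $ks } }
}
if (-not $javaHomes) { throw 'No Java installation with keytool.exe and cacerts was found.' }

foreach ($j in $javaHomes) {
    Write-Host "Java home: $($j.Home)"

    # Skip the import if the alias is already present; keytool -list exits non-zero when it is missing.
    & $j.Keytool -list -alias $Alias -keystore $j.Cacerts -storepass $StorePass *> $null
    if ($LASTEXITCODE -eq 0) { Write-Host "  alias '$Alias' already present, skipping"; continue }

    # Same command as in the post, with the paths resolved above.
    & $j.Keytool -importcert -noprompt -trustcacerts -alias $Alias -file $CertPath `
                 -keystore $j.Cacerts -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "keytool import failed for $($j.Home)" }

    # Verify what landed in the keystore: owner, validity and fingerprint should match the CA IT gave you.
    & $j.Keytool -list -v -alias $Alias -keystore $j.Cacerts -storepass $StorePass |
        Select-String 'Owner:|Valid from|SHA256:'
}

# Note: each JRE version installs into its own directory (e.g. jre1.8.0_181) with a fresh cacerts,
# so this has to be re-run after a Java update or LDAPS will silently stop working.
```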