LDAPVerifyServerSSLCert

Delegates the verification of the SSL certificate to Planning Analytics. This parameter is useful, for example, when you are using LDAP with a proxy server.

This parameter is not applicable to Planning Analytics Engine.

Parameter type: optional, static

Note: Before working with this parameter, you should be familiar with SSL and LDAP.

Typically, Planning Analytics leverages the Microsoft Windows API to verify SSL certificates. For this process to succeed, the certificate name and the LDAP server host name must match. If you are using a proxy, however, these names may not match, causing the verification to fail. In this case, you can set LDAPVerifyServerSSLCert=T to have Planning Analytics perform the certificate verification.

When LDAPVerifyServerSSLCert=T, Planning Analytics performs the two steps of verification (verifying the trust relationship to the certificate and checking the CRL) like the Windows API would have done, but with a slightly different approach.
  1. Instead of verifying the received certificate against the configured host name, Planning Analytics looks at the list of server names specified by LDAPVerifyCertServerName.
  2. If the certificate name matches one of the servers specified by LDAPVerifyCertServerName, Planning Analytics calls the Microsoft Windows API and requests it to verify this single certificate only.
    Note: The correct trusted root certificate authority (CA) must already have been imported to the Microsoft Windows Certificate Store.

    You can skip the trust verification step by specifying LDAPSkipSSLCertVerification=T. In this case, Planning Analytics does not verify the server certificate at all but simply accepts it.

  3. Once the trust verification is confirmed (or skipped), Planning Analytics calls the Microsoft Windows API to check the CRL.
    Note: The CRL certificate for the trusted root must already have been imported to the Microsoft Windows Certificate Store.

    If the CRL certificate does not exist in the Microsoft Windows Certificate Store, the process will fail. You can skip the CRL step by specifying LDAPSkipSSLCRLVerification=T.

  4. If all the previous steps finish successfully, the SSL handshake is complete. Planning Analytics now attempts to authenticate to the LDAP server.
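
The following is an added example, not IBM code: a small audit script that reads the text of a tm1s.cfg file and reports settings that weaken the verification steps described above. It assumes key=value lines with "#" comments and that LDAPVerifyCertServerName may be repeated once per server; the function names, finding codes, and sample host name are hypothetical.

```python
# Added example (not IBM code): audit tm1s.cfg text for the LDAP SSL settings above.
# Assumptions: key=value lines, "#" starts a comment, and LDAPVerifyCertServerName
# may be repeated, one server name per line.

def parse_cfg(text):
    """Return {lowercased key: [values]} so repeated keys are all kept."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue  # blank line, comment, or section header such as [TM1S]
        key, value = line.split("=", 1)
        settings.setdefault(key.strip().lower(), []).append(value.strip())
    return settings

def is_true(settings, key):
    """Conservative: report T if any occurrence of the key is set to T."""
    return any(v.upper() == "T" for v in settings.get(key.lower(), []))

def audit_ldap_ssl(text):
    """Return (code, message) findings for weakened certificate checks."""
    s = parse_cfg(text)
    findings = []
    names = [v for v in s.get("ldapverifycertservername", []) if v]
    if is_true(s, "LDAPVerifyServerSSLCert") and not names:
        findings.append(("NO_SERVER_NAMES",
                         "delegated verification has no LDAPVerifyCertServerName to match"))
    if is_true(s, "LDAPSkipSSLCertVerification"):
        findings.append(("SKIP_TRUST",
                         "server certificate is accepted without trust verification"))
    if is_true(s, "LDAPSkipSSLCRLVerification"):
        findings.append(("SKIP_CRL", "revoked certificates are not detected"))
    return findings

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CFG = """\
[TM1S]
LDAPVerifyServerSSLCert=T
LDAPVerifyCertServerName=ldap-proxy.example.com
# The next line is what the audit flags.
LDAPSkipSSLCertVerification=T
LDAPSkipSSLCRLVerification=F
"""

if __name__ == "__main__":
    for code, message in audit_ldap_ssl(SAMPLE_CFG):
        print(f"{code}: {message}")
```
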