Updating an LDAP certificate in a High Availability environment by using REST Administration APIs

System administrators can update a certificate on the primary and standby nodes by using REST Administration APIs.

In an environment that is configured for High Availability, you must ensure that the new certificate that you upload on the primary server is correctly replicated on the standby server. The restart sequence in this task forces each node to resynchronize so that both nodes hold the new certificate. In this scenario, server 1 is the primary server and server 2 is the standby.

You can import a certificate for an LDAP connection by using REST Administration APIs, or by using the Amlen WebUI. When you use the Amlen WebUI, importing the certificate is part of creating an external LDAP connection. For more information about using the Amlen WebUI to import the certificate, see Configuring an LDAP server by using the Amlen WebUI.

After the certificate is applied, it is automatically renamed to ldap.pem, whatever name you uploaded it under.

  1. On server 1, import the certificate to Eclipse Amlen by using the Eclipse Amlen REST API PUT method with the following Eclipse Amlen configuration URI:

    curl -X PUT -T <FilePath and FileName> http://<admin-endpoint-IP:port>/ima/v1/file/<FileName>

  2. On server 1, apply the certificate to the LDAP connection by using the Eclipse Amlen REST API POST method.
    1. Use the following Eclipse Amlen configuration URI:

      http://<admin-endpoint-IP:Port>/ima/v1/configuration/

    2. Provide object configuration data in the payload of the POST method by using the following schema. Set Content-Type to application/json:

      {
        "LDAP": {
          "Certificate": "string",
          "Overwrite": true|false
        }
      }
      Where:
      • Certificate
        Specifies the name of the certificate that was imported in step 1.
      • Overwrite: true|false
        Optional.
        Specifies whether any existing LDAP connection certificate is overwritten.
        The default value is false. When you are replacing a certificate that is already applied, as in this task, set Overwrite to true.

      New LDAP settings will be used the next time a client or connection is authenticated or authorized.

  3. On server 2, stop the Eclipse Amlen server process by using the Eclipse Amlen REST API POST method with the following Eclipse Amlen service URI:

    http://<admin-endpoint-IP:port>/ima/v1/service/stop

    and wait for the server to stop.

  4. On server 2, start the Eclipse Amlen server process by using the Eclipse Amlen REST API POST method with the following Eclipse Amlen service URI:

    http://<admin-endpoint-IP:port>/ima/v1/service/start

    and wait for the synchronization to complete.

  5. On server 1, stop the Eclipse Amlen server process by using the Eclipse Amlen REST API POST method with the following Eclipse Amlen service URI:

    http://<admin-endpoint-IP:port>/ima/v1/service/stop

    and wait for server 1 to stop.

  6. On server 1, start the Eclipse Amlen server process by using the Eclipse Amlen REST API POST method with the following Eclipse Amlen service URI:

    http://<admin-endpoint-IP:port>/ima/v1/service/start

    and wait for the synchronization to complete.

    After steps 1 through 6 are completed, server 2 is the primary server and server 1 is the standby, and both servers have the new LDAP certificate applied and ready for use. New LDAP settings are used the next time a client or connection is authenticated or authorized.

    You can optionally swap server 1 back as the primary server by completing the following steps:

  7. Optional: On server 2, stop the Eclipse Amlen server process by using the Eclipse Amlen REST API POST method with the following Eclipse Amlen service URI:

    http://<admin-endpoint-IP:port>/ima/v1/service/stop

    and wait for the server to stop.

  8. Optional: On server 2, start the Eclipse Amlen server process by using the Eclipse Amlen REST API POST method with the following Eclipse Amlen service URI:

    http://<admin-endpoint-IP:port>/ima/v1/service/start

    and wait for the synchronization to complete.

The following commands are entered on the original primary server (server 1). The example imports a file called ldap.pem from the local machine to the staging directory and applies it as the LDAP certificate:

curl -X PUT -T /certificates/ldap.pem http://127.0.0.1:9089/ima/v1/file/ldap.pem

An example response to the PUT method:

{
  "Version": "v1",
  "Code": "CWLNA6011",
  "Message": "The requested configuration change has completed successfully."
}

The following example applies the certificate to the LDAP connection by using cURL:

curl -X POST \
  -H 'Content-Type: application/json' \
  -d '{
        "LDAP": {
          "Certificate": "ldap.pem",
          "Overwrite": true
        }
      }' \
  http://127.0.0.1:9089/ima/v1/configuration/

An example response to the POST method:

{
  "Version": "v1",
  "Code": "CWLNA6011",
  "Message": "The requested configuration change has completed successfully."
}

Check that each response reports Code CWLNA6011 before you continue to the next step; any other code means the change was not applied and the restart sequence would replicate the old certificate.
After you import and apply the LDAP certificate, you can create the LDAP connection. For more information about creating the LDAP connection by using REST Administration APIs, see Configuring an LDAP connection by using REST Administration APIs.
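The following script performs steps 1 through 6 of this task end to end against an HA pair. It is an added example for this page, not code from the Eclipse Amlen project: the file, configuration, stop and start URIs and the success code CWLNA6011 are taken from the page, while the status-polling URI /ima/v1/service/status and the "Server"."Status" and "HighAvailability"."SyncNodes" fields that the wait conditions read are assumptions that you should compare with the status output of your own servers. The transport is injectable so that the sequencing can be exercised without live servers.

```python
"""Roll a new LDAP certificate across an Eclipse Amlen HA pair via the REST Administration API.

Added example; not Eclipse Amlen project code. Step order follows the page: upload and apply on
server 1 (primary), restart server 2 (standby), then restart server 1. Each configuration
response must carry CWLNA6011 or the rollover stops.
ASSUMPTIONS: GET /ima/v1/service/status exists and returns Server.Status ("Running"/"Stopped")
and HighAvailability.SyncNodes (2 when both nodes are synchronized).
"""
import json
import time
import urllib.request
from typing import Callable, Optional

SUCCESS_CODE = "CWLNA6011"  # success code shown in the page's example responses
Transport = Callable[[str, str, Optional[bytes], Optional[str]], dict]


def http_transport(method: str, url: str, body: Optional[bytes], content_type: Optional[str]) -> dict:
    """Send one request with urllib and return the decoded JSON response."""
    req = urllib.request.Request(url, data=body, method=method)
    if content_type:
        req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read().decode("utf-8")
    return json.loads(raw) if raw else {}


class AmlenAdmin:
    """Client for one server's admin endpoint, for example http://127.0.0.1:9089."""

    def __init__(self, base_url: str, transport: Transport = http_transport):
        self.base = base_url.rstrip("/")
        self.transport = transport

    @staticmethod
    def _expect_ok(resp: dict) -> dict:
        # Any Code other than CWLNA6011 means the configuration change was not applied.
        if resp.get("Code") != SUCCESS_CODE:
            raise RuntimeError(f"admin API returned {resp.get('Code')}: {resp.get('Message')}")
        return resp

    def upload_file(self, local_path: str, remote_name: str) -> dict:
        # Step 1: PUT the certificate file into the staging area.
        with open(local_path, "rb") as fh:
            data = fh.read()
        return self._expect_ok(self.transport("PUT", f"{self.base}/ima/v1/file/{remote_name}", data, None))

    def apply_ldap_certificate(self, name: str, overwrite: bool = True) -> dict:
        # Step 2: POST the LDAP object naming the uploaded file; Overwrite=true replaces an existing one.
        payload = json.dumps({"LDAP": {"Certificate": name, "Overwrite": overwrite}}).encode("utf-8")
        return self._expect_ok(
            self.transport("POST", f"{self.base}/ima/v1/configuration/", payload, "application/json"))

    def stop(self) -> dict:
        # Sent without a body, as on this page; the page shows no response for stop/start, so none is checked.
        return self.transport("POST", f"{self.base}/ima/v1/service/stop", None, None)

    def start(self) -> dict:
        return self.transport("POST", f"{self.base}/ima/v1/service/start", None, None)

    def status(self) -> dict:
        # ASSUMPTION: this URI returns the server and HA state as JSON.
        return self.transport("GET", f"{self.base}/ima/v1/service/status", None, None)

    def wait_for(self, done: Callable[[dict], bool], timeout: float = 600.0, interval: float = 5.0) -> dict:
        """Poll status() until done() holds; a dead endpoint during a restart is tolerated, not fatal."""
        deadline = time.monotonic() + timeout
        while True:
            try:
                st = self.status()
                if done(st):
                    return st
            except OSError:
                pass
            if time.monotonic() >= deadline:
                raise TimeoutError(f"{self.base} did not reach the expected state in {timeout}s")
            time.sleep(interval)


def is_stopped(st: dict) -> bool:
    # ASSUMPTION: a stopped server reports Server.Status == "Stopped".
    return st.get("Server", {}).get("Status") == "Stopped"


def is_synchronized(st: dict) -> bool:
    # ASSUMPTION: a running node that finished HA synchronization reports SyncNodes == 2.
    return (st.get("Server", {}).get("Status") == "Running"
            and st.get("HighAvailability", {}).get("SyncNodes") == 2)


def rollover(server1: AmlenAdmin, server2: AmlenAdmin, cert_path: str, name: str = "ldap.pem") -> list:
    """Steps 1 to 6: server1 is the current primary, server2 the standby. Returns the completed steps."""
    done = []
    server1.upload_file(cert_path, name)
    done.append("upload on server 1")
    server1.apply_ldap_certificate(name, overwrite=True)
    done.append("apply on server 1")
    # Standby first, then primary; server 2 takes over as primary when server 1 stops.
    for node, label in ((server2, "server 2"), (server1, "server 1")):
        node.stop()
        node.wait_for(is_stopped)
        done.append(f"stop {label}")
        node.start()
        node.wait_for(is_synchronized)
        done.append(f"start {label}")
    return done


if __name__ == "__main__":
    import sys
    # Usage: python ha_ldap_cert.py http://server1:9089 http://server2:9089 /certificates/ldap.pem
    s1, s2, path = sys.argv[1:4]
    for step in rollover(AmlenAdmin(s1), AmlenAdmin(s2), path):
        print("done:", step)
```

The wait after each stop and each start is what keeps the sequence safe: starting server 1 before server 2 has finished synchronizing, or stopping server 1 while server 2 is still down, would leave the pair without a primary. If your admin endpoints require authentication or TLS, extend http_transport with the credentials and scheme you use rather than changing the step order.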