Original Message:
Sent: 03-25-2026 11:47
From: sun kim
Subject: LDAP over SSL
We use public CAs now; we don't use internally self-signed certificates. Our server admin usually handles stuff like this, but from my notes I want to say WebSphere is one layer for the certs and Maximo uses a different store based on the Java JDK. You need to get a copy of the Windows AD cert (self_signed_ad_cert.cer) and import that into the Java cacerts file for the Java that Maximo is using.
I think the SystemOut.log will say what path you're using for Java, or if you go to Task Manager in Windows, look for the java.exe using the most memory and open its file location to see the path.
The cacerts file is in a location something like this: C:\IBM\WebSphere\AppServer\java\8.0\jre\lib\security\
Back up the cacerts file before changing it (just in case).
Use keytool to import the self-signed cert:
keytool -import -trustcacerts -alias myInternalAD -file "C:\path\to\self_signed_ad_cert.cer" -keystore cacerts
If successful, restart MXServer.
This is really not my area.
------------------------------
sun kim
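The procedure in the reply above (find the JDK Maximo runs on, back up cacerts, import the AD certificate, confirm it landed), scripted so the backup and the post-import check are never skipped. This is an added example, not code from the thread or from IBM. It assumes a standard JDK layout under the Java home (keytool in bin/, cacerts under jre/lib/security for Java 8 or lib/security for Java 9+), that the truststore password is the JDK default "changeit" (override it if your WebSphere JDK differs), and that the certificate file is DER or PEM as keytool -importcert accepts. The function names and the alias are the example's own.

```python
"""Import an internal AD certificate into the cacerts truststore of the
JDK that Maximo runs on, with a backup and a post-import verification.
Added example (not from the original post or from IBM)."""
import os
import shutil
import subprocess
import time
from pathlib import Path

DEFAULT_ALIAS = "myInternalAD"   # alias used in the reply; any unique name works
DEFAULT_STOREPASS = "changeit"   # JDK default; assumption for this JDK


def find_cacerts(java_home: Path) -> Path:
    """Return the cacerts path for a Java 8 (jre/lib/security) or a Java 9+
    (lib/security) layout under java_home; raise if neither exists."""
    for rel in ("jre/lib/security/cacerts", "lib/security/cacerts"):
        candidate = java_home / rel
        if candidate.is_file():
            return candidate
    raise FileNotFoundError(f"no cacerts under {java_home}")


def backup_keystore(cacerts: Path) -> Path:
    """Copy cacerts to cacerts.bak.<timestamp> beside it and return the copy,
    so the change can be reverted if the import goes wrong."""
    backup = cacerts.with_name(f"{cacerts.name}.bak.{int(time.time())}")
    shutil.copy2(cacerts, backup)
    return backup


def keytool_path(java_home: Path) -> str:
    """Prefer the keytool of the same JDK so the keystore format matches;
    fall back to whatever keytool is on PATH."""
    exe = "keytool.exe" if os.name == "nt" else "keytool"
    tool = java_home / "bin" / exe
    return str(tool) if tool.is_file() else "keytool"


def import_cmd(keytool, cacerts, cert_file, alias, storepass):
    """argv for a non-interactive trusted-certificate import (keytool asks
    'Trust this certificate?' unless -noprompt is given)."""
    return [keytool, "-importcert", "-trustcacerts", "-noprompt",
            "-alias", alias, "-file", str(cert_file),
            "-keystore", str(cacerts), "-storepass", storepass]


def list_cmd(keytool, cacerts, alias, storepass):
    """argv that exits non-zero if the alias is not in the keystore."""
    return [keytool, "-list", "-alias", alias,
            "-keystore", str(cacerts), "-storepass", storepass]


def import_ad_cert(java_home: Path, cert_file: Path,
                   alias=DEFAULT_ALIAS, storepass=DEFAULT_STOREPASS) -> Path:
    """Back up cacerts, import cert_file under alias, verify the alias is
    present. Returns the backup path; raises CalledProcessError on failure."""
    cacerts = find_cacerts(java_home)
    backup = backup_keystore(cacerts)
    tool = keytool_path(java_home)
    subprocess.run(import_cmd(tool, cacerts, cert_file, alias, storepass),
                   check=True)
    subprocess.run(list_cmd(tool, cacerts, alias, storepass), check=True)
    return backup


if __name__ == "__main__":
    import sys
    # usage: python import_ad_cert.py <JAVA_HOME> <self_signed_ad_cert.cer>
    # then restart MXServer so the JVM re-reads the truststore
    print("backup written to:", import_ad_cert(Path(sys.argv[1]), Path(sys.argv[2])))
```

Run it with the Java home you identified from SystemOut.log or Task Manager (for the path in the reply that is C:\IBM\WebSphere\AppServer\java\8.0). If the import or the -list check fails, the backup path printed is what you copy back over cacerts. Whether to import the AD server's own certificate or its issuing CA depends on which one is self-signed; importing the issuer is what -trustcacerts is for when a chain exists.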
Original Message:
Sent: 03-24-2026 01:59
From: Sergey Melnikov
Subject: LDAP over SSL
Sun Kim, good afternoon!
Thank you for your time!
I attached two screenshots to my previous message; I even went to look at them again.
I have everything as you described: ports 636 and 3269. I dug deeper into the logs, and as far as I can tell, Maximo doesn't trust the AD server certificate since it's located within the local network and is itself an internal CA.
I don't know what to do about this yet, and I don't understand why IBM Websphere isn't having any problems?
------------------------------
Sergey Melnikov
RusNet
Original Message:
Sent: 03-23-2026 15:17
From: sun kim
Subject: LDAP over SSL
System Configuration > Platform Configuration > Cron Task Setup
This parameter should be the 9th option. Change it from port 3268 to 3269.
Steve already posted the URL, but worth repeating:
https://www.ibm.com/support/pages/authentication-error-when-running-ldapsync
https://web.archive.org/web/20260323191556/https://www.ibm.com/support/pages/authentication-error-when-running-ldapsync
To resolve this problem, the following attributes need to be set to the correct values in the Cron Task Setup application for the LDAPSYNC task:
Port -- 636
SSLEnabled -- true
SynchParameter -- globalcatalogport=3269
After making the above changes, you will need to reload the cron task and review the systemout.log to confirm the error is not seen.
Following are the combinations for the Port and globalcatalogport settings:
If using SSL:
SSLEnabled: true (not 1)
Port: 636
Catalog Port: 3269
If not using SSL:
SSLEnabled: false (not 0)
Port: 389
Catalog Port: 3268
------------------------------
sun kim
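A consistency check for the three LDAPSYNC cron task parameters listed above, written as an added example (not IBM's code and not from the thread). It encodes the two valid Port / SSLEnabled / globalcatalogport combinations from the reply and reports the mismatches, including the one the thread started from (SSL turned on and Port moved to 636 while the catalog port stayed at 3268) and the "1"/"0" values the reply says are not accepted. It assumes SynchParameter is a comma-separated list of key=value pairs, with globalcatalogport as one of them; the function names are the example's own.

```python
"""Consistency check for Maximo LDAPSYNC cron task parameters.
Added example, not IBM's code. Assumes SynchParameter is a comma-separated
key=value list such as "globalcatalogport=3269,..."."""

# Valid (Port, globalcatalogport) pair for each SSLEnabled value, per the reply
EXPECTED = {
    True:  {"port": 636, "globalcatalogport": 3269},   # LDAPS + GC over SSL
    False: {"port": 389, "globalcatalogport": 3268},   # cleartext LDAP + GC
}


def parse_synch_parameter(value: str) -> dict:
    """Split 'k1=v1,k2=v2' into a dict with lower-cased keys; entries
    without '=' are ignored."""
    result = {}
    for item in value.split(","):
        if "=" in item:
            key, val = item.split("=", 1)
            result[key.strip().lower()] = val.strip()
    return result


def check_ldapsync(params: dict) -> list:
    """Return a list of problems (empty when the parameters are consistent).

    params uses the Cron Task Setup names: "Port", "SSLEnabled",
    "SynchParameter"; values are the strings as entered in the UI.
    """
    problems = []
    ssl_raw = str(params.get("SSLEnabled", "")).strip()
    # The reply says "true (not 1)" / "false (not 0)": only the words are
    # accepted, so 1/0 are reported instead of being silently coerced.
    if ssl_raw.lower() not in ("true", "false"):
        problems.append(f"SSLEnabled must be 'true' or 'false', got {ssl_raw!r}")
        return problems
    ssl_on = ssl_raw.lower() == "true"
    want = EXPECTED[ssl_on]

    port_raw = str(params.get("Port", "")).strip()
    if not port_raw.isdigit():
        problems.append(f"Port is not a number: {port_raw!r}")
    elif int(port_raw) != want["port"]:
        problems.append(f"Port={port_raw} but SSLEnabled={ssl_raw}; "
                        f"expected {want['port']}")

    synch = parse_synch_parameter(str(params.get("SynchParameter", "")))
    gc = synch.get("globalcatalogport")
    if gc is None:
        problems.append("SynchParameter has no globalcatalogport=... entry")
    elif not gc.isdigit() or int(gc) != want["globalcatalogport"]:
        problems.append(f"globalcatalogport={gc} but SSLEnabled={ssl_raw}; "
                        f"expected {want['globalcatalogport']}")
    return problems


if __name__ == "__main__":
    # Constructed input: SSL switched on and Port changed to 636 while the
    # catalog port is still the non-SSL 3268.
    half_migrated = {"Port": "636", "SSLEnabled": "true",
                     "SynchParameter": "globalcatalogport=3268"}
    for problem in check_ldapsync(half_migrated):
        print("PROBLEM:", problem)
```

Feed it the values from Cron Task Setup before reloading the cron task; an empty list means the three settings agree with one of the two combinations above, which is what the IBM page asks for before you go back to SystemOut.log.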
Original Message:
Sent: 03-23-2026 13:04
From: Sergey Melnikov
Subject: LDAP over SSL
Sun Kim, good day!
Thank you very much for the advice; I only got to the forum today.
I finally managed to configure IBM Websphere to use SSL on port 636. For testing I created a new user in Active Directory, and it was added in IBM Websphere.
After that I tried to configure IBM Maximo, but was disappointed by this error.
[ERROR] [MAXIMO] [CID-CRON-10325] BMXAA6765E - The LdapSyncCronTask cron task could not be started. This message will be repeated if the initialization fails when the task runs again. See the associated message.
psdi.security.ldap.LdapSyncException: BMXAA6774W - The rootDSE attribute for attribute name highestCommittedUSN was not found.
I would be very grateful for any advice.
------------------------------
Sergey Melnikov
RusNet
Original Message:
Sent: 03-16-2026 11:05
From: sun kim
Subject: LDAP over SSL
I'd be surprised if LDAP over SSL is not turned on. More likely, the port used to access the server (port 636) is blocked. Talk to your network admin to confirm. And in the off chance that LDAPS (LDAP over SSL) is disabled, you'd need to discuss with the server admin to enable it.
Even though this is a local network, bindAuthMechanism=simple means the passwords are sent in cleartext across the local network. I don't know of any IT department that won't help with securing the network, so hopefully they can assist you quickly.
------------------------------
sun kim
Original Message:
Sent: 03-13-2026 03:18
From: Sergey Melnikov
Subject: LDAP over SSL
sun kim
Good day!
Thank you for your reply!
The server is on the local network, so its name is SRV04.vr.local. I tried a test request and got this error.
Apparently, the server administrator doesn't have SSL enabled.
SECJ7340E: Exception occurred while trying to connect to the LDAP server. Exception Name=javax.naming.CommunicationException Reason=SRV04.vr.local:636 ***** LdapSearch Input Parameters ***** hostName=SRVH04.vr.local portNumber=636 sslEnabled=true sslAlias=CellDefaultSSLSettings baseDN=DC=vr,DC=local bindDN=maxbind bindPwd=***** bindAuthMechanism=simple searchFilter=cn=* searchLimit=20 referral=ignore searchScope=sub
------------------------------
Sergey Melnikov
RusNet
Original Message:
Sent: 03-12-2026 10:40
From: sun kim
Subject: LDAP over SSL
If you're going to use Secure LDAP, you can't use IP address. It has to be a fully qualified domain name (FQDN) - for example, maximo.rusnet.com
------------------------------
sun kim
Original Message:
Sent: 03-12-2026 03:22
From: Sergey Melnikov
Subject: LDAP over SSL
Sun Kim, good day!
Thanks for your reply.
No, there's no balancer. It's my fault. I entered the wrong IP address. This happens when you're multitasking.
Here's the error with the correct IP addresses.
These are the addresses of the server hosting the AD.
SECJ7340E: An exception occurred while trying to connect to the LDAP server. Exception Name=javax.naming.CommunicationException Reason=192.168.80.14:636 ***** LdapSearch Input Parameters ***** hostName=192.168.80.14 portNumber=636 sslEnabled=true sslAlias=managed baseDN=DC=vr,DC=local bindDN=maxbind bindPwd=***** bindAuthMechanism=simple searchFilter=cn=* searchLimit=20 referral=ignore searchScope=sub
------------------------------
Sergey Melnikov
RusNet
Original Message:
Sent: 03-11-2026 13:20
From: sun kim
Subject: LDAP over SSL
Besides requiring a FQDN, you might ask your server/network admin if you have a load balancer handling the security certificate. This is common in enterprise settings. I see two IP addresses, which could mean one of them is the load balancer. After you use FQDN (fully qualified domain name), you may get another error message to help you narrow the error down.
------------------------------
sun kim
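A triage helper for the WebSphere SECJ7340E "LdapSearch Input Parameters" line that appears several times in this thread, serving the three points raised in the replies: an IP literal as hostName with SSL enabled (a FQDN matching the certificate is needed), a Reason= address that differs from hostName (two addresses in play, which turned out to be a typo here but could also be a load balancer), and bindAuthMechanism=simple without SSL (the bind password crosses the network in cleartext). This is an added example, not IBM's or the poster's code; the sample lines are constructed to mirror the ones posted, with the password already masked, and the function names are the example's own.

```python
"""Triage of WebSphere SECJ7340E LdapSearch parameter lines.
Added example, not IBM's code. Sample lines are constructed after the
ones posted in the thread."""
import ipaddress
import re

FIELD_RE = re.compile(r"(\w+)=(\S*)")            # key=value tokens after the marker
REASON_RE = re.compile(r"Reason=([^\s:]+):(\d+)")  # host:port from the exception
MARKER = "LdapSearch Input Parameters"

# Constructed sample lines (password masked as in the log)
SAMPLES = {
    "two_ips": (
        "SECJ7340E: An exception occurred while trying to connect to the LDAP server. "
        "Exception Name=javax.naming.CommunicationException Reason=192.168.80.14:636 "
        "***** LdapSearch Input Parameters ***** hostName=192.168.100.11 portNumber=636 "
        "sslEnabled=true sslAlias=CellDefaultSSLSettings baseDN=DC=vr,DC=local "
        "bindDN=maxbind bindPwd=***** bindAuthMechanism=simple searchFilter=cn=* "
        "searchLimit=20 referral=ignore searchScope=sub"),
    "fqdn_ok": (
        "SECJ7340E: An exception occurred while trying to connect to the LDAP server. "
        "Exception Name=javax.naming.CommunicationException Reason=SRV04.vr.local:636 "
        "***** LdapSearch Input Parameters ***** hostName=SRV04.vr.local portNumber=636 "
        "sslEnabled=true sslAlias=CellDefaultSSLSettings baseDN=DC=vr,DC=local "
        "bindDN=maxbind bindPwd=***** bindAuthMechanism=simple searchFilter=cn=* "
        "searchLimit=20 referral=ignore searchScope=sub"),
    "cleartext": (
        "SECJ7340E: An exception occurred while trying to connect to the LDAP server. "
        "Exception Name=javax.naming.CommunicationException Reason=SRV04.vr.local:389 "
        "***** LdapSearch Input Parameters ***** hostName=SRV04.vr.local portNumber=389 "
        "sslEnabled=false sslAlias=CellDefaultSSLSettings baseDN=DC=vr,DC=local "
        "bindDN=maxbind bindPwd=***** bindAuthMechanism=simple searchFilter=cn=* "
        "searchLimit=20 referral=ignore searchScope=sub"),
}


def parse_ldapsearch_line(line: str) -> dict:
    """Return the key=value fields after the marker, plus reasonHost and
    reasonPort taken from the exception Reason when it has host:port form."""
    idx = line.find(MARKER)
    if idx < 0:
        raise ValueError("not an LdapSearch parameter line")
    fields = dict(FIELD_RE.findall(line[idx + len(MARKER):]))
    match = REASON_RE.search(line[:idx])
    if match:
        fields["reasonHost"], fields["reasonPort"] = match.group(1), match.group(2)
    return fields


def is_ip_literal(host: str) -> bool:
    """True for an IPv4/IPv6 literal, False for a hostname/FQDN."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(line: str) -> list:
    """Findings for one SECJ7340E line; empty when nothing stands out."""
    f = parse_ldapsearch_line(line)
    findings = []
    host = f.get("hostName", "")
    ssl_on = f.get("sslEnabled", "").lower() == "true"
    if ssl_on and is_ip_literal(host):
        findings.append(f"hostName={host} is an IP literal; LDAPS needs the FQDN "
                        "the AD certificate was issued for")
    if "reasonHost" in f and f["reasonHost"] != host:
        findings.append(f"Reason address {f['reasonHost']} differs from hostName "
                        f"{host}: check for a typo or an intermediate (load balancer) address")
    if not ssl_on and f.get("bindAuthMechanism") == "simple":
        findings.append("simple bind without SSL: the bindDN password is sent in cleartext")
    return findings


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, "->", triage(sample) or ["nothing flagged"])
```

Paste the SECJ7340E line from SystemOut.log into triage(); an empty result means the hostname, address and bind mechanism are at least consistent, so the remaining cause is on the transport side (port blocked, LDAPS not enabled, or the certificate not trusted), which is where the thread went next.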
Original Message:
Sent: 03-11-2026 03:25
From: Sergey Melnikov
Subject: LDAP over SSL
Steven, thank you very much for your reply!
Sorry, I should have described my configuration first.
Maximo 7.6.1.3 is on the local network and runs on Windows Server 2025.
I tried connecting via SSL through Websphere.
To do this, I pulled the certificate from the port, specified the AD server IP address and port 636, enabled the SSL checkbox, entered the username and password of a user who can read AD, and received an error when attempting a test connection.
SECJ7340E: An exception occurred while trying to connect to the LDAP server. Exception Name=javax.naming.CommunicationException Reason=192.168.80.14:636 ***** LdapSearch Input Parameters ***** hostName=192.168.100.11 portNumber=636 sslEnabled=true sslAlias=CellDefaultSSLSettings baseDN=DC=vr,DC=local bindDN=maxbind bindPwd=***** bindAuthMechanism=simple searchFilter=cn=* searchLimit=20 referral=ignore searchScope=sub
------------------------------
Sergey Melnikov
RusNet
Original Message:
Sent: 03-10-2026 15:43
From: Steven Shull
Subject: LDAP over SSL
You want to ensure you follow the instructions here: Authentication error when running LDAPSYNC.
In addition to the port that you connect to LDAP on, there is a catalog port that it uses to try and traverse the forest. If you have a VPN (in a cloud environment), you'll need to ensure the port access is opened as well.
I personally prefer using VMMSync rather than LDAPSync. This would connect to WebSphere to pull users and groups rather than requiring duplicate LDAP configuration (in WebSphere and Maximo) and avoid the use of the global catalog port and such. But if you were previously using LDAP sync it's certainly easier to get it to work over SSL than switching your process.
------------------------------
Steven Shull
Naviam
Original Message:
Sent: 03-10-2026 13:48
From: Sergey Melnikov
Subject: LDAP over SSL
Gentlemen experts, good health to all!
I need some advice!
I had LDAP authentication configured via the standard port 389.
I need to configure LDAP over SSL. I'm setting the SSLEnabled parameter to true. I'm changing the connection port to 636.
I'm getting an error in the log. I'd like to know how to fix this?
[INFO] [MAXIMO] [CID-CRON-3632] Correlation started, correlation data added: InstanceName:LDAPS-TEST TaskName:LDAPSYNC Activity:ACTION
[10.03.26 20:04:27:617 MSK] 000000f7 SystemOut O Mar 10, 2026 20:04:27:613 [ERROR] [MAXIMO] [CID-CRON-3632] BMXAA6765E - The LdapSyncCronTask cron task could not be started. This message will be repeated if the initialization fails when the task runs again. See the associated message.
psdi.security.ldap.LdapSyncException: BMXAA6774W - The rootDSE attribute for attribute name highestCommittedUSN was not found.
at psdi.security.ldap.ads.ActiveDirectorySynchronizer.getRootDSEAttributeValue(ActiveDirectorySynchronizer.java:731) ~[businessobjects.jar:?]
at psdi.security.ldap.ads.ActiveDirectorySynchronizer.determineSynchronizationNeed(ActiveDirectorySynchronizer.java:617) ~[businessobjects.jar:?]
at psdi.security.ldap.AbstractLdapSynchronizer.performSync(AbstractLdapSynchronizer.java:278) ~[businessobjects.jar:?]
at psdi.security.ldap.LdapSyncTask.performTask(LdapSyncTask.java:391) ~[businessobjects.jar:?]
at psdi.security.ldap.LdapSyncCronTask.cronAction(LdapSyncCronTask.java:262) [businessobjects.jar:?]
#EverythingMaximo
------------------------------
Sergey Melnikov
RusNet
------------------------------