
[SRC] Enabling LDAPS for both JDB and external LDAP server



Article ID: KB33948 KB Last Updated: 06 Sep 2019 Version: 2.0

This article provides an update on this capability.


In most scenarios, the subscriber repository is stored on an external LDAP server. A common external LDAP server is the Sun ONE Directory Server.

JDB, which is internal to SRC, stores all system-related configuration.

Given this, how do you enable LDAPS for both JDB and an external LDAP server?


LDAPS on external LDAP Server, which generally stores the subscriber repository

LDAPS for the subscriber repository on an external LDAP server (Sun ONE Directory Server, for example) is supported in existing SRC versions without any patch or code changes.

The procedure to enable LDAPS for the subscriber repository is as follows:

  1. Export the server CA certificate from the external LDAP Server (Sun ONE Directory Server). Check the Sun ONE documentation on how to export the server CA certificate.
  2. Import the above certificate into SRC by using the following command. While importing the certificate, make sure to add it as a trusted CA.

root@src# run request security import-certificate identifier <cert-id> file-name <file-name> 
Version: 3
Serial Number: 115306
Signature Algorithm: MD5withRSA
Issuer: CN=CAcert
Valid From: Wed Aug 09 11:54:40 UTC 2017
Valid Until: Mon Aug 09 11:54:40 UTC 2027
Subject: CN=CAcert
Public key: RSA
Thumbprint Algorithm: SHA1
Thumbprint: a 14 98 b6 bf 3e d2 46 e4 14 c8 7e 5f c0 25 e6 74 b5 96 e7
Do you want to add the above certificate as a trusted CA [yes,no] ? (no) yes      
To export the CA certificate from the Sun ONE Directory Server (step 1), use the "certutil" tool as follows:

certutil -L -d <certificate directory> -P <database prefix> -n "<certificate nick name>" -a > <outputfile name>


  • <certificate directory> is the ServerRoot/alias. To know more about the default path of ServerRoot, refer to

  • <database prefix> is the prefix of the certificate database file. Usually it is slapd-<YourServerID>-.

  • <certificate nick name> is the nickname of the certificate to export. You can get the nicknames of available certificates by using the certutil -L -d <certificate directory> -P <database prefix> command.

Refer to the following link for more information about SunONE’s SSL and certificates configurations:

  3. Configure external directory details for the subscriber repository under the following level:

set shared sae group <sae group name> configuration ldap subscriber-data port-number 636
set shared sae group <sae group name> configuration ldap subscriber-data ldaps
set shared sae group <sae group name> configuration ldap subscriber-data server-address <external LDAP server address>
  4. Restart SAE after performing the above steps.
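
The import step asks whether to add the certificate as a trusted CA, so the summary it prints is the last point at which the certificate can be checked. The following added example (not part of the Juniper article or SRC) compares the displayed thumbprint with a fingerprint obtained separately on the LDAP server and lists findings to resolve before answering yes. Assumptions: the `REFERENCE` value is constructed, and single-digit thumbprint tokens such as `a` are treated as bytes printed without a leading zero.

```python
import re
from datetime import datetime

# Summary as printed by "request security import-certificate" before the
# trust prompt (field values copied from the article's sample output).
SUMMARY = """\
Signature Algorithm: MD5withRSA
Issuer: CN=CAcert
Valid From: Wed Aug 09 11:54:40 UTC 2017
Valid Until: Mon Aug 09 11:54:40 UTC 2027
Subject: CN=CAcert
Thumbprint Algorithm: SHA1
Thumbprint: a 14 98 b6 bf 3e d2 46 e4 14 c8 7e 5f c0 25 e6 74 b5 96 e7
"""
# Constructed reference value: the SHA-1 fingerprint an operator would read
# on the LDAP server itself, in the usual colon-separated form.
REFERENCE = "0A:14:98:B6:BF:3E:D2:46:E4:14:C8:7E:5F:C0:25:E6:74:B5:96:E7"
WEAK_SIGNATURES = ("MD5", "SHA1")


def parse_summary(text):
    """Split 'Key: value' lines on the first colon only."""
    return dict(
        (k.strip(), v.strip())
        for k, v in (ln.split(":", 1) for ln in text.splitlines() if ":" in ln)
    )


def normalize_thumbprint(value):
    """Return lowercase hex; assumes 1-digit tokens are unpadded bytes."""
    tokens = re.split(r"[\s:]+", value.strip())
    return "".join(t.lower().zfill(2) for t in tokens)


def review(text, reference, now):
    """Return findings to resolve before answering 'yes' at the prompt."""
    f = parse_summary(text)
    findings = []
    if normalize_thumbprint(f["Thumbprint"]) != normalize_thumbprint(reference):
        findings.append("thumbprint does not match out-of-band value")
    if f["Signature Algorithm"].upper().startswith(WEAK_SIGNATURES):
        findings.append("weak signature algorithm: " + f["Signature Algorithm"])
    fmt = "%a %b %d %H:%M:%S UTC %Y"
    if not (datetime.strptime(f["Valid From"], fmt) <= now
            <= datetime.strptime(f["Valid Until"], fmt)):
        findings.append("certificate outside validity period")
    return findings
```

A thumbprint mismatch means the file imported is not the certificate that was exported from the directory server, and the import should be answered with no.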

LDAPS for JDB (internal LDAP to SRC), which stores all system-related info/config

The local JDB does not have LDAPS support, because all communication with the localhost JDB is looped back and need not be secured.
