Ldap ssl connection is configured through keys:
LDAP_SSL_CERTIFICATE_KEY_FILE - path to file with certificate
LDAP_SSL_CERTIFICATE_VERIFY - defines if ldap server certificate should be verified. To turn it on set it to 'demand' to turn it of set it to 'allow'
LDAP_SSL_KEYSTORE - path to keystore containing server certificate
LDAP_SSL_KEYSTORE_PASSWORD - password to keystore
LDAP_SSL_KEYSTORE_TYPE - type of keystore (JKS and PKCS12 are allowed)
If you only need to encrypt data sent between License Statistics and ldap server, then only thing you need to do is to set LDAP_SSL_CERTIFICATE_VERIFY to 'allow'. This way communication is encrypted, but ldap server certificate is not verified. Because of that you can't tell if the server has valid certificate or not.
If you want to always be sure that ldap server has valid certificate then LDAP_SSL_CERTIFICATE_VERIFY has to be set to 'demand'. In most cases it should be enough, because License Statistics has root certificates from most trusted Certified Authorities and is able to verify server certificate with them. But if server certificate was not issued by one of our supported CAs (f.e. because it was generated from your company internal root certificate) then you will need to provide server certificate to License Statistics. There are two ways to do that.
1. Through certificate file. It is the easiest, and recommended way. You have to copy server certificate file to License Statistics host and provide path to this file under LDAP_SSL_CERTIFICATE_KEY_FILE in xflicstat.cfg.
2. Through keystore with loaded certificate. If you already have keystore that contains ldap server certificate and is of JKS or PKCS12 (how to check it?) then
provide path in LDAP_SSL_KEYSTORE, password in LDAP_SSL_KEYSTORE_PASSWORD and its type in LDAP_SSL_KEYSTORE_TYPE.
1. When to use demand and allow for verify
2. What is root certificate
3. What is CA