diff --git a/docs/directorymanager/11.1/install/upgrade/upgrade.md b/docs/directorymanager/11.1/install/upgrade/upgrade.md index 43be80f613..80ce3c6bbe 100644 --- a/docs/directorymanager/11.1/install/upgrade/upgrade.md +++ b/docs/directorymanager/11.1/install/upgrade/upgrade.md @@ -8,8 +8,6 @@ sidebar_position: 10 The topic guides you to upgrade to Directory Manager 11.1 from Directory Manager 10. -Follow the steps to upgrade. - Step 1 – To launch the Upgrade wizard, click **Next** on the GroupID Successfully Configured page of the Configuration Tool. 
@@ -23,6 +21,41 @@ Step 2 – Read the welcome message and click **Next**. ![2-select_source_version](/images/directorymanager/11.1/install/upgrade/2-select_source_version.webp) +Step 2.1: Verify SSL/TLS Certificates + +**CRITICAL PRE-UPGRADE STEP** + +Before proceeding with the upgrade, verify that all SSL/TLS certificates used for LDAP connections and authentication services are properly configured: + +**Verification Steps:** + +1. **Verify certificate installation:** + - Open Certificate Manager: `certlm.msc` + - Navigate to: **Trusted Root Certification Authorities** → **Certificates** + - Confirm all required certificates are present in this store + +2. **Check certificate validity:** + - Double-click each certificate + - Verify "Valid from" and "Valid to" dates + - Ensure certificates aren't expired +![2-1-check_certificate_validity](/images/directorymanager/11.1/install/upgrade/2-1-check_certificate_validity.webp) + +3. **Verify certificate chain:** + - In certificate details, go to **Certification Path** tab + - Ensure all certificates in the chain show "This certificate is OK" + - Verify no revocation errors +![2-1-verify_certificate_chain](/images/directorymanager/11.1/install/upgrade/2-1-verify_certificate_chain.webp) + +:::warning +- Connections using self-signed certificates NOT in the Trusted Root CA store will FAIL after upgrade +- Invalid certificates will block authentication and LDAP operations +::: + +**If any certificates are missing or invalid:** +- STOP the upgrade process +- Install/update certificates +- Re-verify all certificates before continuing + Step 3 – From the Select the previous version to upgrade list, select the Directory Manager version to upgrade from. 
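Review bot: The new "Step 2.1: Verify SSL/TLS Certificates" block breaks the page's own step convention ("Step 2 – …", "Step 3 – …" with an en dash), and the two image lines `+![2-1-check_certificate_validity]…` and `+![2-1-verify_certificate_chain]…` are glued directly onto the preceding list items with no blank line, so Docusaurus will render them inside the nested list rather than as standalone figures. Either renumber this as its own "Step 3 –" and shift the later steps, or at least use the en dash form and put a blank line before each image. Two content points as well: the sub-step "Verify no revocation errors" only passes if the host can reach the CRL/OCSP endpoints named in the certificate, so the step should tell the reader to confirm that reachability (or to expect the same failure after upgrade if it is blocked); and the warning states the rule only for self-signed certificates, so it should also say where a CA-issued LDAP/authentication certificate belongs (Personal store, with its intermediates in Intermediate Certification Authorities), otherwise readers will import every certificate into Trusted Root.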
@@ -46,17 +79,17 @@ can choose to upgrade all or selective data of the previous version. Options are ![3-select_modules-custom](/images/directorymanager/11.1/install/upgrade/3-select_modules-custom.webp) :::note - If later on, you wish to upgrade specific groups and their history via the Upgrade-Group + If you later want to upgrade specific groups and their history via the Upgrade-Group commandlet, then you must upgrade the Configuration and History in the first upgrade run. This will upgrade the history in the database as per Directory Manager 11.1 format and replicates it - to Elasticsearch. Later on, when you upgrade specific groups and their history using the + to Elasticsearch. Later, when you upgrade specific groups and their history using the Upgrade-Group commandlet, that will be done successfully. See the [Upgrade-Group](/docs/directorymanager/11.1/managementshell/smartgroup/upgradegroup.md) commandlet for additional information. ::: - If you want to upgrade configurations, history and all groups using the Directory Manager + If you want to upgrade configurations, history, and all groups using the Directory Manager Upgrade wizard , then you must select the Configurations, History, and Groups checkboxes. Step 5 – Click **Next**. @@ -99,7 +132,7 @@ connect to different child domains in a forest with different service accounts a messaging providers. - If an identity store already exists in Directory Manager 10 for the destination domains that the - jobs connect to, then jobs are moved to the respective identity stores in Directory Manager 11.1. + jobs connect to, the Upgrade wizard moves the jobs to the respective identity stores in Directory Manager 11.1. - When there is no identity store in Directory Manager 10 for the destination domain that the jobs connect to, the Upgrade wizard reads the FQDN of the destination domains used in the jobs and tries to create a forest structure. On identifying one, it proceeds to create an identity store 
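Review bot: In the @@ -46 hunk, the unchanged context line "Upgrade wizard , then you must select the Configurations, History, and Groups checkboxes." still carries a stray space before the comma; since this paragraph is already being rewritten for wording, fold that fix into the same change ("Upgrade wizard, then you must select …").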
@@ -115,13 +148,13 @@ messaging providers. ::: - The wizard does not create a separate identity store for each child domain in the same forest. - In case it cannot determine a forest structure, it creates separate identity stores for each + The wizard doesn't create a separate identity store for each child domain in the same forest. + In case it can't determine a forest structure, it creates separate identity stores for each domain. Step 10 – For Synchronize jobs that use Office 365 as messaging provider in Directory Manager 10, -the wizard would require you to provide the PFX certificate. All Synchronize jobs that use Office -365 as messaging provider will be listed on the wizard page. Expand each job and provide the PFX +the wizard would require you to provide the PFX certificate. The wizard page lists all Synchronize jobs that use Office +365 as messaging provider. Expand each job and provide the PFX certificate along with its password. ![Upgrade wizard Synchronize Messaging System page](/images/directorymanager/11.1/install/upgrade/entraidsynmessagingsystem.webp) 
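Review bot: This hunk introduces contractions ("doesn't", "can't") while the surrounding unchanged text keeps "will not" / "do not" (see "will not be displayed" and "Directory Manager will not upgrade" later in the same file), so the page ends up mixing both styles; pick one. Also, the retained line "the wizard would require you to provide the PFX certificate" reads as hypothetical; the wizard does require it, so "the wizard requires you to provide the PFX certificate" is the clearer statement.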
@@ -137,13 +170,13 @@ Provide the following information: Step 11 – Click **Next**. -Step 12 – In Directory Manager 10 and earlier versions, reports were generated for the domain that -the Directory Manager server was joined to. During upgrade, the wizard checks if an identity store -for that domain exists or not. +Step 12 – In Directory Manager 10 and earlier versions, Directory Manager generated reports for the domain that +the Directory Manager server was joined to. During upgrade, the wizard checks whether an identity store +for that domain exists. -- If an identity store for that domain exists or if it being created for a Synchronize job in this - upgrade process, Directory Manager will bind the reports to it. -- If an identity store for that domain does not exist, then you have to create an identity store for +- If an identity store for that domain exists or if the upgrade process is creating one for a Synchronize job in this + upgrade, Directory Manager will bind the reports to it. +- If an identity store for that domain doesn't exist, then you have to create an identity store for it. It must essentially be an Active Directory identity store. The wizard will bind the reports generated in Directory Manager 10 to the identity store, so you will be able to view them in Directory Manager 11.1. 
@@ -155,13 +188,13 @@ will not be displayed. ::: -Step 13 – During upgrade, Synchronize schedules are also moved to identity stores. +Step 13 – During upgrade, the Upgrade wizard also moves Synchronize schedules to identity stores. The Upgrade wizard will check the jobs added to a schedule. If the destination in a job is a directory provider, it will automatically move the schedule to the respective identity store. :::tip -Remember, during upgrade, identity stores are created for destination directory providers of -Synchronize jobs (i.e., for providers that do not have an identity store in the source version). +Remember, during upgrade, the Upgrade wizard creates identity stores for destination directory providers of +Synchronize jobs (i.e., for providers that don't have an identity store in the source version). ::: @@ -186,8 +219,8 @@ This page displays a complete summary of the data to be copied/upgraded for your These options were selected on the Select modules to upgrade page.. :::note -If there are any disabled identity store(s) in the source Directory Manager version, Directory -Manager will not upgrade those identity store(s). However, data of those identity store(s) will +If there are any disabled identity stores in the source Directory Manager version, Directory +Manager will not upgrade those identity stores. However, data of those identity stores will remain intact in the source Directory Manager version. ::: 
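Review bot: The unchanged context line "These options were selected on the Select modules to upgrade page.." in the @@ -186 hunk has a doubled period; since the adjacent note is being edited anyway, fix it here ("… Select modules to upgrade page.").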
@@ -196,8 +229,8 @@ Step 15 – Review the summary and click **Next**. ![Upgrade Progress page](/images/directorymanager/11.1/install/upgrade/6-upgrade_process_complete.webp) -Directory Manager is upgraded while the Upgrade Process displays the upgrade progress. On successful -upgrade, the Upgradce Completed message above the progress bar is displayed. +The Upgrade Process upgrades Directory Manager while displaying the upgrade progress. On successful +upgrade, Directory Manager displays the Upgrade Completed message above the progress bar. Step 16 – Click **Next**. diff --git a/docs/directorymanager/11.1/requirements/permissions/overview.md b/docs/directorymanager/11.1/requirements/permissions/overview.md index a6f82d6a3a..df08edd688 100644 --- a/docs/directorymanager/11.1/requirements/permissions/overview.md +++ b/docs/directorymanager/11.1/requirements/permissions/overview.md @@ -1,7 +1,7 @@ --- title: "Service Account Permissions" description: "Service Account Permissions" -sidebar_position: 60 +sidebar_position: 70 --- # Service Account Permissions diff --git a/docs/directorymanager/11.1/requirements/sslcertificate.md b/docs/directorymanager/11.1/requirements/sslcertificate.md new file mode 100644 index 0000000000..222ae8e64f --- /dev/null +++ b/docs/directorymanager/11.1/requirements/sslcertificate.md 
@@ -0,0 +1,48 @@ +--- +title: "SSL Certificate for LDAP/Authentication" +description: "SSL Certificate for LDAP/Authentication" +sidebar_position: 60 +--- + +# SQL Certificate for Windows Authentication + +Before installing or configuring Directory Manager Admin Center, ensure all SSL/TLS certificates used for +LDAP and authentication services meet the following requirements: + +#### Certificate Installation Location +- **Self-signed certificates MUST be installed in the Trusted Root Certification Authorities store** + - Store Location: `LocalMachine` (Computer account) + - Store Name: `Root` (Trusted Root Certification Authorities) + - Access via: `certlm.msc` → Trusted Root Certification Authorities → Certificates + +#### Certificate Validity Requirements +Directory Manager validates certificates against these criteria: + +1. **Certificate must not be null** - A valid certificate must be presented +2. **Certificate must be within validity period** +3. **Certificate must not be revoked** +4. **Certificate chain must be complete and trusted** + - Chain must build successfully using system trust mode + - All intermediate certificates must be available + - Root certificate must exist in the Trusted Root CA store +5. **Root certificate thumbprint must match** + +#### Installation Steps for Self-Signed Certificates + +1. Open Certificate Manager for Local Machine: + ``` + certlm.msc + ``` + +2. Navigate to: **Trusted Root Certification Authorities** → **Certificates** + +3. Right-click **Certificates** → **All Tasks** → **Import** + +4. Follow the Certificate Import Wizard: + - Select your certificate file (.cer, .crt, or .pfx) + - Ensure "Place all certificates in the following store" is set to **Trusted Root Certification Authorities** + - Complete the import + +5. Verify the certificate appears in the Trusted Root CA store + +6. Restart the Directory Manager Admin Center service/application pool \ No newline at end of file 
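Review bot: The H1 "# SQL Certificate for Windows Authentication" is wrong on two counts: "SQL" should be "SSL", and it does not match the frontmatter title "SSL Certificate for LDAP/Authentication"; make the heading match the title. The headings also jump from H1 straight to H4 ("#### Certificate Installation Location"), and the file has no trailing newline. On content, the page never says which certificate is meant (the certificate presented by the LDAP server or authentication endpoint that Directory Manager connects to), and item 5 "Root certificate thumbprint must match" does not say what the thumbprint is matched against or where the expected value is configured, so a reader cannot act on it. Two cautions worth stating on the page: anything placed in the LocalMachine `Root` store is trusted for every purpose by every application on that host, so the instruction should be limited to the specific self-signed server certificate and should not be read as "import any certificate that fails validation"; and the import wizard step lists ".pfx" as an accepted file type, but a PFX carries the private key, which has no business in the Trusted Root store. Recommend telling the reader to import only the public certificate (.cer/.crt) there.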
diff --git a/docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md b/docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md new file mode 100644 index 0000000000..9fa0bbee72 --- /dev/null +++ b/docs/kb/directorymanager/troubleshooting-and-errors/ssl_certificate_connection_failures.md 
@@ -0,0 +1,138 @@ +--- +description: >- + Resolves SSL/TLS certificate validation failures in Netwrix Directory Manager + Admin Center after an upgrade, including expired, revoked, self-signed, and + incomplete-chain certificate scenarios. +keywords: + - SSL Certificate + - certificate is invalid + - TLS certificate validation + - SSL connection failure + - expired certificate + - self-signed certificate + - certificate chain + - Trusted Root CA + - Directory Manager + - X509Certificate2 + - SslPolicyErrors + - certificate revocation +sidebar_label: SSL Certificate Connection Failures +tags: + - troubleshooting-and-errors + - kb +title: "SSL Certificate Connection Failures" +knowledge_article_id: kA0Qk000000XXXXKAA +products: + - directorymanager +--- + +# SSL Certificate Connection Failures + +## Symptom + +One or more of the following symptoms may be present in your environment: + +- Authentication failures when accessing Netwrix Directory Manager Admin Center +- LDAP connection errors +- "The remote certificate is invalid" errors +- HTTP 401 Unauthorized responses +- Service fails to start or authenticate users + +## Cause + +The upgraded version implements strict SSL/TLS certificate validation that enforces: +- Certificate validity period checking +- Certificate chain validation with system trust store +- Root certificate must exist in Trusted Root CA store +- Online revocation checking + +The upgrade may reject self-signed certificates or certificates with incomplete chains that the previous version accepted. + +## Resolution + +### Diagnostic Steps + +1. **Check Application Logs:** + - Review Directory Manager Admin Center logs for SSL/certificate errors. + - Look for exceptions related to `X509Certificate2` or `SslPolicyErrors`. + +2. **Verify Certificate Installation:** + ``` + certlm.msc + ``` + - Navigate to: **Trusted Root Certification Authorities** > **Certificates**. + - Confirm the certificate is present. + +3. 
**Check Certificate Validity:** + - Double-click the certificate. + - Verify it is not expired (check **Valid from** and **Valid to** dates). + - Check **Certificate Status** — should show **This certificate is OK**. + +4. **Verify Certificate Chain:** + - In certificate properties, go to the **Certification Path** tab. + - All certificates in the chain should show as valid. + - No red X marks should appear. + +5. **Test Certificate Thumbprint:** + - Note the certificate thumbprint from certificate details. + - Verify it matches the expected certificate. + +### Resolution Steps + +**For Self-Signed Certificates:** + +1. **Install certificate in Trusted Root CA store:** + ``` + certlm.msc + ``` + - Navigate to: **Trusted Root Certification Authorities** > **Certificates**. + - Right-click **Certificates** > **All Tasks** > **Import**. + - Select your certificate file. + - Complete the import wizard. + +2. **Verify installation:** + - Confirm certificate appears in Trusted Root CA store. + - Check thumbprint matches expected value. + +3. **Restart services** — restart whichever applies to your environment: + - IIS Application Pool (if using IIS) + - Directory Manager Admin Center service + - The web application + +**For Expired Certificates:** + +1. Obtain new certificate with valid dates. +2. Install new certificate in Trusted Root CA store. +3. Update service configuration to use new certificate. +4. Remove old expired certificate from store. +5. Restart services. + +**For Revoked Certificates:** + +1. Obtain new non-revoked certificate. +2. Install in Trusted Root CA store. +3. Update configuration. +4. Restart services. + +**For Incomplete Certificate Chains:** + +1. Obtain all intermediate certificates. +2. Install intermediate certificates in Intermediate Certification Authorities store. +3. Ensure root certificate is in Trusted Root CA store. +4. Verify chain builds correctly. +5. Restart services. + +### Verification after Resolution + +1. 
**Test authentication:** + - Access Directory Manager Admin Center login page. + - Attempt to authenticate. + - Verify successful login. + +2. **Check logs:** + - Confirm no SSL/certificate errors. + - Verify successful LDAP connections. + +3. **Monitor services:** + - Ensure services remain running. + - Check for any recurring certificate errors. diff --git a/static/images/directorymanager/11.1/install/upgrade/2-1-check_certificate_validity.webp b/static/images/directorymanager/11.1/install/upgrade/2-1-check_certificate_validity.webp new file mode 100644 index 0000000000..591f3f8c84 Binary files /dev/null and b/static/images/directorymanager/11.1/install/upgrade/2-1-check_certificate_validity.webp differ diff --git a/static/images/directorymanager/11.1/install/upgrade/2-1-verify_certificate_chain.webp b/static/images/directorymanager/11.1/install/upgrade/2-1-verify_certificate_chain.webp new file mode 100644 index 0000000000..6c03816514 Binary files /dev/null and b/static/images/directorymanager/11.1/install/upgrade/2-1-verify_certificate_chain.webp differ
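Review bot: In the KB hunk, the "For Expired Certificates" and "For Revoked Certificates" procedures say "Install new certificate in Trusted Root CA store" unconditionally, but that is only correct when the replacement is itself self-signed; a CA-issued replacement belongs in the Personal store with its issuer chain in Intermediate Certification Authorities and Trusted Root, as the "For Incomplete Certificate Chains" section already describes. As written, the steps will lead readers to put CA-issued leaf certificates into Trusted Root, which grants them machine-wide trust for no benefit; qualify those steps ("if the certificate is self-signed, install it in the Trusted Root CA store; otherwise install it in the Personal store and verify the chain"). Two further points: the Cause section lists "Online revocation checking" as an enforced check, but neither the Diagnostic nor the Resolution steps cover a host that cannot reach the CRL/OCSP distribution points, which produces the same "certificate is invalid" failure; add a diagnostic for that case. And the frontmatter `knowledge_article_id: kA0Qk000000XXXXKAA` is clearly a placeholder that must be replaced with the real article id before this is published.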