Troubleshooting / FAQ

Connecting to HCL Connections using HTTPS with Self-Signed Certificates

If your HCL Connections server uses a self-signed certificate, configure the agent to trust it using one of the two options explained below.

In both cases, first download the certificate from your HCL Connections server:

URL=your-hcl-connections-server.com:443

openssl s_client -connect $URL -showcerts < /dev/null 2>/dev/null | openssl x509 -outform PEM > server-cert.pem

Option 1: Use a Custom Keystore

Create a keystore containing the server certificate and configure it in the agent:

keytool -import -alias hcl-connections-cert -file server-cert.pem \
  -keystore connections-truststore.p12 -storetype PKCS12 \
  -storepass changeit -noprompt

In the connector, enable useCustomSslKeystore and upload the created connections-truststore.p12. Also configure these settings:

  • raytion.connector.agent.connections.server.sslAuth.keyStoreType=PKCS12

  • raytion.connector.agent.connections.server.sslAuth.keyStorePassword=changeit

  • raytion.connector.agent.connections.server.sslAuth.keyPassword=<password> (optional, see below)

Note that:

  • Only certificates in the custom keystore will be trusted.

  • The keyPassword is only required if the keystore contains a private key for client authentication and that key uses a different password than the keystore itself. For truststore-only use cases (no client authentication), this parameter is not needed.

Option 2: Use your JVM’s Default Truststore

Add the certificate to the JVM’s default truststore.

# Set this based on your JVM path
CA_CERTS=/path/to/jre/lib/security/cacerts

sudo keytool -import -alias raytion-hcl-connections-truststore -file server-cert.pem \
  -keystore "$CA_CERTS" -storepass changeit -noprompt

Keep raytion.connector.agent.connections.server.useCustomSslKeystore=false (default).

To verify the certificate was imported to the correct truststore:

keytool -list -keystore "$CA_CERTS" -storepass changeit | grep raytion-hcl-connections-truststore

To remove the certificate from the JVM truststore:

sudo keytool -delete -alias raytion-hcl-connections-truststore \
  -keystore "$CA_CERTS" -storepass changeit

Important Notes

  • Certificate Requirements: The server certificate must include Subject Alternative Names (SANs) matching the hostname. Certificates without SANs will fail hostname verification.

  • Legacy Certificates: If you cannot fix the certificate and must connect to a server with a legacy certificate lacking SANs, you can set raytion.connector.agent.connections.server.disableHostnameVerification=true. WARNING: This is insecure and should NEVER be used in production environments.
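The openssl download step accepts whatever certificate the endpoint presents, so it is worth checking server-cert.pem before importing it into either truststore. The script below is an added example, not part of the Raytion documentation: it prints the SHA-256 fingerprint for comparison with the value read on the server itself and checks that a DNS SAN covers the hostname. The hostname connections.example.test, the function names and the two throwaway certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: checks to run on server-cert.pem before importing it.

# SHA-256 fingerprint, for comparison with the value read on the server itself.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# DNS Subject Alternative Names, one per line (no output if there are none).
cert_dns_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeeds only if HOST ($2) equals a DNS SAN or is covered by a one-label
# wildcard SAN. The subject CN is ignored on purpose.
san_matches_host() {
    [ -n "$2" ] || return 1
    cert_dns_sans "$1" | grep -Fxiq -e "$2" -e "*.${2#*.}"
}

# Constructed sample input: make_sample_cert OUT_PEM CN [SAN_VALUE]
make_sample_cert() {
    cnf=$(mktemp)
    ext=
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=%s\n' "$2" > "$cnf"
    if [ -n "${3:-}" ]; then
        printf '[ext]\nsubjectAltName=%s\n' "$3" >> "$cnf"
        ext='-extensions ext'
    fi
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cnf" $ext \
        -keyout "$cnf.key" -out "$1" 2>/dev/null
    rm -f "$cnf" "$cnf.key"
}

HOST=connections.example.test   # assumed hostname, not from the page
WORK=$(mktemp -d)
make_sample_cert "$WORK/with-san.pem" "$HOST" "DNS:$HOST,DNS:*.apps.example.test"
make_sample_cert "$WORK/cn-only.pem" "$HOST"

for pem in "$WORK"/*.pem; do
    if san_matches_host "$pem" "$HOST"; then
        verdict='SAN matches'
    else
        verdict='no matching SAN, hostname verification will fail'
    fi
    printf '%s: %s (sha256 %s)\n' "${pem##*/}" "$verdict" "$(cert_fingerprint "$pem")"
done
```

For a real check, call san_matches_host and cert_fingerprint on the downloaded server-cert.pem with the hostname the agent connects to.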

Unable to access jarfile error (installation on Windows)

This error occurs when the installation path exceeds the maximum Windows path length of 260 characters. Ensure that the full path to bin\connector.bat does not exceed 260 characters.

External Group and Group Membership Limits in Microsoft Search

Raytion connectors reflect the custom security model of the source system in Microsoft Search. In order to do so, the connector creates external groups, which correspond to the groups from the source system.

The connector also links Microsoft Search users, i.e., users in Azure AD, to the correct external groups. This way, early-binding security trimming works.

External Groups Limit

However, there is a limit on the synchronization of external groups: all Microsoft Graph Connectors within a tenant can create up to 100,000 external groups. If this threshold is reached in your tenant, please contact Microsoft support to check whether the limit can be extended.

Members of External Groups

Currently, there is no known limit for the number of members in external groups. Hence, external groups can handle all users of a tenant.