C LDAP Setup for SSL

This appendix describes how to set up the Core Server to communicate with LDAP over an SSL connection. Your LDAP server is assumed to have a signed certificate and to be enabled for SSL.

Application Configuration Console uses the Sun LDAP service provider, which uses the Java Secure Socket Extension (JSSE) software for its SSL support. The JSSE is available as part of the JDK. The premise of the setup is to ensure that the Core Server, as the LDAP client, trusts the LDAP server it uses. The setup is the same, regardless of which LDAP directory you have.

The first step, which is optional, is to import the root CA certificate that was used to sign the certificate in use by the LDAP server.

Note:

You only need to do this if the certificate in use by the LDAP server is not signed by one of the multitude of trusted certificate authorities listed in the cacerts keystore shipped by Sun Microsystems.

If you need to import the root CA certificate into your JRE's database of trusted certificates, run commands similar to the following:

cd JAVA_HOME/jre/lib/security

keytool -import -v -trustcacerts -file /cert-path/509_cert -keystore /cert-path/cacerts

Where cert-path is the path to the respective certificate.

When you run keytool, you will be prompted for a password. Assuming you are using the default keystore, the default password is changeit.

The next step, which is required, is to edit the java.login.config file. Specifically, you have to change the LDAP URL scheme to ldaps and the port to an SSL-enabled port, in the appropriate section for the login module (AD-JNDI or MV-JNDI) you are using. This will force the Sun LDAP service provider to use SSL for communications.