Java Desktop System Configuration Manager Release 1.1 Release Notes

Implementing SSL Support for the Login Module

To configure SSL communication between the LDAP server (policy backend) and the Configuration Manager, perform the following steps:

  1. As a prerequisite, your LDAP server must be configured to support client authentication through SSL. You can find further details in the Sun ONE Directory Server 5.2 Administration Guide at http://docs.sun.com/source/816-6698-10/.

  2. Install the LDAP server's certificate, or its CA's certificate, in the Java Web Console's database of trusted certificates:


    # cd $JAVA_HOME/bin
    # ./keytool -import -file server_cert.cer -keystore /etc/opt/webconsole/keystore

    Note – The initial default keystore password is changeit. It is important to change this password in the production environment.


  3. Run the following script to point the Configuration Manager to your LDAP server:


    # /usr/share/webconsole/apoc/configure

  4. Run the smreg command to enable SSL communication for the LDAP login module:


    # /usr/sbin/smreg add -m -b optional \
        -o ldap.provider.url="ldaps://<LDAP_SERVER_HOST>:<LDAP_SERVER_PORT>" \
        -o ldap.provider.authentication=simple \
        -o ldap.baseDN="<LDAP_BASEDN>" \
        -o ldap.userAttribute="<LDAP_USER_UNIQUE_ATTRIBUTE>" \
        -o ldap.search.userDN="<LDAP_SEARCH_USER>" \
        -o ldap.search.password="<LDAP_SEARCH_PASSWORD>" \
        com.sun.apoc.authentication.LdapLoginModule;

    Note – The placeholders, such as LDAP_SERVER_HOST and LDAP_SERVER_PORT, must be replaced by the actual values that you specified during the configuration of the Configuration Manager in step 3. The ldap.search.userDN and ldap.search.password parameters can be omitted if anonymous LDAP access is allowed.


  5. Restart the Java Web Console:


    # /usr/sbin/smcwebserver restart
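
A check for steps 2 and 4, as an added example that is not part of the release notes: it compares the fingerprints that keytool -printcert reports for the certificate file with the trustedCertEntry fingerprints that keytool -list reports for the keystore, and confirms that the provider URL uses ldaps://. The function names and the sample keytool output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the release notes; sample keytool output is constructed.

# Print ALGO=FINGERPRINT for each fingerprint in keytool output on stdin.
# Fingerprints from `keytool -list` are kept only for trustedCertEntry entries.
extract_fingerprints() {
    awk '
        /, *trustedCertEntry/ { trusted = 1; next }
        /, *PrivateKeyEntry/  { trusted = 0; next }
        /^Certificate fingerprint \(/ {        # keytool -list layout
            algo = $3; gsub(/[-():]/, "", algo)
            if (trusted) print toupper(algo) "=" toupper($4)
            trusted = 0; next
        }
        $1 ~ /^(MD5|SHA1|SHA256):$/ {          # keytool -printcert layout
            algo = $1; sub(/:$/, "", algo); print algo "=" toupper($2)
        }'
}

# $1: output of keytool -printcert, $2: output of keytool -list.
# Returns 0 if a fingerprint of the certificate matches a trusted entry.
cert_in_keystore() {
    cert_fps=$(printf '%s\n' "$1" | extract_fingerprints)
    store_fps=$(printf '%s\n' "$2" | extract_fingerprints)
    for fp in $cert_fps; do
        printf '%s\n' "$store_fps" | grep -Fxq -- "$fp" && return 0
    done
    return 1
}

# Loose syntactic check that the provider URL is ldaps://host:port.
is_ldaps_url() {
    case "$1" in
        ldaps://?*:[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample output (fingerprints shortened for readability).
SAMPLE_CERT='Owner: CN=ldap.example.com
Certificate fingerprints:
    SHA1: 11:22:33:44
    SHA256: AA:BB:CC:DD'
SAMPLE_STORE='Your keystore contains 2 entries
console, Jan 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 99:88:77:66
mykey, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:BB:CC:DD'

cert_in_keystore "$SAMPLE_CERT" "$SAMPLE_STORE" && echo "certificate is trusted"
is_ldaps_url "ldap://ldap.example.com:389" || echo "not an ldaps:// URL"
```

On the console host, pass the real output instead of the samples: the first argument is the output of keytool -printcert -file server_cert.cer and the second is the output of keytool -list -keystore /etc/opt/webconsole/keystore.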