Getting SSL Up and Running Quickly
This procedure assumes the following:
The directory server is installed on the system on which you are working.
The Java keytool utility is in your path. If it is not, you can add it to your path or provide the complete path to it when invoking the commands.
The administration connector is listening on the default port (4444) and the dsconfig command is accessing the server running on the local host. If this is not the case, the --port and --hostname options must be specified.
$ keytool -genkey -alias server-cert -keyalg rsa \
    -dname "CN=myhost.example.com,O=Example Company,C=US" \
    -keystore config/keystore -storetype JKS
Change the value of the -dname argument so that it is suitable for your environment:
The value of the CN attribute should be the fully-qualified name of the system on which the certificate is being installed.
The value of the O attribute should be the name of your company or organization.
The value of the C attribute should be the two-character abbreviation for your country.
You are prompted for a password to protect the contents of the keystore and for a password to protect the private key.
$ keytool -selfcert -alias server-cert -validity 1825 \
    -keystore config/keystore -storetype JKS
When you are prompted for the keystore password, enter the same password that you provided in the previous step.
$ keytool -export -alias server-cert -file config/server-cert.txt -rfc \
    -keystore config/keystore -storetype JKS

$ keytool -import -alias server-cert -file config/server-cert.txt \
    -keystore config/truststore -storetype JKS
This step is required only if the SSL and StartTLS settings were not specified during installation, or if you want to change those settings.
$ dsconfig -D "cn=directory manager" -w password -n set-key-manager-provider-prop \
    --provider-name JKS --set enabled:true

$ dsconfig -D "cn=directory manager" -w password -n set-trust-manager-provider-prop \
    --provider-name "Blind Trust" --set enabled:true

$ dsconfig -D "cn=directory manager" -w password -n set-connection-handler-prop \
    --handler-name "LDAPS Connection Handler" \
    --set "trust-manager-provider:Blind Trust" --set key-manager-provider:JKS \
    --set listen-port:1636 --set enabled:true
Port 1636 is the standard LDAPS port, but you might not be able to use this port if it is already taken or if you are a regular user. If you need to accept SSL-based connections on a port other than 1636, change the listen-port property in the last command to the port number being used.
$ ldapsearch --port 1636 --useSSL --baseDN "" --searchScope base "(objectClass=*)"
You are prompted to trust the server's certificate. When you type yes, the root DSE entry should be returned.
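Rather than answering yes to the trust prompt without looking, you can check that the certificate the LDAPS listener presents is the one you exported to config/server-cert.txt in the steps above. The following script is an added example, not part of the directory server documentation or its tooling; it assumes the exported PEM file path and host name are passed as arguments and that the listener is on port 1636, and the embedded sample PEM is a constructed stand-in (not a real certificate) used only to exercise the decoder.

```python
"""Compare the SHA-256 fingerprint of an exported PEM certificate with the
one an LDAPS listener actually presents (no validation, just a comparison)."""
import base64
import hashlib
import ssl
import sys

# Constructed sample: base64 of the bytes b"hello", NOT a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\naGVsbG8=\n-----END CERTIFICATE-----\n"


def pem_to_der(pem_text: str) -> bytes:
    """Decode the first PEM certificate block (keytool -export -rfc output) to DER."""
    body = []
    inside = False
    for line in pem_text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            inside = True
        elif line == "-----END CERTIFICATE-----":
            break
        elif inside and line:
            body.append(line)
    if not body:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(body))


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint, as 'keytool -list -v' prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def certificate_matches(expected_pem: str, presented_pem: str) -> bool:
    """True when both PEM blocks carry byte-identical DER certificates."""
    return sha256_fingerprint(pem_to_der(expected_pem)) == sha256_fingerprint(pem_to_der(presented_pem))


def fetch_server_pem(host: str, port: int = 1636) -> str:
    """Retrieve the leaf certificate from the LDAPS port without validating it."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    cert_file, host = sys.argv[1], sys.argv[2]            # e.g. config/server-cert.txt myhost.example.com
    with open(cert_file) as f:
        expected = f.read()
    presented = fetch_server_pem(host)
    print("expected :", sha256_fingerprint(pem_to_der(expected)))
    print("presented:", sha256_fingerprint(pem_to_der(presented)))
    sys.exit(0 if certificate_matches(expected, presented) else 1)
```

A mismatch means the listener is serving a different certificate than the one in config/keystore (wrong alias, stale keystore, or a different host answering), and the trust prompt should be answered no until that is explained.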