Configuring the Directory Server
Configuring Security in the Directory Server
Getting SSL Up and Running Quickly
To Accept SSL-Based Connections Using a Self-Signed Certificate
Configuring Key Manager Providers
Using the JKS Key Manager Provider
To Sign the Certificate by Using an External Certificate Authority
To Configure the JKS Key Manager Provider
Using the PKCS #12 Key Manager Provider
Using the PKCS #11 Key Manager Provider
Configuring Trust Manager Providers
Overview of Certificate Trust Mechanisms
Using the Blind Trust Manager Provider
Using the JKS Trust Manager Provider
Using the PKCS #12 Trust Manager Provider
Configuring Certificate Mappers
Using the Subject Equals DN Certificate Mapper
Using the Subject Attribute to User Attribute Certificate Mapper
Using the Subject DN to User Attribute Certificate Mapper
Using the Fingerprint Certificate Mapper
Configuring SSL and StartTLS for LDAP and JMX
Configuring the LDAP and LDAPS Connection Handlers
To Enable a Connection Handler
To Specify a Connection Handler's Listening Port
To Specify a Connection Handler's Authorization Policy
To Specify a Nickname for a Connection Handler's Certificate
To Specify a Connection Handler's Key Manager Provider
To Specify a Connection Handler's Trust Manager Provider
To Enable SSL-Based Communication
Enabling SSL in the JMX Connection Handler
SASL Options for the ANONYMOUS Mechanism
SASL Options for the CRAM-MD5 Mechanism
SASL Options for the DIGEST-MD5 Mechanism
SASL Options for the EXTERNAL Mechanism
SASL Options for the GSSAPI Mechanism
SASL Options for the PLAIN Mechanism
Configuring SASL Authentication
Configuring SASL External Authentication
Configuring SASL DIGEST-MD5 Authentication
Configuring SASL GSSAPI Authentication
To Configure Kerberos V5 on a Host
To Specify SASL Options for Kerberos Authentication
Example Configuration of Kerberos Authentication Using GSSAPI With SASL
Troubleshooting Kerberos Configuration
Testing SSL, StartTLS, and SASL Authentication With ldapsearch
The easiest way to get the directory server up and running with SSL, StartTLS, or both, is to use the setup utility in GUI mode. This tool can be used to set up the server after you have downloaded it as a zip file. QuickSetup enables you to use a self-signed certificate, or an existing certificate in a JKS keystore, a PKCS#12 file, or a PKCS#11 token.
To access the SSL and StartTLS configuration, click the Configure button in front of the LDAP Secure Access field. The following dialog is displayed:
The fields on this screen include:
SSL Access — Select this checkbox to indicate that the LDAPS (that is, LDAP over SSL) listener should be enabled. Enter the port number on which the directory server listens for connections.
StartTLS Access — Select this checkbox to configure whether the LDAP connection handler will allow clients to use the StartTLS extended operation to initiate secure communication over an otherwise insecure connection.
Certificate — Select one of the following radio buttons to obtain the certificate that the server should use for SSL, StartTLS, or both:
Generate Self-Signed Certificate will generate a self-signed certificate that can be used to secure the communication. While this is convenient for testing purposes, many clients will not trust the certificate by default, and you might need to configure it manually.
Use an Existing Certificate will use a certificate in an existing JKS keystore, a PKCS #12 file, or a PKCS #11 token. For more information about obtaining certificates, see Configuring Key Manager Providers.