To Accept SSL-Based Connections Using a Self-Signed Certificate

This procedure assumes the following:

• The directory server is installed on the system on which you are working.

• The Java keytool utility is in your path. If it is not, you can add it to your path or provide the complete path to it when invoking the commands.

• The administration connector is listening on the default port (4444) and the dsconfig command is accessing the server running on the local host. If this is not the case, the --port and --hostname options must be specified.

1. Create a private key for the certificate, using the keytool utility. For example:

   $ keytool -genkey -alias server-cert -keyalg rsa \
     -dname "CN=myhost.example.com,O=Example Company,C=US" \ 
     -keystore config/keystore -storetype JKS

   Change the value of the -dname argument so that it is suitable for your environment:

   • The value of the CN attribute should be the fully-qualified name of the system on which the certificate is being installed.

   • The value of the O attribute should be the name of your company or organization.

   • The value of the C attribute should be the two-character abbreviation for your country.

   You are prompted for a password to protect the contents of the keystore and for a password to protect the private key.

2. Generate a self-signed certificate for the key. For example:

   $ keytool -selfcert -alias server-cert -validity 1825 \ 
      -keystore config/keystore -storetype JKS

   When you are prompted for the keystore password, enter the same password that you provided in the previous step.

3. Create a text file named config/keystore.pin.
4. Export the public key for the certificate that you created. For example:

   $ keytool -export -alias server-cert -file config/server-cert.txt -rfc \
      -keystore config/keystore -storetype JKS

5. Create a new trust store and import the server certificate into that trust store. For example:

   $ keytool -import -alias server-cert -file config/server-cert.txt \
     -keystore config/truststore -storetype JKS

6. Type yes when you are prompted to trust the certificate.

   This step is required only if the SSL and StartTLS settings were not specified during installation, or if you want to change those settings.

7. Use the dsconfig command to enable the key manager provider, trust manager provider, and connection handler. For example:

   $ dsconfig -D "cn=directory manager" -w password -n set-key-manager-provider-prop \
     --provider-name JKS --set enabled:true
   $ dsconfig -D "cn=directory manager" -w password -n set-trust-manager-provider-prop \
     --provider-name "Blind Trust" --set enabled:true
   $ dsconfig -D "cn=directory manager" -w password -n set-connection-handler-prop \
     --handler-name "LDAPS Connection Handler" \
     --set "trust-manager-provider:Blind Trust" --set key-manager-provider:JKS \ 
     --set listen-port:1636 --set enabled:true

   Port 1636 is the standard LDAPS port, but you might not be able to use this port if it is already taken or if you are a regular user. If you need to accept SSL-based connections on a port other than 1636, change the listen-port property in the last command to the port number being used.

8. The server should now have a second listener that accepts SSL-based client connections. Test the configuration with the ldapsearch command, for example:

   $ ldapsearch --port 1636 --useSSL --baseDN "" --searchScope base "(objectClass=*)"

   You are prompted to trust the server's certificate. On typing yes, the root DSE entry should be returned.