
Sun ONE Portal Server 6.2 Installation Guide

Appendix E
Setting Up the Sun ONE Portal Server to Use Secure External LDAP Directory Server

In the default install, the Sun™ ONE Portal Server, the Sun™ ONE Identity Server, and the Sun™ ONE Directory Server software all run on the same host. However, depending on the performance, security, and integration requirements of your deployment, you might want to run the directory server on a separate, external host and have the Portal Server access the directory over a secure connection using Secure Sockets Layer (SSL). For the Portal Server to access the Directory Server over SSL, the web container that hosts it (Sun™ ONE Web Server or Sun™ ONE Application Server) must be configured to trust the certificate authority that signed the directory server's certificate; otherwise the SSL handshake to the directory fails.

Setting up the Sun ONE Portal Server to use an external LDAP directory over SSL requires the following procedures:

  * Configuring the Directory Server to Run in SSL
  * Creating a Certificate Database
  * Installing a Root Certificate Authority (CA) Certificate
  * Enabling SSL for the Directory Server

Configuring the Directory Server to Run in SSL

  1. Verify that both the Directory Server (ns-slapd process) and the Administration Server (ns-httpd process) are started and running.
  2. As root, in a terminal window, start the Directory Server console by typing:

     /var/opt/mps/serverroot/startconsole

  3. In the login window that is displayed, enter admin as the user name and the passphrase for the Directory Server.
  4. In the left pane of the console, expand the tree until you see the Directory Server instance under Server Group.
  5. Select the Directory Server instance and click Open.
  6. Select Tasks and then Manage Certificates.
  7. The first time you perform this task, you are asked to create a certificate database by entering a password. Make a note of this password: it protects the server's private key, and you will need it later to start the Directory Server.
  8. Click Request. The Certificate Request Wizard appears. Follow the wizard to generate a certificate request. The request is sent to a Certificate Management Server (CMS) for approval, and the CMS returns the signed certificate. Save a copy of the certificate request by copying the request data to a file.
  9. After the certificate request is sent to the CMS, have the administrator of the CMS approve the request and send back the approved certificate.
  10. Obtain the generated certificate for the Directory Server and the CMS certificate. Because the CMS issued the Directory Server certificate, the CMS must also be trusted by importing its certificate as a root CA.
  11. Select Manage Certificates, Server Certificates, and then click Install. The Certificate Install Wizard appears.
  12. Copy and paste the approved certificate data returned in Step 9 into the text area and follow the steps of the wizard to install the certificate.
  13. When the certificate is successfully installed, it is displayed as a line item on the Server Certificates tab.
  14. Select Manage Certificates, CA Certificates, and then click Install.
  15. Copy and paste the CMS certificate data into the text area and follow the steps of the wizard to install the certificate.
  16. Click Close to close the Manage Certificates window.
  17. Select Configuration.
  18. In the right pane, select Settings.
  19. Verify or specify a valid port number in the Encrypted port field and click Save. The default is 636.
  20. Click Encryption, check the Enable SSL for this server and Use the cipher family: RSA check boxes, and click Save.
  21. Restart the Directory Server and supply the certificate database password entered in Step 7.
  22. Your directory is now listening on port 636 (default) for SSL connections. The non-SSL port configured on the same Settings tab remains open as well; if all directory traffic must be encrypted, restrict access to that port separately (for example, with a firewall rule on the directory host).

Creating a Certificate Database

When you create the certificate database, you specify a password that will be used for a key-pair file. You will also need this password to start a server using encrypted communications. For a list of guidelines to consider when changing a password, see Changing Passwords or PINs.

In the certificate database you create and store the public and private keys, referred to as your key-pair file. The key-pair file is used for SSL encryption. You will use the key-pair file when you request and install your server certificate. The certificate is stored in the certificate database after installation. The key-pair file is stored encrypted in:

The procedure for creating a certificate database depends on the type of web container that you are using. The following instructions are for creating a certificate database on the Sun ONE Web Server and can also be found in Sun ONE Web Server, Enterprise Edition Administrator’s Guide at http://docs.sun.com.

For instructions on creating a certificate database on the Sun ONE Application Server refer to Sun ONE Application Server 7 Administrator’s Guide to Security on http://docs.sun.com.


To create a certificate database on the Sun ONE Web Server, perform the following steps:

  1. Access either the Administration Server or the Server Manager and choose the Security tab. (For the Server Manager, first select the server instance from the drop-down list.)
  2. Click the Create Database link.
  3. Enter a password for the database, then enter it again to confirm it.
  4. Click OK.
  5. For the Server Manager, click Apply, and then Restart for the changes to take effect.

Using the password.conf File

By default, the web server prompts the administrator for the key database password before starting up. If you want to be able to restart an unattended web server, you need to save the password in a password.conf file. Do this only if your system is adequately protected so that neither this file nor the key databases can be compromised.

Normally, you cannot start a Unix SSL-enabled server from the /etc/rc.local or /etc/inittab files because the server requires a password before starting. Although you can start an SSL-enabled server automatically if you keep the password in plain text in a file, this is not recommended. The server's password.conf file should be owned by root or by the user who installed the server, with only the owner having read and write access to it. On Unix, leaving the SSL-enabled server's password in the password.conf file is a large security risk: anyone who can read the file has the SSL-enabled server's password, and with it can unlock the key database and the server's private key. Consider the security risks before keeping the SSL-enabled server's password in the password.conf file.
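The following is an added example, not code from the Sun ONE documentation. It creates a password.conf with the permissions the guide requires (owner only, from the instant the file exists) and audits an existing one the way an administrator should before enabling unattended starts: owner check, no group or other access, not a symlink, and a parent directory that others cannot write to (otherwise the file can be swapped). The "internal:<password>" line it writes is an assumption about the file format; confirm it against the Administrator's Guide for your Web Server release. The password value and temporary directory in demo() are constructed for the demonstration.

```python
"""Write and audit a Sun ONE Web Server password.conf (added example)."""
import os
import stat
import tempfile


def write_password_conf(path, password):
    """Create password.conf with mode 0600 from the first instant it exists.

    os.open with an explicit mode avoids the window in which a file written
    by open()/write() briefly carries the default permissions from the umask.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("internal:%s\n" % password)   # assumed key-database line format
    os.chmod(path, 0o600)   # tighten a pre-existing file that had a wider mode


def audit_password_conf(path, expected_uid):
    """Return a list of findings; an empty list means the file is acceptable."""
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing: %s" % path]
    if stat.S_ISLNK(st.st_mode):
        return ["symlink, not a regular file: %s" % path]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file: %s" % path]
    if st.st_uid != expected_uid:
        findings.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    perm = stat.S_IMODE(st.st_mode)
    if perm & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other access allowed: mode %04o" % perm)
    # The directory matters too: a world-writable, non-sticky parent lets
    # anyone replace the file with their own password.conf.
    parent = os.path.dirname(os.path.abspath(path))
    pmode = os.stat(parent).st_mode
    if (pmode & stat.S_IWOTH) and not (pmode & stat.S_ISVTX):
        findings.append("parent directory writable by others: %s" % parent)
    return findings


def demo():
    """Write a file in a private temp dir, audit it, loosen it, audit again.

    Returns (findings_when_strict, findings_when_loose).
    """
    workdir = tempfile.mkdtemp()          # mkdtemp creates the dir with mode 0700
    path = os.path.join(workdir, "password.conf")
    write_password_conf(path, "constructed-example-password")
    strict = audit_password_conf(path, os.getuid())
    os.chmod(path, 0o644)                 # what a careless "chmod 644" does
    loose = audit_password_conf(path, os.getuid())
    return strict, loose


if __name__ == "__main__":
    strict, loose = demo()
    print("strict:", strict or "ok")
    print("loose:", loose)
```

Run the audit as part of the start-up script that launches the server, and refuse to start if it returns any finding; that turns the guide's "consider the security risks" into a check that is applied every time, not only on the day the file was created.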

Installing A Root Certificate Authority (CA) Certificate

The procedure for installing a root CA certificate depends on the type of web container that you are using. The following procedure describes how to install a root CA on the Sun ONE Web Server, and can also be found in Sun ONE Web Server, Enterprise Edition Administrator’s Guide at http://docs.sun.com.

For instructions on installing a root CA certificate on the Sun ONE Application Server refer to Sun ONE Application Server 7 Administrator’s Guide to Security on http://docs.sun.com.

  1. Go to the Web Server console and click Install Certificate.
  2. Click Certificate for this Server.
  3. Enter the certificate database password in the Key Pair File Password field.
  4. Paste the certificate into the provided text field, or check the radio button and enter the file name in the text box. Click Submit.
  5. The browser displays the certificate and provides a button to add it.
  6. Click Install Certificate.
  7. To install the root CA certificate (the certificate of the CA that signed the Directory Server certificate), repeat these steps, but click Certificate for Trusted Certificate Authority instead of Certificate for this Server.

Enabling SSL for the Directory Server

To make the Identity Server connect to the Directory Server over SSL, edit the AMConfig.properties file. This step is container independent and must be done for the Sun ONE Web Server as well as the Sun ONE Application Server.

Change the following settings in the AMConfig.properties file from:

  com.iplanet.am.directory.ssl.enabled=false
  com.iplanet.am.directory.host=server12.example.com
  com.iplanet.am.directory.port=51389

to:

  com.iplanet.am.directory.ssl.enabled=true
  com.iplanet.am.directory.host=server1.example.com
  com.iplanet.am.directory.port=51631

Change the host value only if the directory host needs to be changed. The port value must be the Encrypted port on which the Directory Server accepts SSL connections, not its plain LDAP port.

If you are using the Sun ONE Application Server as your web container, also edit the AMConfig.properties file to point to the certificate database path and prefix used by the Sun ONE Application Server.

Change the following settings from:

  com.iplanet.am.admin.cli.certdb.dir=/opt/SUNWappserver7/SUNWam/servers/alias
  com.iplanet.am.admin.cli.certdb.prefix=https-myappserver.example.com-example-

to:

  com.iplanet.am.admin.cli.certdb.dir=/var/opt/SUNWappserver7/domains/domain1/server1/config
  com.iplanet.am.admin.cli.certdb.prefix=

Change the connection port and the connection type values in the serverconfig.xml file to switch the directory connection from open (plain LDAP) mode to SSL.

Edit the serverconfig.xml file and change the following line from:

  <Server name="Server1" host="gimli.example.com" port="51389" type="SIMPLE" />

to:

  <Server name="Server1" host="gimli.example.com" port="51636" type="SSL" />

After making these changes to the configuration files (AMConfig.properties and serverconfig.xml), restart the web container.

If you are using the Sun ONE Web Server, type:

  amserver stop
  amserver start

Otherwise, use the appropriate method for stopping and starting the application server on which the Sun ONE Portal Server is installed.
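The following is an added example, not code from the Sun ONE documentation. It reads the two files this procedure edits, AMConfig.properties (Java properties syntax) and serverconfig.xml, and reports every setting that would still let the Portal Server reach the Directory Server in the clear: the ssl.enabled flag, the type of each <Server> element, and a port that differs between the two files. The file contents embedded below are constructed from the guide's before and after values; the host name, the ports, and the enclosing <iPlanetDataAccessLayer>/<ServerGroup> elements of the XML sample are assumptions for the demonstration, not a real deployment, and the check assumes both files describe the same Directory Server.

```python
"""Audit the Identity Server's directory connection for SSL (added example)."""
import xml.etree.ElementTree as ET

# Constructed samples, not copied from a real installation.
PROPS_BEFORE = """\
# plain LDAP
com.iplanet.am.directory.ssl.enabled=false
com.iplanet.am.directory.host=server1.example.com
com.iplanet.am.directory.port=51389
"""

PROPS_AFTER = """\
# LDAP over SSL
com.iplanet.am.directory.ssl.enabled=true
com.iplanet.am.directory.host=server1.example.com
com.iplanet.am.directory.port=51636
"""

# The enclosing elements are assumed for the demo; only <Server> is taken
# from the guide.
XML_BEFORE = """\
<iPlanetDataAccessLayer>
  <ServerGroup name="default">
    <Server name="Server1" host="server1.example.com" port="51389" type="SIMPLE" />
  </ServerGroup>
</iPlanetDataAccessLayer>
"""

XML_AFTER = XML_BEFORE.replace('port="51389" type="SIMPLE"', 'port="51636" type="SSL"')


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_directory_ssl(props_text, xml_text):
    """Return a list of findings; an empty list means every link uses SSL."""
    findings = []
    props = parse_properties(props_text)
    enabled = props.get("com.iplanet.am.directory.ssl.enabled", "false").lower()
    host = props.get("com.iplanet.am.directory.host")
    port = props.get("com.iplanet.am.directory.port")
    if enabled != "true":
        findings.append("AMConfig.properties: com.iplanet.am.directory.ssl.enabled=%s" % enabled)

    servers = list(ET.fromstring(xml_text).iter("Server"))
    if not servers:
        findings.append("serverconfig.xml: no <Server> element found")
    host_listed = False
    for srv in servers:
        label = "serverconfig.xml <Server name=%r>" % srv.get("name")
        if srv.get("type") != "SSL":
            findings.append("%s: type=%r, expected SSL" % (label, srv.get("type")))
        if srv.get("host") == host:
            host_listed = True
            if srv.get("port") != port:
                findings.append("%s: port %s differs from AMConfig.properties port %s"
                                % (label, srv.get("port"), port))
    if host and not host_listed:
        findings.append("AMConfig.properties host %s is not listed in serverconfig.xml" % host)
    return findings


if __name__ == "__main__":
    for label, p, x in (("before", PROPS_BEFORE, XML_BEFORE),
                        ("after", PROPS_AFTER, XML_AFTER)):
        print(label, audit_directory_ssl(p, x) or ["ok"])
```

Point the two arguments at the real files (read them with open().read()) and run the audit after every edit of either file; a half-applied change, for example ssl.enabled=true with a <Server> still of type SIMPLE, is reported as a distinct finding instead of surfacing later as a failed restart.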





Copyright 2003 Sun Microsystems, Inc. All rights reserved.