Sun Java System Portal Server 6 2005Q1 Administration Guide 

Chapter 4
Setting Up the Portal Server to Use Secure External LDAP Directory Server

In the default install, the Sun Java™ System Portal Server, the Sun Java™ System Access Manager, and the Sun Java™ System Directory Server software are all running on the same host. However, depending on the performance, security, and integration requirements of your deployment, you might want to run the directory server on a separate, external host and have the Portal Server access the directory over a secure connection using Secure Sockets Layer (SSL). In order to access the Directory Server over a secure connection, the Sun Java™ System Web Server or Sun Java™ System Application Server must be configured to trust the certificate authority that signed the directory’s certificate.

Setting up the Sun Java System Portal Server to use an external LDAP directory requires the following procedures:

To Configure the Directory Server to Run in SSL

  1. Verify that both the Directory Server (ns-slapd process) and the administration server (ns-httpd process) are started and running.
  2. As root, in a terminal window start the directory server console by typing:

     /var/opt/mps/serverroot/startconsole

  3. In the login window that is displayed, enter admin as the user name and the passphrase for the Directory Server.
  4. In the left pane of the console, expand the directory until you see the Directory Server instance under Server Group.
  5. Select the Directory Server instance and click Open.
  6. Select Tasks and then Manage Certificates.

     The first time you perform this task, you are asked to create a certificate database by entering a password. Make a note of this password, because you will need it later to start the Directory Server.

  7. Click Request.

     The Certificate Request Wizard appears. Follow the wizard and complete the steps to generate a certificate request. The request is sent to a Certificate Management Server (CMS) for approval, and the CMS returns the real certificate. Save a copy of the certificate request by copying the request data to a file.

  8. After the certificate request is sent to the CMS, have the administrator of the CMS approve the request and send back the approved certificate.
  9. Get the generated certificate for the Directory Server and the CMS certificate.

     Because the CMS generated the certificate for the Directory Server, the CMS must also be trusted by importing its certificate as a root CA.

  10. Select Manage Certificates, Server Certificates and then click Install.

     The Certificate Install Wizard appears.

  11. Copy and paste the approved certificate data from Step 8 into the text area and follow the steps of the wizard to install the certificate.

     When the certificate is successfully installed, it is displayed as a line item on the Server Certificates tab.

  12. With the Manage Certificates window open, select the CA Certificates tab.
  13. If the CA from which you got your certificate in Step 9 is in the CA certs list, you do not need to install the certificate in that list.

     If the certificate is not in the list, obtain the root CA certificate from your certificate authority and install it:

     1. Click Install.
     2. Copy and paste the CMS certificate data into the text area and follow the steps of the wizard to install the certificate.
     3. The certificate name should appear in the CA certs list.

  14. Click Close to close the Manage Certificates window.
  15. Select the Configuration tab.
  16. Click the Encryption tab, check the Enable SSL for this server and Use the cipher family: RSA check boxes, and click Save.
  17. On the Network tab, verify or specify a valid port number in the Encrypted port field and click Save. The default port is 636.
  18. Restart the Directory Server and supply the certificate database password entered in Step 6.

     Your Directory Server is now listening on port 636 (default) for SSL connections.

To Create a Trust Database

When you create the trust database, you specify a password that will be used for a key-pair file. You will also need this password to start a server using encrypted communications.

In the certificate database you create and store the public and private keys, referred to as your key-pair file. The key-pair file is used for SSL encryption. You will use the key-pair file when you request and install your server certificate. The certificate is stored in the certificate database after installation.

The procedure for creating a certificate database depends on the type of web container that you are using. The following instructions are for creating a certificate database on the Sun Java System Application Server and can also be found in Sun Java System Application Server Administration Guide to Security on http://docs.sun.com.

Instructions on creating a certificate database on the Sun Java System Web Server can be found in Sun Java System Web Server, Enterprise Edition Administration Guide at http://docs.sun.com.

To create a certificate database on the Sun Java System Application Server, perform the following steps in the administration interface:

  1. Make sure the Application Server instance is started.
  2. Access App Server Instances and select the server instance.
  3. Access Security.
  4. Click Manage Database.
  5. Click the Create Database link.

     The Initialize Trust Database page is displayed.

  6. Enter a password for the database.
  7. Repeat the password.
  8. Click OK.
  9. Access App Server Instances and your server instance in the left pane, then click Apply Changes.
  10. Stop and restart the server for changes to take effect.

To Use the password.conf File

If you want an SSL/TLS-enabled Sun Java System Application Server to be able to restart unattended when configured for SSL, you can save the trust database password in a password.conf file.


Note

Be sure that your system is adequately protected so that this file and the key databases are not compromised.


Further information on the password.conf file can be found in Using the password.conf File, in the Sun Java System Application Server Administrator's Configuration File Reference.

Normally, you cannot start a Unix SSL-enabled server with the /etc/rc.local or the /etc/inittab files because the server requires a password before starting. Although you can start an SSL-enabled server automatically if you keep the password in plain text in a file, this is not recommended. The server’s password.conf file should be owned by root or the user who installed the server, with only the owner having read and write access to it. On Unix, leaving the SSL-enabled server’s password in the password.conf file is a large security risk. Anyone who can access the file has access to the SSL-enabled server’s password. Consider the security risks before keeping the SSL-enabled server’s password in the password.conf file.
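The ownership and permission requirement above is easy to check mechanically. The following audit script is an added example, not part of this guide or the Application Server product; the file paths in the usage section are hypothetical placeholders for the server instance's configuration directory.

```python
import os
import stat


def evaluate_perms(uid, mode, allowed_owner_uids=(0,)):
    """Return findings for one file given its owner uid and st_mode bits.
    An empty list means the file meets the requirement stated in the guide:
    owned by root (or the installing user, listed in allowed_owner_uids) and
    readable/writable only by that owner, i.e. no group or other bits set."""
    findings = []
    if uid not in allowed_owner_uids:
        findings.append(f"owner uid {uid} is not root or the installing user")
    perm = stat.S_IMODE(mode)
    if perm & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {oct(perm)} grants group/other access; expected 0600")
    return findings


def audit_files(paths, allowed_owner_uids=(0,)):
    """Stat each path (password.conf and the key/certificate databases named in
    the Note above) and map it to its findings. A missing file is reported
    rather than silently skipped, since a typo would otherwise pass the audit."""
    report = {}
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            report[path] = ["file not found"]
            continue
        report[path] = evaluate_perms(st.st_uid, st.st_mode, allowed_owner_uids)
    return report


if __name__ == "__main__":
    # Hypothetical paths: substitute the real config directory of the instance.
    targets = ["/path/to/config/password.conf", "/path/to/config/cert8.db"]
    for path, findings in audit_files(targets).items():
        print(path, "OK" if not findings else "; ".join(findings))
```

Run it as root (or pass the installing user's uid in allowed_owner_uids) after creating password.conf and again after any server upgrade, since installers sometimes reset file modes.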

To Install A Root Certificate Authority (CA) Certificate

The procedure for installing a root CA certificate depends on the type of web container that you are using.

The following procedure describes how to install a root CA on the Sun Java System Application Server and can also be found in Sun Java System Application Server Administration Guide to Security on http://docs.sun.com.

Instructions for installing a Root CA on the Sun Java System Web Server can be found in Sun Java System Web Server, Enterprise Edition Administration Guide at http://docs.sun.com.

The source that provided your certificate is the same source from which you obtain your root CA certificate.

To install a certificate from a CA, perform the following steps in the Administration interface:

  1. Access App Server Instances and select the server instance in the left pane.
  2. Access Security.
  3. Select Certificate Management.
  4. Click the Install link.

     The Install a Server Certificate page is displayed.

  5. Select Trusted Certificate Authority (CA) for a certificate of a CA that you want to accept as a trusted CA for client authentication.
  6. Select the cryptographic module from the drop-down list.
  7. Enter the password for your key-pair file.
  8. Leave the name for the certificate field blank if it will be the only one used for this server instance, unless:
    • Multiple certificates will be used for virtual servers. In this case, enter a certificate name unique within the server instance.
    • Cryptographic modules other than internal are used. In this case, enter a certificate name unique across all server instances within a single cryptographic module.

     If a name is entered, it will be displayed in the Manage Certificates list, and should be descriptive. For example, United States Postal Service CA is the name of a CA, while VeriSign Class 2 Primary CA describes both a CA and the type of certificate.


      Note

      When no certificate name is entered, the default value is applied.


  9. Select one:
    • Message is in this file. In this case, enter the full pathname to the saved email.
    • Message text (with headers). In this case, paste the email text. If you copy and paste the text, be sure to include the headers Begin Certificate and End Certificate, including the beginning and ending hyphens.
  10. Click OK.
  11. Select Add Certificate to install a new certificate.
  12. Access App Server Instances and your server instance in the left pane, then click Apply Changes.
  13. Stop and restart the server for changes to take effect. The certificate is stored in the server’s certificate database. The file name will be cert8.db.

To Enable Access Manager to use SSL to Communicate with the Directory Server

To enable SSL for the Directory Server connection, edit the /etc/opt/SUNWam/config/AMConfig.properties file. This step is container independent and must be done for Sun Java System Web Server as well as Sun Java System Application Server.

Change the following settings in the AMConfig.properties file from:

  com.iplanet.am.directory.ssl.enabled=false
  com.iplanet.am.directory.host=server12.example.com   (if it needs to be changed)
  com.iplanet.am.directory.port=389

to:

  com.iplanet.am.directory.ssl.enabled=true
  com.iplanet.am.directory.host=server1.example.com
  com.iplanet.am.directory.port=636   (port on which the Directory Server uses encryption)

Change the connection port and the connection type values in the AccessManager-base/SUNWam/config/ums/serverconfig.xml file to switch from open mode to SSL.

Edit the serverconfig.xml file and change the following line from:

  <Server name="Server1" host="gimli.example.com" port="389" type="SIMPLE" />

to:

  <Server name="Server1" host="gimli.example.com" port="636" type="SSL" />

After making these changes to the serverconfig.xml file, restart the web container.
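Because AMConfig.properties and serverconfig.xml must agree before the restart (a common failure is switching one file to SSL while the other still points at port 389 in open mode), the following consistency check is useful as a pre-restart step. It is an added example, not code shipped with Access Manager or Portal Server; the sample fragments are constructed from the values shown above and wrapped in a placeholder <Config> root, since only the <Server> element is inspected.

```python
import xml.etree.ElementTree as ET

# Constructed samples mirroring the fragments in this chapter. The real
# serverconfig.xml contains more surrounding elements; only <Server> matters here.
AMCONFIG_SAMPLE = """\
# constructed sample of /etc/opt/SUNWam/config/AMConfig.properties
com.iplanet.am.directory.ssl.enabled=true
com.iplanet.am.directory.host=gimli.example.com
com.iplanet.am.directory.port=636
"""
SERVERCONFIG_SAMPLE = """\
<Config>
  <Server name="Server1" host="gimli.example.com" port="389" type="SIMPLE" />
</Config>
"""


def parse_properties(text):
    """Minimal key=value parser for AMConfig.properties (blank/comment lines skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_ldap_ssl_config(amconfig_text, serverconfig_text):
    """Return findings; an empty list means both files consistently use SSL
    against the same directory host and encrypted port."""
    findings = []
    p = parse_properties(amconfig_text)
    ssl_on = p.get("com.iplanet.am.directory.ssl.enabled", "false").lower() == "true"
    host, port = p.get("com.iplanet.am.directory.host"), p.get("com.iplanet.am.directory.port")
    if not ssl_on:
        findings.append("AMConfig: com.iplanet.am.directory.ssl.enabled is not true")
    elif port == "389":
        findings.append("AMConfig: ssl.enabled=true but port is still 389 (open-mode default)")
    servers = list(ET.fromstring(serverconfig_text).iter("Server"))
    if not servers:
        findings.append("serverconfig.xml: no <Server> element found")
    for s in servers:
        n = s.get("name")
        if s.get("type") != "SSL":
            findings.append(f"serverconfig.xml: {n} type={s.get('type')!r}, expected 'SSL'")
        if s.get("host") != host:
            findings.append(f"serverconfig.xml: {n} host {s.get('host')} != AMConfig host {host}")
        if s.get("port") != port:
            findings.append(f"serverconfig.xml: {n} port {s.get('port')} != AMConfig port {port}")
    return findings
```

On a real system, read the two files from the paths given above and pass their contents in place of the samples; the check reports the half-migrated state shown in the sample (type still SIMPLE, port still 389) before the web container is restarted.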



Copyright 2005 Sun Microsystems, Inc. All rights reserved.