The easiest way to get the directory server up and running with SSL, StartTLS, or both, is to use the setup utility in GUI mode. This tool can be used to set up the server after you have downloaded it as a zip file. QuickSetup enables you to use a self-signed certificate, or an existing certificate in a JKS keystore, a PKCS #12 file, or a PKCS #11 token.
To access the SSL and StartTLS configuration, click the Configure button in front of the LDAP Secure Access field. The following dialog is displayed:
The fields on this screen include:
SSL Access — Select this checkbox to indicate that the LDAPS (that is, LDAP over SSL) listener should be enabled. Enter the port number on which the directory server listens for connections.
StartTLS Access — Select this checkbox to have the LDAP connection handler allow clients to use the StartTLS extended operation to initiate secure communication over an otherwise insecure connection.
Certificate — Select one of the following radio buttons to obtain the certificate that the server should use for SSL, StartTLS, or both:
Generate Self-Signed Certificate will generate a self-signed certificate that can be used to secure the communication. While this is convenient for testing purposes, many clients will not trust the certificate by default, and you might need to configure those clients manually to trust it.
Use an Existing Certificate will use a certificate in an existing JKS keystore, a PKCS #12 file, or a PKCS #11 token. For more information about obtaining certificates, see Configuring Key Manager Providers.
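The following Python sketch is an added example, not part of the original documentation or the server's own tooling. It shows what a client does when StartTLS Access is enabled and the server uses a self-signed certificate: it sends the StartTLS extended request on the plain LDAP port, checks the result code, and then negotiates TLS while trusting only an exported copy of the server certificate. The host, port and ca_file parameters are assumptions, and the sample replies are constructed.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 4511

def starttls_request(msg_id=1):
    """BER-encode an LDAPMessage holding the StartTLS ExtendedRequest."""
    if not 0 < msg_id < 128:
        raise ValueError("this sketch encodes single-byte message IDs only")
    name = bytes([0x80, len(STARTTLS_OID)]) + STARTTLS_OID  # [0] requestName
    op = bytes([0x77, len(name)]) + name                    # [APPLICATION 23]
    body = bytes([0x02, 0x01, msg_id]) + op                 # messageID, then op
    return bytes([0x30, len(body)]) + body                  # LDAPMessage SEQUENCE

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the BER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length, used by some servers
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def extended_result_code(response, msg_id=1):
    """Return resultCode from an ExtendedResponse; 0 means proceed with TLS."""
    tag, msg, _ = read_tlv(response)
    id_tag, mid, pos = read_tlv(msg)
    op_tag, op, _ = read_tlv(msg, pos)
    code_tag, code, _ = read_tlv(op)
    if (tag, id_tag, op_tag, code_tag) != (0x30, 0x02, 0x78, 0x0A):
        raise ValueError("not an LDAP ExtendedResponse")
    if int.from_bytes(mid, "big") != msg_id:
        raise ValueError("response is for a different message ID")
    return int.from_bytes(code, "big")

def starttls_connect(host, port, ca_file):
    """Upgrade a plain LDAP connection, trusting only the certs in ca_file."""
    ctx = ssl.create_default_context(cafile=ca_file)  # system CAs are not loaded
    sock = socket.create_connection((host, port), timeout=10)
    sock.sendall(starttls_request())
    code = extended_result_code(sock.recv(4096))  # assumes reply arrives in one read
    if code != 0:
        sock.close()
        raise ConnectionError(f"StartTLS refused, resultCode={code}")
    return ctx.wrap_socket(sock, server_hostname=host)  # verifies cert and name

# Constructed sample replies (not captured from a real server).
SAMPLE_OK = bytes.fromhex("300c02010178070a010004000400")
SAMPLE_REFUSED = bytes.fromhex("300c02010178070a013404000400")
```

Because hostname checking stays enabled, the TLS handshake in starttls_connect succeeds only if the certificate in ca_file names the host the client connects to.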