Sun OpenDS Standard Edition 2.2 Administration Guide

Configuring Security Between the Proxy and Data Source Using dsconfig

The dsconfig tool accesses the server over a secured connection with certificate authentication. If you run dsconfig in non-interactive mode, as dsconfig -n, how you specify the trust store parameters depends on whether you run the command locally or remotely. For more information on running the command locally or remotely, see Overview of the dsconfig Command.

To Configure Security Between the Proxy and Directory Servers Using dsconfig

This task highlights the main steps to take to configure security for connections to remote LDAP servers. Where the process is similar to that provided for configuring security between Sun OpenDS Standard Edition proxy and the client, pointers are given to the related procedure.

  1. If the remote LDAP servers do not require client authentication to be passed from the proxy, proceed directly to step 2.

    If the remote LDAP servers require client authentication to be passed from Sun OpenDS Standard Edition proxy, perform the following sub-steps:

    1. Configure a keystore for remote LDAP server connections.

      To do this, on the Sun OpenDS Standard Edition proxy, generate a certificate using the Java keytool. The keystore must be configured manually. For details, see Configuring Key Manager Providers.

      Self-sign the certificate or have the certificate signed by an external certificate authority. For details, see Configuring Key Manager Providers.

    2. Configure a key manager provider on the proxy for the keystore for remote LDAP server connections.

      For details, see Configuring Key Manager Providers. This key manager provider can be separate from the one used for handling secure connections to clients.

    3. If the remote LDAP servers require client authentication, the certificate of the proxy must be imported into the truststore of each remote LDAP server.

      For remote LDAP servers running the OpenDS software, see Configuring Key Manager Providers for how to export and import certificates.

  2. For the proxy to establish secure connections with the remote LDAP servers, configure a truststore.

    All remote LDAP servers requiring a secure connection need to have their certificates imported into the Sun OpenDS Standard Edition proxy truststore. All of these remote LDAP server certificates can be imported into a single Sun OpenDS Standard Edition proxy truststore or distributed among multiple Sun OpenDS Standard Edition proxy truststores. You can have as many Sun OpenDS Standard Edition proxy truststores as there are remote LDAP server certificates to be imported.

    An LDAP proxy extension targeting a secured connection to a remote LDAP data source must reference the appropriate trust manager provider in its configuration (the ssl-trust-manager-provider property). This enables the LDAP proxy extension to access the imported remote LDAP server certificate and accept the secure connection.

  3. Each truststore requires a Sun OpenDS Standard Edition proxy trust manager provider.

    To list Sun OpenDS Standard Edition proxy trust manager providers, use the dsconfig list-trust-manager-providers command. For example:

    $ dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -w password -X -n \
    list-trust-manager-providers

    To create a Sun OpenDS Standard Edition proxy trust manager provider, use the dsconfig create-trust-manager-provider command. For example:

    $ dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -w password -X -n \
    create-trust-manager-provider \
    --provider-name Backend\ Servers \
    --type file-based --set enabled:true \
    --set trust-store-file:/localhost/VDP1.0/config/backend-servers-truststore \
    --set trust-store-type:JKS \
    --set trust-store-pin-file:/installPath/VDP1.0/config/backend-servers-truststore.pin

  4. Import the certificates of the remote LDAP servers into the proxy truststore.

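
The following script is an added example and is not part of the OpenDS guide. It carries out steps 1, 2 and 4 above with the Java keytool: it builds the proxy keystore with a self-signed key pair, exports the proxy certificate for import into the remote servers, imports a remote server certificate into the backend-servers truststore, and checks that the certificate is really there before the trust manager provider of step 3 is created. Everything in it is assumed or constructed: the working directory, the PIN file names, the aliases proxy-cert and ds1, the -dname values, and the throwaway ds1 keystore that stands in for a real remote LDAP server's certificate.

```shell
#!/bin/sh
# Added example (not from the OpenDS guide). Assumed names: the working
# directory, the PIN files, the aliases "proxy-cert" and "ds1", and the
# -dname values are all constructed for the demonstration.

# Generate a fresh random PIN (keytool requires at least 6 characters).
new_pin() {
    head -c 18 /dev/urandom | base64 | tr -d '/+=\n'
}

# Write a PIN to a file that only the proxy's user can read; the
# trust-store-pin-file property in the guide points at such a file.
write_pin_file() {                  # $1 = pin file, $2 = pin
    ( umask 077 && printf '%s\n' "$2" > "$1" )
}

# Step 1, sub-step 1: keystore holding a self-signed key pair that the proxy
# presents when a remote LDAP server requires client authentication.
create_proxy_keystore() {           # $1 = keystore file, $2 = pin
    keytool -genkeypair -alias proxy-cert -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=proxy.example.com, O=Example" \
        -keystore "$1" -storetype JKS -storepass "$2" -keypass "$2"
}

# Export a certificate in PEM form. For step 1, sub-step 3, the exported
# proxy certificate is what goes into each remote server's truststore.
export_cert() {                     # $1 = keystore, $2 = pin, $3 = alias, $4 = output PEM
    keytool -exportcert -rfc -alias "$3" -keystore "$1" -storepass "$2" -file "$4"
}

# Steps 2 and 4: import a remote LDAP server certificate into the proxy
# truststore; keytool creates the truststore on the first import.
import_backend_cert() {             # $1 = truststore, $2 = pin, $3 = alias, $4 = cert PEM
    keytool -importcert -noprompt -alias "$3" -file "$4" \
        -keystore "$1" -storetype JKS -storepass "$2"
}

# Check before step 3: is the server certificate really in the truststore the
# trust manager provider will point at? keytool exits non-zero if the alias is absent.
truststore_has_alias() {            # $1 = truststore, $2 = pin file, $3 = alias
    keytool -list -alias "$3" -keystore "$1" -storepass "$(cat "$2")" >/dev/null 2>&1
}

# End-to-end run in directory $1.
demo() {
    dir=$1
    ks_pin=$(new_pin); ts_pin=$(new_pin)
    write_pin_file "$dir/proxy-keystore.pin" "$ks_pin"
    write_pin_file "$dir/backend-servers-truststore.pin" "$ts_pin"

    create_proxy_keystore "$dir/proxy-keystore" "$ks_pin"
    export_cert "$dir/proxy-keystore" "$ks_pin" proxy-cert "$dir/proxy-cert.pem"

    # Constructed stand-in for the certificate a remote LDAP server administrator
    # would hand you; in a real deployment you receive ds1-cert.pem, not generate it.
    keytool -genkeypair -alias ds1 -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=ds1.example.com, O=Example" \
        -keystore "$dir/ds1-keystore" -storetype JKS -storepass "$ts_pin" -keypass "$ts_pin"
    export_cert "$dir/ds1-keystore" "$ts_pin" ds1 "$dir/ds1-cert.pem"

    import_backend_cert "$dir/backend-servers-truststore" "$ts_pin" ds1 "$dir/ds1-cert.pem"
    truststore_has_alias "$dir/backend-servers-truststore" \
        "$dir/backend-servers-truststore.pin" ds1 \
        && echo "ds1 certificate present in $dir/backend-servers-truststore"
}

# Run with: sh this-script.sh demo /path/to/workdir
if [ "${1:-}" = demo ]; then demo "${2:-$(mktemp -d)}"; fi
```

After the run, the trust-store-file and trust-store-pin-file values in the dsconfig create-trust-manager-provider command of step 3 are the backend-servers-truststore and backend-servers-truststore.pin files written by the script. Separate PINs are used for the keystore and the truststore because the private key in the keystore is the more sensitive of the two.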
Configurable LDAP Extension Properties Relevant to Security

When managing connections to remote LDAP servers using dsconfig, a number of configurable LDAP Extension security connection properties are available. For information about managing LDAP extensions, see Configuring an LDAP Proxy. Configurable properties that either directly or indirectly relate to security considerations include the following:

remote-ldap-server-ssl-policy

This important value governs the overall security mode of the connections between the Sun OpenDS Standard Edition proxy and remote LDAP servers. Its use is covered in the section Modes of Secure Connection.

pool-increment

If the remote-ldap-server-ssl-policy property is set to user, two pools of connections are created and the incremental change of size of each pool is set to pool-increment. For more information on this property, see Viewing LDAP Proxy Element Properties.

pool-initial-size

If the remote-ldap-server-ssl-policy property is set to user, two pools of connections are created and the initial size, and minimum size, of each pool is set to pool-initial-size. In this case, therefore, there will initially be twice the total number of connections indicated in pool-initial-size. For details, see Modes of Secure Connection.

pool-max-size

If the remote-ldap-server-ssl-policy property is set to user, two pools of connections are created and the maximum size of each pool is set to pool-max-size.

The default value is 1000 connections. For more information on this property, see Viewing LDAP Proxy Element Properties.

remote-ldap-server-ssl-port

The port number for SSL connections from Sun OpenDS Standard Edition proxy to the remote LDAP server.

ssl-client-alias

When a keystore is created for client authentication, several keys can be stored in it. Use this property to specify which key to use. For more information about keystores, see Getting SSL Up and Running Quickly. See also Configuring Key Manager Providers.

ssl-key-manager-provider

Specifies a key manager provider to use for the LDAP Server Extension. The key manager provider is optional; configure it when the remote LDAP server requires client authentication. The referenced key manager provider must be enabled. For more information about key manager providers, see Configuring Key Manager Providers.

ssl-trust-all

If this parameter is set to true, all remote LDAP servers are trusted. The default value is false. Setting this value to true avoids having to import certificates from remote LDAP servers but is insecure.

Note that although the interactive dsconfig --advanced command offers Blind Trust as a possible trust manager provider, Blind Trust is not supported for this release of the Sun OpenDS Standard Edition proxy. Instead, if you want to avoid the import of certificates, set the ssl-trust-all parameter to true. This presents an insecure deployment and is not recommended for production environments, only for testing purposes.

If the remote-ldap-server-ssl-policy is set to never, then the value of the ssl-trust-all parameter is irrelevant. All connections between the Sun OpenDS Standard Edition proxy and the remote LDAP servers are insecure (unencrypted) in this case. For more information on the remote-ldap-server-ssl-policy, see Modes of Secure Connection.

ssl-trust-manager-provider

Specifies which trust manager provider to use for the LDAP Server Extension. The trust manager provider is mandatory unless the ssl-trust-all parameter is set to true. The referenced trust manager provider must be enabled.
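
The following check is an added example and is not part of the OpenDS guide. It applies the rules stated for the properties above to one LDAP extension's settings: a never policy means unencrypted traffic, ssl-trust-all true accepts any certificate, a trust manager provider is mandatory otherwise and must be enabled, a key manager provider is optional but must be enabled if referenced, and a user policy doubles the initial connection count. The argument layout and the whitespace-separated lists of enabled providers (which you would take from dsconfig list-trust-manager-providers and the equivalent for key manager providers) are assumptions of this example; provider names in the lists therefore cannot contain spaces.

```shell
#!/bin/sh
# Added example (not from the OpenDS guide): pre-flight check of the
# security-related LDAP extension properties. Argument layout and the
# whitespace-separated provider lists are assumptions of this example.

# Number of connections opened to a remote server at start-up: with policy
# "user" two pools are created, each of pool-initial-size.
initial_connections() {   # $1 = remote-ldap-server-ssl-policy, $2 = pool-initial-size
    if [ "$1" = user ]; then echo $(( $2 * 2 )); else echo "$2"; fi
}

# Is word $1 one of the words in list $2?
list_contains() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# Returns 0 when proxy-to-backend connections are encrypted and validated
# against an enabled trust manager provider, 1 otherwise, printing the reason.
#   $1 remote-ldap-server-ssl-policy   $2 ssl-trust-all (true/false)
#   $3 ssl-trust-manager-provider ('' if unset)
#   $4 ssl-key-manager-provider ('' if unset)
#   $5 enabled trust manager providers   $6 enabled key manager providers
check_remote_ssl_config() {
    policy=$1 trust_all=$2 trust_provider=$3 key_provider=$4
    enabled_trust=$5 enabled_key=$6
    rc=0
    if [ "$policy" = never ]; then
        echo "FAIL: remote-ldap-server-ssl-policy=never: traffic to remote servers is unencrypted (ssl-trust-all is irrelevant here)"
        return 1
    fi
    if [ "$trust_all" = true ]; then
        echo "FAIL: ssl-trust-all=true: any remote server certificate is accepted; testing only"
        rc=1
    elif [ -z "$trust_provider" ]; then
        echo "FAIL: ssl-trust-manager-provider is mandatory when ssl-trust-all is false"
        rc=1
    elif ! list_contains "$trust_provider" "$enabled_trust"; then
        echo "FAIL: trust manager provider '$trust_provider' is not enabled"
        rc=1
    fi
    if [ -n "$key_provider" ] && ! list_contains "$key_provider" "$enabled_key"; then
        echo "FAIL: key manager provider '$key_provider' is not enabled"
        rc=1
    fi
    if [ $rc -eq 0 ]; then
        echo "OK: encrypted, certificates validated via '$trust_provider'," \
             "initial connections per server: $(initial_connections "$policy" "${7:-10}")"
    fi
    return $rc
}

# Example invocation (constructed values): policy always, no trust-all, provider
# backend-servers enabled, client-auth key provider proxy-key enabled, pool-initial-size 10.
check_remote_ssl_config always false backend-servers proxy-key \
    "backend-servers" "proxy-key" 10
```

Run it once per LDAP extension before enabling the extension; a FAIL line for ssl-trust-all or a never policy is the configuration the guide describes as acceptable for testing only.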