Getting SSL Up and Running Quickly
This procedure assumes the following:
Sun OpenDS Standard Edition is installed on the system on which you are working.
The Java keytool utility is in your path. If it is not, either add it to your path or provide the complete path to it when invoking the commands.
The administration connector is listening on the default port (4444) and the dsconfig command is accessing the server running on the local host. If this is not the case, the --port and --hostname options must be specified.
For example:

$ keytool -genkey -alias server-cert -keyalg rsa -keysize 2048 \
    -dname "CN=myhost.example.com,O=Example Company,C=US" \
    -keystore config/keystore -storetype JKS

-alias alias. Specifies the name used to refer to the certificate in the keystore. The default name used by the server is server-cert.
-keyalg algorithm. Specifies the algorithm used to generate the private key. This should almost always be rsa.
-keysize bits. Specifies the size of the generated key. Older keytool releases default to a 1024-bit RSA key, which is too small by current guidance, so request 2048 bits or more explicitly.
-dname subject. Specifies the subject to use for the certificate.
Change the value of the -dname argument so that it is suitable for your environment:
The value of the CN attribute should be the fully-qualified name of the system on which the certificate is being installed, that is, the host name clients will use to connect.
The value of the O attribute should be the name of your company or organization.
The value of the C attribute should be the two-character abbreviation for your country.
-keystore path. Specifies the path to the keystore file. The file is created if it does not already exist. The default keystore path used by the server is config/keystore.
-keypass password. Specifies the password used to protect the private key in the keystore. If the password is not provided, you are prompted for it.
-storepass password. Specifies the password used to protect the contents of the keystore. If the password is not provided, you are prompted for it. The server expects the password used for the -keypass and -storepass options to be the same, because it unlocks both with the single PIN it reads at startup.
-storetype type. Specifies the keystore type. For a JKS keystore, the value should always be JKS.
You are prompted for a password to protect the contents of the keystore and for a password to protect the private key.
For example:

$ keytool -selfcert -alias server-cert -validity 1825 \
    -keystore config/keystore -storetype JKS

-alias alias. Specifies the name used to refer to the certificate in the keystore. This name must be the same as the value used when creating the private key with the -genkey option.
-validity days. Specifies the length of time in days that the certificate should be valid. The default validity is 90 days.
-keystore path. Specifies the path to the keystore file. This must be the keystore that already holds the private key generated in the previous step.
-keypass password. Specifies the password used to protect the private key in the keystore. If this is not provided, you are prompted for it.
-storepass password. Specifies the password used to protect the contents of the keystore. If this is not provided, you are prompted for it.
-storetype type. Specifies the keystore type. For a JKS keystore, the value should always be JKS.
When you are prompted for the keystore password, enter the same password that you provided in the previous step.
Create a text file, config/keystore.pin by default, whose single line is the password you chose to protect the contents of the keystore (the -storepass value). The JKS key manager provider reads the keystore password from this file at startup, so the file holds the password in cleartext: make it readable only by the user account that runs the server (mode 0600) and keep it out of any backup or version control that is not protected at least as well. If you create the file with a different name or location, remember that it must match the key manager provider configuration: the provider's key-store-pin-file property must be set to that path and file name.
For example:

$ keytool -export -alias server-cert -file config/server-cert.txt -rfc \
    -keystore config/keystore -storetype JKS
For example:

$ keytool -import -alias server-cert -file config/server-cert.txt \
    -keystore config/truststore -storetype JKS

keytool displays the certificate and asks whether to trust it; answer yes. The truststore is created if it does not already exist, and you are prompted for a password to protect it.
This step is required only if the SSL and StartTLS settings were not specified during installation, or if you want to change those settings.
For example:

$ dsconfig -D "cn=directory manager" -w password -n set-key-manager-provider-prop \
    --provider-name JKS --set enabled:true
$ dsconfig -D "cn=directory manager" -w password -n set-trust-manager-provider-prop \
    --provider-name "Blind Trust" --set enabled:true
$ dsconfig -D "cn=directory manager" -w password -n set-connection-handler-prop \
    --handler-name "LDAPS Connection Handler" \
    --set "trust-manager-provider:Blind Trust" --set key-manager-provider:JKS \
    --set listen-port:1636 --set enabled:true

The Blind Trust manager provider accepts any certificate that a client presents. That is acceptable for getting a listener up quickly when clients do not present certificates, but do not rely on it on a server that authenticates clients by certificate (SASL EXTERNAL) or in production: configure the handler with the JKS trust manager provider backed by config/truststore instead (see Configuring Trust Manager Providers). Passing the bind password with -w also exposes it in the process list and shell history; dsconfig can read it from a file with the -j (--bindPasswordFile) option instead.
OpenDS listens for LDAPS on port 1636 by default rather than on the standard LDAPS port, 636, because ports below 1024 can be bound only by root on most systems. If 1636 is already in use, or if you run the server as root and want the standard port, change the listen-port property in the last command to the port number being used.
If, in step 3, you created a text file with a location and name other than config/keystore.pin, for example a text file called config/mykeystore.pin, point the key manager provider at it with the key-store-pin-file property (a relative path is resolved against the server instance directory, just as config/keystore is):

$ dsconfig -D "cn=directory manager" -w password -n set-key-manager-provider-prop \
    --provider-name JKS --set enabled:true --set key-store-pin-file:config/mykeystore.pin
For detailed information about keystores, see Configuring Key Manager Providers. For detailed information about truststores, see Configuring Trust Manager Providers.
$ ldapsearch --port 1636 --useSSL --baseDN "" --searchScope base "(objectClass=*)"

Because no truststore is given, ldapsearch prompts you to trust the server's certificate. Check that the subject and validity period it displays are those of the certificate you generated before typing yes; on typing yes, the root DSE entry should be returned. To have the client verify the server certificate against the truststore you populated earlier instead of prompting, add --trustStorePath config/truststore to the command.
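The following shell script is an added example and is not part of the OpenDS documentation or product. It gathers the checks a practitioner would run after the procedure above: that the keystore PIN file is safe to use (one cleartext line, not readable by group or other), that the PIN actually opens the keystore and the alias holds a private key, and that the certificate the LDAPS listener presents is the one in the keystore, so that the trust prompt is answered from evidence rather than habit. The paths, alias and host:port are assumptions matching the procedure (config/keystore, config/keystore.pin, server-cert, localhost:1636); the keytool and openssl checks need those tools on the PATH.

```shell
#!/bin/sh
# Added example (not OpenDS code): post-setup checks for the JKS keystore,
# its PIN file and the LDAPS listener configured in the procedure above.
# Assumed layout: config/keystore, config/keystore.pin, config/truststore,
# alias server-cert, LDAPS on localhost:1636.
# Usage:  . ./check_tls_setup.sh ; check_pin_file config/keystore.pin

# check_pin_file FILE
# The JKS key manager provider reads the keystore password from the first line
# of FILE. The file must therefore be a regular file with exactly one non-empty
# line (no CR line ending) and, since the password is cleartext, must not be
# readable by group or other. Returns 0 when all of that holds.
check_pin_file() {
  f=$1
  cr=$(printf '\r')
  if [ ! -f "$f" ]; then
    echo "pin file missing: $f" >&2; return 1
  fi
  # columns 5-10 of 'ls -l' output are the group and other permission bits
  perm=$(ls -l "$f" | cut -c5-10)
  if [ "$perm" != "------" ]; then
    echo "pin file $f is readable by group/other (bits: $perm); use mode 0600" >&2
    return 2
  fi
  # awk counts a final line even when it lacks a trailing newline
  n=$(awk 'END { print NR }' "$f")
  if [ "$n" -ne 1 ]; then
    echo "pin file $f must hold exactly one line (found $n)" >&2; return 3
  fi
  pin=$(head -n 1 "$f")
  case "$pin" in
    "")      echo "pin file $f is empty" >&2; return 4 ;;
    *"$cr"*) echo "pin file $f has a CR line ending" >&2; return 5 ;;
  esac
  return 0
}

# check_keystore KEYSTORE PINFILE ALIAS
# Confirms that the PIN in PINFILE opens KEYSTORE and that ALIAS is a
# private-key entry, which is what the key manager provider needs at startup.
# Needs keytool on the PATH. Like the keytool commands in the procedure,
# -storepass places the password in the process list for the command's lifetime.
check_keystore() {
  ks=$1; pf=$2; alias=$3
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 1; }
  pin=$(head -n 1 "$pf")
  keytool -list -keystore "$ks" -storetype JKS -storepass "$pin" -alias "$alias" \
    | grep -Eq 'PrivateKeyEntry|keyEntry'
}

# served_cert_matches KEYSTORE PINFILE ALIAS HOST PORT
# Fetches the certificate the LDAPS listener actually presents and compares its
# SHA-256 fingerprint with the certificate stored under ALIAS. Both fingerprints
# are computed by openssl from PEM, so the comparison does not depend on which
# digest a given keytool release prints. Needs keytool and openssl on the PATH.
served_cert_matches() {
  ks=$1; pf=$2; alias=$3; host=$4; port=$5
  pin=$(head -n 1 "$pf")
  served=$(openssl s_client -connect "$host:$port" </dev/null 2>/dev/null \
             | openssl x509 -noout -fingerprint -sha256)
  stored=$(keytool -export -rfc -alias "$alias" -keystore "$ks" -storetype JKS \
             -storepass "$pin" | openssl x509 -noout -fingerprint -sha256)
  [ -n "$served" ] && [ "$served" = "$stored" ]
}
```

Source the file and call check_pin_file config/keystore.pin before starting the server, then check_keystore config/keystore config/keystore.pin server-cert; once the LDAPS connection handler is enabled, served_cert_matches config/keystore config/keystore.pin server-cert localhost 1636 tells you the listener is serving your certificate, which is the fact the ldapsearch trust prompt is asking you to assert.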