Using the JKS Key Manager Provider
The JKS keystore is the default keystore used by most JSSE implementations, and is the preferred keystore type in many environments. To configure the server to use this keystore type, you must first obtain a JKS keystore that contains a valid certificate. To do this, you can either generate a self-signed certificate or issue a certificate signing request to an existing Certificate Authority (CA) and import the signed certificate.
All of the steps described here require the use of the keytool utility, which is provided with the Java runtime environment. This utility is typically found in the bin directory below the root of the Java installation. For more information about using the keytool utility, see the official Java documentation. The keytool examples in the following sections use the keytool syntax provided with Java 1.5. Java 6 renamed -genkey, -import and -export to -genkeypair, -importcert and -exportcert, but later releases still accept the older names shown here.
Using the JKS key manager provider involves the following:
Generating the private key
Self-signing the certificate, or using an external certificate authority to sign the certificate
Configuring the JKS key manager provider
Whether you use a self-signed certificate or generate a certificate signing request, you must first generate a private key. You can do this using the keytool utility with the -genkey option. The following arguments can be used with this option:
-alias alias. Specifies the name that should be used to refer to the certificate in the keystore. The default name used by the server is server-cert.
-keyalg algorithm. Specifies the algorithm that should be used to generate the private key. This should almost always be rsa. Older keytool releases default to a 1024-bit RSA key, so also pass -keysize 2048 (or larger) rather than relying on the default.
-dname subject. Specifies the subject to use for the certificate. The subject typically contains at least a CN attribute, which is the fully-qualified name of the system on which the certificate will be installed, an O attribute that specifies the name of the organization (or company), and a C attribute that specifies the country in which the certificate will be used.
-keystore path. Specifies the path to the keystore file. The file will be created if it does not already exist. The default keystore path used by the directory server is config/keystore.
-keypass password. Specifies the password that should be used to protect the private key in the keystore. If the password is not provided, you will be prompted for it.
-storepass password. Specifies the password that should be used to protect the contents of the keystore. If the password is not provided, you will be prompted for it. The directory server expects the password used for the -keypass and -storepass options to be the same.
-storetype type. Specifies the keystore type that should be used. For the JKS keystore, the value should always be JKS.
$ keytool -genkey -alias server-cert -keyalg rsa \
    -dname "CN=server.example.com,O=example.com,C=US" \
    -keystore config/keystore -keypass password \
    -storetype JKS -storepass password
If the certificate is to be self-signed, use the -selfcert option. Note that Java 6 and later no longer provide -selfcert: there, -genkey (or -genkeypair) already produces a self-signed certificate, so pass -validity to that command instead. The most important arguments for use with -selfcert include:
-alias alias. Specifies the name that should be used to refer to the certificate in the keystore. This name should be the same as the value used when creating the private key with the -genkey option.
-validity days. Specifies the length of time in days that the certificate should be valid. The default validity is 90 days.
-keystore path. Specifies the path to the keystore file. This must be the keystore that already holds the private key generated with -genkey.
-keypass password. Specifies the password that should be used to protect the private key in the keystore. If this is not provided, then you will be interactively prompted for it.
-storepass password. Specifies the password that should be used to protect the contents of the keystore. If this is not provided, then you will be interactively prompted for it.
-storetype type. Specifies the keystore type that should be used. For the JKS keystore, the value should always be JKS.
$ keytool -selfcert -alias server-cert -validity 1825 \
    -keystore config/keystore -keypass password -storetype JKS \
    -storepass password
If the certificate is to be signed by an external certificate authority, you must first generate a certificate signing request (CSR) using the -certreq option. The CSR can be submitted to a certificate authority to be signed. The method for doing this, and the method for obtaining the signed certificate, might vary from one certificate authority to another.
When you receive the signed certificate from the Certificate Authority, import it into the keystore with the -import option.
$ keytool -certreq -alias server-cert -file /tmp/server-cert.csr \
    -keystore config/keystore -keypass password -storetype JKS \
    -storepass password
The arguments used with this command are as follows:
-alias alias. Specifies the name that should be used to refer to the certificate in the keystore. This name should be the same as the value used when creating the private key with the -genkey option.
-file path. Specifies the path to the file to which the CSR should be written. If this is not provided, the request will be written to standard output.
-keystore path. Specifies the path to the keystore file. This must be the keystore that already holds the private key generated with -genkey.
-keypass password. Specifies the password that should be used to protect the private key in the keystore. If this is not provided, you will be interactively prompted for it.
-storepass password. Specifies the password that should be used to protect the contents of the keystore. If this is not provided, you will be interactively prompted for it.
-storetype type. Specifies the keystore type that should be used. For the JKS keystore, the value should always be JKS.
$ keytool -import -alias server-cert -file /tmp/server-cert.cert \
    -keystore config/keystore -storetype JKS -storepass password
The arguments used with this command are as follows:
-alias alias. Specifies the name that should be used to refer to the certificate in the keystore. This name should be the same as the value used when creating the private key with the -genkey option.
-file path. Specifies the path to the file containing the signed certificate. The file should be in either the DER-encoded binary format or the base64-encoded ASCII format as described in RFC 1421. keytool verifies the reply against the issuing CA before replacing the entry, so if the CA certificate is not already trusted (in this keystore or in the Java cacerts file), import the CA certificate first under its own alias; otherwise the import fails with "Failed to establish chain from reply".
-keystore path. Specifies the path to the keystore file. This must be the keystore that already holds the private key generated with -genkey; importing the reply under that key's alias replaces its placeholder certificate with the CA-issued chain.
-storepass password. Specifies the password that should be used to protect the contents of the keystore. If this is not provided, then you will be interactively prompted for it.
-storetype type. Specifies the keystore type that should be used. For the JKS keystore, the value should always be JKS.
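The following script is an added example and is not part of the product documentation or its keytool examples. It runs the external-CA flow described above end to end, but stands in for the external CA with a second keytool keystore so that it works offline: generate the server key pair, write a CSR, sign it with the stand-in CA, import the CA certificate, then import the signed reply under the server key's alias. It assumes keytool from Java 7 or later (for -genkeypair, -gencert and -importcert); the hostnames, aliases and passwords are placeholders chosen for illustration, and the directory layout mirrors the config/keystore default mentioned above.

```shell
#!/bin/sh
# Added example (not from the product documentation). Builds a JKS keystore
# holding a CA-signed server certificate, using a throwaway "CA" held in a
# second keystore in place of the external certificate authority.
# Assumes keytool from Java 7+. Passwords and names are placeholders.
set -eu

# Build "$1/config/keystore" with a CA-signed server-cert entry.
build_signed_keystore() {
    workdir=$1
    ks="$workdir/config/keystore"
    ca_ks="$workdir/ca.jks"
    mkdir -p "$workdir/config"

    # 1. Server key pair. -storetype JKS is explicit because keytool defaults
    #    to PKCS12 since Java 9; -keysize 2048 because old keytool used 1024.
    keytool -genkeypair -alias server-cert -keyalg RSA -keysize 2048 \
        -dname "CN=server.example.com,O=example.com,C=US" \
        -keystore "$ks" -storetype JKS -storepass changeit -keypass changeit \
        -validity 365

    # 2. Certificate signing request, written in PEM form for the CA.
    keytool -certreq -alias server-cert -file "$workdir/server-cert.csr" \
        -keystore "$ks" -storetype JKS -storepass changeit -keypass changeit

    # 3. Stand-in CA: a self-signed key pair in its own keystore, exported as PEM.
    keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 \
        -dname "CN=Example Test CA,O=example.com,C=US" -ext bc:c \
        -keystore "$ca_ks" -storetype JKS -storepass capass -keypass capass \
        -validity 730
    keytool -exportcert -rfc -alias ca -file "$workdir/ca.pem" \
        -keystore "$ca_ks" -storetype JKS -storepass capass

    # 4. The CA signs the CSR (a real CA does this out of band and returns the cert).
    keytool -gencert -alias ca -infile "$workdir/server-cert.csr" \
        -outfile "$workdir/server-cert.pem" -rfc -validity 365 \
        -ext san=dns:server.example.com \
        -keystore "$ca_ks" -storetype JKS -storepass capass -keypass capass

    # 5. Import the CA certificate first, under its own alias. Skipping this
    #    makes step 6 fail with "Failed to establish chain from reply".
    keytool -importcert -noprompt -alias ca -file "$workdir/ca.pem" \
        -keystore "$ks" -storetype JKS -storepass changeit

    # 6. Import the signed reply under the SAME alias as the private key; this
    #    replaces the self-signed placeholder with the CA-issued chain.
    keytool -importcert -noprompt -alias server-cert \
        -file "$workdir/server-cert.pem" \
        -keystore "$ks" -storetype JKS -storepass changeit -keypass changeit
}

# Chain length of the server-cert entry: 2 once CA-signed, 1 while self-signed.
server_chain_length() {
    keytool -list -v -alias server-cert -keystore "$1/config/keystore" \
        -storetype JKS -storepass changeit \
        | sed -n 's/^Certificate chain length: //p'
}
```

After running build_signed_keystore against an instance directory, server_chain_length on that directory should report 2; a value of 1 means the reply was never imported and the server would still present the self-signed placeholder. The extra trusted-certificate entry for the CA is harmless to the key manager provider, which only uses the private-key entry named by the connection handler's certificate nickname.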
When you have created a JKS keystore containing a signed certificate (whether self-signed or signed by an external CA), you can configure the server to use that keystore by creating a key manager provider entry for that keystore.
This example defines an instance of a file-based key manager provider, using dsconfig to set the properties of the key manager provider. The key-store-pin value must be the password given to keytool's -storepass (and -keypass) option; the example uses secret where the keytool commands above used password, so make the two agree. A PIN passed as key-store-pin ends up in shell history and in the argument list of the running dsconfig process; the key-store-pin-file property, pointing at a file readable only by the server's user, avoids that. The -X option makes dsconfig accept whatever certificate the server presents on the administration connection, so use it only when connecting on the host itself. For details about the properties of the key manager provider, see the File Based Key Manager Provider Configuration.
$ dsconfig -D "cn=Directory Manager" -w password -X -n \
    set-key-manager-provider-prop --provider-name "JKS" \
    --set java-class:org.opends.server.extensions.FileBasedKeyManagerProvider \
    --set enabled:true --set "key-store-type:JKS" \
    --set "key-store-file:/config/keystore" \
    --set "key-store-pin:secret"