Using LDAP with Java CAPS

SSL Support

By default, communications between the Repository and the LDAP server are unencrypted.

To encrypt communications between the Repository and the LDAP server, make the following additions and modifications to the procedures described earlier in this topic.

Configuring SSL on the LDAP Server

Ensure that the LDAP server is configured to use the Secure Sockets Layer (SSL). For detailed instructions, see the documentation provided with the LDAP server.

In preparation for the next step, export the LDAP server’s certificate to a file.

Importing the LDAP Server’s Certificate

You must add the LDAP server’s certificate to the Repository’s list of trusted certificates. The list is located in a file called cacerts.

In the following procedure, you use the keytool program. This program is included with the Java SDK.

To Import the LDAP Server’s Certificate

  1. Navigate to the JDK-install-dir/jre/bin directory.

    Use the JDK that was specified during the installation of the Repository.

  2. Run the following command:


    keytool -import -trustcacerts -alias alias -file certificate_filename -keystore cacerts_filename

    For the -alias option, you can assign any value.

    For the -file option, specify the fully qualified name of the LDAP server’s certificate. For example:


    C:\mycertificate.cer

    For the -keystore option, specify the fully qualified name of the cacerts file. The cacerts file is located in the JDK-install-dir/jre/lib/security directory. For example:


    C:\Java\jdk1.6.0_06\jre\lib\security\cacerts

  3. When prompted, enter the keystore password. The default password is changeit.

  4. When prompted to trust this certificate, enter yes.

    The following message appears:


    Certificate was added to keystore

Modifying the LDAP Server URL

In the <Realm> element of the server.xml file, modify the URL of the LDAP server as follows:

For example:


<Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionURL="ldaps://myldapserver:636"
    ...
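Before restarting the Repository with the new URL, both changes can be verified from the same JDK. The following check is an added example and not part of the Java CAPS documentation: it confirms that the cacerts entry holds the certificate exported from the LDAP server, then opens an LDAPS connection through JNDI, the mechanism JNDIRealm itself uses. The alias, file paths, host and port are assumptions taken from the examples on this page.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.InitialDirContext;

public class LdapsTrustCheck {
    // Assumed values, taken from the examples on this page; substitute your own.
    static final String CACERTS = "C:\\Java\\jdk1.6.0_06\\jre\\lib\\security\\cacerts";
    static final String CERT_FILE = "C:\\mycertificate.cer";
    static final String ALIAS = "myldapserver";                 // value given to keytool -alias
    static final String LDAPS_URL = "ldaps://myldapserver:636"; // connectionURL in server.xml

    // Returns the certificate stored under ALIAS, or null if the import did not happen.
    static Certificate trustedEntry() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(CACERTS);
        try { ks.load(in, "changeit".toCharArray()); } finally { in.close(); }  // default password
        return ks.getCertificate(ALIAS);
    }

    // Parses the certificate file that was exported from the LDAP server.
    static Certificate exportedCert() throws Exception {
        FileInputStream in = new FileInputStream(CERT_FILE);
        try { return CertificateFactory.getInstance("X.509").generateCertificate(in); }
        finally { in.close(); }
    }

    public static void main(String[] args) throws Exception {
        // 1. The alias must exist and must hold exactly the exported certificate, so the
        //    Repository trusts the LDAP server and not some other certificate imported by mistake.
        Certificate trusted = trustedEntry();
        if (trusted == null) throw new IllegalStateException("no entry for alias " + ALIAS + " in cacerts");
        if (!Arrays.equals(trusted.getEncoded(), exportedCert().getEncoded()))
            throw new IllegalStateException("cacerts entry " + ALIAS + " does not match " + CERT_FILE);
        System.out.println("cacerts holds the LDAP server certificate");

        // 2. Connect the way JNDIRealm does: JNDI over LDAPS using the JRE's default trust store,
        //    which is why no javax.net.ssl.trustStore property is set here. An untrusted chain
        //    surfaces as a CommunicationException whose root cause is an SSLHandshakeException.
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAPS_URL);
        new InitialDirContext(env).close(); // anonymous bind; the TLS handshake completes first
        System.out.println("TLS connection to " + LDAPS_URL + " succeeded");
    }
}
```

Compile and run it with the JDK that was specified during the Repository installation, so that the same cacerts file is consulted.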