Listed are the additional notes for the following Security/SSL section properties:
Make sure that the SSL properties, including security certificate installation, port number, and so on, are set correctly for the current LDAP server.
Transport Layer Security (TLS) is a protocol that guarantees privacy and data integrity between client/server applications communicating over the Internet. The TLS operation for this Adapter supports both secure and nonsecure communication on the same connection.
However, some LDAP servers are required to start on a configured nonsecure port and cannot start on a secure port. For details, see the appropriate documentation for the LDAP server.
TLS on Demand: A feature of LDAP version 3 (StartTLS extended operation), which is supported in Java SDK version 1.4 and later. Selecting this option allows you to establish an SSL connection on demand programmatically.
If you are using the TLS on Demand option, the ProviderURL property must point to a nonsecure LDAP port (the default is 389).
After selecting this option, whenever secure communication is required, you must place any method call to the LDAP server between startTLS and stopTLS calls, which can be accessed through the LDAP OTD.
In the following example, the call to performAddEntry goes through a secure communication channel, but the call to performRename goes through a nonsecure plain-communication channel:
startTLS(); performAddEntry(); stopTLS(); performRename(); |
Make sure that the TLS settings (in addition to the SSL settings) are configured correctly for the current LDAP server.
Using the stopTLS method may cause unexpected behavior with some LDAP servers. You may need to remove the use of this method in your Collaboration Definitions. For example, you cannot use the stopTLS method when connecting to a Sun ONE Directory server. For details, see the appropriate documentation for the LDAP server.
Active Directory does not release the context, when you iteratively add a single attribute with multiple values using TLS connection. But, with the workaround of starting the TLS, adding the attribute operations and then stopping the TLS will release the context.
For information on how to use this feature with the LDAP OTD, see TLSExtension Node.
Under some circumstances, you can get different Java exceptions, depending on whether you set this property to True or False. This section explains what causes these exceptions.
For example, suppose the host name in the URL is localhost, and the host name in the server certificate is localhost.stc.com. Then, the following conditions apply:
If Verify hostname is set to False:
Host name checking between the requested URL and the server certificate is turned off.
You can use an incomplete domain host name, for example, https://localhost:444, or a complete domain host name, for example, https://localhost.stc.com:444, and get a positive response in each case.
If Verify hostname is set to True:
Host name checking between the requested URL and the server certificate is turned on.
If you use an incomplete domain host name, for example, https://localhost:444, you can get the exception java.io.IOException: HTTPS hostname wrong.
You must use a complete domain host name, for example, https://localhost.stc.com:444.
If the Java SDK version used by the Application Server and the corresponding Application Server property setting do not match, you can get the exception java.lang.ClassCastException.
Where to Go Next
Configuring MSMQ Adapter Inbound Connectivity Map Properties.
Related Topics