Chapter 12 Connecting Over SSL

This chapter describes the process of enabling an LDAP client to connect to an LDAP server over the Secure Sockets Layer (SSL) protocol. The chapter covers the procedures for connecting to an LDAP server and authenticating.

• "How SSL Works with the Netscape Directory SDK for Java"
• "Prerequisites for Connecting Over SSL"
• "Connecting to the Server Over SSL"
• "Using Certificate-Based Client Authentication"

• The SSL 3.0 Protocol Specification (http://home.netscape.com/eng/ssl3/ssl-toc.html)

• LDAPSSLSocketFactory

Use this class if you are using the netscape.net.SSLSocket class (which is provided with Netscape Communicator 4.05 and more recent versions) to implement SSL sockets. You can also use this class if the class that implements SSL sockets extends the Socket object.

• LDAPSSLSocketWrapFactory

Use this class if the class that implements SSL sockets does not extend the Socket object. The LDAPSSLSocketWrapFactory class wraps your SSL socket implementation class in a class that does extend the Socket object.

• Your client has access to a Netscape certificate database.

If you are running your client as an applet in a Netscape Navigator browser, you can use this certificate database to determine if you trust the certificate sent from the server.

• The database that you are using contains any one of the following:

• the certificate of the certificate authority (CA) that issued the server's certificate
• if the certificate authorities (CAs) are organized in a hierarchy, the certificate of any of the CAs in the hierarchy
• the certificate of the LDAP server
• The CA certificate is marked as "trusted" in the certificate database.
• If you plan to use certificate-based client authentication, you also need the following:

• a client certificate (issued by a CA trusted by the LDAP server) in the certificate database
• a public/private key pair in a Netscape key file (this can be either the key.db file used by Netscape Navigator or the <alias>-key.db file used by Netscape servers)

1. Construct a new LDAPSSLSocketFactory object or a new LDAPSSLSocketWrapFactory object.

This object represents the SSL socket factory that will be used to create the sockets for establishing connections with the LDAP server.

The constructors for these classes allow you to specify the name of the class that will be used to create the actual sockets.

• For the LDAPSSLSocketFactory constructor, you should specify a class that implements the javax.net.ssl.SSLSocket interface. By default, if you do not specify a class, the netscape.net.SSLSocket class is used. This class is included with Netscape Communicator 4.05.
• If the SSL socket class does not extend the Socket class (for example, if it just extends the Object class), use the LDAPSSLSocketWrapFactory constructor.

1. Pass the object you constructed to the LDAPConnection constructor.

When first establishing a connection to the LDAP server, the makeSocket method of the specified object will be used to construct the socket.

• Your client is an applet running in a Netscape browser.
• Your client is using a class that implements the LDAPSocketFactory interface and supports certificate-based client authentication.

• The LDAPSSLSocketWrapFactory class currently does not support certificate-based client authentication.
• The LDAPSSLSocketFactory class relies on the Netscape browser to support certificate-based client authentication. This class does not support the use of certificates for authentication outside the browser (for example, if your client is a stand-alone Java application).

1. Construct a new LDAPSSLSocketFactory object.
2. Invoke the enableClientAuth method of the object to enable certificate-based client authentication.
3. Pass the object you constructed to the LDAPConnection constructor.