Using LDAP Over SSL (LDAPS)

This section provides an overview of SSL and discusses SSL between PeopleSoft and LDAP.

SSL (now standardized as TLS) is a protocol, originally developed by Netscape, that defines an interface for data encryption between network nodes. To establish an SSL-encrypted connection, the nodes must complete the SSL handshake. These are the simplified steps of the SSL handshake, shown with RSA key exchange:

  1. Client sends a request to connect.

  2. Server responds to the connect request and sends its signed certificate.

  3. Client verifies that the certificate signer is in its acceptable certificate authority (CA) list and that the certificate was issued to the server it intended to connect to.

  4. Client generates a session key to be used for encryption and sends it to the server encrypted with the server’s public key (from the certificate received in Step 2).

  5. Server uses its private key to decrypt the client-generated session key.

With the ephemeral Diffie-Hellman key exchange that TLS 1.3 requires and most TLS 1.2 deployments use, both sides derive the session key and the server’s private key only signs the exchange, but the trust decision in Step 3 is unchanged, and it is that step that the certificates described below serve.

Establishing an SSL connection involves two certificates: one containing the public key of the server (the server certificate, or public key certificate) and one used to verify the CA that issued the server certificate (the trusted root certificate). The server must be configured to present its server certificate when a client requests an SSL connection, and the client must be configured with the trusted root certificate of the CA that issued the server certificate. If the server certificate was issued by an intermediate CA rather than directly by the root, the server should present the intermediate certificate as well, so that the client can build the chain back to the root it trusts.

The details of those configurations depend on the protocol being used and on the client and server platforms, but SSL is a lower-level protocol than the application protocol it carries, such as HTTP or LDAP, and it works the same way regardless of the application protocol: configuring LDAPS is much like configuring HTTPS, with LDAP in place of HTTP. To connect to a directory server over LDAPS from a PeopleSoft application, SSL has to be configured on both the directory server and the PeopleSoft application server.

Note: Establishing LDAPS is not related to web server certificates or certificates used with PeopleSoft integration.

You can use LDAP Business Interlink to establish a secure LDAP connection between the application server and the LDAP server. To establish the secure connection between the PeopleSoft application server and the LDAP server, you need the following certificates:

  • A server certificate for the LDAP server.

  • The trusted root certificate from the CA that issued the server certificate.

Installing and Removing Root CA Certificates in PeopleSoft Databases

To install Root CA Certificates into PeopleSoft databases:

  1. Select PeopleTools > Security > Digital Certificates.

    The list of installed certificates appears.

  2. Click the insert row button (+) in the last row of the displayed certificates.

    A blank row appears.

  3. Select Root CA from the Type drop-down list box.

  4. Enter a meaningful name as the alias of this certificate in the Alias field.

  5. Click the Issuer Alias field prompt button.

    The name of the Alias automatically populates the Issuer Alias field.

  6. Click the Add Root link.

    The Add Root Certificate page appears. Minimize the browser window.

  7. Open the root CA certificate with a text editor and copy the entire contents. The file must be in PEM form (Base64 text between BEGIN CERTIFICATE and END CERTIFICATE lines); if your CA supplied it as a binary DER file, convert it to PEM first.

  8. Maximize the browser and paste the contents into the text box.

  9. Click the OK button to see the new digital certificate.

  10. Reboot the application server.

To remove root CA certificates from PeopleSoft databases:

  1. Select PeopleTools > Security > Digital Certificates.

    The list of installed certificates appears.

  2. Click the delete row (–) button in the row of the certificate you want to remove.

    A Delete Confirmation message box appears.

  3. Click the OK button to confirm the deletion.

  4. Reboot the application server.

Enabling LDAP Authentication Over SSL in PeopleSoft Applications

To enable LDAP authentication over SSL in PeopleSoft applications:

  1. Follow the documentation for your directory server to add the server certificate to your directory server.

  2. Install the root CA certificate into the PeopleSoft database.

  3. Select PeopleTools > Security > Directory > Configure Directory > Directory Setup to access the Directory Setup page.

    The SSL Port field must reflect the correct LDAPS port for the directory server (636 is the standard LDAPS port, but a directory can be configured to listen on a different one).

  4. Click the Test Connectivity tab.

    You must see SUCCESS here for the SSL transactions to work. If you see FAILURE, LDAP authentication will not succeed over SSL; the usual causes are a root CA certificate that has not been installed (or an application server that has not been rebooted since it was installed), a wrong SSL port, or a server certificate issued to a name other than the host name entered on the Directory Setup page.

  5. Select PeopleTools > Security > Directory > Authentication Map to access the Authentication Map page, and select the Use Secure Sockets Layer check box.

  6. Enable the LDAP_AUTHENTICATION Signon PeopleCode.

    See Enabling Signon PeopleCode.

  7. Reboot the application server.
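The following script is an added example, not part of the PeopleSoft documentation or product. It exercises, offline, the trust relationship described in the handshake steps at the start of this section, and it is the same kind of check that step 4 above (Test Connectivity) performs from inside PeopleSoft, so running it independently helps separate directory-side problems from PeopleSoft-side ones. It assumes the openssl command line tool is installed, uses a constructed test root CA and a server certificate for the hypothetical directory host ldap.example.com, and stands up a TLS listener on localhost in place of the directory's LDAPS port. The three checks show the one combination that succeeds (the correct root CA and the right host name) beside the two failures a misconfiguration produces (an unrelated root CA, and a host name the certificate was not issued to).

```python
"""Offline LDAPS trust check. Added example, not part of the PeopleSoft
documentation; it needs the openssl command line tool on PATH. A constructed
root CA and a server certificate for the hypothetical directory host
ldap.example.com are generated, a TLS listener on localhost stands in for the
directory's LDAPS port, and the client side of the handshake is run the way
the application server must run it: trusting only the installed root CA."""
import os
import pathlib
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "127.0.0.1"                # where the stand-in LDAPS listener binds
SERVER_NAME = "ldap.example.com"  # hypothetical directory host name

REQ_CONF = """[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
"""
SERVER_EXT = """basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:%s
"""

def openssl(*args):
    subprocess.run(("openssl",) + args, check=True, capture_output=True)

def make_test_pki(workdir, ca_name, server_name=SERVER_NAME):
    """Self-signed root CA plus a server certificate it issued (test data only)."""
    p = lambda name: os.path.join(workdir, name)
    pathlib.Path(p("req.cnf")).write_text(REQ_CONF)
    pathlib.Path(p("server.ext")).write_text(SERVER_EXT % server_name)
    # Trusted root certificate: the file whose contents get pasted into PeopleSoft.
    openssl("req", "-config", p("req.cnf"), "-x509", "-newkey", "rsa:2048", "-nodes",
            "-keyout", p("root.key"), "-out", p("root.pem"), "-subj", "/CN=" + ca_name)
    # Server certificate: a request for the directory host, signed by that root.
    openssl("req", "-config", p("req.cnf"), "-new", "-newkey", "rsa:2048", "-nodes",
            "-keyout", p("server.key"), "-out", p("server.csr"), "-subj", "/CN=" + server_name)
    openssl("x509", "-req", "-in", p("server.csr"), "-CA", p("root.pem"), "-CAkey", p("root.key"),
            "-CAcreateserial", "-days", "1", "-extfile", p("server.ext"), "-out", p("server.pem"))
    return p("root.pem"), p("server.pem"), p("server.key")

def start_server(server_pem, server_key, connections):
    """Stand-in for the LDAPS port: presents the server certificate (step 2) and closes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(server_pem, server_key)
    lsock = socket.create_server((HOST, 0), backlog=connections)
    def serve():
        for _ in range(connections):
            conn, _ = lsock.accept()
            try:
                ctx.wrap_socket(conn, server_side=True).close()  # handshake runs in wrap_socket
            except OSError:
                continue  # the client rejected our certificate and aborted the handshake
        lsock.close()
    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()[1]

def check_ldaps(host, port, server_name, root_pem):
    """Client side of the handshake (steps 1, 3, 4): trust only root_pem and require a
    certificate for server_name. Returns (True, {subject, issuer CNs}) or (False, reason)."""
    ctx = ssl.create_default_context(cafile=root_pem)  # CERT_REQUIRED plus host name check
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
                cert = tls.getpeercert()
                return True, {f: dict(rdn[0] for rdn in cert[f]).get("commonName")
                              for f in ("subject", "issuer")}
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message  # unknown CA, or name mismatch
    except OSError as exc:
        return False, str(exc)  # refused, timed out, or other TLS failure

def demo():
    """Correct root, unrelated root, wrong host name: only the first can succeed."""
    with tempfile.TemporaryDirectory() as d1, tempfile.TemporaryDirectory() as d2:
        root_pem, server_pem, server_key = make_test_pki(d1, "Test Root CA")
        other_root, _, _ = make_test_pki(d2, "Unrelated Root CA")
        port = start_server(server_pem, server_key, connections=3)
        return {
            "correct_root": check_ldaps(HOST, port, SERVER_NAME, root_pem),
            "wrong_root": check_ldaps(HOST, port, SERVER_NAME, other_root),
            "wrong_host": check_ldaps(HOST, port, "directory.example.com", root_pem),
        }

if __name__ == "__main__":
    for case, (ok, detail) in demo().items():
        print(f"{case:13} {'SUCCESS' if ok else 'FAILURE'}: {detail}")
```

Against a real directory server the same client-side check is what openssl s_client -connect directory-host:636 -CAfile root.pem performs; adding -showcerts shows the certificate chain the server presents, which tells you which CA issued the server certificate and therefore which root certificate to install in step 2. A success here and a FAILURE on the Test Connectivity tab points at the PeopleSoft side (root not installed, application server not rebooted, wrong SSL port); a failure here means the directory server's certificate or chain needs attention first.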