Installing a Secure Certificate for an LDAP Server

How to:

Before you create an LDAP over SSL (LDAPS) connection using the iWay Application Protocol Adapter for LDAP, the certificate for the LDAP Server (Active Directory Server, OpenLDAP, or another type) must first be installed as a trusted certificate in the Java keystore.

Procedure: How to Add a Certificate to the Java Keystore File

By default, the Java Runtime Environment (JRE) maintains a Common Access Card (CAC) keystore, which is called cacerts, in the JAVA_HOME\jre\lib\security directory.

  1. Copy the servername.crt file to the JAVA_HOME\jre\lib\security directory.

    where:

    servername

    Is the name of the LDAP Server.

    JAVA_HOME

    Is the root installation directory of your Java Runtime Environment (JRE).

  2. Open a command prompt window as an Administrator and navigate to the JAVA_HOME\jre\lib\security directory.
  3. Execute the following command:
    keytool -import -trustcacerts -alias servername -file servername.crt -keystore cacerts

    where:

    servername

    Is the name of the LDAP Server.

    You are prompted for the keystore password.

  4. Type changeit and press Enter.
    You are prompted whether you want to trust this certificate.
  5. Type yes and press Enter.

    A message is displayed indicating that the certificate was successfully added to the keystore.

    For more information on obtaining a certificate from Microsoft Active Directory, see the following web site:

    http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

    If the location of this online document should change or the link is invalid, go to http://technet.microsoft.com and search for a document called LDAP over SSL (LDAPS) Certificate.

    Secure LDAP on other platforms may require the installation of OpenSSL or other operating system packages. Consult the vendor's instructions on where the server certificate is installed and how to acquire a client copy of the server's certificate.

    Another option, available on any platform, is to use a third-party certificate authority that issues the certificate securing the connection between the two parties. For more information, see the Transport Layer Security topic on the following website:

    http://en.wikipedia.org/wiki/Transport_Layer_Security

Procedure: How to Enable a Specific Keystore File With Java

As an alternative to the previous procedure, you can configure your Java Runtime Environment (JRE) to use a specific (user-created) keystore file.

  1. Copy the keystore file to a location on your file system (for example, c:\iway7).
  2. Set the following Java system properties:
    -Djavax.net.ssl.keyStorePassword=changeit
    -Djavax.net.ssl.keyStore=c:/iway7/servername.jks
    -Djavax.net.ssl.trustStore=c:/iway7/servername.jks

    where:

    servername

    Is the name of the LDAP Server.

    The following list describes the specific keys you must set in more detail:

    • javax.net.ssl.keyStorePassword. Password used to access the private key in the keystore file specified by javax.net.ssl.keyStore. This password is used twice: to unlock the keystore file (store password) and to decrypt the private key stored in the keystore (key password).
    • javax.net.ssl.keyStore. Location of the Java keystore file containing the certificate and private key of the application process. On Windows, the specified path name must use forward slash characters (/) in place of backslash characters (\).
    • javax.net.ssl.trustStore. Location of the Java keystore file containing the collection of CA certificates trusted by this application process (the trust store). On Windows, the specified path name must use forward slash characters (/) in place of backslash characters (\).
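The following Java program ties the two procedures together: it loads the trust store from the previous procedure, prints the SHA-256 fingerprint of the imported servername entry in the same colon-separated form keytool -list -v shows (so the value can be compared with the one the LDAP administrator published before the entry is relied on), and then opens an LDAPS connection through JNDI with the javax.net.ssl.trustStore properties set programmatically instead of on the java command line. This is an added example, not code from the original page or from the iWay adapter; the keystore path, alias, host name and the JKS store type are assumed placeholders, and only the trust store is set because the LDAP server's certificate is validated against it, while javax.net.ssl.keyStore matters only when the client must present its own certificate.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LdapsTrustCheck {
    static final String TRUST_STORE = "c:/iway7/servername.jks"; // placeholder, not from the page
    static final String TRUST_STORE_PASSWORD = "changeit";        // keytool default, as in the procedure
    static final String ALIAS = "servername";                     // alias used in the keytool -import step
    static final String LDAP_URL = "ldaps://servername:636";      // placeholder host, standard LDAPS port

    // SHA-256 fingerprint of the stored certificate in the colon-separated form keytool -list -v prints.
    static String fingerprint(KeyStore ks, String alias) throws Exception {
        Certificate cert = ks.getCertificate(alias);
        if (cert == null) throw new IllegalStateException("alias " + alias + " not in trust store");
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(sb.length() > 0 ? ":" : "").append(String.format("%02X", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(TRUST_STORE)) {
            ks.load(in, TRUST_STORE_PASSWORD.toCharArray());
        }
        System.out.println("SHA-256 of " + ALIAS + ": " + fingerprint(ks, ALIAS));
        // Same effect as -Djavax.net.ssl.trustStore=... on the java command line; the JNDI
        // LDAP provider reads these properties when it opens the TLS session for ldaps://.
        System.setProperty("javax.net.ssl.trustStore", TRUST_STORE);
        System.setProperty("javax.net.ssl.trustStorePassword", TRUST_STORE_PASSWORD);
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "none"); // anonymous bind: exercises TLS trust only
        try {
            DirContext ctx = new InitialDirContext(env);
            System.out.println("LDAPS connection established: server certificate chain is trusted");
            ctx.close();
        } catch (NamingException e) {
            // An untrusted server certificate surfaces here as a CommunicationException whose
            // root cause is an SSLHandshakeException ("PKIX path building failed").
            System.err.println("LDAPS connection failed: " + e);
        }
    }
}
```

If the fingerprint printed does not match the one published for the LDAP server, remove the entry with keytool -delete before any application is allowed to trust it.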

Reference: Additional Considerations and Online Resources

For more information on using the Java keytool, see the following web site:

http://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html

If the location of this online document should change or the link is invalid, go to http://docs.oracle.com and search for a document called keytool - Key and Certificate Management Tool.

It is also important to know the format of the certificate used for authentication, since not all tools and methods accept all formats. If you are using a Windows platform, see the following web site:

http://technet.microsoft.com/en-us/library/cc770735(v=ws.10).aspx

If the location of this online document should change or the link is invalid, go to http://technet.microsoft.com and search for a document called Certificate File Formats.

If you are using OpenSSL or other products for Linux, UNIX, or other operating systems, see the following web site for more information on certificate management with OpenSSL:

http://gagravarr.org/writing/openssl-certs/general.shtml

It may also be necessary to convert certificate file formats if the certificate type provided to you by the certificate authority is not the type you are using in your SSL certificate store.