Before you create a LDAP over SSL (LDAPS) connection using the iWay Application Protocol Adapter for LDAP, the certificate for the LDAP Server (Active Directory Server, Open LDAP, or other type) must first be installed as a trusted certificate in the Java keystore.
By default, the Java Runtime Environment (JRE) maintains a Common Access Card (CAC) keystore, which is called cacerts, in the JAVA_HOME\jre\lib\security directory.
where:
servername
Is the name of the LDAP Server.
JAVA_HOME
Is the root installation directory of your Java Runtime Environment (JRE).
keytool -import -trustcacerts -alias servername -file servername.crt -keystore cacerts
where:
servername
Is the name of the LDAP Server.
You are prompted for the keystore password.
A message is displayed indicating that the certificate was successfully added to the keystore.
For more information on obtaining a certificate from Microsoft Active Directory, see the following web site:
http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
If the location of this online document should change or the link is invalid, go to http://technet.microsoft.com and search for a document called LDAP over SSL (LDAPS) Certificate.
Secure LDAP on other platforms may require the installation of OpenSSL or other operating system packages. Consult the vendor for instructions on where the certificate is installed and how to acquire a client copy of the server's certificate.
The other option that is available to all users is a third-party signing authority that provides a certificate for the link between the parties. For more information, see the Transport Layer Security topic on the following website:
As an alternative to the previous procedure, you can configure your Java Runtime Environment (JRE) to use a specific (user-created) keystore file.
-Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.keyStore=c:/iway7/servername.jks -Djavax.net.ssl.trustStore=c:/iway7/servername.jks
where:
servername
Is the name of the LDAP Server.
The following list describes the specific keys you must set in more detail:
For more information on using the Java keytool, see the following web site:
http://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html
If the location of this online document should change or the link is invalid, go to http://docs.oracle.com and search for a document called keytool - Key and Certificate Management Tool.
It is also important to know the format of the certificate used for authentication, since not all tools and methods accept all formats. If you are using a Windows platform, see the following web site:
http://technet.microsoft.com/en-us/library/cc770735(v=ws.10).aspx
If the location of this online document should change or the link is invalid, go to http://technet.microsoft.com and search for a document called Certificate File Formats.
If you are using OpenSSL or other products for Linux, UNIX, or other operating systems, see the following web site for more information on certificate management with OpenSSL:
http://gagravarr.org/writing/openssl-certs/general.shtml
It may also be necessary to convert certificate file formats if the certificate type provided to you by the certificate authority is not the type you are using in your SSL certificate store.
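The following Python script is an added example, not part of the original documentation or the iWay product, illustrating the format check and conversion just described. It detects whether a certificate blob is PEM (Base64 text between BEGIN/END CERTIFICATE markers) or DER (a binary ASN.1 SEQUENCE whose declared length matches the file) and converts between the two using only the standard library. The sample input is a constructed minimal DER SEQUENCE, not a real certificate, so the script runs offline; the function names are assumptions of this example.

```python
import base64
import re
import ssl

# PEM body: the Base64 text between the BEGIN/END CERTIFICATE markers.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def der_sequence_length(data: bytes) -> int:
    """Return the total byte length (tag + length field + content) of the
    outer DER SEQUENCE at the start of data, or -1 if the header is malformed.
    Handles both short-form (< 128) and long-form length encodings."""
    if len(data) < 2 or data[0] != 0x30:  # 0x30 is the SEQUENCE tag
        return -1
    first = data[1]
    if first < 0x80:  # short form: one length byte
        return 2 + first
    n = first & 0x7F  # long form: n bytes of length follow
    if n == 0 or len(data) < 2 + n:
        return -1
    content = int.from_bytes(data[2:2 + n], "big")
    return 2 + n + content


def detect_format(data: bytes) -> str:
    """Classify a certificate blob as 'PEM', 'DER' or 'unknown'.
    A DER file must be exactly one SEQUENCE with no trailing bytes."""
    if PEM_RE.search(data):
        return "PEM"
    if der_sequence_length(data) == len(data):
        return "DER"
    return "unknown"


def to_der(data: bytes) -> bytes:
    """Return the DER encoding of a PEM or DER certificate blob."""
    fmt = detect_format(data)
    if fmt == "DER":
        return data
    if fmt == "PEM":
        # b64decode discards the line breaks inside the PEM body.
        return base64.b64decode(PEM_RE.search(data).group(1))
    raise ValueError("not a recognised certificate format")


def to_pem(data: bytes) -> str:
    """Return the PEM encoding (64-character lines) of a PEM or DER blob."""
    return ssl.DER_cert_to_PEM_cert(to_der(data))


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate: SEQUENCE { INTEGER 1 }.
    sample_der = b"\x30\x03\x02\x01\x01"
    print(detect_format(sample_der))          # DER
    pem = to_pem(sample_der)
    print(detect_format(pem.encode()))        # PEM
    print(to_der(pem.encode()) == sample_der) # True
```

Running the script on a real file is a matter of reading it in binary mode and passing the bytes to detect_format before choosing to_der or to_pem; the trailing-bytes check in detect_format is what catches a DER file that has been padded or concatenated by mistake, which keytool would otherwise reject with a less specific error.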