Using SSL for LDAP Connections on eGuide
Novell Cool Solutions: Feature
By Nathan Jensen
Posted: 18 Sep 2002
Please be aware that SSL connections are slower than the plain or clear-text connections. You may notice a hit on performance.
Step One: Download and setup the JSSE package from Sun
- Download the JSSE package (http://java.sun.com/products/jsse/).
- Add JSSE.JAR, JNET.JAR and JCERT.JAR to the JRE's extension folder (jre\lib\ext relative to your Java home).
- Register the JSSE provider with the Java security framework. This can be done statically in the security properties file (JDK\jre\lib\security\java.security, the same lib\security folder that holds cacerts).
To set this provider statically, find the following line in the security properties file:
Add the following line immediately after:
Step Two: Configure the LDAP server to support SSL
- From within ConsoleOne, open the properties on the "LDAP Server - X" object that represents the LDAP server you will be using with eGuide.
- Select the SSL Configuration Tab.
- For the "SSL Certificate" field, select an "SSL Certificate" object. These objects were created during the install of NetWare and/or eDirectory.
- Make note of the SSL Port, typically 636.
- Make sure the "Disable SSL Port" option is not checked.
- Once the settings are saved, refresh the NLDAP server: open the properties of the LDAP Server object again and press the "Refresh NLDAP Server Now" button on the "General" page. Until it is refreshed, the server keeps listening with its old SSL configuration.
Step Three: Export the Trusted Root Certificate
- Open the properties on the SSL certificate object previously configured for the LDAP Server.
- Select the "Certificates" tab
- Select the "Trusted Root Certificate" sub-tab
- Press "Export" and save the file in "binary DER format", typically named "TrustedRootCert.der".
Step Four: Import the Trusted Root Certificate into your cacerts or jssecacerts trust store file
- Find the cacerts or jssecacerts file. It is located in the "lib\security" folder relative to your Java home folder.
- Find "keytool". It is located in the "bin" folder relative to your Java home folder. Use the keytool that ships with JVM 1.3 or newer; the keytool from JVM 1.2.2 or older does not work.
- Run the following command: "keytool -import -alias aliasName -file TrustedRootCert.der -keystore cacerts -storepass changeit". Replace aliasName with a unique name for this certificate, and give the full paths to both cacerts and TrustedRootCert.der. keytool displays the certificate and its fingerprints and asks whether to trust it; check the fingerprint against one you have computed yourself from the exported file before answering yes, because anything imported into this file is trusted by every Java application running on that JVM. Note: "changeit" is the default keystore password. Use the appropriate keystore password if it has been changed (and consider changing it from the default).
Step Five: Configure eGuide to use SSL:
- Enter the Administration utility by logging into eGuide and selecting the eGuide Administration button.
- Select Directories under Configuration and select the Directory to edit.
- Select the Enable SSL checkbox and set the Secure Port number to correspond to the SSL port on your LDAP server, typically port 636.
Note: If things are not configured correctly, you will likely get an error message, or the save will hang, when you store the settings on the LDAP settings page. The two mismatches that hang are: talking plain LDAP to an SSL port, and talking SSL to a port that expects a plain connection. In either case each side is waiting for the other to speak first, so nothing comes back. If that happens, you will have to unload the JVM and re-check your settings, in particular that the Secure Port in eGuide matches the SSL port on the LDAP Server object. The hang is, as Sun documents, "a characteristic of the SSL protocol." Sorry.
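The following pre-flight checks cover Steps Three to Five and the hang described above. They are an added example and not part of the original article or of eGuide: before touching cacerts, compute the exported root's fingerprint (to compare with what keytool shows at import), ask each port what it speaks by sending a plaintext anonymous bind with a timeout instead of letting the connection hang, and complete a TLS handshake to the SSL port trusting only the exported TrustedRootCert.der. The host name ldap.example.com, the ports 389/636 and the file name TrustedRootCert.der are assumed defaults; pass your own on the command line.

```python
"""Pre-flight checks for pointing eGuide at an SSL-enabled LDAP port.

Added example, not from the original article. Assumed defaults: LDAP host
"ldap.example.com", ports 389/636, exported root at "TrustedRootCert.der".
"""
import hashlib
import socket
import ssl

# Anonymous LDAPv3 BindRequest, messageID 1, BER-encoded by hand:
#   30 0c              SEQUENCE (LDAPMessage), 12 bytes follow
#     02 01 01         INTEGER messageID = 1
#     60 07            [APPLICATION 0] BindRequest, 7 bytes follow
#       02 01 03       INTEGER version = 3
#       04 00          OCTET STRING name = "" (anonymous)
#       80 00          [0] simple authentication, empty password
ANON_BIND = bytes.fromhex("300c020101600702010304008000")


def build_anonymous_bind(message_id=1):
    """Return an LDAPv3 anonymous simple BindRequest for message_id (0..127)."""
    if not 0 <= message_id <= 127:
        raise ValueError("single-byte message IDs only in this example")
    bind_op = bytes([0x60, 0x07, 0x02, 0x01, 0x03, 0x04, 0x00, 0x80, 0x00])
    body = bytes([0x02, 0x01, message_id]) + bind_op
    return bytes([0x30, len(body)]) + body


def classify_first_bytes(data):
    """Guess what a port speaks from its first reply to a plaintext bind.

    'ldap'   : BER SEQUENCE (0x30): a clear-text LDAP server answered
    'tls'    : TLS record (alert 0x15 or handshake 0x16, major version 0x03):
               the port expects SSL/TLS and rejected our plaintext
    'closed' : the peer closed the connection without sending anything
    'unknown': something else entirely is listening there
    """
    if not data:
        return "closed"
    if data[0] == 0x30:
        return "ldap"
    if len(data) >= 2 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"
    return "unknown"


def probe_port(host, port, timeout=5.0):
    """Send a plaintext anonymous bind, but with a timeout instead of hanging.

    Returns a classify_first_bytes() label, 'refused', or 'timeout'. A
    'timeout' is the article's symptom: both ends waiting for the other.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(build_anonymous_bind())
            return classify_first_bytes(s.recv(16))
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except ConnectionResetError:
        return "closed"


def fingerprint(der_bytes):
    """SHA1 fingerprint in the colon-separated form keytool prints at import."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify_ssl_port(host, port, der_path, check_hostname=True):
    """Complete a TLS handshake to host:port trusting only the exported root.

    Confirms, before cacerts is modified, that TrustedRootCert.der really is
    the root of the certificate the LDAP server presents on its SSL port.
    Returns the server certificate's subject as a dict.
    """
    with open(der_path, "rb") as f:
        pem = ssl.DER_cert_to_PEM_cert(f.read())
    ctx = ssl.create_default_context(cadata=pem)  # trust this root and nothing else
    # Only pass check_hostname=False if the server certificate's name does not
    # match the host name you connect by; the chain is still verified.
    ctx.check_hostname = check_hostname
    with socket.create_connection((host, port), timeout=5.0) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return dict(item for rdn in cert["subject"] for item in rdn)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"   # assumed
    der = sys.argv[2] if len(sys.argv) > 2 else "TrustedRootCert.der"  # assumed
    with open(der, "rb") as f:
        print("root SHA1 (compare with keytool's prompt):", fingerprint(f.read()))
    for port in (389, 636):
        print(f"{host}:{port} speaks {probe_port(host, port)}")
    print("subject presented on 636:", verify_ssl_port(host, 636, der))
```

Run it once with the SSL port you intend to enter in eGuide: the port you put in "Secure Port" should report "tls", the clear-text port "ldap", and verify_ssl_port should return the LDAP server's subject without raising. A "timeout" from the probe on the port eGuide is configured for is the same situation that hangs the settings page, only bounded to five seconds.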