The driver uses the LDAP protocol to communicate with the LDAP server. Most LDAP servers allow non-encrypted (clear-text) connections. Additionally, when configured correctly, some LDAP servers allow SSL-encrypted connections. SSL connections encrypt all traffic on the TCP/IP socket by using a public/private key pair. The actual LDAP protocol doesn’t change, but the communication channel performs the encryption.
The procedure for enabling SSL connections differs slightly from one LDAP server to another. This document covers the process for enabling SSL connections when using Netscape Directory Server 4.12.
If you are using another LDAP server, the procedure is similar.
You first need to install a server certificate. The LDAP server itself can generate a certificate, but the certificate must then be signed by a CA that is trusted by the server. One way to get the certificate signed is to use the CA that comes with an Identity Vault.
To generate a certificate request:
In the navigation tree in Netscape Console, select the server that the driver will communicate with.
Click .
Click >
Provide information to request a certificate.
Depending on the certificates or tokens that might already be installed on the host system, you might see some or all of the following fields:
Select a Token (Cryptographic Device): Select .
Is the Server Certificate Already Requested and Ready to Install? Select .
If a trust database doesn’t already exist for this host, one is generated for you.
A trust database is a key pair and certificate database installed on the local host. When you use an internal token, the trust database is the database into which you install the key and certificate.
Type and confirm the password.
The password must contain at least eight characters, and at least one of them must be numeric. This password helps secure access to the new key database you’re creating.
Continue providing information as prompted, then click .
After a trust database is created, click .
Type the requested information, then click .
Type the password for the token you selected earlier, then click .
The Certificate Setup Wizard generates a certificate request for your server. When you see the page, you can send the certificate request to the certification authority.
Continue with Step 2: Sending the Certificate Request.
Copy the server certificate request into Notepad or another text editor.
Save the file as csr.txt.
Your certificate request e-mail should look like the following:
-----BEGIN NEW CERTIFICATE REQUEST-----
.
.
.
-----END NEW CERTIFICATE REQUEST----
In iManager, > .
In the field, browse to csr.txt, then click .
Select .
Specify SSL as the key type, then click .
Specify the certificate parameters, click , then click .
Save the certificate in Base64 format as cert.b64 to a local disk or diskette.
Continue with Step 3: Installing the Certificate.
In the navigation tree in Netscape Console, select the server that the driver will be connecting to.
Click .
Click > .
Start the wizard and indicate that you are ready to install the certificate.
When prompted, provide the following information:
Select a Token (Cryptographic Device): Select .
Is the Server Certificate Already Requested and Ready to Install? Select .
Click .
In the field, select .
In the field, type the password you used to set up the trust database, then click .
In the field, type the absolute path to the certificate (for example, A: \CERT.B64).
After the certificate is generated, click .
After the certificate is successfully installed, click .
Continue with Step 4: Activating SSL in Netscape Directory Server 4.12.
After you install the certificate, complete the following to activate SSL:
In the navigation tree in Netscape Console, select the server you want to use SSL encryption with.
Click > > .
Enter the following information:
Enable SSL: Select this option.
Cipher Family: Select .
Token to Use: Select .
Certificate to Use: Select .
Client Authentication: Because the driver doesn't support client authentication, select .
Click .
Click , then restart the server for the changes to take effect.
Continue with Step 5: Exporting the Trusted Root from the Directory Tree.
In iManager, select > .
Browse to the Certificate Authority (CA) object, then click .
Select from the drop-down list.
Click .
Click at the prompt that displays ”
Click .
In the Filename field, type in a filename (for example, PublicKeyCert), then select as the format.
Click .
Continue with Step 6: Importing the Trusted Root Certificate.
You need to import the trusted root certificate into the LDAP server’s trust database and the client’s certificate store.
You need to import the trusted root certificate into the LDAP server’s trust database. Because the server certificate was signed by the Identity Vault’s CA, the trust database needs to be configured to trust the Identity Vault CA.
In the Netscape Console, click > C> .
In , accept the default for Internal ().
In , select .
Click twice.
In Install Certificate For dialog box, select .
Click .
Select , then type the full path to the .b64 file containing the trusted root certificate.
Click .
Verify the information on the screen, then click .
Click .
Continue with Importing into the Client's Certificate Store.
You need to import the trusted root certificate into a certificate store (also called a keystore) that the driver can use.
Use the KeyTool class found in rt.jar.
For example, if your public key certificate is saved as PublicKeyCert.b64 on a diskette and you want to import it into a new certificate store file named .keystore in the current directory, type the following at the command line:
java sun.security.tools.KeyTool -import -alias TrustedRoot -file a:\PublicKeyCert.b64 -keystore .keystore -storepass keystorepass
When you are asked to trust this certificate, select , then click .
Copy the .keystore file to any directory on the same file system that has the Identity Vault files.
In iManager, select > .
Search for drivers.
Click the LDAP Driver object, then click it again in the page.
In the parameter, enter the complete path to the .keystore file.
Continue with Step 7: Adjusting Driver Settings.
The following table lists the driver’s settings and its default values in the sample configurations.
Table 5-3 Driver Settings and Default Values
|
Parameter |
Sample Configuration Value |
Description |
|---|---|---|
|
Use SSL for LDAP Connections |
no |
The value for this parameter should be either or . It indicates whether or not SSL connections should be used when communicating with the LDAP server. To use SSL, you must also correctly configure the LDAP server. For more information, refer to Configuring SSL Connections, |
|
SSL Port |
636 |
This parameter is ignored unless Use SSL for LDAP Connections is set to . It indicates which port the LDAP server uses for secure connections. |
|
Keystore Path (for SSL Certs) |
[blank] |
When Use SSL for LDAP Connections is set to , this parameter value should be the complete path to the keystore file that contains the trusted root certificate of the Certificate Authority (CA) that signed the server certificate. For more information about creating the keystore file, refer to Importing into the Client's Certificate Store“. |