1.2 Integrating SSL with the LDAP Classes

The LDAP Class Libraries for Java perform their own authentication. To authenticate using SSL, the LDAP server must have a certificate to use with SSL, the Java client must have a place to store the certificates, and the LDAP classes must be set up to use SSL. Thus, three components must be set up to use SSL:

1.2.1 LDAP Server

The LDAP server must be set up with a digital certificate from a Certificate Authority. See the documentation for Novell Certificate Server Version 2 for information on setting up a certificate on the NetWare server. Once the certificate is stored in eDirectory, configure the LDAP server to use it in the LDAP Server General Page in ConsoleOne. For instructions on this process, see “Configuring LDAP Services for eDirectory” in the Novell Developer Notes.

1.2.2 Java Client

The Java client must be JSSE-compliant and have a KeyStore for storing root certificates. The following instructions demonstrate how to configure the Sun JSSE reference implementation as the Java client and how to use the KeyTool in JDK 1.2 to create a KeyStore containing the server certificate.

To download the Sun JSSE reference implementation or for additional information on JSSE, see http://java.sun.com/products/jsse/.

To configure the Sun JSSE security provider, perform the following:

HINT: To assist in debugging, pass -Djavax.net.debug=all as a command line parameter.

  1. From ConsoleOne®, create and export a trusted root certificate (a .der file). In this example, the certificate file is named ssl.der.

  2. Use the KeyTool from JDK 1.2 to create a KeyStore file. If c:\test\ssl.der is the certificate filename and c:\test\sslkey.keystore is the KeyStore filename, the command would be as follows:

     keytool -import -file c:\test\ssl.der -keystore c:\test\sslkey.keystore -alias "type=r.name=sslkey"
     

    This command prompts you for a password to use with the KeyStore file.

  3. Set the provider in the security object. This can be done statically in the security properties file (JDK\jre\lib\security\java.security) or dynamically using function calls. To set this provider statically, find the following line in the security properties file:

     security.provider.1=sun.security.provider.Sun
     

    After this line, add the following:

     security.provider.2=com.sun.net.ssl.internal.ssl.Provider
     

    Both lines are required in order for SSL to work correctly.

    To set this provider dynamically, execute the following code:

     Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
     
     
  4. Set the trustStore location in the system properties. This can be done as a command line parameter:

     -Djavax.net.ssl.trustStore=<keystore path + filename>
     

    Or dynamically with the following code:

     System.setProperty("javax.net.ssl.trustStore", <keystore path + filename>);
     

    Using the keystore created in the example above, the <keystore path + filename> would be c:\test\sslkey.keystore.

1.2.3 LDAP Classes

To integrate the Sun JSSE security provider with the LDAP Classes, complete the following steps:

  1. Add the following line to your Java source file:

     import java.security.Security;
     
  2. When making the connection with the LDAPConnection class, change the following line:

     LDAPConnection ld = new LDAPConnection();
     

    To:

     LDAPConnection ld = new LDAPConnection(new LDAPSecureSocketFactory());
     

    For an example of setting up a Java client to use SSL, see SSLConnection.java in the LDAP Classes for Java Sample Code.
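The following is an added example, not code from the original documentation or from the LDAP Classes for Java sample code. It combines the dynamic form of steps 3 and 4 from section 1.2.2 with the two steps of section 1.2.3 into one client that binds to the directory over SSL. The host name, bind DN and password are placeholder assumptions; the KeyStore path is the c:\test\sslkey.keystore file created in step 2 above; the class and method names (LDAPConnection, LDAPSecureSocketFactory, connect, bind, disconnect) are assumed to be those of the com.novell.ldap package that this documentation describes.

```java
import java.security.Security;
import com.novell.ldap.LDAPConnection;
import com.novell.ldap.LDAPException;
import com.novell.ldap.LDAPSecureSocketFactory;

/**
 * Added example (not part of the original documentation): open an
 * SSL-protected connection to an LDAP server using the Sun JSSE provider
 * and the Novell LDAP Classes for Java.
 */
public class SecureLdapExample {

    public static void main(String[] args) {
        // Section 1.2.2, step 3 (dynamic form): register the JSSE provider
        // at run time instead of editing java.security.
        Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

        // Section 1.2.2, step 4 (dynamic form): point JSSE at the KeyStore
        // that holds the trusted root exported from ConsoleOne in step 1.
        // JSSE accepts only server certificates that chain to a root in this
        // store, so a server presenting any other certificate fails the
        // SSL handshake before any LDAP traffic is sent.
        System.setProperty("javax.net.ssl.trustStore", "c:\\test\\sslkey.keystore");

        String host = "ldap.example.com";            // placeholder assumption
        int port = LDAPConnection.DEFAULT_SSL_PORT;  // 636
        String bindDn = "cn=admin,o=example";        // placeholder assumption
        String password = "changeme";                // placeholder assumption

        // Section 1.2.3, step 2: hand the connection an SSL socket factory.
        LDAPConnection ld = new LDAPConnection(new LDAPSecureSocketFactory());
        try {
            ld.connect(host, port);
            // The simple bind now travels inside the SSL session, so the
            // password is not sent in the clear on the wire.
            ld.bind(LDAPConnection.LDAP_V3, bindDn, password.getBytes("UTF8"));
            System.out.println("Bound over SSL as " + bindDn);
        } catch (LDAPException e) {
            // A failed handshake (for example, an untrusted server certificate)
            // surfaces here as a connect error rather than as a bind error.
            System.err.println("LDAP error: " + e.toString());
        } catch (java.io.UnsupportedEncodingException e) {
            System.err.println("UTF8 encoding not available: " + e.getMessage());
        } finally {
            try {
                ld.disconnect();
            } catch (LDAPException e) {
                // Nothing useful to do if closing the connection fails.
            }
        }
    }
}
```

Note that the client only needs the trusted root, never the server's private key; the KeyStore password requested by keytool in step 2 protects the integrity of that store, and javax.net.ssl.trustStore must be set before the first SSL socket is created, which is why both System.setProperty and Security.addProvider appear before the LDAPConnection is constructed.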