Configuring LDAPS Connections
The tasks to configure LDAPS connections are:
- Configuring the Directory Server to Support LDAPS Connections
- Establishing Trust for Directory Clients
- Configuring the SAE to Find the Certificate Store
- Enabling LDAPS Communication for SAE Components
- Disabling LDAPS Communication for SAE Components
Configuring the Directory Server to Support LDAPS Connections
For information about how to perform these tasks, see the documentation for your directory server.
For the SAE to communicate with a directory over LDAPS, typically you must configure your directory server to support SSL connections by:
- Setting up the directory server with an X.509 SSL server certificate. Typically, you install a certificate for the server, and configure the directory server to trust the CA's certificate.
- Enabling SSL.
There are many well-known CAs. You can also set up your own CA to sign the directory certificate. The CA must be trusted by the directory clients that use LDAPS to communicate with the directory. Tools such as OpenSSL (http://www.openldap.org) are available to set up a CA.
Establishing Trust for Directory Clients
Each directory client must have a certificate database and must trust the CA to use SSL connections to the directory server.
The SAE, like other Java applications, implicitly trusts certificates that are stored in the /jre/lib/security/cacerts certificate file. This file is a Java Runtime Environment (JRE) systemwide certificate trust store. By default, the file contains certificates from well-known CAs.
If a certificate for the CA that you use for the directory server is available in the cacerts file:
If your CA is not in the cacerts file:
- Import the CA certificate into this file or into any certificate store that is in Java KeyStore (JKS) format (supported by the Java 2 Software Development Kit). All Java applications running in a specified JRE trust all CAs present in the cacerts file.
You can also store a CA certificate in a location other than the default cacerts file. You might consider storing the CA elsewhere if you want your SAE to trust only the certificate for the CA that signs the directory server's certificate, or if you do not want other applications that are running in the same JRE to trust the CA's certificate.
To import a CA certificate into a store other than the default cacerts file:
The following example imports the CA's certificate ca.crt into a trust store named ldapclient.keystore.
keytool -import -v -trustcacerts -alias saeldap -noprompt -file ./ca.crt -keystore ldapclient.keystore -storepass zaqwsx
For more information about the keytool command, see http://java.sun.com/j2se/1.4.1/docs/tooldocs/solaris/keytool.html
Configuring the SAE to Find the Certificate Store
To enable the SAE to locate the certificate store, edit the /opt/UMC/sae/etc/default.properties file.
To use a certificate file other than the default:
- In the /opt/UMC/sae/etc/default.properties file, specify the name and path of the file in the Security.ssl.trustcertstore property.
The following example specifies that the SAE use the trustcerts file:
Security.ssl.trustcertstore = /opt/UMC/sae/etc/trustcerts
To specify that the SAE use the default cacerts file:
- In the /opt/UMC/sae/etc/default.properties file, add a comment character before the Security.ssl.trustcertstore property.
Enabling LDAPS Communication for SAE Components
To enable an LDAPS connection for an SAE component, you edit the security properties for the component. How you enable the properties depends on the component for which you are enabling LDAPS.
Table 10 shows how to access the security properties for the various components.
To enable an LDAPS connection for a component:
- Remove the comment character (#) that appears before the component's security protocol property (see Table 11), for example:
UserCacheDataSource.repository.ldap.server.security.protocol
If there is no comment character at the beginning of the line, the property is already enabled.
- Set the server port property (as listed in Table 12) to the value supported for the LDAPS connection.
For LDAPS connections, the default port number is 636.
Disabling LDAPS Communication for SAE Components
To disable an LDAPS connection for a component:
- Open the configuration for the security properties for the component. See Table 10.
- Add a comment character before the component's security protocol property. See Table 11.
- Set the server port property (as listed in Table 12) to the value supported for the LDAP connection.
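The enable and disable procedures above, together with the Security.ssl.trustcertstore setting in "Configuring the SAE to Find the Certificate Store", come down to toggling a comment character on a property while keeping the port in step with the protocol. The following Python script is an added example, not part of the SAE product or of this guide: it parses a default.properties file and reports the trust store the SAE will actually use and, for each component, whether LDAPS is enabled consistently with its port. Only Security.ssl.trustcertstore and UserCacheDataSource.repository.ldap.server.security.protocol come from this section; the ".port" property name (the page refers to Table 12 for the real one), the ExampleComponent prefix and the properties text itself are constructed assumptions for illustration.

```python
"""Audit an SAE default.properties file for LDAPS settings.

Added example, not SAE product code. Assumes Java .properties syntax
(key = value, '#' comment character) as shown in this section.
"""
import re

# Placeholder for the JRE systemwide trust store the SAE falls back to
# when Security.ssl.trustcertstore is commented out.
DEFAULT_CACERTS = "<JRE>/lib/security/cacerts"
LDAPS_PORT = 636   # default LDAPS port given in this section
LDAP_PORT = 389    # standard plain LDAP port

# Constructed sample: one component correctly on LDAPS, one hypothetical
# component whose protocol property is commented out but whose port was
# left at 636 (the mismatch the disable procedure's last step prevents).
SAMPLE_PROPERTIES = """\
# Constructed sample, modelled on /opt/UMC/sae/etc/default.properties
Security.ssl.trustcertstore = /opt/UMC/sae/etc/trustcerts
UserCacheDataSource.repository.ldap.server.security.protocol = ldaps
UserCacheDataSource.repository.ldap.server.port = 636
# Hypothetical component (name assumed), protocol disabled, port not reset
#ExampleComponent.repository.ldap.server.security.protocol = ldaps
ExampleComponent.repository.ldap.server.port = 636
"""

COMPONENT_PREFIXES = (
    "UserCacheDataSource.repository.ldap.server",   # from this section
    "ExampleComponent.repository.ldap.server",      # assumed name
)


def parse_properties(text):
    """Return (active, commented): two key -> value dicts.

    'active' holds properties that are in effect; 'commented' holds
    properties that sit behind a '#' and are therefore disabled.
    """
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        disabled = line.startswith("#")
        if disabled:
            line = line.lstrip("#").strip()
        # key, then '=' or ':' separator, then the value; ordinary comment
        # sentences do not match because they contain spaces before any '='
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if not m:
            continue
        (commented if disabled else active)[m.group(1)] = m.group(2).strip()
    return active, commented


def effective_trust_store(active):
    """Trust store the SAE uses: the custom file when the property is
    uncommented, otherwise the JRE default cacerts file."""
    return active.get("Security.ssl.trustcertstore", DEFAULT_CACERTS)


def audit_component(active, commented, prefix):
    """Check one component: is LDAPS enabled, and does the port agree?"""
    proto_key = prefix + ".security.protocol"
    port_key = prefix + ".port"          # assumed property name
    ldaps = active.get(proto_key, "").lower() == "ldaps"
    port_text = active.get(port_key, "")
    port = int(port_text) if port_text.isdigit() else None
    problems = []
    if port is None:
        problems.append(f"{port_key} is missing or not numeric")
    elif ldaps and port != LDAPS_PORT:
        problems.append(f"{proto_key} is ldaps but {port_key} is {port}; "
                        f"expected {LDAPS_PORT}")
    elif not ldaps and port == LDAPS_PORT:
        why = "commented out" if proto_key in commented else "absent"
        problems.append(f"{proto_key} is {why} but {port_key} is {LDAPS_PORT}; "
                        f"plain LDAP normally uses {LDAP_PORT}")
    return {"ldaps": ldaps, "port": port, "problems": problems}


def audit(text, prefixes):
    """Full report: effective trust store plus a per-component result."""
    active, commented = parse_properties(text)
    return {
        "trust_store": effective_trust_store(active),
        "components": {p: audit_component(active, commented, p) for p in prefixes},
    }


if __name__ == "__main__":
    report = audit(SAMPLE_PROPERTIES, COMPONENT_PREFIXES)
    print("trust store:", report["trust_store"])
    for prefix, result in report["components"].items():
        state = "LDAPS" if result["ldaps"] else "LDAP"
        print(f"{prefix}: {state} on port {result['port']}")
        for problem in result["problems"]:
            print("  WARNING:", problem)
```

Run against a real file by reading /opt/UMC/sae/etc/default.properties into the text argument and listing the prefixes from Table 10; a component reported as LDAP on port 636, or LDAPS on a non-636 port, is one where the protocol step and the port step of the procedure were not both carried out.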