Configuring Secure LDAP Authentication in the Web UI
1 Change the LDAP IP address to use SSL authentication.
2 Obtain a digital certificate.
3 Generate a Java keystore.
4 Configure the properties file to use the keystore.
Change the LDAP IP address to use SSL authentication
For SSL authentication, change the LDAP IP address in the precision.properties file so that it uses TCP/IP port number 636. If your LDAP server listens for SSL on a different port, use that port number instead.
Obtain a Digital Certificate
After LDAP authentication is configured for SSL in the Web UI, you must supply a certificate store containing a valid certificate as a parameter when authenticating to the LDAP server. To do this, the client generates a certificate from the LDAP server and stores it in a certificate database on the client machine. Once the digital certificate is in the client's trusted store, the client trusts any service that presents a certificate signed with it.
You can use the LDAP Server Certificate utility to generate the certificate and export it to the client machine with iManager. The certificate is in .der or .b64 format. To complete this task with Novell eDirectory, perform the following steps:
1 On the client machine, log in to eDirectory through iManager.
2 Go to Novell Certificate Access and click Server Certificates.
3 In the Server Certificates window, select SSL-CertificateDNS and click Validate.
4 Export the certificate.
5 Save the exported certificate (cert.der) in any folder.
6 Open the certificate and select the Details tab.
7 Click Copy to File.
8 After you click Next, select Base-64 encoded X.509 (.CER) and click Next again.
9 Save the .cer file to any location and complete the procedure.
You now have two certificate files—one in .der and another in .b64 format.
How to Generate a Java Keystore
Before you generate a keystore, you must have a JDK installed with its bin directory on the PATH. You can verify this setup by typing keytool at the command prompt.
For the client to trust the LDAP server, the digital certificate exported from it must be present in the client's trusted store: you add the LDAP server's trusted digital certificate to a Java keystore on the client machine. A keystore is a database of certificates and keys. To generate a keystore, run the command:
keytool -genkey -dname "cn=Joe Blogs, ou=JavaSoft, o=Sun, c=US" -alias business -keypass kpi135 -keystore C:\working\mykeystore -storepass ab987c -validity 180
The command syntax is explained in Generate a Keystore.
Generate a Keystore
Property | Value
cn | Common name, which must match the host name of the server.
ou | Organization unit.
o | Organization.
c | Two-letter country code.
alias | Keystore alias.
keypass | Password for the generated private key.
keystore | Location and name of the generated keystore.
storepass | Keystore password.
validity | Number of days for which the generated entry is valid.
To connect to the LDAP server using SSL, make the keystore available to the Web UI server at startup by adding the following properties to the precision.properties file:
Djavax.net.ssl.trustStorePassword=keypass
Djavax.net.ssl.trustStore="C:\Documents and Settings\user\.keystore"
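The check below is added here and is not part of the original documentation: it confirms that the certificate keytool holds under the chosen alias is the same certificate as the exported cert.der (or its Base-64 .cer twin) by comparing SHA-256 fingerprints, which is the quickest way to catch a truststore that was generated but never had the LDAP certificate imported. It assumes keytool is on the PATH; the truststore path and password are the placeholders from the keytool example above, the alias is an assumed name, and the password used is the -storepass value, which is also the value javax.net.ssl.trustStorePassword must carry.

```python
import base64
import hashlib
import re
import subprocess
from typing import Optional

# Placeholders (assumed, not from the product docs): keystore path and
# -storepass from the keytool example above, plus an alias for the LDAP entry.
TRUSTSTORE = r"C:\working\mykeystore"
STOREPASS = "ab987c"   # the store password, not the -keypass value
ALIAS = "ldapserver"

def pem_to_der(pem_text: str) -> bytes:
    """Turn a Base-64 (.cer/.b64) export back into the DER bytes of cert.der."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem_text)
    return base64.b64decode("".join(body.split()))

def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, formatted as keytool prints it (AA:BB:...)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_from_listing(listing: str) -> Optional[str]:
    """Extract the SHA256 fingerprint line from `keytool -list -v` output."""
    match = re.search(r"^\s*SHA256:\s*([0-9A-F:]{95})\s*$", listing, re.M)
    return match.group(1) if match else None

def truststore_fingerprint(alias: str = ALIAS) -> Optional[str]:
    """Ask keytool which certificate is stored under `alias`; None if absent."""
    proc = subprocess.run(
        ["keytool", "-list", "-v", "-keystore", TRUSTSTORE,
         "-storepass", STOREPASS, "-alias", alias],
        capture_output=True, text=True)
    return fingerprint_from_listing(proc.stdout) if proc.returncode == 0 else None

def verify(cert_path: str = "cert.der") -> bool:
    """True only if the exported file and the truststore entry are the same cert."""
    with open(cert_path, "rb") as f:
        raw = f.read()
    der = pem_to_der(raw.decode("ascii")) if raw.startswith(b"-----") else raw
    expected = sha256_fingerprint(der)
    stored = truststore_fingerprint()
    print(f"file:  {expected}\nstore: {stored}")
    return stored == expected

if __name__ == "__main__":
    raise SystemExit(0 if verify() else 1)
```

If the truststore entry is missing, import the exported file first with keytool -importcert -file cert.der -alias ldapserver -keystore C:\working\mykeystore -storepass ab987c and rerun the check.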