Enabling SSL on LDAP - BlueCat Address Manager - 9.0.0

Address Manager Administration Guide

BlueCat Address Manager

If you selected the Enable SSL option, there are additional steps to enable SSL communication between the LDAP server and Address Manager. For a full description of the necessary steps and commands, refer to your LDAP documentation on copying and importing certificates. This topic provides the high-level steps you must perform.

To enable SSL communication:

  1. The certificates from the LDAP Authenticators must be manually uploaded to Address Manager using SCP. The certificates must be in PKCS12 format. You can use OpenSSL to convert the certificate to PKCS12 format if needed.
  2. Certificates must be imported to a keystore called ‘certificates’ using the java keytool.
  3. If you don't want to manage certificates and keystore files, you can delete the keystore file in the /data/certs/certificates directory. If there is no keystore file in this directory, Address Manager will always trust the authenticity of the LDAP authenticator.
  4. If there is a keystore file, in the corresponding directory, the LDAP connection over SSL must check the certificate to ensure the authenticity of the LDAP authenticators.
    Note: The keystore file is not cached, which means that whenever an LDAP connection over SSL is made, the keystore file is verified.