Enabling SSL on LDAP - BlueCat Integrity - 9.3.0

Address Manager Administration Guide

Locale
English
Product name
BlueCat Integrity
Version
9.3.0

If you selected the Enable SSL option, you must perform additional steps to enable SSL communication between the LDAP server and Address Manager. For more details on specific steps and commands, see your LDAP documentation on copying and importing certificates.

To enable SSL communication:

  1. Manually upload the LDAP authenticator certificates (the LDAP server's certificate and the CA certificate that issued it) to Address Manager using SCP.
    The certificates must be in a format compatible with the Java keytool. Compatible formats include:
    • X.509 PKCS#7 (typically .p7b or .p7c files)
    • X.509 binary DER (typically .der files, although .cer and .crt files may also be in binary format)
    • X.509 Base64 Privacy-enhanced Electronic Mail (PEM) (typically .pem files with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers)
    Tip: If needed, you can use OpenSSL to convert the certificate to a different format.
  2. Import the certificates into a keystore called /data/certs/certificates using the Java keytool (keytool creates the file on the first import). The keystore password must be password. You can use whatever alias you prefer, as long as each certificate gets a different alias. This keystore holds only public certificates, so the fixed password guards the file's integrity rather than any secret; what matters is write access to it, because anyone who can add a certificate to this keystore can make Address Manager trust an LDAP server of their choosing.

    For example, with certificates named cacert.pem and ldapserver.pem, you might use the following keytool commands:

    mkdir -p /data/certs
    keytool -importcert -keystore /data/certs/certificates -storepass password -file cacert.pem -alias ca
    keytool -importcert -keystore /data/certs/certificates -storepass password -file ldapserver.pem -alias server1
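The script below is an added worked example of the two steps above, not BlueCat's own tooling. It goes a little beyond the page: it classifies a certificate file by its leading bytes (the three formats listed in step 1), converts it to PEM with OpenSSL where needed, splits a bundle into one certificate per file (keytool takes one trusted certificate per alias), and can fetch the chain an LDAPS server actually presents instead of copying files over with SCP. Only the keystore path /data/certs/certificates and the password password come from the procedure; the host, port, working directory, alias scheme and function names are assumptions. It needs openssl and keytool on the path.

```sh
#!/bin/sh
# Added example (not BlueCat code): build the trust store Address Manager reads
# for LDAP over SSL. Only KEYSTORE and STOREPASS come from the procedure; the
# host/port, working directory and alias naming scheme are assumptions.
set -eu

KEYSTORE=/data/certs/certificates   # path Address Manager looks for (fixed)
STOREPASS=password                  # password Address Manager uses (fixed)

# Classify a certificate file by its leading bytes. Prints one of:
# pem, pkcs7-pem, der, pkcs7-der, unknown.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo pem
    elif grep -q -- '-----BEGIN PKCS7-----' "$1"; then
        echo pkcs7-pem
    else
        # DER starts with an ASN.1 SEQUENCE tag (0x30). A DER PKCS#7 bundle
        # carries the signedData OID 1.2.840.113549.1.7.2 (encoded as
        # 06 09 2a 86 48 86 f7 0d 01 07 02) within its first few bytes.
        hex=$(od -A n -t x1 -N 40 "$1" | tr -d ' \n')
        case "$hex" in
            30*06092a864886f70d010702*) echo pkcs7-der ;;
            30*)                        echo der ;;
            *)                          echo unknown ;;
        esac
    fi
}

# Normalise a certificate file in any supported format to PEM ($2), converting
# with OpenSSL where needed (the conversion the tip in step 1 refers to).
to_pem() {
    case "$(cert_format "$1")" in
        pem)       cat "$1" > "$2" ;;
        der)       openssl x509 -inform DER -in "$1" -out "$2" ;;
        pkcs7-pem) openssl pkcs7 -print_certs -in "$1" -out "$2" ;;
        pkcs7-der) openssl pkcs7 -inform DER -print_certs -in "$1" -out "$2" ;;
        *) echo "unrecognised certificate format: $1" >&2; return 1 ;;
    esac
}

# Split a PEM bundle ($1, or - for stdin) into $2/cert1.pem, $2/cert2.pem, ...
# Text outside the BEGIN/END markers (subject= lines, s_client chatter) is dropped.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }' "$1"
}

# Fetch the chain an LDAPS server presents, as an alternative to copying files
# with SCP. This is trust-on-first-use: confirm the fingerprints with whoever
# runs the directory before importing anything.
fetch_chain() {   # $1 host, $2 port, $3 output dir
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null |
        split_pem - "$3"
}

# Import one trusted certificate under one alias. -noprompt skips keytool's
# "Trust this certificate?" question, so the fingerprint check must come first.
import_pem() {    # $1 single-certificate PEM file, $2 alias
    keytool -importcert -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -alias "$2" -file "$1" -noprompt
}

# Usage: sh ldaps-trust.sh <ldap-host> <port>   (e.g. ldap.example.com 636)
# With no arguments the script only defines the functions above.
if [ $# -eq 2 ]; then
    work=$(mktemp -d)
    mkdir -p "$(dirname "$KEYSTORE")"
    fetch_chain "$1" "$2" "$work"
    i=0
    for f in "$work"/cert*.pem; do
        i=$((i + 1))
        # Show what is about to be trusted; compare the fingerprint out of band.
        openssl x509 -in "$f" -noout -subject -fingerprint -sha256
        import_pem "$f" "$1-$i"
    done
    # Confirm the keystore now holds the aliases Address Manager will consult.
    keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS"
    rm -rf "$work"
fi
```

For certificates you copied over by hand, run to_pem on each file, then split_pem on the result and import_pem on each piece; the fetch path is only a convenience and should never replace checking the fingerprint against what the directory team published.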

When attempting an LDAP connection over SSL, Address Manager looks for a keystore file named certificates in the /data/certs directory. If one exists, Address Manager validates the certificate presented by the LDAP authenticator against the certificates in that keystore to confirm the server's authenticity.

Note: The keystore file isn't cached: it is re-read and verified every time an LDAP connection over SSL is made, so changes to it take effect on the next connection.
Tip: If you don't want to manage certificates and keystore files, delete the certificates keystore file from the /data/certs directory. If there's no keystore file in this directory, Address Manager always trusts the LDAP authenticator without validating its certificate. Be clear about what that gives up: the connection is still encrypted, but Address Manager can no longer distinguish the legitimate LDAP server from anything else answering at that address, so anyone able to redirect or intercept the traffic could present their own certificate and capture the bind credentials. Keep the keystore in place wherever the path between Address Manager and the LDAP server is not fully trusted.