If you selected the Enable SSL option, you must perform additional steps to enable SSL communication between the LDAP server and Address Manager. For details on the specific steps and commands for your server, see your LDAP documentation on exporting, copying and importing certificates.
To enable SSL communication:
- Manually upload the LDAP Authenticator certificates to Address Manager using SCP. If you have multiple LDAP sources, you can add all of them to the same certificate file. The certificates must be in a format compatible with the Java keytool. Compatible formats include:
  - X.509 PKCS#7 (typically .p7b or .p7c files)
  - X.509 binary DER (typically .der files, although .cer and .crt files may also be in binary format)
  - X.509 Base64 Privacy-enhanced Electronic Mail (PEM) (typically .pem files with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers)
  Tip: If needed, you can use OpenSSL to convert a certificate to a different format.
- Import the certificates into a keystore called /data/certs/certificates using the Java keytool. The keystore password must be the literal string password. You can use whatever alias you prefer, as long as each certificate gets its own alias.
  For example, with certificates named cacert.pem and ldapserver.pem, you might use the following keytool commands:
    mkdir -p /data/certs
    keytool -importcert -keystore /data/certs/certificates -storepass password -file cacert.pem -noprompt -alias ca
    keytool -importcert -keystore /data/certs/certificates -storepass password -file ldapserver.pem -noprompt -alias server1
When attempting an LDAP connection over SSL, Address Manager looks for a keystore file named certificates in the /data/certs directory. If one exists, Address Manager checks the LDAP server's certificate against the certificates in that keystore to verify the authenticity of the LDAP authenticators.
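The procedure above collected into one script, as an added example that is not part of the Address Manager documentation: it detects which of the three keytool-compatible formats a file is in, converts DER or PKCS#7 input to PEM with OpenSSL (the conversion the Tip refers to), splits a file that bundles several LDAP servers' certificates into individual certificates, and imports each one into /data/certs/certificates with the fixed password. The function names, the ldap-N alias scheme and the sample file names in the usage note are assumptions, not from the page; the keytool and openssl options are standard ones.

```shell
#!/bin/sh
# Added example, not Address Manager's own code. Builds the keystore that
# Address Manager reads for LDAP-over-SSL from any number of certificate files.
set -e

KEYSTORE="${KEYSTORE:-/data/certs/certificates}"   # path fixed by Address Manager
STOREPASS="password"                               # password fixed by Address Manager

# cert_format FILE: print pem, p7b (PEM-armoured PKCS#7), der (any binary
# ASN.1 file, X.509 or PKCS#7) or unknown, by inspecting the file contents.
cert_format() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif grep -q -e '-----BEGIN PKCS7-----' "$1" 2>/dev/null; then
        echo p7b
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        echo der          # 0x30 = ASN.1 SEQUENCE, the first byte of every DER cert
    else
        echo unknown
    fi
}

# to_pem IN OUT: normalise any supported input to PEM using OpenSSL.
to_pem() {
    case "$(cert_format "$1")" in
        pem) cp "$1" "$2" ;;
        p7b) openssl pkcs7 -in "$1" -print_certs -out "$2" ;;
        der) openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null \
             || openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2" ;;
        *)   echo "unrecognised certificate format: $1" >&2; return 1 ;;
    esac
}

# split_pem_bundle BUNDLE PREFIX: write PREFIX-1.pem, PREFIX-2.pem, ... with one
# certificate each (text outside the BEGIN/END markers is dropped); print the count.
split_pem_bundle() {
    awk -v p="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = p "-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }' "$1"
}

# build_keystore FILE...: import every certificate in FILE... under the
# (assumed) aliases ldap-1, ldap-2, ...; Address Manager accepts any alias.
build_keystore() {
    work=$(mktemp -d); n=0
    mkdir -p "$(dirname "$KEYSTORE")"
    for f in "$@"; do
        to_pem "$f" "$work/in.pem"
        count=$(split_pem_bundle "$work/in.pem" "$work/c")
        i=1
        while [ "$i" -le "$count" ]; do
            n=$((n + 1))
            keytool -importcert -keystore "$KEYSTORE" -storepass "$STOREPASS" \
                -file "$work/c-$i.pem" -noprompt -alias "ldap-$n"
            i=$((i + 1))
        done
        rm -f "$work"/c-*.pem
    done
    rm -rf "$work"
    # Show the fingerprints so they can be compared with what the LDAP
    # administrator supplied; -noprompt skipped keytool's own confirmation.
    keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Run as a script: sh build-ldap-keystore.sh cacert.pem ldapserver.der
if [ "$#" -gt 0 ]; then
    build_keystore "$@"
fi
```

Run it on the Address Manager host with the uploaded files as arguments, for example sh build-ldap-keystore.sh cacert.pem ldapserver.der (constructed names). Because -noprompt suppresses keytool's fingerprint confirmation, the final keytool -list -v output is the place to compare each certificate's fingerprint against the value obtained from the LDAP administrator before relying on the keystore.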