If you selected the Enable SSL option, you must perform additional steps to enable SSL communication between the LDAP server and Address Manager. For more details on specific steps and commands, see your LDAP documentation on copying and importing certificates.
To enable SSL communication:
- Manually upload LDAP Authenticator certificates to Address Manager using SCP. If you have multiple LDAP sources, you can add all of them to the same certificate file. The certificates must be in a format compatible with the Java keytool. Compatible formats include:
  - X.509 PKCS#7 (typically `.p7b` or `.p7c` files)
  - X.509 binary DER (typically `.der` files, although `.cer` and `.crt` files may also be in binary format)
  - X.509 Base64 Privacy-enhanced Electronic Mail (PEM) (typically `.pem` files with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` markers)

  Tip: If needed, you can use OpenSSL to convert the certificate to a different format.
- Import certificates to a keystore called `/data/certs/certificates` using the Java keytool. The keystore password must be `password`. You can use whatever alias you prefer. For example, with certificates named `cacert.pem` and `ldapserver.pem`, you might use the following keytool commands:

  ```shell
  mkdir -p /data/certs
  keytool -importcert -keystore /data/certs/certificates -storepass password -file cacert.pem -noprompt -alias ca
  keytool -importcert -keystore /data/certs/certificates -storepass password -file ldapserver.pem -noprompt -alias server1
  ```
When attempting an LDAP connection over SSL, Address Manager looks for a keystore file named `certificates` in the `/data/certs` directory. If one exists, Address Manager checks the certificate presented by the LDAP server against that keystore to verify the authenticity of the LDAP authenticators. If there is no keystore file in this directory, Address Manager always trusts the authenticity of the LDAP authenticator: the connection is still encrypted, but the server's identity is not verified.
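The following POSIX shell script is an added example, not part of the Address Manager documentation or product: it detects which of the formats listed above a certificate file is in, converts it to PEM with OpenSSL where needed, splits bundles into individual certificates, and imports each one into the `/data/certs/certificates` keystore with the required password, skipping aliases that already exist. It assumes `keytool` and `openssl` are on `PATH`; the file names in the usage note are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Address Manager's own tooling). Assumes keytool and
# openssl are on PATH. KEYSTORE/STOREPASS match what Address Manager reads.
set -u
KEYSTORE="${KEYSTORE:-/data/certs/certificates}"
STOREPASS="password"          # fixed value required by Address Manager
# cert_format FILE -> pem | p7-pem | p7-der | der (by content, then suffix)
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif grep -q -- '-----BEGIN PKCS7-----' "$1" 2>/dev/null; then
        echo p7-pem
    else
        case "$1" in
            *.p7b|*.p7c) echo p7-der ;;
            *)           echo der ;;
        esac
    fi
}
# to_pem FILE -> the certificate(s) in FILE as PEM on stdout
to_pem() {
    case "$(cert_format "$1")" in
        pem)    cat "$1" ;;
        der)    openssl x509 -inform DER -in "$1" ;;
        p7-pem) openssl pkcs7 -print_certs -in "$1" ;;
        p7-der) openssl pkcs7 -inform DER -print_certs -in "$1" ;;
    esac
}
# import_one PEMFILE ALIAS -> import unless ALIAS is already in the keystore
import_one() {
    mkdir -p "$(dirname "$KEYSTORE")"
    keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -alias "$2" >/dev/null 2>&1 && { echo "skip $2 (exists)"; return 0; }
    keytool -importcert -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -alias "$2" -file "$1" -noprompt
}
# import_bundle FILE PREFIX -> one keystore entry per certificate in FILE;
# keytool -importcert stores a single trusted certificate per alias
import_bundle() {
    tmp=$(mktemp -d)
    to_pem "$1" | awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++; on=1}
        on {print > (d "/" n ".pem")} /-----END CERTIFICATE-----/ {on=0}'
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] && import_one "$f" "$2-$(basename "$f" .pem)"
    done
    rm -rf "$tmp"
}
```

Usage (placeholder file names): `import_bundle cacert.pem ca` and `import_bundle ldapservers.p7b ldap`, then confirm the entries with `keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS"`.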