If you selected the Enable SSL option, you must perform additional steps to enable SSL communication between the LDAP server and Address Manager. For more details on specific steps and commands, see your LDAP documentation on copying and importing certificates.
To enable SSL communication:
- Manually upload LDAP Authenticator certificates to Address
Manager using SCP. If you have multiple LDAP sources, you can add all of
them to the same certificate file. The certificates must be in a format compatible with the Java keytool. Compatible formats include:
- X.509 PKCS#7 (typically
.p7b
or.p7c
files) - X.509 binary DER (typically
.der
files, although.cer
and.crt
files may also be in binary format) - X.509 Base64 Privacy-enhanced Electronic Mail (PEM) (typically
.pem
files with-----BEGIN CERTIFICATE-----
and-----END CERTIFICATE-----
markers)
Tip: If needed, you can use OpenSSL to convert the certificate to a different format. - X.509 PKCS#7 (typically
- Import certificates to a keystore called
/data/certs/certificates
using the Java keytool. The keystore password must bepassword
. You can use whatever alias you prefer.For example, with certificates named
cacert.pem
andldapserver.pem
, you might use the following keytool commands:mkdir -p /data/certs keytool -importcert -keystore /data/certs/certificates -storepass password -file cacert.pem -noprompt -alias ca keytool -importcert -keystore /data/certs/certificates -storepass password -file ldapserver.pem -noprompt -alias server1
When attempting an LDAP connection over SSL, Address Manager will look for a
keystore file named certificates
in the data/certs
directory. If one exists, Address Manager will check the certificate to ensure
authenticity of the LDAP authenticators.
certificates
keystore file in the /data/certs
directory. If there's no keystore file in this directory, Address
Manager will always trust the authenticity of the LDAP authenticator.