Scope
- If LDAP is used for authentication, the connection to the LDAP server can be secured with starttls.
- This article describes the steps required to set up communication with starttls
Prerequisites
- The Java Keytool is installed with your Java JRE.
- Your LDAP server is configured to use starttls.
- When using starttls, your LDAP Realm configuration in the shiro configuration file contains ldapRealm.useStartTls=true
Set up a secure connection to your LDAP Server
This configuration is applied in order to enable starttls in the communication to the LDAP Server.
...
JOC_HOME is the installation path which is specified during the JOC Cockpit installation:
- C:\Program Files\sos-berlin.com\joc (default on Windows)
- /opt/sos-berlin.com/joc (default on Linux)
JETTY_HOME = JOC_HOME/jetty
JETTY_BASE is Jetty's base directory which is specified during the JOC Cockpit installation:
- C:\ProgramData\sos-berlin.com\joc (default on Windows)
- /home/<setup-user>/sos-berlin.com/joc (default on Linux)
Step 1: Create the Java Keystore for Jetty
- Create the Java Keystore using the Keytool from your Java JRE.
- Generate the Java Keystore with the private key and certificate for Jetty and export the certificate to the Keystore that is later on used by the browsers.
Example
Code Block title: Sample for generating a Keystore with private key and certificate

```shell
# Self-signed key pair for Jetty; the 1024-bit key size is the article's sample value,
# current guidance is 2048 bits or more. Replace JETTY_BASE with the path given above.
keytool -genkey -alias "joc" -dname "CN=jocHost,O=myCompany" -validity 1461 -keyalg RSA -keysize 1024 -keypass secret_key -keystore "JETTY_BASE/etc/joc.jks" -storepass secret_store
```
Explanations
- Replace the JETTY_BASE placeholder as specified above.
- The -dname option specifies the certificate issuer, therefore use your own set of CN, OU, DC that specify the issuer's distinguished name. The O setting is required for the issuer.
- The -keypass option accepts the password that you will need later on to manage your private key.
- The -keystore option specifies the location of your Keystore file.
- The -storepass option specifies the password for access to your Keystore file.
Step 2: Configure Jetty
Edit the following entries in the JETTY_BASE/resources/joc/startjoc.ini configuration file corresponding to the Java Keystore:
Code Block

```ini
## Keystore file path (relative to $jetty.base)
jetty.sslContext.keyStorePath=etc/joc.jks
## Truststore file path (relative to $jetty.base)
jetty.sslContext.trustStorePath=etc/joc.jks
## Keystore password
jetty.sslContext.keyStorePassword=secret_store
## KeyManager password
jetty.sslContext.keyManagerPassword=secret_key
## Truststore password
jetty.sslContext.trustStorePassword=secret_store

###############################################################################
### Location of the Java truststore which contains the certificates of each
### JobScheduler Master for HTTPS connections. Path can be absolute or relative
### to this file.
truststore_path = ../../etc/joc.jks
```
Explanations
- Specify the location of the Keystore with the keyStorePath setting and optionally of the Truststore with the trustStorePath setting (truststore_path in the second part of the block above). A location relative to the JETTY_BASE directory can be specified.
- Specify the password for your Keystore with the keyStorePassword setting. If a Truststore is used then specify its password accordingly with the trustStorePassword setting.
- The password specified with the keyManagerPassword setting is used for access to your private key.
Step 3: Import your certificate to the JOC Cockpit Web Service Truststore
The following steps are performed on the server that hosts the JOC Cockpit.
Example
Code Block title: Sample for importing a certificate

```shell
# Import the LDAP server's certificate (placeholder file name) into the truststore
# configured in Step 2. Replace JETTY_BASE with the path given above.
keytool -importcert -noprompt -file "my_LDAP_Certificate.pem" -alias "my_alias" -keystore "JETTY_BASE/etc/joc.jks" -storepass secret_store -trustcacerts
```
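The three files edited in the steps above must agree with each other: the Jetty store paths are relative to JETTY_BASE, truststore_path is relative to its own properties file, and the shiro realm must actually switch starttls on. The following Python script is an added example, not part of this article or of JOC Cockpit; it parses constructed copies of the fragments shown above and reports inconsistencies and sample passwords left in place. It assumes the properties file holding truststore_path lives in JETTY_BASE/resources/joc/ and uses the Linux default JETTY_BASE.

```python
import posixpath

# Placeholder passwords used in the article's samples; they must not reach production.
SAMPLE_PASSWORDS = {"secret_store", "secret_key", ""}

def parse_properties(text):
    """Parse key=value lines; comments (#) and [section] headers are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#[":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def resolve(base_dir, path):
    """Resolve a relative POSIX path against its base directory (absolute paths pass through)."""
    return posixpath.normpath(posixpath.join(base_dir, path))

def check_starttls_config(jetty_base, jetty_ini, joc_props, shiro_ini):
    """Return a list of findings; an empty list means the three fragments agree."""
    findings = []
    jetty, joc, shiro = (parse_properties(t) for t in (jetty_ini, joc_props, shiro_ini))
    if shiro.get("ldapRealm.useStartTls", "").lower() != "true":
        findings.append("ldapRealm.useStartTls is not true: the LDAP bind will not be protected")
    # jetty.sslContext.* paths are relative to $jetty.base; truststore_path is relative to
    # its own properties file, assumed here to live in JETTY_BASE/resources/joc/.
    jetty_trust = resolve(jetty_base, jetty.get("jetty.sslContext.trustStorePath", ""))
    joc_trust = resolve(posixpath.join(jetty_base, "resources/joc"), joc.get("truststore_path", ""))
    if jetty_trust != joc_trust:
        findings.append(f"truststore mismatch: {jetty_trust} (Jetty) vs {joc_trust} (joc)")
    for key in ("jetty.sslContext.keyStorePassword", "jetty.sslContext.keyManagerPassword",
                "jetty.sslContext.trustStorePassword"):
        if jetty.get(key, "") in SAMPLE_PASSWORDS:
            findings.append(f"{key} is empty or still the sample value")
    return findings

# Constructed input mirroring the article's samples (Linux default JETTY_BASE).
JETTY_BASE = "/home/setup-user/sos-berlin.com/joc"
JETTY_INI = """\
jetty.sslContext.keyStorePath=etc/joc.jks
jetty.sslContext.trustStorePath=etc/joc.jks
jetty.sslContext.keyStorePassword=secret_store
jetty.sslContext.keyManagerPassword=secret_key
jetty.sslContext.trustStorePassword=secret_store
"""
JOC_PROPS = "truststore_path = ../../etc/joc.jks\n"
SHIRO_INI = "[main]\nldapRealm.useStartTls=true\n"
```

Run `check_starttls_config(JETTY_BASE, JETTY_INI, JOC_PROPS, SHIRO_INI)` against your own file contents; on the article's samples it reports only the three placeholder passwords.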