Versions Compared

Comment: Code examples added


LDAP authentication for the JOC Cockpit relies on a connection between the LDAP server and the JOC Cockpit web services. It is likely to be desirable that this connection is secured, as it would otherwise be vulnerable to, for example, man-in-the-middle attacks.

The connection between the LDAP server and the web services can be secured using one of two commonly available protocols: StartTLS and LDAPS.


StartTLS is an extension to the LDAP protocol which uses the TLS protocol to encrypt communication. It works by establishing a normal, i.e. insecure, connection with the LDAP server over the standard LDAP port (e.g. 389) before a handshake negotiation between the server and the web services is carried out. Here, the server sends its certificate to prove its identity before the secure connection is established. If negotiation for a secure connection is unsuccessful then a standard LDAP connection may be opened. Whether or not this occurs depends on the LDAP server and its configuration; a connection that is left unencrypted in this way remains vulnerable to man-in-the-middle attacks.

Connection Encryption with LDAPS

LDAPS is a non-official protocol that, in contrast with StartTLS, only allows communication over a secure port such as 636. It establishes the secure connection before there is any communication with the LDAP server. LDAPS generally provides protection against man-in-the-middle attacks and a higher level of security than StartTLS, as it explicitly does not allow insecure LDAP connections.

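The StartTLS exchange described above, as an added example that is not part of the original article and not code from SOS or the JOC Cockpit: the client sends the StartTLS extended request over the plain LDAP socket, parses the server's extended response, and either upgrades the socket to TLS with certificate and hostname verification or closes it. The sample replies (`SUCCESS_REPLY`, `REFUSED_REPLY`) are constructed byte strings, not captures from a real server, and `_ScriptedSocket` is a stand-in for a real socket so the fail-closed behaviour can be exercised offline. The important part for the fallback case the text describes is that a result code other than success never leaves the clear-text socket in use.

```python
import ssl

# OID of the StartTLS extended operation (RFC 4511 section 4.14).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def _ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_tlv(buf, pos):
    """Decode one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }.

    message_id is kept below 128 so the single-byte INTEGER encoding stays positive.
    """
    assert 0 < message_id < 0x80
    name = b"\x80" + _ber_len(len(STARTTLS_OID)) + STARTTLS_OID
    ext_req = b"\x77" + _ber_len(len(name)) + name
    body = b"\x02\x01" + bytes([message_id]) + ext_req
    return b"\x30" + _ber_len(len(body)) + body


def parse_starttls_response(data):
    """Return (message_id, result_code, diagnostic_message) from an ExtendedResponse."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, resp, _ = _read_tlv(body, pos)
    if tag != 0x78:                           # [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse, tag 0x%02x" % tag)
    _, code, pos = _read_tlv(resp, 0)         # resultCode ENUMERATED
    _, _, pos = _read_tlv(resp, pos)          # matchedDN (ignored)
    _, diag, _ = _read_tlv(resp, pos)         # diagnosticMessage
    return (int.from_bytes(mid, "big"), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))


def negotiate_starttls(sock, server_hostname, cafile=None):
    """Upgrade an open plain-LDAP socket to TLS, or fail closed.

    If the server answers anything but success (0), the clear-text socket is
    closed instead of being reused for the bind; that is the silent downgrade
    the text warns about. cafile is the PEM bundle to trust (None = system CAs).
    """
    sock.sendall(build_starttls_request(1))
    mid, code, diag = parse_starttls_response(sock.recv(4096))
    if mid != 1 or code != 0:
        sock.close()
        raise ConnectionError("StartTLS refused (resultCode=%d): %s" % (code, diag))
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + hostname check
    return ctx.wrap_socket(sock, server_hostname=server_hostname)


# Constructed sample replies (not captured from a real server).
SUCCESS_REPLY = bytes.fromhex("300c02010178070a010004000400")        # resultCode success(0)
REFUSED_REPLY = (b"\x30\x1d\x02\x01\x01\x78\x18\x0a\x01\x02\x04\x00\x04\x11"
                 + b"TLS not supported")                               # resultCode protocolError(2)


class _ScriptedSocket:
    """Minimal stand-in for socket.socket that returns one canned reply (offline demo only)."""
    def __init__(self, reply):
        self.reply, self.sent, self.closed = reply, b"", False
    def sendall(self, data):
        self.sent += data
    def recv(self, _n):
        return self.reply
    def close(self):
        self.closed = True


def starttls_refusal_is_fatal(reply=REFUSED_REPLY):
    """True if a non-success StartTLS reply makes the client close the clear-text socket."""
    sock = _ScriptedSocket(reply)
    try:
        negotiate_starttls(sock, "ldap.example.invalid")
    except ConnectionError:
        return sock.closed
    return False


if __name__ == "__main__":
    print(parse_starttls_response(SUCCESS_REPLY))
    print("fail-closed:", starttls_refusal_is_fatal())
```

Against a real server you would pass a `socket.create_connection((host, 389))` to `negotiate_starttls` and the PEM file of the LDAP server's CA as `cafile`; `ssl.create_default_context` then rejects an unknown or mismatched certificate, which is the client-side counterpart of the truststore import described later in the article.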

  • The current article describes the configuration of StartTLS for use with the JOC Cockpit web services and provides a code example for calling LDAPS from the shiro.ini file. Users wishing to implement LDAPS with the JOC Cockpit should refer to specialist literature; users wishing to configure their LDAP server to use LDAPS should refer to their LDAP server administrator.

Configuration for LDAP with StartTLS

  • The Java Keytool is installed with your Java JRE.
  • Your LDAP server is configured to use StartTLS.
  • When using StartTLS, your LDAP realm configuration in the shiro.ini configuration file should contain ldapRealm.useStartTls=true as shown in the following code example:

    Code Block
    ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
    ldapRealm.contextFactory.url = ldap://myHost:389
    ldapRealm.useStartTls=true

    securityManager.realms = $ldapRealm

Set up a secure connection to your LDAP Server


In the following, the placeholders JOC_HOME, JETTY_HOME and JETTY_BASE are used to locate three directories. If you install Jetty with the JOC installer then:

  • JOC_HOME is the installation path which is specified during the JOC Cockpit installation:
    • C:\Program Files\sos-berlin.com\joc (default on Windows)
    • /opt/sos-berlin.com/joc (default on Linux)
  • JETTY_HOME = JOC_HOME/jetty
  • JETTY_BASE is Jetty's base directory which is specified during the JOC Cockpit installation:
    • C:\ProgramData\sos-berlin.com\joc (default on Windows)
    • /home/<setup-user>/sos-berlin.com/joc (default on Linux)

Create a JOC Cockpit Web Service Truststore and import your certificate to the Truststore

The following steps are performed on the server that hosts the JOC Cockpit.

You can use the Java Keystore that will be created with the private key for the HTTPS support in Jetty. Note that you will probably have to create the JETTY_BASE/etc directory.

    • Example

      Code Block: Sample for importing the master certificate
      keytool -importcert -noprompt -file "my_LDAP_Certificate.pem" -alias "my_alias" -keystore "JETTY_BASE/etc/joc.jks" -storepass secret_store -trustcacerts
  • The -keystore option specifies the location of your Truststore file.
  • The -storepass option specifies the password for access to your Truststore file.
  • The -noprompt option suppresses the confirmation of the certificate's fingerprint; compare the fingerprint with the one reported by your LDAP server administrator before importing, as the Truststore decides which servers the web services will trust.
  • The file my_LDAP_Certificate.pem has been created on the LDAP server, for example with the following NSS certutil commands. Transfer this file to the machine that hosts the JOC Cockpit.
    • certutil -S -n "SOS_LDAP" -s "cn=myCn" -c "SOS_LDAP CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -k rsa
      (creates the server certificate with nickname SOS_LDAP, signed by the CA certificate with nickname "SOS_LDAP CA certificate", serial number 1001, valid for 120 months)
    • certutil -L -d . -n "SOS_LDAP CA certificate" -a > my_LDAP_Certificate.pem
      (exports the CA certificate in ASCII/PEM format; this is the certificate imported into the Truststore above)

Configure Jetty

  • Edit the following entry in the JETTY_BASE/resources/joc/joc.properties configuration file so that it corresponds to the Java Keystore:

    Code Block
    truststore_path = ../../etc/joc.jks

    Explanations

    • Specify the location of the Truststore with the truststore_path setting. A location relative to the JETTY_BASE directory can be specified.

Configuration for LDAPS

The LDAP server must be configured to use SSL/TLS on the LDAPS port.

In the shiro.ini configuration file the LDAPS URL must be fully qualified as shown in the following example.

Code Block
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.contextFactory.url = ldaps://ldap.myHost.com:636

ldapRealm.contextFactory.environment[java.naming.security.protocol] = ssl

securityManager.realms = $ldapRealm

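The two shiro.ini realm samples in this article (StartTLS and LDAPS) differ only in the URL scheme, the useStartTls flag and the JNDI security protocol, so a small audit of those three keys tells you which mode a given shiro.ini ends up in. The following script is an added example, not code from SOS or the JOC Cockpit: it parses shiro.ini text with Python's configparser (the realm lines are assumed to live in the [main] section, which Shiro treats as implicit when no section header is present), reads the keys under the realm name ldapRealm as used on this page, and reports a plain ldap:// realm without useStartTls=true as clear-text. The LDAPS sample writes the environment key with the ldapRealm. prefix that Shiro's ini syntax uses for object properties; SAMPLE_PLAIN is a constructed insecure variant.

```python
import configparser
from urllib.parse import urlsplit

# Realm samples: the two from the article (StartTLS and LDAPS) plus a constructed
# insecure variant that uses ldap:// without enabling StartTLS.
SAMPLE_STARTTLS = """
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.contextFactory.url = ldap://myHost:389
ldapRealm.useStartTls=true
securityManager.realms = $ldapRealm
"""
SAMPLE_LDAPS = """
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.contextFactory.url = ldaps://ldap.myHost.com:636
ldapRealm.contextFactory.environment[java.naming.security.protocol] = ssl
securityManager.realms = $ldapRealm
"""
SAMPLE_PLAIN = """
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.contextFactory.url = ldap://myHost:389
securityManager.realms = $ldapRealm
"""


def _main_section(ini_text):
    """Parse shiro.ini text; realm definitions live in [main], which may be implicit."""
    cp = configparser.ConfigParser(interpolation=None, empty_lines_in_values=False)
    cp.optionxform = str                       # keep key case (useStartTls) as written
    if "[main]" not in ini_text:
        ini_text = "[main]\n" + ini_text
    cp.read_string(ini_text)
    return cp["main"]


def audit_ldap_realm(ini_text, realm="ldapRealm"):
    """Classify how the realm reaches the LDAP server and list weaknesses found.

    Returns {"mode": "ldaps" | "starttls" | "plaintext" | "unknown",
             "url": <contextFactory.url>, "findings": [<str>, ...]}.
    """
    main = _main_section(ini_text)
    url = main.get(realm + ".contextFactory.url", "").strip()
    scheme = urlsplit(url).scheme.lower()
    starttls = main.get(realm + ".useStartTls", "false").strip().lower() == "true"
    jndi_proto = main.get(
        realm + ".contextFactory.environment[java.naming.security.protocol]", "").strip().lower()
    findings = []
    if scheme == "ldaps":
        mode = "ldaps"
        if jndi_proto != "ssl":
            findings.append("ldaps:// URL but java.naming.security.protocol is not set to ssl "
                            "(the LDAPS sample sets it explicitly)")
    elif scheme == "ldap" and starttls:
        mode = "starttls"                      # encryption negotiated after connecting
    elif scheme == "ldap":
        mode = "plaintext"
        findings.append("ldap:// URL without useStartTls=true: the bind password and "
                        "user lookups cross the network in clear text")
    else:
        mode = "unknown"
        findings.append("unrecognised or missing contextFactory.url: %r" % url)
    return {"mode": mode, "url": url, "findings": findings}


def audit_file(path):
    """Convenience wrapper for a shiro.ini on disk, e.g. JETTY_BASE/resources/joc/shiro.ini."""
    with open(path, encoding="utf-8") as fh:
        return audit_ldap_realm(fh.read())


if __name__ == "__main__":
    for name, text in (("starttls", SAMPLE_STARTTLS), ("ldaps", SAMPLE_LDAPS), ("plain", SAMPLE_PLAIN)):
        print(name, audit_ldap_realm(text))
```

Note that the audit only reads the client side: a realm in "starttls" mode still depends on the LDAP server actually completing the TLS negotiation rather than falling back to a plain connection, which is the server-side behaviour discussed at the start of the article.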