...
- The Java Keytools is installed with your Java JRE.
- Your LDAP server is configured to use STARTTLS.
When using STARTTLS, your LDAP realm configuration in the shiro.ini configuration file should contain ldapRealm.useStartTls=true, as in the following example:

```text
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.contextFactory.url = ldap://myHost:389
ldapRealm.useStartTls=true
securityManager.realms = $ldapRealm
```
...
Flowchart: the diagram on the original page shows the relationship between the JOC Cockpit and the LDAP Server. The LDAP Server Keystore holds the LDAP Server Private Key and the LDAP Server Public Certificate; the public certificate is transferred to JOC Cockpit. The JOC Cockpit Truststore (./jetty_base/etc/joc.jks) holds the CA Root Certificate, the CA Intermediate Certificate and the LDAP Server Public Certificate, each of which is added to the truststore.
...
Example for import of a public certificate to a JOC Cockpit Truststore in JKS format:

```bash
# import the LDAP server public certificate to a truststore (joc.jks) by specifying the certificate file (ldap-certificate.crt) and the alias name (ldap)
keytool -importcert -noprompt -file "ldap-certificate.crt" -alias "ldap" -keystore "JETTY_BASE/etc/joc.jks" -storepass secret_store -trustcacerts
```
Example for import of a public certificate to a JOC Cockpit Truststore in PKCS12 format:

```bash
# import the LDAP server public certificate to a truststore (joc.p12) by specifying the certificate file (ldap-certificate.crt) and the alias name (ldap)
keytool -importcert -noprompt -file "ldap-certificate.crt" -alias "ldap" -keystore "JETTY_BASE/etc/joc.p12" -storetype pkcs12 -storepass secret_store -trustcacerts
```
- The -keystore option specifies the location of your Truststore file.
- The -storepass option specifies the password for access to your Truststore file.
- The public certificate file ldap-certificate.crt is created on the LDAP server and should be available from there. Transfer this file to the JOC Cockpit server. Alternatively the public certificate can be requested on-the-fly.

Example for export request of public certificate from the LDAP server:
```bash
# create the LDAP server certificate in the NSS certificate database of the current directory (-d .), issued by the CA certificate with the nickname "SOS_LDAP CA certificate",
# and export that CA certificate in PEM (ASCII) format to the file ldap-certificate.crt
certutil -S -n "SOS_LDAP" -s "cn=myCn" -c "SOS_LDAP CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -k rsa
certutil -L -d . -n "SOS_LDAP CA certificate" -a > ldap-certificate.crt
```

Alternatively, request the public certificate directly from the running LDAP server:

```bash
# connect to the LDAP server (ldap_server) with the available port (636); in the server response you should find the public certificate that you can copy & paste to a certificate file
openssl s_client -connect ldap_server:636
```
- If the public certificate is signed by a CA then the certificate file should include the certificate chain of CA Root Certificate and CA Intermediate Certificate. Otherwise it might be required to concatenate the certificates into one file, for example:

```bash
# concatenate the CA root certificate, the CA intermediate certificate and the LDAP server public certificate to a single certificate file (certificates.crt)
cat RootCACertificate.crt > certificates.crt
cat CACertificate.crt >> certificates.crt
cat ldap-certificate.crt >> certificates.crt
# import the LDAP server public certificate and certificate chain to a truststore (joc.jks) by specifying the certificate file (certificates.crt) and the alias name (ldap)
keytool -importcert -noprompt -file "certificates.crt" -alias "ldap" -keystore "JETTY_BASE/etc/joc.jks" -storepass secret_store -trustcacerts
```
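The export and import steps above can be chained into one script. The following is an added example and not part of the JOC Cockpit documentation or the project's own tooling: it fetches every certificate the LDAP server presents (using the STARTTLS extended operation on port 389, implicit TLS on 636), splits the result into one PEM file per certificate and imports each file under its own alias. A trusted-certificate entry in a keystore holds exactly one certificate per alias, which is why a multi-certificate bundle is imported certificate by certificate here rather than under a single alias. The host name ldap.example.com, the file and directory names, the alias prefix and the KEYTOOL override variable are assumptions made for this example; the sample bundle written by make_sample_bundle contains constructed placeholder bodies, not real certificates.

```shell
#!/bin/sh
# Added example (not from the JOC Cockpit documentation): fetch, split and import an LDAP
# server's certificate chain into a truststore, one keystore alias per certificate.
# Host names, file names, the alias prefix and the KEYTOOL variable are assumptions.

# Fetch every certificate the server sends. On port 389 the TLS handshake is started with the
# LDAP STARTTLS extended operation (-starttls ldap, available in OpenSSL 1.1.1 and later);
# on port 636 TLS is implicit. Only the PEM blocks of the s_client output are kept.
fetch_chain() {
    host=$1; port=$2; out=$3
    if [ "$port" = "389" ]; then starttls="-starttls ldap"; else starttls=""; fi
    # word splitting of $starttls into two arguments is intended
    openssl s_client -connect "$host:$port" $starttls -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
}

# Split a PEM bundle into <outdir>/cert-1.pem, cert-2.pem, ... and print the number of
# certificates found (0 if the file holds none).
split_pem_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n); inblock = 1 }
        inblock                       { print > out }
        /-----END CERTIFICATE-----/   { inblock = 0; close(out) }
        END                           { print n + 0 }
    ' "$bundle"
}

# Import cert-1.pem .. cert-N.pem from <dir> as trusted-certificate entries <prefix>-1 .. <prefix>-N.
# KEYTOOL defaults to keytool; setting it to "true" lets the loop run without a JDK installed.
# Prints the number of certificates imported.
import_chain() {
    dir=$1; keystore=$2; storepass=$3; prefix=$4
    i=1
    while [ -f "$dir/cert-$i.pem" ]; do
        "${KEYTOOL:-keytool}" -importcert -noprompt -trustcacerts \
            -file "$dir/cert-$i.pem" -alias "$prefix-$i" \
            -keystore "$keystore" -storepass "$storepass" >/dev/null
        i=$((i + 1))
    done
    echo $((i - 1))
}

# Count the trusted-certificate entries now present in the truststore
# (keytool -list prints one "trustedCertEntry" line per such alias).
count_trusted_entries() {
    keystore=$1; storepass=$2
    "${KEYTOOL:-keytool}" -list -keystore "$keystore" -storepass "$storepass" | grep -c trustedCertEntry
}

# Write a constructed three-certificate bundle (placeholder bodies, not real certificates)
# so that splitting and the import loop can be tried offline.
make_sample_bundle() {
    out=$1
    {
        i=1
        while [ "$i" -le 3 ]; do
            echo "-----BEGIN CERTIFICATE-----"
            echo "PLACEHOLDER-CERT-$i-NOT-A-REAL-CERTIFICATE"
            echo "-----END CERTIFICATE-----"
            echo ""   # blank separator line, as found in hand-concatenated bundles
            i=$((i + 1))
        done
    } > "$out"
}

# Usage against a real server (assumed host name; JETTY_BASE as on the page):
#   fetch_chain ldap.example.com 389 chain.pem
#   split_pem_bundle chain.pem ./chain
#   import_chain ./chain "$JETTY_BASE/etc/joc.jks" secret_store ldap
#   count_trusted_entries "$JETTY_BASE/etc/joc.jks" secret_store
```

The alias prefix makes the imported entries recognisable later (ldap-1, ldap-2, ...), and count_trusted_entries gives a quick check that the truststore really contains one entry per certificate in the chain after the import.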
Configure JOC Cockpit Truststore
...