...
- The Java Keytools is installed with your Java JRE.
- Your LDAP server is configured to use STARTTLS.
When using
starttls
your LDAP realm configuration in the shiro.ini configuration file should containldapRealm.useStartTls=true
as in the following example:Code Block language text ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm ldapRealm.contextFactory.url = ldap://myHost:389 ldapRealm.useStartTls=true securityManager.realms = $ldapRealm
...
Example for import of a public certificate to a JOC Cockpit Truststore in JKS format:
Code Block language bash title Exmple for import of LDAP Server public certificate to JKS Keystore # import LDAP server public certificate to a truststore (joc.jks) by specifying the certificate file (ldap-certificate.crt) and alias name (ldap) keytool -importcert -noprompt -file "ldap-certificate.crt" -alias "ldap" -keystore "JETTY_BASE/etc/joc.jks" -storepass secret_store -trustcacerts
Example for import of a public certificate to a JOC Cockpit Truststore in PKCS12 format:
Code Block language bash title Exmple for import of LDAP Server public certificate to PKCS12 Keystore # import LDAP server public certificate to a truststore (joc.p12) by specifying the certificate file (ldap-certificate.crt) and alias name (ldap) keytool -importcert -noprompt -file "ldap-certificate.crt" -alias "ldap" -keystore "JETTY_BASE/etc/joc.p12" -storetype pkcs12 -storepass secret_store -trustcacerts
- The
-keystore
option specifies the location of your Truststore file. - The
-storepass
option specifies the password for access to your Truststore file. - The public certificate file
ldap-ertificate.crt
should be available from the LDAP server. Transfer this file to the JOC Cockpit server. Alternatively the public certificate can be requested on-the-fly.Example for request of public certificate:
Code Block language bash title Example for export request of public certificate from LDAP server # connect to the LDAP server (ldap_server) with the available port (636), in the server response you should find the public certificate that you can copy & paste to a certificate file openssl s_client -connect ldap_server:636
- If the public certificate is signed by a CA then the certificate should include the certificate chain of CA Root Certificate and CA Intermediate Certificate. Otherwise it might be required to concatenate the certificates into one file, for example:
Code Block language bash title Example for export of public certificate # concatenate CA root certificate and CA intermediate certificate to a single CA Bundle certificate file (ca-bundle.crt) cat RootCACertificate.crt > certificates.crt cat CACertificate.crt >> certificates.crt cat ldap-certificate.crt >> certificates.crt # import LDAP server public certificate and certificate chain to a truststore (joc.jks) by specifying the certificate file (ldap-certificate.crt) and alias name (ldap) keytool -importcert -noprompt -file "certificates.crt" -alias "ldap" -keystore "JETTY_BASE/etc/joc.jks" -storepass secret_store -trustcacerts
...