Scope
- If using LDAP for authentication, it is possible to secure the connection with STARTTLS.
- This article describes the steps required to set up communication with STARTTLS.
Prerequisites
- The Java keytool is installed with your Java JRE.
- Your LDAP server is configured to use STARTTLS.
- When using STARTTLS, your LDAP realm configuration in the shiro.ini configuration file contains: ldapRealm.useStartTls=true
Set up a secure connection to your LDAP Server
This configuration is applied in order to enable STARTTLS in the communication to the LDAP Server.
In the following the placeholders JOC_HOME, JETTY_HOME and JETTY_BASE are used, which locate three directories. If you install Jetty with the JOC installer, then:
- JOC_HOME is the installation path which is specified during the JOC Cockpit installation:
  - C:\Program Files\sos-berlin.com\joc (default on Windows)
  - /opt/sos-berlin.com/joc (default on Linux)
- JETTY_HOME = JOC_HOME/jetty
- JETTY_BASE is Jetty's base directory which is specified during the JOC Cockpit installation:
  - C:\ProgramData\sos-berlin.com\joc (default on Windows)
  - /home/<setup-user>/sos-berlin.com/joc (default on Linux)
Step 1: Create the Java Keystore for Jetty
- Create the Java Keystore using the keytool from your Java JRE.
- Generate the Java Keystore with the private key and certificate for Jetty and export the certificate to the Keystore that is later on used by the browsers. Please note that you probably have to create the directory JETTY_BASE/etc first.
Example
Sample for generating a Keystore with private key and certificate:
keytool -genkey -alias "joc" -dname "CN=jocHost,O=myCompany" -validity 1461 -keyalg RSA -keysize 1024 -keypass secret_key -keystore "JETTY_BASE/etc/joc.jks" -storepass secret_store
Explanations
- Replace the JETTY_BASE placeholder as specified above.
- The -dname option specifies the certificate issuer, therefore use your own set of CN, OU, DC that specify the issuer's distinguished name. The O setting is required for the issuer.
- The -keypass option accepts the password that you will need later on to manage your private key.
- The -keystore option specifies the location of your Keystore file.
- The -storepass option specifies the password for access to your Keystore file.
Step 2: Configure Jetty
Edit the following entries in the JETTY_BASE/resources/joc/joc.properties configuration file corresponding to the Java Keystore:
###############################################################################
### Location of the Java truststore which contains the certificates of each
### JobScheduler Master for HTTPS connections. Path can be absolute or relative
### to this file.
truststore_path = ../../etc/joc.jks
Explanations
- Specify the location of the Truststore with the truststore_path setting. A location relative to the JETTY_BASE directory can be specified.
Step 3: Import your certificate to the JOC Cockpit Web Service Truststore
The following steps are performed on the server that hosts the JOC Cockpit.
Example
Sample for importing the LDAP server certificate:
keytool -importcert -noprompt -file "my_LDAP_Certificate.pem" -alias "my_alias" -keystore "JETTY_BASE/etc/joc.jks" -storepass secret_store -trustcacerts
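The procedure of Steps 1 to 3 as one script, added here as an example and not part of the JOC Cockpit documentation: it retrieves the certificate chain your LDAP server presents after STARTTLS (one way to obtain my_LDAP_Certificate.pem), imports it into JETTY_BASE/etc/joc.jks, and lists the alias afterwards so you can confirm the truststore is correct before setting ldapRealm.useStartTls=true. LDAP_HOST, LDAP_PORT, STOREPASS and the JETTY_BASE default are assumptions; openssl 1.1.1 or newer (for -starttls ldap) and keytool must be on the PATH.

```shell
#!/bin/sh
# Added example, not from the JOC Cockpit documentation. Assumptions: LDAP_HOST
# and LDAP_PORT name your LDAP server, STOREPASS is the -storepass from Step 1.
set -eu

LDAP_HOST="${LDAP_HOST:-ldap.example.com}"
LDAP_PORT="${LDAP_PORT:-389}"
JETTY_BASE="${JETTY_BASE:-/home/setup-user/sos-berlin.com/joc}"
STOREPASS="${STOREPASS:-secret_store}"
TRUSTSTORE="$JETTY_BASE/etc/joc.jks"

# Return 0 if the file holds at least one complete PEM certificate block.
pem_has_certificate() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Print how many PEM certificates a file holds (a chain dump may hold several).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Ask the LDAP server to upgrade to TLS and save the chain it presents.
# The plain LDAP port is used on purpose: STARTTLS negotiates TLS on it.
fetch_ldap_chain() {   # usage: fetch_ldap_chain out.pem
    openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" -starttls ldap \
        -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$1"
    pem_has_certificate "$1"
}

# Import the PEM file under the given alias (Step 3), then list it to verify.
# keytool takes the first certificate in the file, which is the server's own.
import_ldap_cert() {   # usage: import_ldap_cert cert.pem alias
    mkdir -p "$JETTY_BASE/etc"
    keytool -importcert -noprompt -file "$1" -alias "$2" \
        -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -trustcacerts
    keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -alias "$2"
}

main() {
    chain="$(mktemp)"
    fetch_ldap_chain "$chain"
    echo "server presented $(pem_cert_count "$chain") certificate(s)"
    import_ldap_cert "$chain" "my_alias"
    rm -f "$chain"
}

# The network and keytool part only runs on demand; the helpers stay testable.
if [ "${RUN_IMPORT:-0}" = 1 ]; then main; fi
```

Run it with RUN_IMPORT=1 on the server that hosts the JOC Cockpit; if keytool -list does not show the alias, the import failed and STARTTLS must not be enabled yet.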