Scope
- If LDAP is used for authentication, the connection to the LDAP server can be secured with STARTTLS.
- This article describes the steps required to set up communication with STARTTLS.
Prerequisites
- The keytool utility is installed with your Java JRE.
- Your LDAP server is configured to use STARTTLS.
- Your LDAP Realm configuration in the shiro configuration file contains ldapRealm.useStartTls=true
Set up a secure connection to your LDAP Server
This configuration is applied in order to enable STARTTLS in the communication with the LDAP Server.
In the following, the placeholders JOC_HOME, JETTY_HOME and JETTY_BASE are used to locate three directories. If you install Jetty with the JOC installer then
- JOC_HOME is the installation path which is specified during the JOC Cockpit installation:
  - C:\Program Files\sos-berlin.com\joc (default on Windows)
  - /opt/sos-berlin.com/joc (default on Linux)
- JETTY_HOME = JOC_HOME/jetty
- JETTY_BASE is Jetty's base directory which is specified during the JOC Cockpit installation:
  - C:\ProgramData\sos-berlin.com\joc (default on Windows)
  - /home/<setup-user>/sos-berlin.com/joc (default on Linux)
Step 1: Create the Java Keystore for Jetty
- Create the Java Keystore using the keytool utility from your Java JRE.
- Generate the Java Keystore with the private key and certificate for Jetty and export the certificate to the Keystore that is later on used by the browsers.
Example
Sample for generating a Keystore with private key and certificate:
keytool -genkeypair -alias "joc" -dname "CN=jocHost,O=myCompany" -validity 1461 -keyalg RSA -keysize 2048 -keypass secret_key -keystore "JETTY_BASE/etc/joc.jks" -storepass secret_store
Explanations
- Replace the JETTY_BASE placeholder as specified above.
- -genkeypair is the current name of the keytool command; -genkey is its older alias and still works. Use a key size of at least 2048 bits: 1024-bit RSA keys are considered weak and are rejected by current browsers and TLS libraries.
- The -dname option specifies the distinguished name of the certificate subject. Because keytool creates a self-signed certificate, the subject is also the issuer, so use your own set of CN, OU, O and DC values. The O setting is required.
- The -keypass option accepts the password that you will need later on to manage your private key.
- The -keystore option specifies the location of your Keystore file.
- The -storepass option specifies the password for access to your Keystore file.
- Both passwords are passed on the command line and therefore end up in the shell history; they are also stored in clear text in start.ini in the next step. Restrict read access to the Keystore file and to start.ini to the account that runs Jetty.
Step 2: Configure Jetty
Edit the following entries in the JETTY_BASE/start.ini configuration file corresponding to the Java Keystore:

## Keystore file path (relative to $jetty.base)
jetty.sslContext.keyStorePath=etc/joc.jks
## Truststore file path (relative to $jetty.base)
jetty.sslContext.trustStorePath=etc/joc.jks
## Keystore password
jetty.sslContext.keyStorePassword=secret_store
## KeyManager password
jetty.sslContext.keyManagerPassword=secret_key
## Truststore password
jetty.sslContext.trustStorePassword=secret_store

Explanations
- Specify the location of the Keystore with the keyStorePath setting and optionally of the Truststore with the trustStorePath setting. A location relative to the JETTY_BASE directory can be specified.
- Specify the password for your Keystore with the keyStorePassword setting. If a Truststore is used then specify its password accordingly with the trustStorePassword setting.
- The password specified with the keyManagerPassword setting is used for access to your private key.
Step 3: Import your certificate to the JOC Cockpit Web Service Truststore
The following steps are performed on the server that hosts the JOC Cockpit. The certificate to import is the one the Truststore must trust for the STARTTLS connection, i.e. the certificate of your LDAP server or of the CA that issued it.
Example
Sample for importing the certificate:
keytool -importcert -noprompt -file "myCertificate.pem" -alias "my_alias" -keystore "JETTY_BASE/etc/joc.jks" -storepass secret_store -trustcacerts
Explanations
- Replace the JETTY_BASE placeholder as specified above.
- The -noprompt option suppresses the interactive confirmation of the certificate fingerprint. Before using it, display the certificate with keytool's -printcert option and compare its fingerprint with the value published by your LDAP administrator; importing an unverified certificate into the Truststore makes the STARTTLS connection vulnerable to an impersonated LDAP server.
- The -trustcacerts option additionally consults the JRE's cacerts file when building the chain of the imported certificate.
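The prerequisite that the LDAP server is configured for STARTTLS, and the question whether the certificate imported in Step 3 actually verifies that server, can both be checked before touching the Jetty Truststore. The following script is an added example and is not part of the JOC Cockpit documentation or product code. It sends the LDAPv3 STARTTLS extended operation (OID 1.3.6.1.4.1.1466.20037) over a plain socket, decodes the ExtendedResponse, and only then upgrades the socket to a verifying TLS session using the same PEM file that Step 3 imports. The host name ldap.example.com and the response bytes in SAMPLE_OK_RESPONSE are constructed for illustration; only the Python standard library is used.

```python
"""Probe an LDAP server for STARTTLS support and verify its certificate chain.

Added example, not SOS JOC Cockpit code. Implements the STARTTLS extended
operation from RFC 4511/4513 with a minimal BER encoder so it runs offline.
"""
import socket
import ssl

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"


# --- minimal BER (definite-length forms only, which is all LDAP uses) --------

def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Tag-Length-Value with a single-byte tag."""
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(n):
    """INTEGER, two's complement, minimal length."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


# --- LDAP STARTTLS extended operation -----------------------------------------

def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID.encode("ascii")))
    return tlv(0x30, ber_int(message_id) + ext_req)


def parse_extended_response(buf):
    """Decode LDAPMessage { messageID, extendedResp [APPLICATION 24] }.

    Returns (message_id, result_code, diagnostic_message). A result_code of 0
    means the server accepted STARTTLS and the TLS handshake may begin.
    """
    tag, msg, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(msg)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, resp, _ = read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    tag, code, pos = read_tlv(resp)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = read_tlv(resp, pos)
    _, diag, _ = read_tlv(resp, pos)
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(code, "big", signed=True),
            diag.decode("utf-8", "replace"))


def recv_exact(sock, n):
    """Read exactly n bytes or raise; recv() may return partial data."""
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("LDAP server closed the connection")
        data += chunk
    return data


def recv_ldap_message(sock):
    """Read one BER-framed LDAPMessage, however the server splits the bytes."""
    head = recv_exact(sock, 2)
    if head[1] & 0x80:
        extra = recv_exact(sock, head[1] & 0x7F)
        head += extra
        length = int.from_bytes(extra, "big")
    else:
        length = head[1]
    return head + recv_exact(sock, length)


def starttls_probe(host, port=389, cafile=None, timeout=5.0):
    """Live check: negotiate STARTTLS, then verify the chain and host name.

    cafile is the PEM you intend to import in Step 3 (e.g. myCertificate.pem);
    with cafile=None the system trust store is used. Returns the peer cert.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        _, code, diag = parse_extended_response(recv_ldap_message(sock))
        if code != 0:
            raise RuntimeError(f"server refused STARTTLS: resultCode={code} {diag!r}")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: success response for messageID 1 with empty matchedDN
# and diagnosticMessage, so the parser can be exercised without a server.
SAMPLE_OK_RESPONSE = bytes.fromhex("300c02010178070a010004000400")

if __name__ == "__main__":
    print(build_starttls_request().hex())
    print(parse_extended_response(SAMPLE_OK_RESPONSE))
    # starttls_probe("ldap.example.com", cafile="myCertificate.pem")  # assumed host
```

Run starttls_probe against your LDAP host with the PEM from Step 3 as cafile: a returned certificate dictionary proves both that the server offers STARTTLS and that the file you are about to import is sufficient to verify it; an ssl.SSLCertVerificationError means the PEM is the wrong certificate or the server presents an incomplete chain, which the Jetty Truststore would not fix either.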