Introduction
LDAP authentication for the JOC Cockpit relies on a connection between the LDAP server and the JOC Cockpit web services. This connection should be secured, as it would otherwise be vulnerable to, for example, man-in-the-middle attacks.
The connection between the LDAP server and the web services can be secured using two commonly available protocols: StartTLS and LDAPS.
Connection Content Encryption with StartTLS
StartTLS is an extension to the LDAP protocol which uses the TLS protocol to encrypt communication. It works by first establishing a normal, i.e. unsecured, connection with the LDAP server, after which a handshake negotiation between the server and the web services is carried out. During this handshake the server sends its certificate to prove its identity before the secure connection is established. If the negotiation for a secure connection is unsuccessful, a standard LDAP connection may still be opened; whether or not this occurs depends on the LDAP server and its configuration.
Connection Encryption with LDAPS
LDAPS is the non-standardized "LDAP over SSL" protocol which, in contrast to StartTLS, only allows communication over a secure port such as 636. It establishes the secure connection before any LDAP communication with the server takes place. However, as LDAPS is not part of the LDAP standard, there is no guarantee that LDAPS client libraries actually verify the host name against the name in the server certificate.
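The StartTLS exchange described above, as an added example that is not part of this article or of the JOC Cockpit code: the client sends the RFC 4511 StartTLS extended request over the plain LDAP connection, refuses to continue in clear text if the server does not answer with success (the fallback mentioned above), and then wraps the socket in TLS with host name verification against the LDAP CA. It assumes the LDAP CA certificate is available as a PEM file (the same certificate that is imported into the Web Service Truststore); `host`, `port` and `ca_pem` are placeholders.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation


def _ber_len(n):
    """Encode a BER length (short form up to 127, else two-byte long form)."""
    return bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")


def _tlv(buf, pos):
    """Decode one BER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    name = b"\x80" + _ber_len(len(STARTTLS_OID)) + STARTTLS_OID
    op = b"\x77" + _ber_len(len(name)) + name
    body = b"\x02\x01" + bytes([msg_id]) + op
    return b"\x30" + _ber_len(len(body)) + body


def parse_extended_response(data):
    """Return the resultCode of an ExtendedResponse [APPLICATION 24]; 0 means success."""
    tag, msg, _ = _tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _tlv(msg, 0)          # skip messageID
    tag, op, _ = _tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("expected ExtendedResponse")
    _, code, _ = _tlv(op, 0)          # resultCode ENUMERATED
    return int.from_bytes(code, "big")


def starttls_connect(host, port, ca_pem):
    """Open a plain LDAP socket, negotiate StartTLS, and fail closed if refused."""
    sock = socket.create_connection((host, port), timeout=10)
    sock.sendall(build_starttls_request())
    if parse_extended_response(sock.recv(4096)) != 0:
        sock.close()  # never fall back to clear-text LDAP on a refused StartTLS
        raise ConnectionError("LDAP server refused StartTLS")
    ctx = ssl.create_default_context(cafile=ca_pem)  # trust only the LDAP CA
    ctx.check_hostname = True                        # verify the name in the certificate
    return ctx.wrap_socket(sock, server_hostname=host)
```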
Scope
- The current article describes the configuration of StartTLS for use with the JOC Cockpit web services and the Web Service Truststore, and provides a code example for calling LDAPS from the shiro.ini file. Users wishing to configure their server to use LDAPS should refer to their LDAP server administrator.
Configuration for LDAP with StartTLS
Prerequisites:
- The Java keytool is installed with your Java JRE.
- Your LDAP server is configured to use StartTLS.
When using StartTLS, your LDAP realm configuration in the shiro.ini configuration file should contain ldapRealm.useStartTls=true, as shown in the following code example:
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.contextFactory.url = ldap://myHost:389
ldapRealm.useStartTls=true
securityManager.realms = $ldapRealm
Set up a secure connection to your LDAP Server
In the following, the placeholders JOC_HOME, JETTY_HOME and JETTY_BASE are used to locate three directories. If you install Jetty with the JOC installer then:
JOC_HOME is the installation path which is specified during the JOC Cockpit installation:
- C:\Program Files\sos-berlin.com\joc (default on Windows)
- /opt/sos-berlin.com/joc (default on Linux)
JETTY_HOME = JOC_HOME/jetty
JETTY_BASE is Jetty's base directory which is specified during the JOC Cockpit installation:
- C:\ProgramData\sos-berlin.com\joc (default on Windows)
- /home/<setup-user>/sos-berlin.com/joc (default on Linux)
Create a JOC Cockpit Web Service Truststore and import your certificate to the Truststore
The following steps are performed on the server that hosts the JOC Cockpit.
You can use the Java Keystore that will be created with the private key for the HTTPS support in Jetty. Note that you will probably have to create the JETTY_BASE/etc directory.
Example
Sample for importing the master certificate:
keytool -importcert -noprompt -file "my_LDAP_Certificate.pem" -alias "my_alias" -keystore "JETTY_BASE/etc/joc.jks" -storepass secret_store -trustcacerts
- The -keystore option specifies the location of your Truststore file.
- The -storepass option specifies the password for access to your Truststore file.
- The file my_LDAP_Certificate.pem has been created on the LDAP server, for example with the following certutil commands, which create a certificate issued by the "SOS_LDAP CA certificate" and then export that CA certificate in PEM (ASCII) format. Transfer this file to the local machine.
certutil -S -n "SOS_LDAP" -s "cn=myCn" -c "SOS_LDAP CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -k rsa
certutil -L -d . -n "SOS_LDAP CA certificate" -a > my_LDAP_Certificate.pem
Configure Jetty
Edit the following entry in the JETTY_BASE/resources/joc/joc.properties configuration file corresponding to the Java Keystore:
truststore_path = ../../etc/joc.jks
Explanations
- Specify the location of the Truststore with the truststore_path setting. A location relative to the JETTY_BASE directory can be specified.
Configuration for LDAPS
The LDAP server must be configured to use SSL.
In the shiro.ini configuration file the LDAPS URL must be fully qualified, as shown in the following example:
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.contextFactory.url = ldaps://ldap.myHost.com:636
# the JNDI environment is set on the realm's context factory, hence the ldapRealm. prefix
ldapRealm.contextFactory.environment[java.naming.security.protocol] = ssl
securityManager.realms = $ldapRealm