LDAPS Connections

LDAPS Connections (LDAP over SSL)

The objective of configuring ExtraView for LDAPS is to install the LDAP server's SSL certificate into the JVM used by the application server that hosts the ExtraView web application, so that the client (the ExtraView webapp) can authenticate directly to the LDAP server.

Before starting the process to configure ExtraView to work in this mode, ensure the LDAP server has already been configured for secure LDAP with an SSL certificate, and that the secure LDAP port has been confirmed to be active. Consult your LDAP server documentation for configuring your LDAP server for secure LDAP with an SSL certificate.

More information on LDAPS configuration is available at http://java.sun.com/products/jndi/tutorial/ldap/security/ssl.html#SERVER

Java Configuration

  1. Download the InstallCert.java file and compile it with your JDK
  2. Run the InstallCert program as follows:
    java InstallCert <host>:<port>
    where <host> is the hostname of your LDAP server, and <port> is the LDAPS port (e.g., 636) configured on your LDAP server.
  3. You will see some Java error text:

    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    and be prompted to select a certificate to add to the trusted keystore

  4. Select the certificate to add to the keystore and the InstallCert program will display the entire certificate.
    Also, be aware that the InstallCert program creates the file jssecacerts in the current directory.
  5. To verify that the certificate has been added, re-run the InstallCert program as in step 2, and instead of the Java error text you should see the following message:

    No errors, certificate is already trusted

  6. Lastly, you need to add the jssecacerts file to your JDK by copying it to the JAVA_HOME/jre/lib/security/ directory.
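
InstallCert adds whichever certificate the server presented during the handshake, so before step 6 it is worth confirming that jssecacerts contains the certificate whose SHA-256 fingerprint your LDAP administrator gave you. The program below is an added example, not part of ExtraView or InstallCert; the class name CheckTrustedCert, its argument order and the default keystore password "changeit" are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example: checks that a keystore (e.g. jssecacerts) holds the certificate
// with the expected SHA-256 fingerprint before the file is copied into the JDK.
public class CheckTrustedCert {
    // Strip separators and case so "AB:CD", "ab cd" and "abcd" compare equal.
    static String normalize(String fingerprint) {
        return fingerprint.replaceAll("[^0-9A-Fa-f]", "").toLowerCase();
    }

    static String sha256Hex(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }
    public static void main(String[] args) throws Exception {
        if (args.length < 2 || normalize(args[1]).length() != 64) {
            System.err.println("usage: java CheckTrustedCert <keystore> <sha256-fingerprint> [password]");
            System.exit(2);
        }
        // Assumption: the keystore password is "changeit" unless a third argument is given.
        char[] password = (args.length > 2 ? args[2] : "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        String expected = normalize(args[1]);
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (cert == null || !sha256Hex(cert).equals(expected)) continue;
            System.out.println("match: alias=" + alias);
            if (cert instanceof X509Certificate) {
                X509Certificate x509 = (X509Certificate) cert;
                x509.checkValidity(); // throws if the certificate is expired or not yet valid
                System.out.println("subject=" + x509.getSubjectX500Principal() + " notAfter=" + x509.getNotAfter());
            }
            return;
        }
        System.err.println("no keystore entry matches the expected fingerprint");
        System.exit(1);
    }
}
```

Run it as java CheckTrustedCert jssecacerts <fingerprint> in the directory where InstallCert wrote the file; a non-zero exit status means the expected certificate is not in the keystore.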