7.0 Configuring SSL Connections

The driver uses the LDAP protocol to communicate with the LDAP server. Most LDAP servers allow non-encrypted (clear-text) connections. Additionally, when configured correctly, some LDAP servers allow SSL-encrypted connections. SSL connections encrypt all traffic on the TCP/IP socket, using the server's public/private key pair to establish the encrypted session. The LDAP protocol itself doesn't change; the communication channel performs the encryption.

The procedure for enabling SSL connections differs slightly from one LDAP server to another. This document covers the procedure for enabling SSL connections with Sun Java System Directory Server. If you are using another LDAP server, use the methods described in its documentation.

  1. Start the instance of the Sun Java System Directory Server.

  2. Obtain a certificate for the instance and store it in the key database.

    The certificate can be issued by a certificate authority (CA) or it can be self-signed. The certificate includes a server certificate and a private key. For information about different methods of obtaining a certificate, see the Sun Java System Directory Server documentation. Make a note of the server's secure SSL port; the default port is 636.

  3. Obtain the signer certificate.

    NOTE: If the certificate is issued by a CA, the server certificate includes a signer certificate. If the certificate is self-signed, the server certificate acts as the signer certificate. For more information, see Using Certificates and Keys in the Sun ONE Web Server Administrator's Guide.

  4. Copy the signer certificate to a temporary directory on the computer where the LDAP driver for which you want to enable SSL communication is installed.

  5. Import the trusted root certificate into a certificate store (also called a keystore) that the driver can use.

    a. If the certificate is in PKCS12 or PFX format, enter the following at the command line, then proceed to Step 5c:

       keytool -importkeystore -srckeystore <srcfile> -srcstoretype PKCS12 -destkeystore .keystore -alias <keyAlias>

    b. If the certificate is in base64 or DER format, perform the following:

       i. Use the keytool utility, found in the jre/bin directory.

          For example, if your public key certificate is saved as PublicKeyCert.b64 on your local disk and you want to import it into a new certificate store file named .keystore in the current directory, enter the following at the command line:

          keytool -import -alias TrustedRoot -file A:\PublicKeyCert.b64 -keystore .keystore -storepass keystorepass

       ii. When you are asked whether to trust this certificate, answer Yes, then press Enter.

    c. Copy the .keystore file to any directory on the same file system that has the Identity Vault files.

    d. In iManager, select Identity Manager > Identity Manager Overview and search for drivers.

    e. Click the LDAP Driver object, then click it again in the Identity Manager Driver Overview page.

    f. In the Keystore Path parameter, enter the complete path to the .keystore file.

  6. Enable the driver’s SSL parameter and adjust the other SSL parameters as needed. For information, see Driver Parameters.
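As an added example that is not part of this documentation or the driver, the shell script below performs Step 5a or 5b from the command line and then checks the keystore before its path is entered in iManager. It assumes keytool from jre/bin is on the PATH; KEYSTORE and ALIAS are names chosen for the script, and for a PKCS12 file ALIAS must match the entry name inside that file (the <keyAlias> placeholder above).

```shell
#!/bin/sh
# Added example, not from the driver documentation. Imports the signer
# certificate into the .keystore file the driver reads (Step 5a or 5b),
# then checks that the alias is present before Keystore Path is set.
# Assumptions: keytool from jre/bin is on the PATH; KEYSTORE and ALIAS
# are names chosen here, not driver parameters.
KEYSTORE="${KEYSTORE:-.keystore}"
ALIAS="${ALIAS:-TrustedRoot}"

# Classify the certificate file: pkcs12 (by .p12/.pfx extension), base64
# (PEM header in the first bytes), or der (any other binary file).
cert_format() {
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
  case "$1" in
    *.p12|*.pfx|*.P12|*.PFX) echo pkcs12; return 0 ;;
  esac
  if head -c 30 "$1" | grep -q -e '-----BEGIN'; then
    echo base64
  else
    echo der
  fi
}

# Run the keytool command that matches the format. No -storepass is passed:
# keytool prompts for the password, so it does not land in shell history or
# process listings as it does with -storepass on the command line.
import_trusted_root() {
  cert="$1"
  fmt="$(cert_format "$cert")" || return 1
  if [ "$fmt" = pkcs12 ]; then
    # Step 5a: copy the named entry out of the PKCS12 container.
    keytool -importkeystore -srckeystore "$cert" -srcstoretype PKCS12 \
      -destkeystore "$KEYSTORE" -srcalias "$ALIAS" -destalias "$ALIAS"
  else
    # Step 5b: show the fingerprint so it can be compared with the value
    # published by the CA, then import; keytool asks whether to trust it.
    keytool -printcert -file "$cert"
    keytool -import -alias "$ALIAS" -file "$cert" -keystore "$KEYSTORE"
  fi
}

# Confirm the entry exists before pointing the Keystore Path parameter at it.
verify_keystore() {
  keytool -list -keystore "$KEYSTORE" -alias "$ALIAS"
}

# Usage: sh import_signer.sh /tmp/PublicKeyCert.b64   (the copy from Step 4)
if [ $# -ge 1 ]; then
  import_trusted_root "$1" && verify_keystore
fi
```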