Product Knowledge Base

Space shortcuts

Page tree

Versions Compared

Old Version 16

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version Current

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • The Java Keytools is installed with your Java JRE.
  • Your LDAP server is configured to use STARTTLS.

  • When using starttls your LDAP realm configuration in the shiro.ini configuration file should contain ldapRealm.useStartTls=true as in the following example:

    Code Block
    languagetext
    ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.contextFactory.url = ldap://myHost:389 
ldapRealm.useStartTls=true
 
securityManager.realms = $ldapRealm

...

Flowchart
JOC [label="   JOC Cockpit   ",fillcolor="lightskyblue"]
LDAP [label="   LDAP Server   ",fillcolor="lightskyblue"]
 
JOC_Truststore [label="JOC Cockpit Truststore\n./jetty_base/etc/joc.jks\nCA certificates\nLDAP server public certificate",fillcolor="orange"]
LDAP_Keystore [label="LDAP Server Keystore\nLDAP Server Private Key",fillcolor="orange"]

CA_RootCertificate [shape="ellipse",shape="ellipse",label="CA Root Certificate",fillcolor="white"]
CA_IntermediateCertificate [shape="ellipse",label="CA Intermediate Certificate",fillcolor="white"]

LDAP_PrivateKey [shape="ellipse",label="LDAP Server Private Key",fillcolor="white"]
LDAP_Keystore_Certificate [shape="ellipse",label="LDAP Server Public Certificate",fillcolor="white"]
LDAP_Truststore_Certificate [shape="ellipse",label="LDAP Server Public Certificate",fillcolor="white"]

LDAP -> LDAP_Keystore 
LDAP -> LDAP_Truststore_Certificate [label=" transfer to JOC Cockpit            "] 
LDAP_Keystore -> LDAP_PrivateKey -> LDAP_Keystore_Certificate [label=" in keystore "]

# JOC -> LDAP [label=" establish LDAP connection "]
JOC -> JOC_Truststore
JOC_Truststore -> CA_RootCertificate -> CA_IntermediateCertificate [label=" add to truststore "]
CA_IntermediateCertificate -> LDAP_Truststore_Certificate [label=" add to truststore "]

...

    • Example for import of a public certificate to a JOC Cockpit Truststore in JKS format:

      Code Block
      languagetextbash
      titleExmple for import of LDAP Server public certificate to JKS Keystore
      # import LDAP server public certificate to a truststore (joc.jks) by specifying the certificate file (ldap-certificate.crt) and alias name (ldap)
keytool -importcert -noprompt -file "ldap-certificate.crt" -alias "ldap" -keystore "JETTY_BASE/etc/joc.jks" -storepass secret_store -trustcacerts

    • Example for import of a public certificate to a JOC Cockpit Truststore in PKCS12 format:

      Code Block
      languagetextbash
      titleExmple for import of LDAP Server public certificate to PKCS12 Keystore
      # import LDAP server public certificate to a truststore (joc.p12) by specifying the certificate file (ldap-certificate.crt) and alias name (ldap)
keytool -importcert -noprompt -file "ldap-certificate.crt" -alias "my_aliasldap" -keystore "JETTY_BASE/etc/joc.p12" -storetype pkcs12 -storepass secret_store -trustcacerts
  • The -keystore option specifies the location of your Truststore file.
  • The -storepass option specifies the password for access to your Truststore file.
  • The public certificate file ldap-ertificate.crt has been created on should be available from the LDAP server. Transfer this file to the JOC Cockpit server. Alternatively the public certificate can be requested on-the-fly.

    • Example for export request of public certificate:
       

      Code Block
      languagetextbash
      titleExample for export request of public certificate from LDAP server
      # connect to the LDAP server 
certutil -S -n "SOS_LDAP" -s "cn=myCn" -c "SOS_LDAP CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -k rsa
certutil -L -d . -n "SOS_LDAP CA certificate" -a > ldap-certificate.crt(ldap_server) with the available port (636), in the server response you should find the public certificate that you can copy & paste to a certificate file
openssl s_client -connect ldap_server:636
  • If the public certificate is signed by a CA then the certificate should include the certificate chain of CA Root Certificate and CA Intermediate Certificate. Otherwise it might be required to concatenate the certificates into one file, for example:


    Code Block
    languagebash
    titleExample for export of public certificate
    # concatenate CA root certificate and CA intermediate certificate to a single CA Bundle certificate file (ca-bundle.crt)
cat RootCACertificate.crt > certificates.crt
cat CACertificate.crt >> certificates.crt
cat ldap-certificate.crt >> certificates.crt

# import LDAP server public certificate and certificate chain to a truststore (joc.jks) by specifying the certificate file (ldap-certificate.crt) and alias name (ldap)
keytool -importcert -noprompt -file "certificates.crt" -alias "ldap" -keystore "JETTY_BASE/etc/joc.jks" -storepass secret_store -trustcacerts

Configure JOC Cockpit Truststore

...