Skip to end of metadata
Go to start of metadata

Scope

  • If using LDAP for authentication it is possible to secure the connection with STARTTLS.
  • This article describes the steps required to set up communication with STARTTLS.

Prerequisites

  • The Java Keytools is installed with your Java JRE.
  • Your LDAP server is configured to use STARTTLS.
  • When using starttls your LDAP realm configuration in the shiro.ini configuration file contains:
    ldapRealm.useStartTls=true

Set up a secure connection to your LDAP Server 

This configuration is applied in order to enable STARTTLS in the communication to the LDAP Server.

In the following the placeholders JOC_HOMEJETTY_HOME and JETTY_BASE are used which locate three directories. If you install Jetty with the JOC installer then

  • JOC_HOME is the installation path which is specified during the JOC Cockpit installation:
    • C:\Program Files\sos-berlin.com\joc (default on Windows)
    • /opt/sos-berlin.com/joc (default on Linux)
  • JETTY_HOME = JOC_HOME/jetty
  • JETTY_BASE is Jetty's base directory which is specified during the JOC Cockpit installation:
    • C:\ProgramData\sos-berlin.com\joc (default on Windows)
    • /home/<setup-user>/sos-berlin.com/joc (default on Linux)

Step 1: Create the Java Keystore for Jetty

  • Create the Java Keystore using the Keytools from your Java JRE.
    • Generate the Java Keystore with the private key and certificate for Jetty and export the certificate to the Keystore that is later on used by the browsers. Please note that probably you have to create the directory JETTY_BASE/etc
      • Example

        Sample for generate Keystore with private key and certificate

        Explanations

        • Replace the JETTY_BASE placeholder as specified above.
        • The -dname option specifies the certificate issuer, therefore use your own set of CN, OU, DC that specify the issuer's distinguished name. The O setting is required for the issuer.
        • The -keypass option accepts the password that you will need later on to manage your private key. 
        • The -keystore option specifies the location of your Keystore file.
        • The -storepass option specifies the password for access to your Keystore file.

 

Step 2: Configure Jetty

  • Edit the following entries in the JETTY_BASE/resources/joc/joc.properties configuration file corresponding to the Java Keystore:


    Explanations

    • Specify the location of the Truststore with the truststore_path setting. A location relative to the JETTY_BASE directory can be specified.

     

Step 3: Import your certificate to the JOC Cockpit Web Service Truststore

The following steps are performed on the server that hosts the JOC Cockpit.

    • Example

      Sample for import master certificate
  • No labels