
Scope

  • If using LDAP for authentication it is possible to secure the connection with STARTTLS.
  • This article describes the steps required to set up communication with STARTTLS.

Prerequisites

  • The Java Keytools is installed with your Java JRE.
  • Your LDAP server is configured to use STARTTLS.
  • When using STARTTLS, your LDAP realm configuration in the shiro.ini configuration file contains:
    ldapRealm.useStartTls=true

Set up a secure connection to your LDAP Server

This configuration enables STARTTLS for the communication between JOC Cockpit and the LDAP server.

In the following, the placeholders JOC_HOME, JETTY_HOME and JETTY_BASE are used; they refer to three directories. If you install Jetty with the JOC installer then

  • JOC_HOME is the installation path which is specified during the JOC Cockpit installation:
    • C:\Program Files\sos-berlin.com\joc (default on Windows)
    • /opt/sos-berlin.com/joc (default on Linux)
  • JETTY_HOME = JOC_HOME/jetty
  • JETTY_BASE is Jetty's base directory which is specified during the JOC Cockpit installation:
    • C:\ProgramData\sos-berlin.com\joc (default on Windows)
    • /home/<setup-user>/sos-berlin.com/joc (default on Linux)

Step 1: Create a Truststore and import your certificate into the JOC Cockpit Web Service Truststore

The following steps are performed on the server that hosts the JOC Cockpit.

You can reuse the Java Keystore that is created together with the private key for the HTTPS support in Jetty. Please note that you will probably have to create the directory JETTY_BASE/etc first.

  • Example: sample for importing the master certificate
  • The -keystore option of keytool specifies the location of your Truststore file.
  • The -storepass option of keytool specifies the password for access to your Truststore file.
  • The file my_LDAP_Certificate.pem has been created on the LDAP server, e.g. with the NSS certutil tool as shown below. Transfer this file to the JOC Cockpit host.
    • certutil -S -n "SOS_LDAP" -s "cn=myCn" -c "SOS_LDAP CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -k rsa
    • certutil -L -d . -n "SOS_LDAP CA certificate" -a > my_LDAP_Certificate.pem

Step 2: Configure Jetty

  • Edit the following entries in the JETTY_BASE/resources/joc/joc.properties configuration file so that they correspond to the Java Keystore created in Step 1:

    Explanations

    • Specify the location of the Truststore with the truststore_path setting. A location relative to the JETTY_BASE directory can be specified.
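As an added example that is not part of the original article or of JOC Cockpit, the following Python pre-flight script covers both steps above: it parses shiro.ini and joc.properties as plain key=value lines, checks that ldapRealm.useStartTls is set, resolves truststore_path against JETTY_BASE as the article describes, validates the transferred PEM file, and builds the standard keytool -importcert command for the truststore. The key=value parsing and the keytool option set are assumptions of this example, not taken from the page.

```python
import os
import ssl

def parse_properties(text):
    """Parse key=value lines (shiro.ini / joc.properties style); skip blanks, comments, [sections]."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def resolve_truststore(jetty_base, truststore_path):
    """truststore_path may be relative; the article states it is resolved against JETTY_BASE."""
    if os.path.isabs(truststore_path):
        return os.path.normpath(truststore_path)
    return os.path.normpath(os.path.join(jetty_base, truststore_path))

def pem_is_certificate(pem_text):
    """True if the transferred file holds a PEM certificate block that decodes to DER bytes."""
    try:
        ssl.PEM_cert_to_DER_cert(pem_text.strip())
    except ValueError:  # missing header/footer or invalid base64
        return False
    return True

def keytool_import_command(truststore, storepass, pem_file, alias):
    """Standard keytool invocation importing the LDAP CA certificate into the truststore (assumed)."""
    return ["keytool", "-importcert", "-noprompt", "-trustcacerts", "-alias", alias,
            "-file", pem_file, "-keystore", truststore, "-storepass", storepass]

def check_starttls_setup(shiro_ini, joc_properties, jetty_base, file_exists=os.path.isfile):
    """Return a list of findings; an empty list means both files agree with the article."""
    findings = []
    shiro = parse_properties(shiro_ini)
    joc = parse_properties(joc_properties)
    if shiro.get("ldapRealm.useStartTls", "").lower() != "true":
        findings.append("shiro.ini: ldapRealm.useStartTls must be true")
    path = joc.get("truststore_path")
    if not path:
        findings.append("joc.properties: truststore_path is not set")
    else:
        resolved = resolve_truststore(jetty_base, path)
        if not file_exists(resolved):
            findings.append("truststore not found at " + resolved)
    return findings
```

Pass the list returned by keytool_import_command to subprocess.run once the PEM file has been validated; an empty result from check_starttls_setup means the configuration files are consistent with the steps above.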