Introduction
LDAP authentication for the JOC Cockpit relies on a connection between the LDAP server and the JOC Cockpit web services. It is likely to be desirable for this connection to be secured as it otherwise is vulnerable to, for example, a man-in-the-middle attack.
The LDAP server - web services connection can be secured using two commonly available protocols StartTLS and LDAPS.
Connection Content Encryption with StartTLS
StartTLS in an extension to the LDAP protocol which uses TLS protocol to encrypt communication. It works by establishing a normal - i.e. insecure - connection with the LDAP server before a handshake negotiation between the server and the web services is carried out. Here, the server sends its certificate to prove its identity before the secure connection is established. If a secure connection is not established, the connection will remain insecure and therefore vulnerable to man-in-the-middle attacks. StartTLS uses a secure port (e.g. 636) and a unsecured port (e.g. 389, the standard LDAP connection port).
Connection Encryption with LDAPS
LDAPS is a non-official protocol that in contrast with StartTLS only allows communication over a secure port such as 636. It establishes the secure connection before there is any communication with the LDAP serever. LDAPS generally provides protection against man-in-the-middle attacks and a higher level of security than StartTLS as it explicitly does not allow insecure LDAP connections.
Scope
- The current article describes the configuration of StartTLS for use with the JOC Cockpit web services. Users withing to implement LDAPS with the JOC Cockpit should refer to specialist literature.
Prerequisites for StartTLS
- The Java Keytools is installed with your Java JRE.
- Your LDAP server is configured to use STARTTLS.
- When using
starttlsyour LDAP realm configuration in the shiro.ini configuration file contains:ldapRealm.useStartTls=true
Set up a secure connection to your LDAP Server
This configuration is applied in order to enable STARTTLS in the communication to the LDAP Server.
In the following the placeholders JOC_HOME, JETTY_HOME and JETTY_BASE are used which locate three directories. If you install Jetty with the JOC installer then
JOC_HOMEis the installation path which is specified during the JOC Cockpit installation:- C:\Program Files\sos-berlin.com\joc (default on Windows)
- /opt/sos-berlin.com/joc (default on Linux)
JETTY_HOME=JOC_HOME/jettyJETTY_BASEis Jetty's base directory which is specified during the JOC Cockpit installation:- C:\ProgramData\sos-berlin.com\joc (default on Windows)
- /home/<setup-user>/sos-berlin.com/joc (default on Linux)
Step 1: Create Truststore and import your certificate to the JOC Cockpit Web Service Truststore
The following steps are performed on the server that hosts the JOC Cockpit.
You can use the Java Keystore that will be created with the private key for the HTTPS support in Jetty. Please note that probably you have to create the directory JETTY_BASE/etc
Example
Sample for import master certificatekeytool -importcert -noprompt -file "my_LDAP_Certificate.pem" -alias "my_alias" -keystore "JETTY_BASE/etc/joc.jks" -storepass secret_store -trustcacerts
- The
-keystoreoption specifies the location of your Truststore file. - The
-storepassoption specifies the password for access to your Truststore file. - The file my_LDAP_Certificate.pem has been created on the LDAP server. Transfer this file to the local machine.
certutil -S -n "SOS_LDAP" -s "cn=myCn" -c "SOS_LDAP CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -k rsa
certutil -L -d . -n "SOS_LDAP CA certificate" -a > my_LDAP_Certificate.pem
Step 2: Configure Jetty
Edit the following entries in the
JETTY_BASE/resources/joc/joc.propertiesconfiguration file corresponding to the Java Keystore:truststore_path = ../../etc/joc.jks
Explanations- Specify the location of the Truststore with the
truststore_pathsetting. A location relative to theJETTY_BASEdirectory can be specified.
- Specify the location of the Truststore with the