Scope
- If using LDAP for authentication it is possible to secure the connection with starttls
- This article describes the steps required to set up communication with starttls
Prerequisites
- The Java Keytools is installed with your Java JRE.
- Your LDAP server is configured to use starttls
- When using
starttlsyour LDAP Realm configuration in the shiro configuration file containsldapRealm.useStartTls=true
Set up a secure connection to your LDAP Server
This configuration is applied in order to enable starttls in the communication to the LDAP Server.
In the following the placeholders JOC_HOME, JETTY_HOME and JETTY_BASE are used which locate three directories. If you install Jetty with the JOC installer then
JOC_HOMEis the installation path which is specified during the JOC Cockpit installation:- C:\Program Files\sos-berlin.com\joc (default on Windows)
- /opt/sos-berlin.com/joc (default on Linux)
JETTY_HOME=JOC_HOME/jettyJETTY_BASEis Jetty's base directory which is specified during the JOC Cockpit installation:- C:\ProgramData\sos-berlin.com\joc (default on Windows)
- /home/<setup-user>/sos-berlin.com/joc (default on Linux)
Step 1: Create the Java Keystore for Jetty
- Create the Java Keystore using the Keytools from your Java JRE.
- Generate the Java Keystore with the private key and certificate for Jetty and export the certificate to the Keystore that is later on used by the browsers.
Example
Sample for generate Keystore with private key and certificatekeytool -genkey -alias "joc" -dname "CN=jocHost,O=myCompany" -validity 1461 -keyalg RSA -keysize 1024 -keypass secret_key -keystore "JETTY_BASE/etc/joc.jks" -storepass secret_store
Explanations
- Replace the
JETTY_BASEplaceholder as specified above. - The
-dnameoption specifies the certificate issuer, therefore use your own set of CN, OU, DC that specify the issuer's distinguished name. The O setting is required for the issuer. - The
-keypassoption accepts the password that you will need later on to manage your private key. - The
-keystoreoption specifies the location of your Keystore file. - The
-storepassoption specifies the password for access to your Keystore file.
- Replace the
- Generate the Java Keystore with the private key and certificate for Jetty and export the certificate to the Keystore that is later on used by the browsers.
Step 2: Configure Jetty
Edit the following entries in the
JETTY_BASE/resources/joc/joc.propertiesconfiguration file corresponding to the Java Keystore:############################################################################### ### Location of the Java trustore which contains the certificates of each ### JobScheduler Master for HTTPS connections. Path can be absolute or relative ### to this file. truststore_path = ../../etc/joc.jks
Explanations- Specify the location of the Truststore with the
truststore_pathsetting. A location relative to theJETTY_BASEdirectory can be specified.
- Specify the location of the Truststore with the
Step 3: Import your certificat to the JOC Cockpit Web Service Truststore
The following steps are performed on the server that hosts the JOC Cockpit.
Example
Sample for import master certificatekeytool -importcert -noprompt -file "my_LDAP_Certificate.pem" -alias "my_alias" -keystore "JETTY_BASE/etc/joc.jks" -storepass secret_store -trustcacerts