3.2.8 Security settings for communication with the LDAP directory server

Before you begin

• Use a secure method to acquire the SSL server certificate to be imported.

• Check the path of the SSL server certificate to be imported.

• Check the path of the truststore file.

  In Windows:

  Common-Component-installation-folder\conf\sec\ldapcacerts

  In Linux:

  Common-Component-installation-directory/conf/sec/ldapcacerts

• Check the access password for the truststore. If the truststore already exists, check the password you specified when you created it.

• The SSL server certificate you are importing must have the following conditions:

  • The format is PEM or DER.
  • The certificates of all certificate authorities from the certificate authority that issued the SSL server certificate of the LDAP directory server to the root certificate authority are chained.
  • The same host name as the CN of the SSL server certificate of the LDAP directory server is specified in "auth.ldap.server-identifier.host" in the Configuration file for external authentication server linkage.

Procedure to import SSL server certificate to truststore of Common Component

You can import an SSL server certificate into the truststore of the Common Component by executing a command. To import an SSL server certificate into the truststore of the Common Component:

1. Execute the following command:

   In Windows:

   Common-Component-installation-folder\bin\hcmds64keytool -import -alias alias-name -file SSL-server-certificate-path -keystore truststore-file-path -storepass truststore-accesspassword

   In Linux 6, Linux 7, SUSE Linux 12:

   Common-Component-installation-directory/uCPSB/jdk/bin/keytool -import -alias alias-name -file SSL-server-certificate-path -keystore truststore-file-path -storepass truststore-accesspassword

   In Linux 8:

   Common-Component-installation-directory/uCPSB11/jdk/bin/keytool -import -alias alias-name -file SSL-server-certificate-path -keystore truststore-file-path -storepass truststore-accesspassword -storetype JKS

   Important

   Note the following points when you specify alias-name, truststore-file-path, and truststore-accesspassword by using the hcmds64keytool or keytool command:

   • For alias-name, specify the name used to identify the certificate within the truststore. If there are multiple SSL server certificates, specify an alias that is not already in use in the truststore.

   • The following symbols cannot be used in truststore-file-path:

     Colons (:), commas (,), semicolons (;), asterisks (*), question marks (?), double quotation marks ("), left and right angle brackets (< and>), vertical bars (|), and hyphens (-)

   • Specify truststore-file-path as a character string of 255 bytes or fewer.

   • Double quotation marks (") cannot be used in alias-name or truststore-access-password.

2. Restart the JP1/AO server.

Procedure to check SSL server certificate of truststore of Common Component

Procedure to delete SSL server certificate imported into truststore of Common Component

You can delete an SSL server certificate imported into the truststore of the Common Component by executing a command. To delete an SSL server certificate imported into the truststore of the Common Component:

1. Execute the following command:

   In Windows:

   Common-Component-installation-folder\bin\hcmds64keytool -delete -alias alias-name -keystore truststore-file-path -storepass truststore-accesspassword

   In Linux 6, Linux 7, SUSE Linux 12

   Common-Component-installation-directory/uCPSB/jdk/bin/keytool -delete -alias alias-name -keystore truststore-file-path -storepass truststore-accesspassword

   In Linux 8:

   Common-Component-installation-directory/uCPSB11/jdk/bin/keytool -delete -alias alias-name -keystore truststore-file-path -storepass truststore-accesspassword

2. Restart the JP1/AO server.