3.2.8 Security settings for communication with the LDAP directory server
Security settings are required when startTLS is used as the protocol for connecting to the LDAP directory server. You must use the hcmds64keytool command (in Windows) or the keytool command (in Linux) to import the SSL server certificate into the truststore of the Common Component.

Tip
You do not need to perform this procedure if you do not use startTLS as the protocol for connecting to the LDAP directory server.
Before you begin
- Use a secure method to acquire the SSL server certificate to be imported.
- Check the path of the SSL server certificate to be imported.
- Check the path of the truststore file.
  In Windows:
    Common-Component-installation-folder\conf\sec\ldapcacerts
  In Linux:
    Common-Component-installation-directory/conf/sec/ldapcacerts
- Check the access password for the truststore. If the truststore already exists, check the password you specified when you created it.
- The SSL server certificate you are importing must meet the following conditions:
  - The format is PEM or DER.
  - The certificates of all certificate authorities, from the certificate authority that issued the SSL server certificate of the LDAP directory server up to the root certificate authority, are chained.
  - The host name specified in "auth.ldap.server-identifier.host" in the configuration file for external authentication server linkage is the same as the CN of the SSL server certificate of the LDAP directory server.
Procedure to import an SSL server certificate into the truststore of the Common Component
You can import an SSL server certificate into the truststore of the Common Component by executing a command. To import an SSL server certificate into the truststore of the Common Component:
- Execute the following command:
  In Windows:
    Common-Component-installation-folder\bin\hcmds64keytool -import -alias alias-name -file SSL-server-certificate-path -keystore truststore-file-path -storepass truststore-access-password
  In Linux 6, Linux 7, SUSE Linux 12:
    Common-Component-installation-directory/uCPSB/jdk/bin/keytool -import -alias alias-name -file SSL-server-certificate-path -keystore truststore-file-path -storepass truststore-access-password
  In Linux 8:
    Common-Component-installation-directory/uCPSB11/jdk/bin/keytool -import -alias alias-name -file SSL-server-certificate-path -keystore truststore-file-path -storepass truststore-access-password -storetype JKS

  Important
  Note the following points when you specify alias-name, truststore-file-path, and truststore-access-password in the hcmds64keytool or keytool command:
  - For alias-name, specify the name used to identify the certificate within the truststore. If there are multiple SSL server certificates, specify an alias that is not already in use in the truststore.
  - The following symbols cannot be used in truststore-file-path: colons (:), commas (,), semicolons (;), asterisks (*), question marks (?), double quotation marks ("), left and right angle brackets (< and >), vertical bars (|), and hyphens (-).
  - Specify truststore-file-path as a character string of 255 bytes or fewer.
  - Double quotation marks (") cannot be used in alias-name or truststore-access-password.
- Restart the JP1/AO server.
Procedure to check the SSL server certificates in the truststore of the Common Component
To list the SSL server certificates that have been imported into the truststore of the Common Component, execute the following command:
  In Windows:
    Common-Component-installation-folder\bin\hcmds64keytool -list -v -keystore truststore-file-path -storepass truststore-access-password
  In Linux 6, Linux 7, SUSE Linux 12:
    Common-Component-installation-directory/uCPSB/jdk/bin/keytool -list -v -keystore truststore-file-path -storepass truststore-access-password
  In Linux 8:
    Common-Component-installation-directory/uCPSB11/jdk/bin/keytool -list -v -keystore truststore-file-path -storepass truststore-access-password
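As an added example that is not part of the JP1/AO manual, the following Python builds the import command and the check command exactly as the two procedures above give them for each platform, and parses the output of the check command so that, as the Important note requires, an alias is confirmed to be unused before it is imported. The installation path, certificate path, password and the sample listing are constructed placeholders.

```python
from typing import Dict, List, Tuple

# keytool location and extra options per platform, as given in the procedures above.
# "{install}" stands for Common-Component-installation-folder (Windows) or -directory (Linux).
KEYTOOL: Dict[str, Tuple[str, List[str]]] = {
    "windows": (r"{install}\bin\hcmds64keytool", []),
    "linux7": ("{install}/uCPSB/jdk/bin/keytool", []),  # Linux 6, Linux 7, SUSE Linux 12
    "linux8": ("{install}/uCPSB11/jdk/bin/keytool", ["-storetype", "JKS"]),
}

def import_command(platform: str, install: str, alias: str, cert_path: str,
                   truststore: str, storepass: str) -> List[str]:
    """Build the import command as an argv list, so no shell quoting is involved."""
    exe, extra = KEYTOOL[platform]
    return [exe.format(install=install), "-import", "-alias", alias, "-file", cert_path,
            "-keystore", truststore, "-storepass", storepass, *extra]

def list_command(platform: str, install: str, truststore: str, storepass: str) -> List[str]:
    """Build the `-list -v` command used to inspect the truststore."""
    exe, _ = KEYTOOL[platform]
    return [exe.format(install=install), "-list", "-v",
            "-keystore", truststore, "-storepass", storepass]

def aliases_in_listing(listing: str) -> List[str]:
    """Extract alias names from `keytool -list -v` output (one 'Alias name:' line per entry)."""
    return [line.split(":", 1)[1].strip()
            for line in listing.splitlines() if line.startswith("Alias name:")]

def alias_is_free(listing: str, alias: str) -> bool:
    """True if the alias is not yet used in the truststore; keystore aliases are case-insensitive."""
    return alias.lower() not in {a.lower() for a in aliases_in_listing(listing)}

# Constructed sample of `keytool -list -v` output for a truststore that already holds one entry.
SAMPLE_LISTING = """\
Keystore type: JKS

Your keystore contains 1 entry

Alias name: ldapca
Creation date: Jan 1, 2024
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example
"""

if __name__ == "__main__":
    # Constructed placeholder values; substitute the real paths and password.
    listing_cmd = list_command("linux8", "/opt/jp1base", "/opt/jp1base/conf/sec/ldapcacerts", "changeit")
    print("would run:", " ".join(listing_cmd))
    print("ldapca2 free in sample listing:", alias_is_free(SAMPLE_LISTING, "ldapca2"))
```

Run the check command first, feed its output to alias_is_free, and only then run the import command; keytool will still ask interactively whether to trust the certificate unless you add its non-interactive option.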
Procedure to delete an SSL server certificate imported into the truststore of the Common Component
You can delete an SSL server certificate imported into the truststore of the Common Component by executing a command. To delete an SSL server certificate imported into the truststore of the Common Component:
- Execute the following command:
  In Windows:
    Common-Component-installation-folder\bin\hcmds64keytool -delete -alias alias-name -keystore truststore-file-path -storepass truststore-access-password
  In Linux 6, Linux 7, SUSE Linux 12:
    Common-Component-installation-directory/uCPSB/jdk/bin/keytool -delete -alias alias-name -keystore truststore-file-path -storepass truststore-access-password
  In Linux 8:
    Common-Component-installation-directory/uCPSB11/jdk/bin/keytool -delete -alias alias-name -keystore truststore-file-path -storepass truststore-access-password
- Restart the JP1/AO server.