

LDAPS Connections

The SAE supports LDAPS (LDAP over SSL) connections to the directory server. LDAPS is not a standard, but it is well supported by most directories, including OpenLDAP, Sun ONE Directory Server, and DirX. Secure channels protected by SSL are useful for such purposes as sending and receiving attributes that contain passwords and keys.

The SAE employs multiple directory connections for its components. For example, the UserDataManager and ServiceDataManager components each have their own independent directory connections. The SAE is capable of simultaneous LDAP and LDAPS connections, so you can configure the SAE to use LDAPS for some directory connections and LDAP for other directory connections. For example, if you want the data exchanged between UserDataManager and the directory to be more secure, you can configure the connection to use LDAPS.

For public data that does not require the security of SSL (such as the ServiceDataManager's directory connection), you can configure LDAP rather than LDAPS. LDAPS connections use more CPU and network bandwidth resources than LDAP connections and are slower than LDAP connections.

When a directory client initiates an LDAPS connection, the SSL connection is established if the client trusts the X.509 SSL server certificate sent by the server. The server requires a bind DN and password to authenticate the client before it establishes the LDAP connection over SSL. The client then sends data over the SSL connection. The SDX software does not support certificate authentication for directory clients. The following steps illustrate the authentication and connection sequence:

  1. The directory client initiates an LDAPS connection.
  2. The directory server sends its X.509 SSL server certificate, which was issued by a certificate authority.
  3. The client checks the certificate against its trust certificate store. If the certificate chains to a CA in that store, the certificate is trusted.
  4. The client proceeds with establishing the SSL connection.
  5. When the SSL connection is up, the client sends the bind DN and password to the server to establish the LDAP connection.
  6. The server authenticates the client and establishes the LDAP over SSL connection.

Configuring LDAPS

To configure LDAPS connections:

  1. Configure the directory server to support LDAPS connections to directory clients.
  2. Ensure that the directory clients trust the CA that issued the server certificate.
  3. Configure the SAE to find the trust certificate store.
  4. Configure the SAE to use LDAPS to communicate with the directory server.

Configuring the Directory Server

You must configure your directory server to support SSL connections. This configuration consists of setting up the directory server with an X.509 SSL server certificate and enabling SSL. Typically, you must first obtain a signed certificate for the directory server from a CA, install the certificate for the server, and configure the directory server to trust the CA's certificate. Then, follow your directory server documentation to enable SSL; the procedure varies among directory servers.

There are many well-known CAs. You can also set up your own CA to sign the directory certificate. The CA must be trusted by the directory clients that are going to use LDAPS to communicate with the directory. Many tools are available to set up a CA; one such is OpenSSL (http://www.openssl.org).

Establishing Trust

Each directory client must have a certificate database and must trust the CA. Otherwise, the client will be unable to use the SSL connection to the directory server.

Java applications, such as the SAE, implicitly trust certificates stored in the /jre/lib/security/cacerts certificate file, which is a JRE system-wide certificate trust store. By default, the file contains certificates from some well-known CAs. If a certificate for the CA that you use for the directory server is available in cacerts, you can skip this step. View the file on the host where you installed the JRE.

If your CA is not in cacerts, you can import it into this file or into any certificate store that is in the JKS format (supported by the Java 2 SDK). All Java applications running in a given JRE trust all CAs present in the cacerts file.

In some circumstances you might want the CA certificate to be located elsewhere. For example, suppose you want your SAE to trust only the certificate of the CA that signs the directory server's certificate. Another case is when you do not want other applications running in the same JRE to trust that CA's certificate. In either case, use the Java keytool to import the CA's certificate into a store other than the default cacerts file. The following example imports the CA certificate ca.crt into a trust store named ldapclient.keystore.

keytool -import -v -trustcacerts -alias saeldap -noprompt -file ./ca.crt -keystore ldapclient.keystore -storepass zaqwsx

See http://java.sun.com/j2se/1.4.1/docs/tooldocs/solaris/keytool.html for more information.

Configuring the SAE to Find the Certificate Store

If you are using a certificate file other than the default, then specify the name and path of the file in the Security.ssl.trustcertstore property in the /opt/UMC/ssp/etc/default.properties file. The following example points to the trustcerts file:

Security.ssl.trustcertstore = /opt/UMC/ssp/etc/trustcerts

To have the SAE use the default cacerts file instead, comment out the Security.ssl.trustcertstore property.

Configuring LDAPS Communication

To enable an LDAPS connection for an SAE component, set its security protocol property to ldaps. To disable an LDAPS connection for that component, comment out the property. Table 27 lists some SAE components and their corresponding LDAP configuration properties.

Table 27: SAE security protocol properties

SAE Component                Security Protocol Property
---------------------------  ------------------------------------------------------------
Configuration Manager        Conf.directory.security.protocol
User Data Manager            UserDataSource.repository.ldap.server.security.protocol
Equipment Data Manager       UserCacheDataSource.repository.ldap.server.security.protocol
Service Data Manager         ServiceDataSource.repository.ldap.server.security.protocol
LDAP Authentication Plug-in  Plugin.ldapAuth.securityProtocol
EASP User Data Manager       ent.repository.ldap.subscriber.manager.security.protocol
EASP Service Data Manager    ent.repository.ldap.service.manager.security.protocol
License Manager              LicenseMgr.repository.ldap.server.security.protocol

By default, directory servers use port 389 to accept an LDAP connection. For LDAPS connections, the default port number is 636, but you can use a different number. You must set the server port number in the server port properties of the SAE components listed in Table 28.

Table 28: SAE server port properties

SAE Component                Server Port Property
---------------------------  ---------------------------------------------
Configuration Manager        Conf.directory.port
User Data Manager            UserDataSource.repository.ldap.server.port
Equipment Data Manager       UserCacheDataSource.repository.ldap.server.port
Service Data Manager         ServiceDataSource.repository.ldap.server.port
EASP User Data Manager       ent.repository.ldap.subscriber.server.port
EASP Service Data Manager    ent.repository.ldap.service.server.port
License Manager              LicenseMgr.repository.ldap.server.port


Modifying Properties for LDAPS

You can modify the following properties by editing /opt/UMC/ssp/etc/default.properties:

Select the configuration object file in SDX Admin under I=SAE,ou=staticConfiguration,ou=Configuration,o=Management,o=umc to modify any of the following properties:

Select the configuration object file in SDX Admin under I=EASP,ou=staticConfiguration,ou=Configuration,o=Management,o=umc to modify either of the following properties:

