How to use SSL with the LDAP bridge

  1. Configure the properties on the LDAP Bridge Admin console. First you must set the "Use SSL" setting in the admin console to "Yes", then make sure the LDAP port number you're connecting to is the port the LDAP server is using for SSL connections (typically this is port 636 or 10636 for ApacheDS.) Depending on who issued your SSL certificate, you might get away skipping to step four, restarting your Java application server. Most people will likely need to proceed to step 2.

  2. Export the CA Root certificate from your LDAP server. How to do this will vary depending on which LDAP server you're using. It might also be a simple matter of asking your LDAP administrator for the CA Root certificate. Below are some links to sites that show how to do this for a few common LDAP servers. Active Directory: ApacheDS: (the 'other clients, Java programs using JDNI' section is the specifically helpful section of the page.) OpenLDAP: OpenLDAP has a sldap.conf file that says exactly where the CA Root certificate file is located on the file system in a format that is ready to use for the following step. Simply open your sldap.conf file, search for TLSCACertificateFile and copy the certificate file listed there.

  3. Import your CA Root certificate into the cacerts trusted keystore for your JRE running your Java application server. keytool -import -trustcacerts -file C:\path\to\ca\cert\from\ldap\server\retrieved\in\step\one\ca.pem -alias Any_Alias_Name_You_Want_Here -keystore C:\Path\To\Your\JAVA_HOME\Directory\Used\By\Your\Java_Application_Server\jre\lib\security\cacerts keytool is a command-line program that comes with Oracle/Sun Java JRE and JDK. You will need to first change to the directory (cd C:\Program Files\Java\Example\Path\to\JDK\bin) where the keytool program is located, as it typically is not added to the system PATH.

  4. Restart your Java application server. Once the CA Root certificate has been imported into the cacerts file, you can now restart your Java application server and the LDAP bridge should now be working with SSL to encrypt your communication.