[SRC] Enabling LDAPS for both JDB and external LDAP server

  [KB33948]


This article provides an update on LDAPS support for JDB and an external LDAP server in SRC.


In most scenarios, the subscriber repository is stored on an external LDAP server. A common external LDAP server is the Sun ONE Directory Server.

JDB, which is internal to SRC, stores all system-related configuration.

Given this, how do you enable LDAPS for both JDB and an external LDAP server?


LDAPS on external LDAP Server, which generally stores the subscriber repository

LDAPS for the subscriber repository on the external LDAP server (Sun ONE Directory Server, for example) is supported in existing SRC versions without any patch or code changes.

The procedure to enable LDAPS for the subscriber repository is as follows:

  1. Export the server CA certificate from the external LDAP Server (Sun ONE Directory Server). Check the Sun ONE documentation on how to export the server CA certificate.
  2. Import the above certificate into SRC by using the following command. While importing the certificate, make sure to add it as a trusted CA.

root@src# run request security import-certificate identifier <cert-id> file-name <file-name> 
Version: 3
Serial Number: 115306
Signature Algorithm: MD5withRSA
Issuer: CN=CAcert
Valid From: Wed Aug 09 11:54:40 UTC 2017
Valid Until: Mon Aug 09 11:54:40 UTC 2027
Subject: CN=CAcert
Public key: RSA
Thumbprint Algorithm: SHA1
Thumbprint: a 14 98 b6 bf 3e d2 46 e4 14 c8 7e 5f c0 25 e6 74 b5 96 e7
Do you want to add the above certificate as a trusted CA [yes,no] ? (no) yes

  1. Use the following command to export the CA certificate with the "certutil" tool.

certutil -L -d <certificate directory> -P <database prefix> -n "<certificate nick name>" -a > <outputfile name>


  • <certificate directory> is the ServerRoot/alias. To know more about the default path of ServerRoot, refer to

  • <database prefix> is the prefix of the certificate database file. Usually it is slapd-<YourServerID>-.

  • <certificate nick name> is the nickname of the certificate to export. You can get the nicknames of available certificates by using the certutil -L -d <certificate directory> -P <database prefix> command.

Refer to the following link for more information about SunONE’s SSL and certificates configurations:

  1. Configure external directory details for the subscriber repository under the following level:

set shared sae group <sae group name> configuration ldap subscriber-data port-number 636
set shared sae group <sae group name> configuration ldap subscriber-data ldaps
set shared sae group <sae group name> configuration ldap subscriber-data server-address <external LDAP server address>
  1. Restart SAE after performing the above steps. 

LDAPS for JDB (internal LDAP to SRC), which stores all system-related info/config

The local JDB does not have LDAPS support because all communication with the JDB on localhost is looped back and does not need to be secured.
