SSL
Added by Endi S. Dewata, last edited by Endi S. Dewata on Jul 15, 2008


Introduction

This page describes how to configure Penrose to accept LDAP connections over SSL. To configure Penrose to use SSL when connecting to data sources see Connections.

Java 1.5

SSL is only supported with Java 1.5 or later. Make sure the JAVA_HOME environment variable points to the correct JDK version.

SSL Certificate

To configure SSL you need to obtain an SSL certificate from a Certificate Authority (CA) such as VeriSign or Thawte, or create a self-signed certificate.

To generate a private key and create a self-signed certificate:

cd PENROSE_SERVER_HOME
keytool -genkey -keyalg RSA -alias penrose -keystore conf/penrose.keystore

Note: you can change the alias and the keystore name/location.

Verify your certificate:

keytool -list -keystore conf/penrose.keystore

If you have an existing certificate with its private key you can convert it to PKCS12:

openssl pkcs12 -export -inkey private.pem -in certificate.pem -out conf/penrose.p12

The PKCS12 certificate can be used by OpenDS.

Apache DS Service

See Apache DS.

OpenDS Service

See OpenDS Service.

Verification

Restart Penrose Server, then connect with an LDAP client that supports SSL.

When using the OpenLDAP client, you have to install the CA certificate or the server certificate first. If your certificate is stored in a keystore file, you need to export it using the following command:

keytool -export -alias penrose -keystore conf/penrose.keystore -file penrose.pem -rfc

Edit /etc/openldap/ldap.conf, check the TLS_CACERTDIR parameter. If it has not been set previously, add the following line:

TLS_CACERTDIR /etc/openldap/cacerts

Copy the certificate into the directory specified by the TLS_CACERTDIR parameter. Then execute the following command:

c_rehash /etc/openldap/cacerts

If for some reason the above method does not work, try using the TLS_CACERT parameter (instead of TLS_CACERTDIR) to specify the certificate file directly:

TLS_CACERT /etc/openldap/cacerts/penrose.pem

Now you can search Penrose using the following command:

ldapsearch -H ldaps://localhost:10636 -x -b "" -s base

It should return the Root DSE.

You can also verify the certificate returned by Penrose by issuing the following command:

openssl s_client -connect localhost:10636 -showcerts

Press Ctrl-C to stop the program.
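The s_client check above still leaves you to compare the printed certificate by eye. The script below is an added example (not part of the Penrose documentation or code) that performs the same verification the OpenLDAP client does with TLS_CACERT set to penrose.pem: it trusts only the exported certificate, checks the host name, and confirms that the certificate served on port 10636 is byte-for-byte the one exported from conf/penrose.keystore. It assumes penrose.pem (exported with the keytool command above) is in the current directory and that the "first and last name" you gave keytool (the certificate's CN) is the host name you connect to, here localhost.

```python
import base64
import hashlib
import socket
import ssl

# Defaults follow the page: ldaps://localhost:10636 and the penrose.pem
# exported from conf/penrose.keystore with keytool -export -rfc.
HOST, PORT, CA_FILE = "localhost", 10636, "penrose.pem"

def pem_to_der(pem_text):
    """Decode the first CERTIFICATE block of a PEM string to raw DER bytes."""
    body, inside = [], False
    for line in pem_text.strip().splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            inside = True
        elif line.startswith("-----END CERTIFICATE-----"):
            break
        elif inside:
            body.append(line.strip())
    if not body:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(body))

def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form keytool/openssl print."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def certs_match(expected_pem, served_der):
    """True when the served certificate is byte-for-byte the exported one."""
    return fingerprint(pem_to_der(expected_pem)) == fingerprint(served_der)

def fetch_server_cert(host, port, ca_file):
    """TLS handshake with the LDAPS port, trusting only ca_file (the same
    anchor TLS_CACERT gives the OpenLDAP client) and checking the host name.
    Returns (DER certificate presented by the server, negotiated protocol)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.version()

if __name__ == "__main__":
    with open(CA_FILE) as f:
        expected = f.read()
    served, proto = fetch_server_cert(HOST, PORT, CA_FILE)
    print(proto, fingerprint(served))
    print("MATCH" if certs_match(expected, served) else "MISMATCH")
```

A handshake failure here means the exported certificate, the host name, or both do not match what Penrose serves, which is the same condition that makes ldapsearch over ldaps:// fail.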
