
SSL and TLS activation

LSC can encrypt communication with an LDAP server, using either the StartTLS operation (on the standard LDAP port, 389) or SSL (on a dedicated port, 636).

Configuring LSC

TLS (StartTLS operation)

You can use the startTLS extended operation to secure a connection on the standard 389 port. This feature is available since LSC 1.1.0.

To enable TLS on the LDAP connection, set the following property in lsc.properties:

dst.java.naming.tls = true

Replace “dst” with “src” above if necessary.

SSL

You can use SSL to create a secure tunnel. This requires using an ldaps:// URI in lsc.properties:

dst.java.naming.provider.url = ldaps://localhost/

Replace “dst” with “src” above if necessary.

Trusting the certificate

Choose one of the two options below to get your server's certificate trusted.

Global use: LSC will use system-wide JVM Truststore

First, add the CA certificate (the one that signed the LDAP server certificate) to the truststore of the JVM running LSC.

This procedure follows http://java.sun.com/products/jndi/tutorial/ldap/security/ssl.html#CLIENT

First, go to the security folder of your JVM installation:

cd /usr/java/jdk1.5.0_16/jre/lib/security/

Then import the CA certificate (assumed here to be in a file named cacert.pem):

../../bin/keytool -import -file /path/to/cacert.pem -keystore jssecacerts

Specific use: LSC will use its own truststore

The procedure is the same as above, except that LSC is pointed at its own truststore instead of the system-wide JVM truststore.

First, copy the JVM truststore to your LSC installation:

cp /usr/java/jdk1.5.0_16/jre/lib/security/cacerts /usr/local/lsc/etc

Then import the new certificate into this truststore:

/usr/java/jdk1.5.0_16/bin/keytool -import -file /path/to/certificate.pem \
  -keystore /usr/local/lsc/etc/cacerts

Now, edit the shell script that launches LSC synchronization tasks. We suppose this is /usr/local/lsc/bin/lsc. Replace the following line:

$JAVA_HOME/bin/java -cp $CLASSPATH org.lsc.Launcher $*

by this line:

$JAVA_HOME/bin/java -cp $CLASSPATH \
  -Djavax.net.ssl.trustStore=$CFG_DIR/cacerts \
  -Djavax.net.ssl.trustStorePassword=changeit \
  org.lsc.Launcher $*
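The whole "specific use" procedure above (copy the JVM truststore, import the CA, launch LSC with the javax.net.ssl properties) as one script, with the checks a practitioner would want before trusting the result. The keytool import is the same one used in the "global use" section. This is an added example, not LSC's own launcher script: the alias ldap-ca, the LSC_CFG_DIR and TRUSTSTORE_PASS environment overrides, the default JDK path and the is_pem_cert sanity check are assumptions of this example, not something the page specifies.

```shell
#!/bin/sh
# Added example, not LSC's own launcher: build a dedicated truststore for LSC
# and start LSC with the JVM pointed at it.
# Assumptions (not from the page): the alias "ldap-ca", the LSC_CFG_DIR and
# TRUSTSTORE_PASS environment overrides, and the JDK path fallback below.
set -eu

JDK_HOME="${JAVA_HOME:-/usr/java/jdk1.5.0_16}"
LSC_CFG_DIR="${LSC_CFG_DIR:-/usr/local/lsc/etc}"
TRUSTSTORE="$LSC_CFG_DIR/cacerts"
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-changeit}"   # "changeit" is the JDK's default cacerts password
CA_ALIAS="ldap-ca"

# Refuse anything that is not a PEM certificate before handing it to keytool.
is_pem_cert() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# Step 1 of the page: seed LSC's truststore from the JDK one, so the public CAs
# the JDK already trusts stay trusted by LSC.
seed_truststore() {
    if [ ! -f "$TRUSTSTORE" ]; then
        cp "$JDK_HOME/jre/lib/security/cacerts" "$TRUSTSTORE"
        chmod 0644 "$TRUSTSTORE"
    fi
}

# Step 2 of the page: import the CA that signed the LDAP server certificate.
# -noprompt skips keytool's interactive "Trust this certificate?" question.
import_ca() {
    cert="$1"
    is_pem_cert "$cert" || { echo "not a PEM certificate: $cert" >&2; return 1; }
    "$JDK_HOME/bin/keytool" -importcert -noprompt -trustcacerts \
        -alias "$CA_ALIAS" -file "$cert" \
        -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS"
}

# Check that the alias really landed in the truststore before relying on it.
verify_ca() {
    "$JDK_HOME/bin/keytool" -list -alias "$CA_ALIAS" \
        -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS" >/dev/null
}

# The two JVM properties the page adds to the launcher line, as one string.
truststore_opts() {
    printf '%s %s' "-Djavax.net.ssl.trustStore=$1" "-Djavax.net.ssl.trustStorePassword=$2"
}

# Step 3 of the page: the java command line the launcher should run.
run_lsc() {
    # word-splitting of $(truststore_opts ...) into two -D options is intended here
    exec "$JDK_HOME/bin/java" -cp "${CLASSPATH:-}" \
        $(truststore_opts "$TRUSTSTORE" "$TRUSTSTORE_PASS") org.lsc.Launcher "$@"
}

# Usage: ./lsc-tls.sh /path/to/cacert.pem [LSC arguments...]
if [ -n "${1:-}" ]; then
    cert="$1"; shift
    seed_truststore
    import_ca "$cert"
    verify_ca
    run_lsc "$@"
fi
```

Two points worth knowing when adapting this: the truststore password only protects the integrity of a file that holds public certificates, which is why the JDK default "changeit" is usually kept, but a value passed as -Djavax.net.ssl.trustStorePassword is visible to every local user in the process list, so do not reuse a real secret there. If the handshake still fails after the import, the standard JSSE property -Djavax.net.debug=ssl added to the same java line prints the certificate chain the server presented and which trust anchor was missing.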