documentation:howto:ssltls [2017/01/30 17:10] (current)
====== SSL and TLS activation ======

LSC can encrypt its communication with an LDAP server in one of two ways: with the StartTLS extended operation, which upgrades a connection opened on the standard LDAP port (389), or with LDAPS (called "SSL" below), where TLS is negotiated as soon as the connection is opened on a dedicated port (636). In both cases the JVM checks the server certificate against a truststore, so the second half of this page applies to both modes.

===== Configuring LSC =====

==== TLS (StartTLS operation) ====

You can use the StartTLS extended operation to secure a connection on the standard port 389. This feature is available since LSC 1.1.0. The TCP connection is opened in clear and upgraded to TLS before LSC binds, so the bind password is not sent in plaintext.

To enable StartTLS on an LDAP connection, set the following node in //lsc.xml//:
<code xml>
<connection>
  <.../>
  <tlsActivated>true</tlsActivated>
</connection>
</code>


==== SSL ====

You can use SSL (LDAPS) instead to create an encrypted tunnel from the first byte. This means using an ldaps:%%//%% URL in lsc.xml, which selects the dedicated port (636 unless you specify another one):

<code xml>
<connection>
  <.../>
  <url>ldaps://localhost/</url>
</connection>
</code>

Recent JVMs (Java 8u181 and later) also verify that the host name in the URL matches the server certificate, so use the name the certificate was issued for: ldaps:%%//%%localhost/ only works if the certificate covers localhost.

===== Trusting the certificate =====

The JVM only accepts the LDAP server certificate if it chains to a CA present in a truststore. Choose one of the two options below to get your server's certificate trusted: either add the CA to the truststore of the whole JVM, or give LSC a truststore of its own.

==== Global use: LSC will use the system-wide JVM truststore ====

The first step is to add the CA certificate (the one which signed the LDAP server certificate) to the truststore of the JVM running LSC.

This tutorial is adapted from http://java.sun.com/products/jndi/tutorial/ldap/security/ssl.html#CLIENT

First, go to the security folder of your JVM installation (on Java 9 and later there is no jre/ subdirectory: use $JAVA_HOME/lib/security/ instead):
<code>
cd $JAVA_HOME/jre/lib/security/
</code>

Then import the CA certificate (we suppose it is in a file named cacert.pem) into a file named jssecacerts, which the JVM consults before cacerts. keytool creates the file on the first import and asks you to choose a password for it, then asks you to confirm that you trust the certificate. The explicit alias avoids the default "mykey", which would make a second import fail:
<code>
../../bin/keytool -import -alias ldap-ca -file /path/to/cacert.pem -keystore jssecacerts
</code>

Beware that when jssecacerts exists the JVM uses it //instead of// cacerts, not in addition to it: a freshly created jssecacerts trusts only your CA, so any other TLS connection made by that JVM will fail. If that matters, copy cacerts to jssecacerts first and import into the copy. The file also lives inside the JVM directory and may be lost when the JVM is upgraded, which is why the second option is usually preferable.

==== Specific use: LSC will use its own truststore ====

This is the same procedure as above, except that the truststore lives in the LSC installation and the launcher tells the JVM to use it instead of the system-wide one. This keeps the change out of the JVM directory, so it survives JVM upgrades and does not affect other Java programs.

First, copy the JVM truststore to your LSC installation (same remark as above about the path on Java 9 and later):
<code>
cp $JAVA_HOME/jre/lib/security/cacerts /usr/local/lsc/etc
</code>

Then import the CA certificate into this truststore. The password of the copied cacerts is the JVM default, changeit; keytool asks for it and then asks you to confirm that you trust the certificate:
<code>
$JAVA_HOME/bin/keytool -import -alias ldap-ca -file /path/to/cacert.pem \
  -keystore /usr/local/lsc/etc/cacerts
</code>

The truststore holds only public certificates, so its password protects integrity rather than secrecy (you can still change it with keytool -storepasswd). What matters is that the file is writable only by the account that maintains LSC: anyone who can add a CA to it can impersonate the LDAP server.

Now, edit the shell script that launches LSC synchronization tasks. We suppose this is /usr/local/lsc/bin/lsc. Replace the following line:

<code>
$JAVA_HOME/bin/java -cp $CLASSPATH org.lsc.Launcher $*
</code>

by this line (we assume the launcher defines CFG_DIR as the configuration directory, /usr/local/lsc/etc here; otherwise write the full path, and use the password you chose above instead of changeit):
<code>
$JAVA_HOME/bin/java -cp $CLASSPATH \
  -Djavax.net.ssl.trustStore=$CFG_DIR/cacerts \
  -Djavax.net.ssl.trustStorePassword=changeit \
  org.lsc.Launcher "$@"
</code>

"$@" rather than $* keeps arguments containing spaces intact. The truststore password then appears in the process list; since the truststore contains only public certificates this is usually acceptable.
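The following script is an added example, not part of the LSC documentation or of the LSC project. It ties the two halves of this page together: it imports the CA into the LSC-private truststore without prompts (for provisioning), produces the JVM options the launcher needs while failing early if the truststore path is wrong, and checks an lsc.xml before LSC is started so that no connection is left using plain ldap:%%//%% without tlsActivated. The sample lsc.xml is constructed for the example; LSC_HOME, TRUSTSTORE, the alias ldap-ca and the function names are assumptions, and accepting an ldapConnection element alongside connection is a guess at a variant of the file format.

```shell
#!/bin/sh
# Added example; not LSC's own code. Assumptions: keytool on PATH, LSC under
# $LSC_HOME (default /usr/local/lsc), CA certificate in PEM form. The alias,
# variable and function names are illustrative.

LSC_HOME="${LSC_HOME:-/usr/local/lsc}"
TRUSTSTORE="${TRUSTSTORE:-$LSC_HOME/etc/cacerts}"

# Import a CA certificate into the LSC-private truststore without prompts.
# An explicit alias avoids the default "mykey", which would make a second
# import fail; -trustcacerts lets keytool chain an intermediate CA to a root
# already present in the store.
import_ca() {
    ca_pem=$1; alias=$2; storepass=$3
    keytool -importcert -noprompt -trustcacerts \
        -alias "$alias" -file "$ca_pem" \
        -keystore "$TRUSTSTORE" -storepass "$storepass"
}

# Print the JVM options to add to the lsc launcher. Fails if the truststore is
# not readable, so a wrong path is caught here rather than showing up as an
# SSLHandshakeException when LSC first connects.
truststore_opts() {
    store=$1; storepass=$2
    [ -r "$store" ] || { echo "truststore not readable: $store" >&2; return 1; }
    printf '%s %s\n' "-Djavax.net.ssl.trustStore=$store" \
                     "-Djavax.net.ssl.trustStorePassword=$storepass"
}

# Check an lsc.xml: every connection must either use an ldaps:// URL or set
# <tlsActivated>true</tlsActivated>. Prints the names of offending connections
# and returns 1 if any would send the bind password in clear on port 389.
# <ldapConnection> is accepted as well as <connection> (assumed variant);
# open and close tags may sit on the same line or on different ones.
check_lsc_xml() {
    awk '
        {
            if ($0 ~ /<(ldap)?[cC]onnection>/) { inconn = 1; buf = "" }
            if (inconn) buf = buf $0 "\n"
            if (inconn && $0 ~ /<\/(ldap)?[cC]onnection>/) {
                inconn = 0
                lb = tolower(buf)          # URL schemes are case-insensitive
                enc = (lb ~ /<url>[ \t]*ldaps:\/\//) ||
                      (lb ~ /<tlsactivated>[ \t]*true[ \t]*<\/tlsactivated>/)
                if (!enc) {
                    name = "(unnamed)"
                    if (match(lb, /<name>[^<]*<\/name>/))
                        name = substr(buf, RSTART + 6, RLENGTH - 13)
                    print "plaintext LDAP connection: " name
                    bad++
                }
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample lsc.xml for this example: one StartTLS connection, one
# LDAPS connection and one plaintext connection that the check must flag.
sample_lsc_xml() {
    cat <<'EOF'
<lsc>
  <connections>
    <connection>
      <name>ldap-starttls</name>
      <url>ldap://ldap.example.com:389/dc=example,dc=com</url>
      <tlsActivated>true</tlsActivated>
    </connection>
    <connection>
      <name>ldap-ldaps</name>
      <url>LDAPS://ldap.example.com:636/dc=example,dc=com</url>
    </connection>
    <connection>
      <name>ldap-plain</name>
      <url>ldap://ldap.example.com:389/dc=example,dc=com</url>
      <tlsActivated>false</tlsActivated>
    </connection>
  </connections>
</lsc>
EOF
}

# Usage:
#   import_ca /path/to/cacert.pem ldap-ca "$PASS"
#   sample_lsc_xml > /tmp/lsc.xml && check_lsc_xml /tmp/lsc.xml
#   java -cp "$CLASSPATH" $(truststore_opts "$TRUSTSTORE" "$PASS") \
#       org.lsc.Launcher "$@"
```

Run check_lsc_xml from the launcher before starting LSC and abort on a non-zero status: the sync then refuses to start with a connection that would bind in clear, instead of leaking the service account password the first time a configuration edit drops tlsActivated.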