LSC can encrypt communication with a LDAP server, using either the StartTLS operation (on standard LDAP port, 389) or via SSL/TLS (on a specific port, 636).
You can use the startTLS extended operation to secure a connection on the standard 389 port. This feature is available since LSC 1.1.0.
To enable startTLS on the LDAP connection, set the following node in
<connection> <.../> <tlsActivated>true</tlsActivated> </connection>
You can use SSL/TLS to create a secure tunnel. This implies to use
ldaps:// URI in
<connection> <.../> <url>ldaps://host.domain.org/</url> </connection>
Trusting the certificate¶
Choose one of the two options below to get your server’s certificate trusted.
Global use: LSC will use system-wide JVM Truststore¶
First step, add the CA certificate (which signed the LDAP server certificate) in the JVM running LSC.
This tutorial is written from http://java.sun.com/products/jndi/tutorial/ldap/security/ssl.html#CLIENT
First, go to the security folder of your JVM installation:
Then import the CA certificate (we suppose it is in a file named
../../bin/keytool -import -file /path/to/cacert.pem -keystore cacerts
Specific use: LSC will use its own truststore¶
This is exactly the same procedure as described above. But, at the end, LSC will use its own truststore instead of the system-wide JVM truststore.
First step, copy the JVM truststore to your LSC installation:
cp $JAVA_HOME/jre/lib/security/cacerts /etc/lsc/
Then import the new certificate into this truststore:
$JAVA_HOME/bin/keytool -import -file /path/to/cacert.pem \ -keystore /etc/lsc/cacerts
Now, edit the shell script that launches LSC synchronization tasks. We suppose this is
/usr/bin/lsc. Replace the following line:
$JAVA_HOME/bin/java -cp $CLASSPATH org.lsc.Launcher $*
by this line:
$JAVA_HOME/bin/java -cp $CLASSPATH \ -Djavax.net.ssl.trustStore=$CFG_DIR/cacerts \ -Djavax.net.ssl.trustStorePassword=changeit \ org.lsc.Launcher $*