SSL/TLS activation

LSC can encrypt communication with an LDAP server, using either the StartTLS operation (on the standard LDAP port, 389) or SSL/TLS (on a dedicated port, 636).

Configuring LSC

StartTLS operation

You can use the StartTLS extended operation to secure a connection on the standard port 389. This feature has been available since LSC 1.1.0.

To enable StartTLS on the LDAP connection, set the following node in /etc/lsc/lsc.xml:



You can use SSL/TLS to create a secure tunnel. This requires an ldaps:// URI in lsc.xml:


Trusting the certificate

Choose one of the two options below to get your server’s certificate trusted.

Global use: LSC will use system-wide JVM Truststore

The first step is to add the CA certificate (the one that signed the LDAP server certificate) to the truststore of the JVM running LSC.

This tutorial is written from

First, go to the security folder of your JVM installation:

cd $JAVA_HOME/jre/lib/security/

Then import the CA certificate (assumed here to be in a file named cacert.pem):

../../bin/keytool -import -file /path/to/cacert.pem -keystore cacerts

Specific use: LSC will use its own truststore

The procedure is the same as the one described above, except that LSC ends up using its own truststore instead of the system-wide JVM truststore.

First, copy the JVM truststore to your LSC installation:

cp $JAVA_HOME/jre/lib/security/cacerts /etc/lsc/

Then import the new certificate into this truststore:

$JAVA_HOME/bin/keytool -import -file /path/to/cacert.pem \
    -keystore /etc/lsc/cacerts

Now edit the shell script that launches LSC synchronization tasks, assumed here to be /usr/bin/lsc. Replace the following line:

$JAVA_HOME/bin/java -cp $CLASSPATH org.lsc.Launcher $*

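with this line, which points the JVM at the LSC truststore through the javax.net.ssl.trustStore system property:

$JAVA_HOME/bin/java -cp $CLASSPATH \
    -Djavax.net.ssl.trustStore=$CFG_DIR/cacerts \
    org.lsc.Launcher $*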
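
Importing a CA into a truststore is a trust decision, so it is worth checking the certificate before the keytool import steps above and confirming the result afterwards. The script below is an added example, not part of the LSC documentation: it compares the SHA-256 fingerprint of cacert.pem with a value obtained out-of-band, then checks that the truststore contains that certificate. The function names and the script name check_ca.sh are hypothetical, and the store password is assumed to be the JVM default, changeit.

```sh
#!/bin/sh
# Added example, not part of LSC: check a CA certificate before and after
# importing it into a JVM truststore. Function names are hypothetical.

# Reduce a fingerprint (openssl's label, colons, spaces, case) to bare hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \t\r\n' | tr 'a-f' 'A-F'
}

# SHA-256 fingerprint of a PEM certificate file, as bare upper-case hex.
pem_fingerprint() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null)"
}

# $1 = PEM file, $2 = fingerprint received out-of-band from the CA owner.
# Fails on mismatch and also when the file cannot be parsed.
fingerprint_matches() {
    actual=$(pem_fingerprint "$1")
    [ -n "$actual" ] && [ "$actual" = "$(normalize_fp "$2")" ]
}

# $1 = truststore, $2 = PEM file, $3 = store password (JVM default: changeit).
# Succeeds only if a certificate with the same SHA-256 fingerprint is stored.
truststore_contains() {
    wanted=$(pem_fingerprint "$2")
    [ -n "$wanted" ] || return 2
    keytool -list -v -keystore "$1" -storepass "${3:-changeit}" 2>/dev/null |
        tr -d ': \t' | tr 'a-f' 'A-F' | grep -q "SHA256${wanted}\$"
}

# Usage: sh check_ca.sh /path/to/cacert.pem EXPECTED_SHA256 [truststore]
if [ "$#" -ge 2 ]; then
    fingerprint_matches "$1" "$2" ||
        { echo "fingerprint mismatch, do not import $1" >&2; exit 1; }
    if truststore_contains "${3:-/etc/lsc/cacerts}" "$1"; then
        echo "CA certificate is present in ${3:-/etc/lsc/cacerts}"
    else
        echo "CA certificate is not in ${3:-/etc/lsc/cacerts} yet" >&2
        exit 1
    fi
fi
```

Run it once before the import to compare fingerprints, and again afterwards against whichever truststore LSC is configured to use.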