webmaster
2014-03-04 15:56:09 UTC
A page in your DokuWiki was added or changed. Here are the details:
Date : 2014/03/04 16:56
Browser : Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0
IP-Address : 88.173.78.196
Hostname : mne69-10-88-173-78-196.fbx.proxad.net
Old Revision: none
New Revision: http://lsc-project.org/wiki/documentation/howto/ssltls
Edit Summary: created
User : coudot
====== SSL and TLS activation ======
LSC can encrypt its communication with an LDAP server either with the StartTLS operation (on the standard LDAP port, 389) or over SSL (on a dedicated port, 636).
===== Configuring LSC =====
==== TLS (StartTLS operation) ====
You can use the startTLS extended operation to secure a connection on the standard 389 port. This feature is available since LSC 1.1.0.
To enable TLS on the LDAP connection, set the following node in //lsc.xml//:
<code xml>
<connection>
<.../>
<tlsActivated>true</tlsActivated>
</connection>
</code>
==== SSL ====
You can use SSL to create a secure tunnel. This requires using an ldaps:%%/%%/ URI in //lsc.xml//:
<code xml>
<connection>
<.../>
<url>ldaps://localhost/</url>
</connection>
</code>
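The two settings above can be audited mechanically. The script below is an added example, not code from the LSC project: it treats any element that has a <url> child as a connection (the <name> child in the constructed sample is an assumption used only for labelling) and flags every connection that uses neither StartTLS nor an ldaps:%%/%%/ URL.

```python
"""Audit the <connection> nodes of an LSC lsc.xml for encryption settings.
Added example, not LSC project code: it checks for the two settings the page
describes, <tlsActivated>true</tlsActivated> (StartTLS on port 389) or an
ldaps:// <url> (SSL on port 636), and reports connections left in clear text."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample; the <name> child is an assumption used only for labelling.
SAMPLE_LSC_XML = """<lsc><connections>
  <connection><name>src</name><url>ldap://ldap1.example/</url>
    <tlsActivated>true</tlsActivated></connection>
  <connection><name>dst</name><url>ldaps://ldap2.example:636/</url></connection>
  <connection><name>legacy</name><url>ldap://ldap3.example/</url></connection>
</connections></lsc>"""

def _child_text(elem, name):
    """Text of the first direct child called `name` (namespace prefix ignored)."""
    for child in elem:
        if child.tag.rsplit("}", 1)[-1] == name and child.text is not None:
            return child.text.strip()
    return None

def classify(url, tls_activated):
    """Return 'ldaps', 'starttls' or 'cleartext' for one connection."""
    if urlsplit(url).scheme.lower() == "ldaps":
        return "ldaps"      # TLS from the first byte; port 636 by default
    if (tls_activated or "").lower() == "true":
        return "starttls"   # plain port 389, upgraded by the StartTLS operation
    return "cleartext"      # bind credentials and directory data sent in clear

def audit_connections(xml_text):
    """Treat every element that has a <url> child as a connection; classify each."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        url = _child_text(elem, "url")
        if url is None:
            continue
        findings.append({"name": _child_text(elem, "name") or url, "url": url,
                         "mode": classify(url, _child_text(elem, "tlsActivated"))})
    return findings

def cleartext_connections(xml_text):
    """Names of connections that use neither StartTLS nor an ldaps:// URL."""
    return [f["name"] for f in audit_connections(xml_text) if f["mode"] == "cleartext"]

if __name__ == "__main__":
    for f in audit_connections(SAMPLE_LSC_XML):
        print(f"{f['name']:8} {f['mode']:10} {f['url']}")
```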
===== Trusting the certificate =====
Choose one of the two options below to get your server's certificate trusted.
==== Global use: LSC will use system-wide JVM Truststore ====
First, add the CA certificate (the one that signed the LDAP server certificate) to the truststore of the JVM running LSC.
This tutorial is based on http://java.sun.com/products/jndi/tutorial/ldap/security/ssl.html#CLIENT
First, go to the security folder of your JVM installation:
<code>
cd $JAVA_HOME/jre/lib/security/
</code>
Then import the CA certificate (assumed here to be in a file named cacert.pem):
<code>
../../bin/keytool -import -file /path/to/cacert.pem -keystore jssecacerts
</code>
==== Specific use: LSC will use its own truststore ====
This is exactly the same procedure as described above, except that at the end LSC is pointed at its own truststore instead of the system-wide JVM truststore.
First, copy the JVM truststore to your LSC installation:
<code>
cp $JAVA_HOME/jre/lib/security/cacerts /usr/local/lsc/etc
</code>
Then import the CA certificate into this truststore:
<code>
$JAVA_HOME/bin/keytool -import -file /path/to/certificate.pem \
-keystore /usr/local/lsc/etc/cacerts
</code>
Now, edit the shell script that launches LSC synchronization tasks (assumed here to be /usr/local/lsc/bin/lsc). Replace the following line:
<code>
$JAVA_HOME/bin/java -cp $CLASSPATH org.lsc.Launcher $*
</code>
with this one (changeit is the default password of the JVM cacerts file copied above):
<code>
$JAVA_HOME/bin/java -cp $CLASSPATH \
-Djavax.net.ssl.trustStore=$CFG_DIR/cacerts \
-Djavax.net.ssl.trustStorePassword=changeit \
org.lsc.Launcher $*
</code>
--
This mail was generated by DokuWiki at
http://lsc-project.org/wiki/