Configuring SSL

The server can be used through SSL, but you need to configure it. There are several steps to follow in order to obtain an SSL-enabled Apache Directory Server.

Setting a certificate for the server

You will need a certificate for your server. You have three ways:
- either you buy a certificate from a Certificate Authority (Verisign, etc.)
- or you ask for a free certificate from the CAcert organisation (http://www.cacert.org/)
- or you create your own certificate, which will not be trusted by clients.

We will do it the last way, because it's easy and fast (you won't have to pay nor to wait to obtain your certificate).

Creating the certificate

We will use the keytool program, which is part of the Java distribution. Keytool is already available if you have a Java 1.4 JVM installed. Otherwise, you must install it. You can find this program in $JAVA_HOME/bin/keytool.

We will create a new certificate and store it in a special file, the keystore (it's just a normal file, but usually, when you use keytool, it stores the certificate in the cacerts file which is in $JAVA_HOME/jre/lib/security).

Let's suppose that you want to store your keystore in $HOME/ssl

Here are the command lines to type:

$ cd
$ mkdir ssl
$ keytool -genkey -alias CAS -keyalg RSA -dname "CN=apacheds/Email=elecharny@apache.org, O=apache, C=org" -keypass <KeyPass> -storepass <StorePass> -keystore ~/ssl/CAS.keystore

Here you have two passwords to type: <KeyPass> and <StorePass>. Just keep in mind that the KeyPass will be used later in the server configuration, and that the StorePass is used to look into the keystore.

You can check that the certificate is correctly set into the keystore file :

$ keytool -list -v -keystore ~/ssl/CAS.keystore

You will be asked for the keystore password and you will obtain:

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: cas
Creation date: Mar 20, 2006
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN="apacheds/Email=elecharny@apache.org", O=apache, C=FR
Issuer: CN="apacheds/Email=elecharny@apache.org", O=apache, C=FR
Serial number: 441deaac
Valid from: Mon Mar 20 00:35:08 CET 2006 until: Sun Jun 18 01:35:08 CEST 2006
Certificate fingerprints:
         MD5:  EB:E3:C3:B6:C1:F6:31:CC:5C:9C:FA:CC:1D:3F:E0:A1
         SHA1: AC:9C:8F:52:41:51:2E:5E:D2:67:45:9F:29:6D:73:8E:3E:02:B1:9D


*******************************************
*******************************************

Configuring the Apache Directory Server

That's easy too. You will have to modify the server.xml file. Just add the following lines in the configuration section:

<bean id="configuration" class="org.apache.directory.server.configuration.MutableServerStartupConfiguration">
    <property name="workingDirectory"><value>example.com</value></property>

    <!-- SSL properties -->
    <property name="enableLdaps"><value>true</value></property>
    <property name="ldapsPort"><value>10686</value></property>
    <property name="ldapsCertificateFile"><value>[your home directory]/ssl/CAS.keystore</value></property>
    <property name="ldapsCertificatePassword"><value>[your keypass password]</value></property>

...

That's it! Of course, you can change the port and the password, but then you will need to regenerate a new certificate.

Connecting to the server

You can check the connection with LdapBrowser, for instance:

You will just have to give the SSL port, and don't forget to check the SSL box!
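Because the certificate created above is self-signed, a client has nothing to trust it against except a fingerprint you record yourself. The script below is an added example, not part of the ApacheDS documentation: it creates the keystore with an explicit validity (keytool's default is 90 days, which is why the listing above runs from Mar 20 to Jun 18), extracts the SHA1 fingerprint from the keytool listing, and compares it with what a live LDAPS server presents. The hostname, paths, passwords and the RUN_KEYTOOL switch are assumptions supplied through the environment.

```shell
#!/bin/sh
# Added example (not from the ApacheDS page): build the keystore, record the
# certificate's SHA1 fingerprint, and check an LDAPS server against that pin.
set -e

KEYSTORE="${KEYSTORE:-$HOME/ssl/CAS.keystore}"   # assumed location, as on the page
ALIAS="${ALIAS:-CAS}"

# Generate the self-signed key pair. -validity replaces keytool's 90-day default,
# and the CN should be the hostname clients will use to reach the LDAPS port.
generate_keystore() {
    mkdir -p "$(dirname "$KEYSTORE")"
    keytool -genkey -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=${LDAPS_HOST:-ldap.example.com}, O=apache, C=FR" \
        -keypass "$KEY_PASS" -storepass "$STORE_PASS" -keystore "$KEYSTORE"
}

# Read 'keytool -list -v' output on stdin and print the SHA1 fingerprint
# (the indented 'SHA1: xx:yy:...' line shown in the listing above).
keystore_sha1() {
    awk '$1 == "SHA1:" { print $2; exit }'
}

# Read the same listing and print the expiry date from the 'Valid from' line.
keystore_expiry() {
    sed -n 's/^Valid from: .* until: //p' | head -n 1
}

# Normalise an 'openssl x509 -fingerprint -sha1' line (SHA1 Fingerprint=...)
# to the upper-case colon form keytool prints, so the two compare directly.
openssl_sha1() {
    sed -n 's/^SHA1 Fingerprint=//p' | tr 'a-f' 'A-F'
}

# Fetch the certificate the live server presents and compare it with the pin.
# Returns non-zero on mismatch, so a deployment check fails loudly.
check_server_pin() {   # $1 host, $2 port, $3 fingerprint recorded by keystore_sha1
    got=$(openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
            | openssl x509 -noout -fingerprint -sha1 | openssl_sha1)
    [ "$got" = "$3" ]
}

# Usage: with RUN_KEYTOOL=1 and keytool installed, create the keystore and save
# its fingerprint next to it for clients to pin, e.g. check_server_pin host 10686 "$(cat "$KEYSTORE.sha1")".
if [ "${RUN_KEYTOOL:-0}" = 1 ] && command -v keytool >/dev/null 2>&1; then
    generate_keystore
    keytool -list -v -keystore "$KEYSTORE" -storepass "$STORE_PASS" \
        | keystore_sha1 > "$KEYSTORE.sha1"
fi
```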

Have secure fun!
