Copyright © TIBCO Software Inc. All Rights Reserved

Configuring the SSL Environment

Configuring the SSL environment involves the following tasks:

•	Converting Certificates to Use SSL at Design Time

You will need to obtain the following from your LDAP server administrator:

1.	The CA (Certificate Authority) certificate that signed the LDAP server certificate.

2.	To use External (client certificate based) authentication, the certificate and private key of the LDAP user that the adapter will authenticate to the LDAP server as a PKCS12 file. Use the administration tools of the LDAP server to export the LDAP user’s certificate and private key.

The samples assume that the PKCS12 file is called userident.p12. The PKCS12 file is encrypted with a password and you will need that as well.

To use SSL for the design-time connection, the certificates and keys must be imported into a keystore as described in Converting Certificates to Use SSL at Design Time.

Converting Certificates to Use SSL at Design Time

To use SSL for the design-time connection to the LDAP server, the CA certificate must be imported into a keystore. Use the Java utility keytool for this.

The command for using this utility is:

TIBCO_HOME\jre\<version>\bin\keytool -import -v -alias alias -file cert_file -keystore keystore

To import the CA certificate from the cacert.der file into the keystore file, TIBCO_HOME\jre\<version>\lib\security\keystore with the alias CAcert, run the following command:

TIBCO_HOME\jre\<version>\bin\keytool -import -v -alias CAcert -file cacert.der -keystore TIBCO_HOME\jre\<version>\lib\security\cacerts

You will be prompted to choose a password. You require this password to import additional certificates into the keystore. Select yes when the keytool prompts you to trust the imported certificate.

To use SSL at design time with anonymous or simple authentication:

In the Design-time Connection tab, specify the following values. For details, see Design-time Connection Tab.

•	Specify the LDAP server (Hostname or IP address).

•	Specify the port number in the LDAP Port field.

•	Check the Use SSL checkbox.

•	In the Trusted Certificate Authorities field, specify the path to the Java keystore you created earlier. In the example above, the keystore file is in the TIBCO_HOME\jre\<version>\lib\security\cacerts folder.

•	Specify the authentication mode to be Simple or Anonymous. If you select Simple authentication, the User DN and Password are mandatory.

•	Click the Test Connection... button to make sure that the design-time adapter can connect to the LDAP server using SSL with the specified parameters.

To use SSL at design time with external authentication:

1.	In the Design-time Connection tab, specify the following values. For details, see Design-time Connection Tab.

−	Enter the LDAP Server (Hostname or IP address).

−	Specify the port number in the LDAP Port field.

−	Check the Use SSL checkbox.

−	In the Trusted Certificate Authorities field, specify the path to the Java keystore you created earlier. In the example above, the keystore file is TIBCO_HOME\jre\<version>\lib\security\cacerts.

2.	Select the External item from the Authentication Mode drop-down list.

3.	In the Client Identity field, specify the full path to the PKCS12 file that has the LDAP user’s certificate and key.

4.	In the Identity Password field, provide the password to the PKCS12 file.

5.	Click the Test Connection... button to make sure that the design-time adapter can connect to the LDAP server using SSL with the specified parameters.

 

Using SSL with the Adapter

To use the SSL protocol with the adapter:

1.	Configure SSL support in the LDAP server. For further information, see Enabling SSL on the LDAP Servers.

2.	Get the LDAP server's certificate and the certificate (chain) of the CA that issued the LDAP server's certificate.

3.	Create certificate stores containing the certificates.

−	For the design-time and runtime connection, use the Java keytool to create a keystore. For details, refer to Converting Certificates to Use SSL at Design Time.

If you are using Active Directory as the LDAP server and setting up a publication service, you must also import the certificate to the systems certificate store on the Microsoft Windows machine that will run the adapter.

4.	Configure the SSL parameters on the Design-time Connection tab. See Design-time Connection Tab.

5.	Configure the SSL parameters on the Runtime Connection tab. See Runtime Connection Tab.

 

You can configure SSL separately for the design-time and runtime connections.

Copyright © TIBCO Software Inc. All Rights Reserved