Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 3 Server Settings and Migration : Configuring LDAP Integration With SSL Connections

Configuring LDAP Integration With SSL Connections
You can use SSL to secure the user and group data transmitted to your TIBCO servers and applications from the LDAP directory server. Doing so ensures privacy, integrity, and authenticity of data from the LDAP directory server.
TIBCO Domain Utility specifies SSL usage for the LDAP integration of an administration domain. Once SSL is specified for a domain’s LDAP integration, the administration servers and applications depend on the security features of the JVM they run on in order to establish SSL connections with the LDAP server (and do not actively participate in establishing the SSL connections).
To configure an administration domain to connect to the LDAP directory server over SSL, you must do the following:
Task A Enable SSL on the LDAP Directory Server
You must first enable SSL authentication on the LDAP directory server with which the administration domain is integrated. You may need to contact the IT department in your organization that manages your LDAP servers. This requires installing a valid server certificate, and the trust certificate of the certificate authority (CA) that signed it, on the LDAP directory server. Go to one of the following links for information on enabling SSL on your LDAP directory server:
For Microsoft Active Directory 2000:
http://support.microsoft.com/default.aspx?scid=kb;en-us;247078#1
For Microsoft Active Directory 2003:
http://support.microsoft.com/kb/321051
For Sun ONE Directory Server 5.1:
http://docs.sun.com/source/816-5606-10/ssl.htm#996824
For Sun ONE Directory Server 5.2:
http://docs.sun.com/source/816-6698-10/ssl.html#14365
For Novell eDirectory 8.7.3:
http://www.novell.com/documentation/edir873/index.html?treetitl.html
Task B Configure the JRE Keystores
Next, you must import the CA trust certificate (the signing certificate of your LDAP server certificate) into the keystores of all JREs that are used by software or applications that perform user authentication. This includes JREs for all primary and secondary servers, as well as for BusinessWorks processes that perform basic authentication. The safest approach is to perform this task on all TIBCO JREs on all server and client machines in your administration domain, so that no JRE is left without the trust certificate.
Follow the instructions below to import the CA trust certificate of the LDAP server certificate into each applicable JRE keystore:
1. In the command prompt, change to TIBCO_HOME/tibcojre/version/bin.
2. Run the following command, replacing alias_name with a name for the new keystore entry and CA_trust_certificate_file_path with the path to the CA trust certificate file:
keytool -import -alias alias_name -keystore TIBCO_HOME/tibcojre/version/lib/security/cacerts -trustcacerts -file CA_trust_certificate_file_path
3. When prompted, type changeit for the keystore password (unless you have changed it previously).
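The following Java check is an added example and not part of the TIBCO documentation. Run it with the same JRE you imported the certificate into (TIBCO_HOME/tibcojre/version/bin/java) and without a -Djavax.net.ssl.trustStore override, so that the JVM uses its own cacerts exactly as the administration servers do; it confirms the alias is present in that cacerts and that the JVM can complete an SSL handshake with the LDAP server. The alias ldap-ca, the password changeit and the URL ldaps://ldap.example.com:636 are assumed values.

```java
import java.io.FileInputStream;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.net.ssl.SSLHandshakeException;

public class LdapSslTrustCheck {
    /** Looks the alias up in this JRE's own cacerts, the file that keytool -import wrote to. */
    static boolean caAliasPresent(String alias, String storePassword) throws Exception {
        String cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toString();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(cacerts)) {
            ks.load(in, storePassword.toCharArray());
        }
        X509Certificate ca = (X509Certificate) ks.getCertificate(alias);
        System.out.println("Alias " + alias + (ca == null ? " not found in " + cacerts : " found: " + ca.getSubjectX500Principal()));
        return ca != null;
    }

    /** Connects over SSL using only the JVM's default trust store, exactly as the TIBCO servers do. */
    static boolean jvmTrustsLdapServer(String ldapsUrl) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "none"); // anonymous; the handshake completes before any bind
        try {
            new InitialDirContext(env).close();
            System.out.println("SSL handshake succeeded against " + ldapsUrl);
            return true;
        } catch (CommunicationException e) {
            // An untrusted server certificate surfaces here with an SSLHandshakeException as root cause.
            boolean trustProblem = e.getRootCause() instanceof SSLHandshakeException;
            System.out.println((trustProblem ? "Handshake failed, is the CA trust certificate in cacerts? "
                                             : "Connection failed: ") + e.getRootCause());
            return false;
        } catch (NamingException e) {
            System.out.println("Connection established, but the server refused the operation: " + e);
            return true; // only reachable after a completed handshake
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: the alias chosen at import time, the default password, the LDAP server URL.
        caAliasPresent(args.length > 0 ? args[0] : "ldap-ca", "changeit");
        jvmTrustsLdapServer(args.length > 1 ? args[1] : "ldaps://ldap.example.com:636");
    }
}
```

A handshake failure reported by this check after the import usually means the certificate was imported into a different JRE than the one the server or application runs on.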
Task C Enable SSL for LDAP in TIBCO Domain Utility
Follow the instructions in Changing a Domain’s Integration With an LDAP Directory Server to modify LDAP configuration for your administration domain in TIBCO Domain Utility.
Select SSL in the LDAP Authentication drop-down list.
