Configuring LDAP Integration With SSL Connections

You can use SSL to secure the user and group data transmitted to your TIBCO servers and applications from the LDAP directory server. Doing so ensures privacy, integrity, and authenticity of data from the LDAP directory server.

TIBCO Domain Utility specifies SSL usage for the LDAP integration of an administration domain. Once SSL is specified for a domain’s LDAP integration, the administration servers and applications depend on the security features of the JVM they run on in order to establish SSL connections with the LDAP server (and do not actively participate in establishing the SSL connections).

To configure an administration domain to connect to the LDAP directory server over SSL, you must do the following:

•	Task A, Enable SSL on the LDAP Directory Server

•	Task B, Configure the JRE Keystores

•	Task C, Enable SSL for LDAP in TIBCO Domain Utility

Task A Enable SSL on the LDAP Directory Server

You must first enable SSL authentication on the LDAP directory server with which the administration domain is integrated. You may need to contact your IT department in your organization that manages your LDAP servers. This requires installing a valid server certificate and CA trust certificate from a certificate authority on the LDAP directory server. Go to one of the following links for information on enabling SSL on your LDAP directory server:

For Microsoft Active Directory 2000:
http://support.microsoft.com/default.aspx?scid=kb;en-us;247078#1

For Microsoft Active Directory 2003:
http://support.microsoft.com/kb/321051

For Sun ONE Directory Server 5.1:
http://docs.sun.com/source/816-5606-10/ssl.htm#996824

For Sun ONE Directory Server 5.2: http://docs.sun.com/source/816-6698-10/ssl.html#14365

For Novell eDirectory 8.7.3:
http://www.novell.com/documentation/edir873/index.html?treetitl.html

Task B Configure the JRE Keystores

Next, you must import the CA trust certificate (the signing certificate of your LDAP server certificate) into the keystores of all JREs that are used by software or applications that perform user authentication. This includes JREs for all primary and secondary servers, as well as for BusinessWorks processes that perform basic authentication. The best thing to do is to perform this task on all TIBCO JREs in all server and client machines in your administration domain.


	TIBCO JRE keystores already contain certificates from well-known certificate authorities such as Verisign, Thawte and Entrust. You can skip this task if your LDAP server certificate is issued by one of these well-known certificate authorities.

Follow the instructions below to import the CA trust certificate of LDAP server certificate into each applicable JRE keystore:

1.	In the command prompt, change to TIBCO_HOME/jre/version/bin.

2.	Use the following command to import the CA trust certificate into the default JRE keystore. (You may specify any value for alias_name.)

keytool -import -alias alias_name -keystore TIBCO_HOME/jre/version/lib/security/cacerts -trustcacerts -file CA_trust_certificate_file_path

3.	When prompted, type changeit for the keystore password (unless you have changed it previously).

Task C Enable SSL for LDAP in TIBCO Domain Utility

Follow the instructions in Changing a Domain’s Integration With an LDAP Directory Server to modify LDAP configuration for your administration domain in TIBCO Domain Utility.

•	Specify the LDAP server’s enabled SSL port in the LDAP URL field.

•	Select SSL in the LDAP Authentication drop-down list.