Configuring LDAPS
In an LDAP environment, where the Spotfire system communicates with an LDAP directory server, administrators often secure the LDAP protocol using TLS, if the LDAP directory supports this.
Before you begin
- The LDAP directory server has been set up to communicate using TLS.
About this task
Select one of the following three alternatives for configuring LDAPS certificates.
Alternative 1: Commercial certificates
If you are using commercial certificates, then Java most likely trusts them already and you do not need any further configuration.
Alternative 2: Self-signed certificates stored in tomcat/certs (preferred when using self-signed certificates)
If you are using self-signed certificates with Spotfire Server, each certificate can have its own keystore file to handle trust for the SSL/TLS communication. In this alternative, the keystore files are stored in the tomcat/certs directory of each computer in the cluster, where they are automatically copied and kept during server upgrades.
All certificates used for LDAPS in the tomcat/certs directory must have the same password. The standard password for the Java cacerts file can still be the default (changeit), but if you change the password, it should be the same one as used for the trust files in tomcat/certs. To use a password other than changeit, add the additional Java startup parameter javax.net.ssl.trustStorePassword either to the start script or to the service. See "Virtual memory modification".
For each certificate that is to be trusted, go to the directory <installation dir>/tomcat/certs and add a .jks file. This must be done on every Spotfire Server in the cluster. Name the files with a descriptive name.
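The same-password requirement for the files in tomcat/certs can be checked offline. The following Python script is an added example, not part of the Spotfire product or its documentation: it verifies the integrity digest that the JKS file format stores at the end of each file, which Java checks when it loads the store with a password. It assumes the files are in classic JKS format (anything else is reported as not-jks); the file names, aliases and placeholder certificate bytes in the sample are constructed.

```python
import hashlib
import struct
from pathlib import Path

JKS_MAGIC = 0xFEEDFEED
SALT = b"Mighty Aphrodite"  # fixed string the JKS format mixes into its digest


def jks_password_ok(data: bytes, password: str):
    """True/False if the JKS integrity digest matches; None if not a JKS file."""
    if len(data) < 32 or struct.unpack(">I", data[:4])[0] != JKS_MAGIC:
        return None  # e.g. a PKCS#12 store saved with a .jks extension
    body, stored = data[:-20], data[-20:]
    # Digest = SHA-1(password as 2-byte big-endian chars + SALT + store body)
    return hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest() == stored


def check_certs_dir(certs_dir, password: str) -> dict:
    """Map each *.jks file name to 'ok', 'wrong-password' or 'not-jks'."""
    labels = {True: "ok", False: "wrong-password", None: "not-jks"}
    return {p.name: labels[jks_password_ok(p.read_bytes(), password)]
            for p in sorted(Path(certs_dir).glob("*.jks"))}


def build_sample_jks(alias: str, cert: bytes, password: str) -> bytes:
    """Constructed test input: one-entry JKS trust store, placeholder cert bytes."""
    def utf(s: str) -> bytes:
        raw = s.encode("utf-8")
        return struct.pack(">H", len(raw)) + raw
    body = struct.pack(">III", JKS_MAGIC, 2, 1)    # magic, version, entry count
    body += struct.pack(">I", 2) + utf(alias)      # tag 2 = trusted certificate
    body += struct.pack(">Q", 0) + utf("X.509")    # timestamp, certificate type
    body += struct.pack(">I", len(cert)) + cert    # length-prefixed certificate
    return body + hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # stands in for tomcat/certs
        Path(d, "ldap-dc1.jks").write_bytes(build_sample_jks("dc1", b"placeholder", "changeit"))
        Path(d, "ldap-dc2.jks").write_bytes(build_sample_jks("dc2", b"placeholder", "other-pass"))
        Path(d, "ldap-dc3.jks").write_bytes(b"\x30\x82" + b"\x00" * 40)  # no JKS magic
        for name, status in check_certs_dir(d, "changeit").items():
            print(f"{name}: {status}")
```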
Alternative 3: Self-signed certificates stored in the default Java trust store
The default keystore provided by Java is located in <installation dir>/jdk/lib/security/cacerts. The default password for the included trust files is changeit. You can modify this file with additional certificates.
To add certificates to the Java trust store: