OpenAM: Connecting to OpenDJ over SSL

You can easily connect OpenAM to an external OpenDJ directory server. The key to connecting securely from OpenAM to OpenDJ using LDAP over SSL (LDAPS) is making sure the OpenDJ certificate is recognized on the OpenAM side.

When you install OpenDJ, you can choose to enable LDAP secure access. By default OpenDJ generates a self-signed certificate that it uses to protect communications. The big advantage is that you do not need to get a certificate signed by a certificate authority just to try LDAP secure access. The big disadvantage is that no other application recognizes the self-signed certificate as valid, because no recognized certificate authority has signed it. In order for the self-signed certificate to be recognized on the OpenAM side, you must take some additional steps.

(Dave Koelmeyer already wrote up how to do this with GlassFish when he explained how to enable secure LDAP container based authentication with JSPWiki. Let me reiterate here in the context of OpenAM running in Apache Tomcat.)

Export the OpenDJ self-signed certificate with alias server-cert to a file.

$ cd /path/to/OpenDJ/config
$ keytool -export -alias "server-cert" \
 -keystore keystore -storepass `cat keystore.pin` \
 -file /tmp/server-cert.cer
Certificate stored in file </tmp/server-cert.cer>

Import the OpenDJ self-signed certificate into the trust store used by the container where OpenAM runs. In the case of Apache Tomcat, for example, you can create a trust store and update the JAVA_OPTS for Tomcat to tell it to use the trust store.

Set up the trust store by importing the OpenDJ self-signed certificate.

$ cd /path/to/tomcat/conf
$ keytool -import -v -trustcacerts -alias "server-cert" \
 -keystore truststore -storepass changeit \
 -file /tmp/server-cert.cer
Owner: CN=laptop.example.com, O=OpenDJ Self-Signed Certificate
Issuer: CN=laptop.example.com, O=OpenDJ Self-Signed Certificate
Serial number: 5023849b
Valid from: Thu Aug 09 11:36:27 CEST 2012 until: Sat Aug 09 11:36:27 CEST 2014
Certificate fingerprints:
      MD5:  00:A4:AA:86:2F:59:96:95:71:6B:43:C4:8D:72:8A:B8
      SHA1: D1:F5:D9:D6:0F:FB:61:2D:32:F5:0C:40:0C:D6:BC:4F:12:6A:16:D6
      Signature algorithm name: SHA1withRSA
      Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore
[Storing truststore]
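Before answering "yes" to keytool's "Trust this certificate?" prompt, it is worth confirming that the fingerprint keytool shows is the one OpenDJ really presents, rather than trusting whatever arrived in /tmp. The following helper is an added example, not code from the post or from the OpenAM/OpenDJ projects: it fingerprints a certificate the way keytool prints it, parses the `keytool -import -v` output shown above (embedded here as a constructed sample), and checks it against a fingerprint fetched directly from the OpenDJ LDAPS port (the host name and port 636 are assumptions).

```python
import hashlib
import re
import ssl

# Constructed sample: the details keytool -import -v prints before asking
# "Trust this certificate?" (values taken from the post above).
SAMPLE_IMPORT_OUTPUT = """\
Owner: CN=laptop.example.com, O=OpenDJ Self-Signed Certificate
Issuer: CN=laptop.example.com, O=OpenDJ Self-Signed Certificate
Serial number: 5023849b
Valid from: Thu Aug 09 11:36:27 CEST 2012 until: Sat Aug 09 11:36:27 CEST 2014
Certificate fingerprints:
      MD5:  00:A4:AA:86:2F:59:96:95:71:6B:43:C4:8D:72:8A:B8
      SHA1: D1:F5:D9:D6:0F:FB:61:2D:32:F5:0C:40:0C:D6:BC:4F:12:6A:16:D6
"""

def keytool_fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Digest of a DER-encoded certificate in keytool's AA:BB:CC format."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def server_fingerprint(host: str, port: int = 636, algo: str = "sha1") -> str:
    """Fingerprint of the certificate OpenDJ presents on its LDAPS port (assumed
    636), fetched directly so it can be compared with what keytool shows."""
    pem = ssl.get_server_certificate((host, port))
    return keytool_fingerprint(ssl.PEM_cert_to_DER_cert(pem), algo)

def parse_keytool_output(text: str) -> dict:
    """Pull Owner, Issuer and fingerprints out of 'keytool -import -v' output."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Owner|Issuer|MD5|SHA1|SHA256):\s+(.*)", line)
        if m:
            info[m.group(1)] = m.group(2).strip()
    return info

def trust_decision(info: dict, expected_sha1: str) -> tuple:
    """Answer 'yes' only if the SHA1 keytool shows matches the one read from the
    OpenDJ side and the cert is OpenDJ's self-signed one (Owner == Issuer)."""
    shown = info.get("SHA1", "").upper()
    if shown != expected_sha1.upper():
        return False, "SHA1 mismatch: keytool shows %s, expected %s" % (shown, expected_sha1)
    if info.get("Owner") != info.get("Issuer"):
        return False, "not the OpenDJ self-signed certificate (Owner != Issuer)"
    return True, "fingerprint matches; safe to answer yes"
```

The exported /tmp/server-cert.cer is DER, so `keytool_fingerprint(open(path, "rb").read())` gives the same value keytool prints for it; newer keytool versions print SHA256 instead of MD5/SHA1, which the parser also accepts.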

Edit the Tomcat environment to make Tomcat use the trust store. The JAVA_OPTS value is wrapped here for readability; in your file it should all be on one line.

$ cd /path/to/tomcat/bin
$ vi catalina.sh
$ grep ^JAVA_OPTS catalina.sh
JAVA_OPTS="-Xmx1024m -XX:MaxPermSize=256m
 -Djavax.net.ssl.trustStore=/path/to/tomcat/conf/truststore
 -Djavax.net.ssl.trustStorePassword=changeit"

When you are ready to deploy into production, you might want to avoid the hassle by using CA-signed certificates. The method shown here is cheaper and easier when you’re only using a couple of servers on your laptop or in your lab, and you might be throwing everything away and starting over often.
