You can easily connect OpenAM to an external OpenDJ directory server. The key to connecting securely from OpenAM to OpenDJ using LDAP over SSL (LDAPS) is making sure the OpenDJ certificate is recognized on the OpenAM side.
When you install OpenDJ, you can choose to enable LDAP secure access. By default OpenDJ generates a self-signed certificate that it uses to protect communications. The big advantage is that you do not need to get a certificate signed by a certificate authority just to try LDAP secure access. The big disadvantage is that no other application recognizes the self-signed certificate as valid, because no recognized certificate authority has signed it. In order for the self-signed certificate to be recognized on the OpenAM side, you must take some additional steps.
(Dave Koelmeyer already wrote up how to do this with GlassFish when he explained how to enable secure LDAP container based authentication with JSPWiki. Let me reiterate here in the context of OpenAM running in Apache Tomcat.)
Export the OpenDJ self-signed certificate with alias server-cert to a file.
$ cd /path/to/OpenDJ/config
$ keytool -export -alias "server-cert" \
 -keystore keystore -storepass `cat keystore.pin` \
 -file /tmp/server-cert.cer
Certificate stored in file </tmp/server-cert.cer>
Import the OpenDJ self-signed certificate into the trust store used by the container where OpenAM runs. In the case of Apache Tomcat, for example, you can create a trust store and update the JAVA_OPTS for Tomcat to tell it to use the trust store. Be aware that setting javax.net.ssl.trustStore replaces the JVM's default trust store (cacerts) for every TLS connection Tomcat makes, rather than adding to it, so any CA-signed certificate OpenAM must also trust has to go into the same trust store.
Set up the trust store by importing the OpenDJ self-signed certificate. Before you answer yes to the prompt, check that the fingerprint keytool displays matches the certificate you exported from OpenDJ; otherwise you are trusting whatever happened to be in the file. (keytool prompts for the keystore password here because -keypass applies to private key entries, not to the store itself; pass -storepass if you want to avoid the prompt.)
$ cd /path/to/tomcat/conf
$ keytool -import -v -trustcacerts -alias "server-cert" \
 -keystore truststore -keypass changeit \
 -file /tmp/server-cert.cer
Enter keystore password:
Re-enter new password:
Owner: CN=laptop.example.com, O=OpenDJ Self-Signed Certificate
Issuer: CN=laptop.example.com, O=OpenDJ Self-Signed Certificate
Serial number: 5023849b
Valid from: Thu Aug 09 11:36:27 CEST 2012 until: Sat Aug 09 11:36:27 CEST 2014
Certificate fingerprints:
 MD5: 00:A4:AA:86:2F:59:96:95:71:6B:43:C4:8D:72:8A:B8
 SHA1: D1:F5:D9:D6:0F:FB:61:2D:32:F5:0C:40:0C:D6:BC:4F:12:6A:16:D6
 Signature algorithm name: SHA1withRSA
 Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore
[Storing truststore]
Edit the Tomcat environment to make Tomcat use the trust store. The JAVA_OPTS value should all be on one line in your version. (Tomcat also reads bin/setenv.sh at startup if it exists; putting the options there survives a Tomcat upgrade better than editing catalina.sh.)
$ cd /path/to/tomcat/bin
$ vi catalina.sh
$ grep ^JAVA_OPTS catalina.sh
JAVA_OPTS="-Xmx1024m -XX:MaxPermSize=256m -Djavax.net.ssl.trustStore=/path/to/tomcat/conf/truststore -Djavax.net.ssl.trustStorePassword=changeit"
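As an added example, not code from the original post or from the OpenDJ or OpenAM projects, here is the same procedure as a script, with the two checks a practitioner would want: the exported certificate's SHA-256 fingerprint is compared against a reference value (read from OpenDJ's own keystore when it is on this host, or supplied out of band when OpenDJ is remote) before anything is imported, and the Tomcat trust store is seeded from the JRE's cacerts so CA-signed certificates keep working. The paths, the alias server-cert, the keystore.pin file and the changeit password are assumptions carried over from the walkthrough above; the script also assumes a Java 8 or later keytool (older versions print no SHA256 line) and uses Tomcat's bin/setenv.sh rather than editing catalina.sh.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenDJ/OpenAM.
# Exports the OpenDJ self-signed certificate, verifies its fingerprint,
# imports it into a Tomcat trust store, and points Tomcat at that store.
# Assumptions: OPENDJ_HOME/config/keystore with PIN in config/keystore.pin,
# alias "server-cert", Tomcat under CATALINA_HOME, Java 8+ keytool.
set -u

OPENDJ_HOME="${OPENDJ_HOME:-/path/to/OpenDJ}"
CATALINA_HOME="${CATALINA_HOME:-/path/to/tomcat}"
CERT_ALIAS="${CERT_ALIAS:-server-cert}"
CERT_FILE="${CERT_FILE:-/tmp/server-cert.cer}"
TRUSTSTORE="${TRUSTSTORE:-$CATALINA_HOME/conf/truststore}"
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-changeit}"   # assumption; choose your own

# Strip a "SHA256:"-style label, drop spaces and lower-case the hex so that
# fingerprints copied from different tools compare equal. Labels are 3+
# characters and hex bytes exactly 2, so \{3,\} never eats the first byte.
normalize_fingerprint() {
    printf '%s' "$1" | sed 's/^[A-Za-z0-9-]\{3,\}: *//' | tr -d ' ' | tr 'A-F' 'a-f'
}

# Succeeds only when both fingerprints identify the same certificate.
fingerprints_match() {
    [ "$(normalize_fingerprint "$1")" = "$(normalize_fingerprint "$2")" ]
}

# The JVM properties Tomcat needs to use our trust store instead of cacerts.
tomcat_truststore_opts() {
    printf '%s %s' "-Djavax.net.ssl.trustStore=$1" \
                   "-Djavax.net.ssl.trustStorePassword=$2"
}

# SHA-256 fingerprint of an alias in a keystore (run this on the OpenDJ host
# to get the reference value) or of an exported .cer file (value to check).
fingerprint_of_keystore_entry() {
    keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" |
        sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1
}
fingerprint_of_cert_file() {
    keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1
}

main() {
    if [ -r "$OPENDJ_HOME/config/keystore.pin" ]; then
        # OpenDJ is on this host: export the certificate and take the reference
        # fingerprint straight from OpenDJ's own keystore.
        pin=$(cat "$OPENDJ_HOME/config/keystore.pin")
        keytool -export -alias "$CERT_ALIAS" -keystore "$OPENDJ_HOME/config/keystore" \
            -storepass "$pin" -file "$CERT_FILE"
        expected=$(fingerprint_of_keystore_entry "$OPENDJ_HOME/config/keystore" "$pin" "$CERT_ALIAS")
    else
        # OpenDJ is remote: $CERT_FILE was copied here, and EXPECTED_FINGERPRINT
        # came from keytool -list -v on the OpenDJ host over a separate channel.
        expected="${EXPECTED_FINGERPRINT:?set EXPECTED_FINGERPRINT for a remote OpenDJ}"
    fi
    actual=$(fingerprint_of_cert_file "$CERT_FILE")
    if ! fingerprints_match "$expected" "$actual"; then
        echo "refusing to trust $CERT_FILE: expected $expected, got $actual" >&2
        return 1
    fi

    # -Djavax.net.ssl.trustStore replaces the JRE's cacerts rather than adding
    # to it, so seed the new store from cacerts to keep CA-signed certs working.
    if [ ! -f "$TRUSTSTORE" ]; then
        cacerts=$(find "${JAVA_HOME:?}" -path '*security/cacerts' | head -n 1)
        cp "$cacerts" "$TRUSTSTORE"
        [ "$TRUSTSTORE_PASS" = changeit ] || keytool -storepasswd -keystore "$TRUSTSTORE" \
            -storepass changeit -new "$TRUSTSTORE_PASS"
    fi
    # -noprompt is safe here: the fingerprint was checked above.
    keytool -importcert -noprompt -alias "$CERT_ALIAS" -file "$CERT_FILE" \
        -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS"

    # Tomcat sources bin/setenv.sh at startup; that is the supported place for
    # extra JAVA_OPTS, and it is not overwritten when you upgrade Tomcat.
    printf 'export JAVA_OPTS="$JAVA_OPTS %s"\n' \
        "$(tomcat_truststore_opts "$TRUSTSTORE" "$TRUSTSTORE_PASS")" \
        >> "$CATALINA_HOME/bin/setenv.sh"
}

# Usage: sh trust-opendj.sh run   (the functions can also be sourced alone)
if [ "${1:-}" = "run" ]; then
    main
fi
```

The fingerprint comparison is the whole point of the exercise: the reason a self-signed certificate can be trusted at all is that you checked it against a value obtained from the OpenDJ host itself, not from the network path you are about to protect.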
When you are ready to deploy into production, you might want to avoid the hassle by using CA-signed certificates. The method shown here is cheaper and easier when you're only using a couple of servers on your laptop or in your lab, and you might be throwing everything away and starting over often. Note too that the self-signed certificate has a limited validity period (two years in the example above), so you must repeat the export and import whenever OpenDJ's certificate is renewed.