Configuring Secure LDAP
Configuring the SLM On-premise license server to communicate securely with an LDAP server using LDAPS (LDAP over SSL) requires manual configuration. First install and configure the license server for regular LDAP access, then use the ldaps:// protocol when specifying the server address to enable LDAPS.
Important
Depending on the LDAP server SSL certificates, this configuration may be enough to establish the connection. However, organizations often generate their own SSL certificates signed by their own Certificate Authority (CA) certificate. Unless additional measures are taken, these certificates may not be trusted, so the license server will still not connect to the LDAP server.
To establish trust, do the following:
Import the public key (either the Certificate Authority's certificate or the LDAP server's own certificate) as a trusted certificate into the license server's keystore file.
Get the certificate file from your LDAP or network administrator.
Create a new keystore file in the SLM server root directory, and note its path; you will need it in later steps.
$JAVA_HOME/bin/keytool -genkey -keyalg RSA -keystore slmkeystore.jks -keysize 2048
Use Java's keytool utility to import the LDAP server's certificate into the license server's keystore file. You can find the keytool utility in the $JAVA_HOME/bin directory:
For more information on command-line arguments of the keytool utility, see keytool documentation.
$JAVA_HOME/bin/keytool -importcert -alias ldapserver -keystore <slm-keystore-path> -trustcacerts -file <path-to-chain-certificate-file>
Important
You will be prompted to confirm the validity of the certificate. Verifying that the key matches the trusted material is essential for the security of the overall system. Before accepting the certificate, you should contact the administrator who sent you the certificates and verify that the certificate fingerprints you see match the fingerprints they intended to send you.
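As an added example (not part of the SmartBear documentation or the license server itself), the following Python script computes the same SHA-256 and SHA-1 fingerprints that keytool prompts you with, for every certificate in a chain file, and checks them against the fingerprint your administrator sent. The embedded PEM blocks are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

# Matches each PEM-encoded certificate in a file; a chain file may contain several.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def der_certificates(pem_text: str) -> list:
    """Return the DER bytes of every certificate found in the PEM text, in file order."""
    return [base64.b64decode("".join(m.split())) for m in _PEM_RE.findall(pem_text)]


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Fingerprint in keytool's colon-separated upper-case hex form (e.g. AB:CD:...)."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop separators, whitespace and case so fingerprints from different tools compare."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def matches_expected(pem_text: str, expected_fp: str, algorithm: str = "sha256") -> bool:
    """True if any certificate in the chain file has the fingerprint the administrator sent."""
    want = normalize(expected_fp)
    return any(normalize(fingerprint(der, algorithm)) == want for der in der_certificates(pem_text))


def _pem_block(payload: bytes) -> str:
    """Wrap arbitrary bytes as a PEM CERTIFICATE block (constructed test data only)."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample chain: the payloads are NOT real certificates, just bytes standing in
# for DER so the fingerprint logic can be exercised offline.
SAMPLE_CHAIN_PEM = _pem_block(b"constructed-root-ca-placeholder") + _pem_block(
    b"constructed-ldap-server-placeholder"
)

if __name__ == "__main__":
    for i, der in enumerate(der_certificates(SAMPLE_CHAIN_PEM)):
        print(f"cert {i}: SHA256 {fingerprint(der)}  SHA1 {fingerprint(der, 'sha1')}")
```

Run it against the real chain file and compare the printed values with the fingerprints from your administrator before answering keytool's prompt; only accept the import when they match.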
To configure the license server to use the Keystore, open the <SLM License Server Install Path>/bin/slm_service.vmoptions file in a text editor and add the following properties:
-Djavax.net.ssl.trustStore=<slm-keystore-path> -Djavax.net.ssl.trustStorePassword=<slm-keystore-password>
Restart the license server.
Note
Upon restart, the license server service should connect to the LDAP server via SSL. If you still get errors, check that the other LDAP configuration options have been configured correctly. If you are using Active Directory, it is now worth revisiting the Active Directory configuration above.
To troubleshoot SSL connections, add the following line to the slm_service.vmoptions file; it enables Java network debug logging:
-Djavax.net.debug=all
Upon restarting the license server, this information will be written to <SLM License Server Install Path>/output.log. If you need additional assistance on the log details, contact the SmartBear Customer Support team.
Important
Do not run in a production environment with network debug logging enabled. This will severely impact the performance of the system and will also consume vast quantities of disk space.