Configuring an LDAP SSL Connection
aPriori recommends that for security, any production environment LDAP installation be configured to use SSL (Secure Sockets Layer).
Note: For simplicity, we use the term “SSL” to refer to both SSL and TLS (Transport Layer Security). Over the past several years, TLS has replaced SSL, but many people are still more familiar with the term SSL.
LDAP server and general SSL configuration is beyond the scope of this documentation and must be set up by your IT department. However, once an SSL LDAP server is configured, you must configure your aPriori installation to be able to communicate with it.
This consists of adding the certificate of the CA (Certificate Authority) that issued your LDAP server's certificate into the Java ‘cacerts’ keystore shipped with the JDK in your aPriori installation. The ‘cacerts’ file is the list of CAs trusted by Java. When establishing an SSL connection, Java must be able to build a path from one of those trusted roots to the certificate the server presents; if no path can be found, Java refuses the connection.

Get a copy of the root CA certificate (and, if applicable, any intermediate CA certificate) that issued your LDAP server's SSL certificate from your IT department, so you can add it to the aPriori truststore. Import the CA certificates rather than the server's own certificate: trusting the server certificate directly only works until that certificate is renewed, whereas trusting the issuing CA survives renewals. The file might be named almost anything, but is usually similar to “certificate.crt” or “certificate.cer”. These instructions assume the certificate is in PEM format (you may also see this called a Base64-encoded X.509 certificate).
If you open your certificate file in a text editor, it should look like this if it is in PEM format:
-----BEGIN CERTIFICATE-----
MIIDmzCCAoOgAwIBAgIJANlzcMphFdASMA0GCSqGSIb3DQEBCwUAMGQxCzAJBgNV
... <many more lines that look similar to the above> ...
pcCZfoaYop2djiciry7C
-----END CERTIFICATE-----
1 Place this file in a known location so the command line later in this procedure can find it.
5 Bring up a command window and navigate to:
<apriori_install>\WIN64\jdk\bin
6 Enter the following command:
keytool -importcert -file <certificatepath>\<certificatename> -alias <aliasname> -keystore <truststore> -storepass <password> -trustcacerts -noprompt
(Every option begins with a plain ASCII hyphen. If you copy the command from a formatted document, check that none of the hyphens have become en dashes; keytool rejects those as illegal options.)
where:
<certificatepath>\<certificatename> – are the location and the file name of the certificate you copied in Step 1. For example, c:\temp\server3_cert.crt.
<aliasname> – is an arbitrary, unique name you assign to this certificate to identify it in the store. For example, yourdomain_server3.
<truststore> – is the truststore in your aPriori installation:
<apriori_install>\WIN64\JDK\jre\lib\security\cacerts
<password> – is the password for the truststore. The default is “changeit”; hopefully you or your IT department have already changed it, in which case use the current value. If you omit -storepass, keytool prompts for the password instead of leaving it in your command history and process listing.
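The following PowerShell script is an added example of the whole procedure above, not a script supplied with aPriori. It assumes placeholder values for the install directory, the certificate file and the alias prefix, which you replace with your own. It goes slightly beyond the single keytool command in the text: it splits a PEM bundle into individual certificates (keytool -importcert stores only the first certificate it finds in a file, so a root plus intermediate delivered in one file would otherwise lose the intermediate), prints each certificate so you can compare its subject and SHA-256 fingerprint with what IT gave you before trusting it, backs up cacerts, imports each certificate under its own alias and confirms the entry exists.

```powershell
# Added example (not aPriori's own script): import a CA chain into the aPriori JDK truststore.
# All values below are assumptions/placeholders; adjust them for your installation.
param(
    [string]$AprioriInstall = 'C:\aPriori',                 # assumption: aPriori install root
    [string]$CertBundle     = 'C:\temp\ldap_ca_chain.crt',  # assumption: PEM file with root and/or intermediate CA certs
    [string]$AliasPrefix    = 'yourdomain_ldap_ca',         # assumption: arbitrary unique alias prefix
    [string]$StorePass      = 'changeit'                    # Java default; pass the real one
)
$ErrorActionPreference = 'Stop'
$Keytool    = Join-Path $AprioriInstall 'WIN64\jdk\bin\keytool.exe'
$TrustStore = Join-Path $AprioriInstall 'WIN64\jdk\jre\lib\security\cacerts'
foreach ($p in $Keytool, $TrustStore, $CertBundle) {
    if (-not (Test-Path $p)) { throw "Not found: $p" }
}

# 1. Check the file is PEM and split it into one certificate per file.
$pem    = Get-Content -Raw $CertBundle
$blocks = [regex]::Matches($pem, '-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----', 'Singleline')
if ($blocks.Count -eq 0) {
    throw "$CertBundle contains no PEM certificate (no BEGIN CERTIFICATE header); ask IT for a PEM/Base64 export"
}

# 2. Back up the truststore before changing it, so a bad import can be undone.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Copy-Item $TrustStore "$TrustStore.$stamp.bak"

$i = 0
foreach ($m in $blocks) {
    $i++
    $file  = Join-Path $env:TEMP ("ldap_ca_{0}.crt" -f $i)
    Set-Content -Path $file -Value $m.Value -Encoding Ascii
    $alias = "{0}_{1}" -f $AliasPrefix, $i

    # 3. Show what is about to be trusted: compare Owner/Issuer, validity and the SHA-256
    #    fingerprint with the values your IT department gave you before relying on it.
    Write-Host "--- certificate $i (alias $alias) ---"
    & $Keytool -printcert -file $file | Select-String 'Owner:|Issuer:|Valid|SHA256:'

    # 4. Import it as a trusted certificate entry (the command from the procedure above).
    & $Keytool -importcert -file $file -alias $alias -keystore $TrustStore `
        -storepass $StorePass -trustcacerts -noprompt
    if ($LASTEXITCODE -ne 0) { throw "keytool import failed for $file (alias $alias)" }

    # 5. Confirm the entry is now present in the truststore.
    & $Keytool -list -keystore $TrustStore -storepass $StorePass -alias $alias
    if ($LASTEXITCODE -ne 0) { throw "alias $alias not found after import" }

    Remove-Item $file
}
Write-Host "Imported $i certificate(s) into $TrustStore. Restart aPriori and test the LDAPS connection."
```

Run it from an elevated PowerShell window, since the truststore sits under the installation directory. Two things to keep in mind: the truststore lives inside the aPriori install, so an upgrade that replaces the bundled JDK discards these entries and the import has to be repeated (keep the CA files with your deployment notes for that reason); and on JDK 9 and later there is no jre directory, so the cacerts path becomes lib\security\cacerts under the JDK root.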
Assuming the command completes with no errors, restart aPriori and test that LDAP connections over the SSL port (typically 636) work. If they do not, examine the aPriori log file for messages that can help you troubleshoot the problem.
Note: If you receive an exception containing the text “unable to find valid certification path to requested target”, this generally means a trust issue. If your organization has an internal Public Key Infrastructure (PKI), certificates issued by your internal Certificate Authority (CA) are not automatically trusted by Java. Even if you use a third-party CA, its root may not be included with Java. Either way, the steps for adding the certificates are the same. Most CAs provide the CA public root and any intermediate certificates when issuing your certificate; if the server's chain includes an intermediate, import it as well, because Java must be able to follow the chain from the server certificate up to a trusted root. A different exception about the hostname not matching the certificate is not a trust problem: it means the LDAP URL in your configuration does not match the subject or subject alternative name in the server's certificate, and the fix is to use the hostname the certificate was issued for.