Using LDAPs

To use TLS/SSL encrypted communication between Panopticon Real Time and the LDAP directory, we need to make the following changes in configuration:

  • Change the protocol in the LDAP URL to ldaps
  • Change the port in the LDAP URL to an SSL enabled port, typically 636
  • If the LDAP directory uses a self-signed certificate, the certificate needs to be imported into a TrustStore.

See an example of a Tomcat Realm using LDAPS below:


  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://ldap-server:636"
         connectionName="cn=admin,dc=test,dc=com"
         connectionPassword="admin"
         userPattern="uid={0},ou=users,dc=test,dc=com"
         roleBase="ou=groups,dc=test,dc=com"
         roleName="cn"
         roleSearch="(uniqueMember={0})"
         roleNested="true"
    />


There are two options for trusting a self-signed LDAP certificate:

  • Import the certificate into the JVM TrustStore

    The JVM TrustStore is located at JAVA_HOME/lib/security/cacerts. Use the command below (run from that directory, or give the full path to cacerts) to add a new trusted certificate to the TrustStore:

    keytool -import -alias ldap -keystore cacerts -trustcacerts -file ldap.crt -noprompt -storepass changeit

  • Create an application TrustStore
    1. Import the chain (issuer) certificate, under its own alias so that the server certificate can be imported separately in the next step:

      keytool -import -alias ldapca -keystore ldaptruststore.jks -trustcacerts -file [path to chain certificate] -noprompt -storepass changeit

    2. Import the LDAP server certificate:

      keytool -import -alias ldap -keystore ldaptruststore.jks -file ldap.crt -noprompt -storepass changeit

    3. Check the TrustStore.

      keytool -list -keystore ldaptruststore.jks -storepass changeit

    4. Configure Tomcat to use the new TrustStore by editing setenv.bat/.sh:
      • setenv.bat (Windows)

        set JAVA_OPTS=%JAVA_OPTS% "-Djavax.net.ssl.trustStore=[path to ldaptruststore.jks]" "-Djavax.net.ssl.trustStorePassword=changeit"

      • setenv.sh (Linux)

        export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=[path to ldaptruststore.jks] -Djavax.net.ssl.trustStorePassword=changeit"

With either approach, Tomcat needs to be restarted for the changes to take effect.
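The script below is an added example, not part of the Panopticon documentation. It carries the application TrustStore steps above through as one procedure: it checks that the Realm's connectionURL really uses ldaps:// (and not the plaintext port), imports the chain certificate and the server certificate under two different aliases (keytool refuses a second import under an alias that already exists), verifies both entries with keytool -list, and prints the correctly spaced JAVA_OPTS line for setenv.sh. The file name ldap-ca.crt, the aliases ldap-ca and ldap-server, the LDAP_URL default and the environment-variable overrides are assumptions; only ldap.crt, ldaptruststore.jks and the password changeit come from the page.

```shell
#!/bin/sh
# Added example, not from the Panopticon documentation. File names, the two
# aliases and the LDAP_URL default are assumptions; ldap.crt, ldaptruststore.jks
# and changeit are the values used on the page.
set -u

CA_CERT="${CA_CERT:-ldap-ca.crt}"            # assumed name for the chain (issuer) certificate
SERVER_CERT="${SERVER_CERT:-ldap.crt}"       # the server certificate named on the page
TRUSTSTORE="${TRUSTSTORE:-ldaptruststore.jks}"
STOREPASS="${STOREPASS:-changeit}"

# check_ldaps_url URL: 0 if the URL uses ldaps://, 1 for any other scheme
# (plaintext), 2 if ldaps:// is combined with the plaintext port 389.
check_ldaps_url() {
    url="$1"
    case "$url" in
        ldaps://*) ;;
        *) echo "not an ldaps:// URL, traffic would be unencrypted: $url" >&2; return 1 ;;
    esac
    hostport="${url#ldaps://}"
    hostport="${hostport%%/*}"      # drop any base DN after the host
    case "$hostport" in
        *:*) port="${hostport##*:}" ;;
        *)   port=636 ;;            # JNDI's default port for ldaps://
    esac
    if [ "$port" = 389 ]; then
        echo "ldaps:// on port 389 (the plaintext port) will not work: $url" >&2; return 2
    fi
    return 0
}

# java_opts_for_truststore PATH PASSWORD: the two -D properties for setenv.sh,
# separated by a space. Run together, the trustStore path silently ends in
# "-Djavax.net.ssl.trustStorePassword=..." and no certificate is trusted.
java_opts_for_truststore() {
    printf '%s' "-Djavax.net.ssl.trustStore=$1 -Djavax.net.ssl.trustStorePassword=$2"
}

# build_truststore: import the chain certificate and the server certificate
# under different aliases. keytool refuses a second import under an alias
# that already exists, so using -alias ldap for both steps fails on step 2.
build_truststore() {
    keytool -import -alias ldap-ca -keystore "$TRUSTSTORE" -trustcacerts \
        -file "$CA_CERT" -noprompt -storepass "$STOREPASS" || return 1
    keytool -import -alias ldap-server -keystore "$TRUSTSTORE" \
        -file "$SERVER_CERT" -noprompt -storepass "$STOREPASS" || return 1
}

# truststore_has_alias ALIAS: 0 if keytool -list shows the alias in TRUSTSTORE
truststore_has_alias() {
    keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -alias "$1" >/dev/null 2>&1
}

main() {
    check_ldaps_url "${LDAP_URL:-ldaps://ldap-server:636}" || exit 1
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not on PATH; add JAVA_HOME/bin first" >&2; exit 1
    fi
    if [ ! -f "$CA_CERT" ] || [ ! -f "$SERVER_CERT" ]; then
        echo "missing $CA_CERT or $SERVER_CERT" >&2; exit 1
    fi
    build_truststore || exit 1
    truststore_has_alias ldap-ca && truststore_has_alias ldap-server || exit 1
    # The line to paste into setenv.sh (setenv.bat uses "set" instead of "export").
    echo "export JAVA_OPTS=\"\$JAVA_OPTS $(java_opts_for_truststore "$(pwd)/$TRUSTSTORE" "$STOREPASS")\""
}

# Only run the full procedure when invoked as: sh ldaps-truststore.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh ldaps-truststore.sh run` from the directory holding the two certificate files, with `LDAP_URL` set to the connectionURL from the Realm; the last line of output is the setenv.sh entry. Importing the chain certificate and the server certificate under separate aliases is what lets step 2 succeed, and the ldaps:// check catches the common mistake of switching the scheme but leaving port 389 in the URL.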


(c) 2023 Altair Engineering Inc. All Rights Reserved.
