Configuring For Ldaps

From FMR Knowledge Base

To configure the FMR to communicate with a Security Authentication Service via LDAPS you may need to verify that the Java Runtime Environment (JRE) running your FMR is configured correctly. In particular, the certificate presented by the LDAPS server must be trusted by your JRE. The following steps are recommended:

Ensuring your Endpoint is Communicating via LDAPS

It is highly recommended to ensure that your system has been configured to communicate via LDAPS. On a system that is accessible to your LDAPS system, try performing an ldapsearch:

 ldapsearch -H ldaps://<server>:<port> -x -b "<search base>" -D "<bind DN>" -w <password> "(objectClass=inetOrgPerson)" -d 1

For example if using the OpenLdap example server:

 ldapsearch -H ldaps://localhost:10636 -x -b "ou=people,dc=planetexpress,dc=com" -D "cn=admin,dc=planetexpress,dc=com" -w GoodNewsEveryone "(objectClass=inetOrgPerson)" -d 1

If this produces a successful result, returning objects from your LDAPS server, the LDAPS system is accessible and has been configured correctly. The -d 1 flag prints debug output, including the TLS handshake, which is useful if the connection fails.

Obtaining the Certificate from LDAPS and Adding to JRE Truststore

Obtaining the certificate from your LDAPS server can be achieved with OpenSSL. The actual steps will vary depending on your environment, but they will generally be:

1. Obtain the certificate from the LDAPS system. Use:

   openssl s_client -connect <server host and port> -showcerts

2. Save the certificate section (the block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, inclusive) to a separate file

3. Add this certificate to your Java trust-store. This will depend on your system, but you will need a command like:

   keytool -importcert -file <certificate file> -alias <alias> -keystore C:\Java\jdk-1.8\jre\lib\security\cacerts

4. Restart the FMR
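The four steps above, as an added example script that is not part of the FMR knowledge base or the FMR product: it fetches the chain with openssl s_client, extracts one PEM block, prints the certificate's subject and SHA-256 fingerprint so it can be compared with a value obtained from the LDAP administrator before it is trusted, and imports it with keytool. The host, port, alias, truststore path, the environment variable names, the default cacerts password and the sample s_client output are all assumptions or constructed data.

```shell
#!/bin/sh
# Added example, not FMR's own tooling. Assumes openssl, awk and keytool are
# on PATH; LDAPS_HOST, LDAPS_PORT, LDAPS_ALIAS, TRUSTSTORE and STOREPASS are
# hypothetical environment variables used only by this script.
set -eu

# extract_cert N: read "openssl s_client -showcerts" output on stdin and print
# the N-th PEM certificate block (1 = leaf, last = issuing CA). Default N=1.
extract_cert() {
    awk -v n="${1:-1}" '
        /-----BEGIN CERTIFICATE-----/ { i++ }
        i == n { print }
        /-----END CERTIFICATE-----/ && i == n { exit }'
}

# count_certs: number of PEM certificate blocks on stdin (0 if none).
count_certs() {
    awk '/-----BEGIN CERTIFICATE-----/ { c++ } END { print c + 0 }'
}

# Constructed sample of s_client output (fake, non-decodable PEM bodies) so the
# extraction helpers can be exercised offline.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
depth=1 CN = Example Internal CA
verify return:1
---
Certificate chain
 0 s:CN = ldap.example.internal
   i:CN = Example Internal CA
-----BEGIN CERTIFICATE-----
MIIBconstructedLEAFcertificatelineONE
MIIBconstructedLEAFcertificatelineTWO
-----END CERTIFICATE-----
 1 s:CN = Example Internal CA
   i:CN = Example Internal CA
-----BEGIN CERTIFICATE-----
MIIBconstructedCAcertificatelineONE
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldap.example.internal'

# Live run only when LDAPS_HOST is set, e.g.
#   LDAPS_HOST=ldap.example.internal TRUSTSTORE=/path/to/cacerts sh import-ldaps-ca.sh
if [ -n "${LDAPS_HOST:-}" ]; then
    LDAPS_PORT="${LDAPS_PORT:-636}"
    TRUSTSTORE="${TRUSTSTORE:?set TRUSTSTORE to the JRE cacerts path}"

    # Step 1: fetch the chain. -servername sends SNI so a multi-name server
    # returns the certificate for this host.
    chain=$(openssl s_client -connect "$LDAPS_HOST:$LDAPS_PORT" \
                -servername "$LDAPS_HOST" -showcerts </dev/null 2>/dev/null)

    # Step 2: save the last block (the issuing CA when a chain is sent, or the
    # leaf itself for a single self-signed certificate). Trusting the CA means
    # the import survives renewal of the server certificate.
    n=$(printf '%s\n' "$chain" | count_certs)
    [ "$n" -gt 0 ] || { echo "no certificate received from $LDAPS_HOST" >&2; exit 1; }
    printf '%s\n' "$chain" | extract_cert "$n" > ldaps-trust.pem

    # Verify out of band: compare this fingerprint with the one your LDAP
    # administrator gives you before running the import.
    openssl x509 -in ldaps-trust.pem -noout -subject -fingerprint -sha256

    # Step 3: import into the JRE truststore. "changeit" is the JDK default
    # cacerts password; override with STOREPASS if yours differs.
    keytool -importcert -noprompt -file ldaps-trust.pem \
        -alias "${LDAPS_ALIAS:-ldaps-ca}" -keystore "$TRUSTSTORE" \
        -storepass "${STOREPASS:-changeit}"

    # Step 4 is manual: restart the FMR so the JRE re-reads the truststore.
    echo "imported; restart the FMR to pick up the new truststore entry"
fi
```

The helpers can be reused on a saved s_client transcript: `extract_cert 1 < transcript.txt` gives the leaf, and `extract_cert "$(count_certs < transcript.txt)" < transcript.txt` gives the last block. On JDK 8 the truststore is jre/lib/security/cacerts under the JDK directory, as in the keytool command above; on JDK 11 and later it is lib/security/cacerts.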


Disabling all Endpoint Identification

If Java / Tomcat is not trusting your certificates, one of the simplest ways to overcome this is to tell the JRE that endpoint identification should be disabled. There is a JVM system property (passed with -D) for doing this:

 -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

If you are using Apache Tomcat, you can add it to the setenv.bat / setenv.sh file like so:

 set "JAVA_OPTS=%JAVA_OPTS% -Xmx6G -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"

This switches off hostname verification (endpoint identification) on LDAPS connections, so Java accepts the server certificate without checking that the name in it matches the host it connected to. Because this removes the check that protects against a server impersonating your LDAPS host, prefer importing the correct certificate into the truststore as described above and treat this property as a temporary workaround while the certificate is corrected.


Debugging

If you are still experiencing issues, it is recommended to start the FMR with a JVM system property which turns on SSL/TLS debug logging. This is:

 -Djavax.net.debug=ssl

This can be added to a setenv.bat / setenv.sh file in the usual manner:

 set "JAVA_OPTS=%JAVA_OPTS% -Xmx6G -Djavax.net.debug=ssl"

Restart the FMR and attempt to log on as a user from your LDAPS server. The Registry will now produce significantly more information in its log files, including the TLS handshake and any certificate validation failure, which should help determine what the issue is.