A quick follow-up on my post here. I will describe below the steps needed to enable secure LDAP authentication (both LDAPS and HTTPS). This is not intended for production use, obviously.
I’m using the same platform and environment described at http://blog.davekoelmeyer.co.nz/2012/01/28/container-based-authentication-with-jspwiki-glassfish-and-opendj/, and also using this as the starting point for the following.
Verify that the LDAPS connection handler is enabled in OpenDJ
This can be checked using the OpenDJ Control Panel GUI, and modified if necessary using the CLI dsconfig utility.
Switch to the secure LDAP port in the GlassFish JSPWiki security realm
Make sure you are using the ldaps:// URL prefix, and specify the secure port number (1636 in this example):
Enable security for the relevant GlassFish HTTP network listener port
Our JSPWiki application is listening over port 8080, configured in GlassFish under http-listener-1. Enable security for this port:
Enable HTTPS connections to JSPWiki
This is performed via modification of the JSPWiki web.xml file. In a default state, the web.xml file contains the following entries, which enable the use of SSL connections:
<user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
Ensure these exist in web.xml under the container-managed authentication section.
Export the OpenDJ SSL private certificate and import it into the JSPWiki JKS keystore
The keytool CLI utility is used for this step.
First, we export the OpenDJ certificate (which has a default alias of server-cert) to a file:
dave@mymachine:~/OpenDJ/config$ pfexec keytool -export -alias "server-cert" -keystore ~/OpenDJ/config/keystore -file /tmp/server-cert.cer
Enter keystore password:
Certificate stored in file </tmp/server-cert.cer>
Next, we import the certificate file into the keystore of the GlassFish domain running our instance of JSPWiki, which in this example is at /opt/glassfishv3/glassfish/domains/domain1/config/cacerts.jks:
dave@mymachine:~/OpenDJ/config$ pfexec keytool -import -v -trustcacerts -alias "server-cert" -keystore /opt/glassfishv3/glassfish/domains/domain1/config/cacerts.jks -file /tmp/server-cert.cer
Enter keystore password:
Owner: CN=mymachine, O=OpenDS Self-Signed Certificate
Issuer: CN=mymachine, O=OpenDS Self-Signed Certificate
Serial number:
Valid from:
Certificate fingerprints:
         MD5:
         SHA1:
         Signature algorithm name: SHA1withRSA
         Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore
[Storing /opt/glassfishv3/glassfish/domains/domain1/config/cacerts.jks]
Modify the jspwiki.baseURL value
This is required as the URL prefix will have changed from http:// to https://. This modification is performed in the jspwiki.properties file.
Assuming my existing jspwiki.baseURL value is:
http://192.168.1.1:8080/ITProjects/
This would need to be changed to:
https://192.168.1.1:8080/ITProjects/
Restart the GlassFish domain, and test LDAP logins…
…and if you don’t observe secure logins working as they should, leave a comment.
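Before restarting, it is worth checking that none of the three plaintext settings above was missed. The script below is an added example (my own, not part of the original post or of JSPWiki/GlassFish) that audits a web.xml for security-constraints lacking a CONFIDENTIAL transport-guarantee, the jspwiki.baseURL property for an https:// prefix, and the realm's LDAP URL for ldaps:// with an explicit port; the embedded web.xml fragment is constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the first constraint is correct, the second was left at NONE.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>wiki</web-resource-name><url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>attach</web-resource-name><url-pattern>/attach/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""


def local(tag):
    """Strip the XML namespace so web.xml with or without xmlns is handled."""
    return tag.split("}")[-1]


def audit_web_xml(xml_text):
    """Return web-resource-names of constraints whose transport-guarantee is not CONFIDENTIAL.
    A constraint with no user-data-constraint at all is reported too."""
    root = ET.fromstring(xml_text)
    weak = []
    for sc in root.iter():
        if local(sc.tag) != "security-constraint":
            continue
        name = next((e.text for e in sc.iter() if local(e.tag) == "web-resource-name"), "?")
        guarantees = [e.text.strip() for e in sc.iter() if local(e.tag) == "transport-guarantee"]
        if guarantees != ["CONFIDENTIAL"]:
            weak.append(name)
    return weak


def base_url_is_https(properties_text):
    """True when jspwiki.baseURL in jspwiki.properties uses the https:// prefix."""
    m = re.search(r"^\s*jspwiki\.baseURL\s*=\s*(\S+)", properties_text, re.M)
    return m is not None and m.group(1).lower().startswith("https://")


def ldap_url_is_secure(url):
    """True only for an ldaps:// URL with an explicit port (1636 in this post)."""
    return re.fullmatch(r"ldaps://[^/:]+:\d+/?", url, re.I) is not None


if __name__ == "__main__":
    print("weak constraints:", audit_web_xml(SAMPLE_WEB_XML))
    print("baseURL https:", base_url_is_https("jspwiki.baseURL = https://192.168.1.1:8080/ITProjects/\n"))
    print("realm ldaps:", ldap_url_is_secure("ldaps://192.168.1.1:1636"))
```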