A quick follow up on my post here. I will describe below the steps needed to enable secure LDAP authentication (both LDAPS and HTTPS). This is not intended for production use, obviously.
I’m using the same platform and environment described here, and also using this as the starting point for the following.
Verify that the LDAPS connection handler is enabled in OpenDJ
This can be checked using the OpenDJ Control Panel GUI, and modified if necessary using the CLI dsconfig utility.
Switch to the secure LDAP port in the GlassFish JSPWiki security realm
Make sure you are using the ldaps:// URL prefix, and specify the secure port number (1636 in this example):
Enable security for the relevant GlassFish HTTP network listener port
Our JSPWiki application is listening over port 8080, configured in GlassFish under http-listener-1. Enable security for this port:
Enable HTTPS connections to JSPWiki
This is performed via modification of the JSPWiki web.xml file. In a default state, the web.xml file contains the following entries which enable the use of SSL connections:
Ensure these exist in web.xml under the container managed authentication section.
Export the OpenDJ SSL certificate and import it into the JSPWiki JKS keystore
The keytool CLI utility is used for this step.
First, we export the OpenDJ certificate (which has a default alias of server-cert) to a file:
dave@mymachine:~/OpenDJ/config$ pfexec keytool -export -alias "server-cert" -keystore ~/OpenDJ/config/keystore -file /tmp/server-cert.cer
Enter keystore password:
Certificate stored in file </tmp/server-cert.cer>
Next, we import the certificate file into the keystore of the GlassFish domain running our instance of JSPWiki, which in this example is at /opt/glassfishv3/glassfish/domains/domain1/config/cacerts.jks:
dave@mymachine:~/OpenDJ/config$ pfexec keytool -import -v -trustcacerts -alias "server-cert" -keystore /opt/glassfishv3/glassfish/domains/domain1/config/cacerts.jks -file /tmp/server-cert.cer
Enter keystore password:
Owner: CN=mymachine, O=OpenDS Self-Signed Certificate
Issuer: CN=mymachine, O=OpenDS Self-Signed Certificate
Signature algorithm name: SHA1withRSA
Trust this certificate? [no]: yes
Certificate was added to keystore
Modify the jspwiki.baseURL value
This is required as the URL prefix will have changed from http:// to https://. This modification is performed in the jspwiki.properties file.
Assuming my existing jspwiki.baseURL value is:
This would need to be changed to:
Restart the GlassFish domain, and test LDAP logins…
…and if you don’t observe secure logins working as they should, leave a comment.