1.2.4 Securing the LDAP Connection
All connections from MWS to the LDAP server should be secured with SSL or StartTLS to ensure passwords and other sensitive information are encrypted as they pass to and from the LDAP server. If the LDAP server does not support SSL or StartTLS, the rest of this section is irrelevant.
In this topic:
- 1.2.4.A Determine Whether the LDAP Server's Certificate is Trusted
- 1.2.4.B Configure MWS to Connect to LDAP Server Using SSL or StartTLS
1.2.4.A Determine Whether the LDAP Server's Certificate is Trusted
If the LDAP server's X.509 certificate has been signed by a trusted certificate authority such as Verisign, Thawte, GeoTrust, and so on, Java will trust the certificate automatically and you won't need to add the certificate to Java's keystore. Consult your IT department to determine whether the LDAP server certificate has been signed by a trusted certificate authority. If the LDAP server certificate is signed by a trusted certificate authority, skip ahead to the next section Configure MWS to Connect to LDAP Server Using SSL or StartTLS. Otherwise, follow the instructions in 'Trusting Servers in Java' in the Moab HPC Suite Installation and Configuration Guide to add the certificate to Java's keystore.
1.2.4.B Configure MWS to Connect to LDAP Server Using SSL or StartTLS
This section shows how to encrypt client connections to MWS using Tomcat and SSL but without requiring the use of Apache. These instructions have been tested on CentOS with Tomcat 6.0.
SSL/TLS
To configure MWS to connect to LDAP using SSL/TLS:
- Update the ldap.port and ldap.security.type parameters in /opt/mws/etc/mws-config.groovy:

    ldap.port = 636
    ldap.security.type = "SSL"
StartTLS
To configure MWS to connect to LDAP using StartTLS:
- Update the ldap.port and ldap.security.type parameters in /opt/mws/etc/mws-config.groovy:

    ldap.port = 389
    ldap.security.type = "StartTLS"
The table below lists the possible values for ldap.security.type:
ldap.security.type | Default Port | Notes |
---|---|---|
None | 389 | This is the default if no security type is configured. All data is sent in plain text. |
SSL | 636 | Requires server certificate. All data is encrypted. |
StartTLS | 389 | Starts as an insecure connection and is upgraded to an SSL/TLS connection. Requires server certificate. After upgrade all data is encrypted. |
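To catch an inconsistent or plaintext pair before MWS is restarted, here is an added Python check (example code, not part of MWS or this guide) that reads the two keys from the text of mws-config.groovy and compares them against the table above. It assumes that an absent ldap.security.type means None, as the table states, and that an absent ldap.port falls back to that type's default port.

```python
"""Sanity-check the ldap.port / ldap.security.type pair in mws-config.groovy text."""
import re

# Default port and whether the transport is encrypted, per ldap.security.type (from the table above).
SECURITY_TYPES = {
    "None": (389, False),
    "SSL": (636, True),
    "StartTLS": (389, True),
}

# Matches the two Groovy assignments this check cares about, e.g. ldap.port = 636
_ASSIGN = re.compile(r'^\s*(ldap\.port|ldap\.security\.type)\s*=\s*(.+?)\s*$')


def parse_ldap_settings(config_text):
    """Return {key: value} for the two LDAP keys found in a mws-config.groovy body.

    Quoted strings are unquoted and bare integers become ints; other keys are ignored.
    """
    settings = {}
    for line in config_text.splitlines():
        line = line.split("//", 1)[0]  # drop Groovy line comments (enough for these two keys)
        m = _ASSIGN.match(line)
        if not m:
            continue
        key, raw = m.groups()
        if raw[:1] in "\"'" and raw[-1:] == raw[:1]:
            settings[key] = raw[1:-1]
        elif raw.isdigit():
            settings[key] = int(raw)
        else:
            settings[key] = raw
    return settings


def check_ldap_security(config_text):
    """Return a list of findings; an empty list means the pair is encrypted and consistent."""
    s = parse_ldap_settings(config_text)
    sec = s.get("ldap.security.type", "None")  # assumption: None is the documented default
    if sec not in SECURITY_TYPES:
        return [f"unknown ldap.security.type {sec!r}; expected one of {sorted(SECURITY_TYPES)}"]
    default_port, encrypted = SECURITY_TYPES[sec]
    port = s.get("ldap.port", default_port)  # assumption: omitted port means the type's default
    findings = []
    if not encrypted:
        findings.append("ldap.security.type is None: bind passwords travel in plain text; use SSL or StartTLS")
    if port != default_port:
        findings.append(f"ldap.port {port} is not the usual port {default_port} for {sec}; confirm the server listens there")
    if sec == "None" and port == 636:
        findings.append("port 636 is the LDAPS port; a plaintext LDAP client on it will not connect")
    return findings
```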