4.79 Securing the LDAP Connection

All connections from MWS to the LDAP server should be secured with SSL or StartTLS to ensure passwords and other sensitive information are encrypted as they pass to and from the LDAP server. If the LDAP server does not support SSL or StartTLS, the rest of this section is irrelevant.

4.79.0.A Determine Whether the LDAP Server's Certificate is Trusted

If the LDAP server's X.509 certificate has been signed by a trusted certificate authority such as VeriSign, Thawte, GeoTrust, and so on, Java will trust the certificate automatically and you won't need to add the certificate to Java's keystore. Consult your IT department to determine whether the LDAP server certificate has been signed by a trusted certificate authority. If the LDAP server certificate is signed by a trusted certificate authority, skip ahead to Configure MWS to Connect to LDAP Server Using SSL or StartTLS. Otherwise, follow the instructions in Trusting Servers in Java to add the certificate to Java's keystore.

4.79.0.B Configure MWS to Connect to LDAP Server Using SSL or StartTLS

To configure MWS to connect to LDAP using SSL/TLS

  1. Update the ldap.port and ldap.security.type parameters in /opt/mws/etc/mws-config.groovy.

    ldap.port = 636
    ldap.security.type = "SSL"

To configure MWS to connect to LDAP using StartTLS

  1. Update the ldap.port and ldap.security.type parameters in /opt/mws/etc/mws-config.groovy.

    ldap.port = 389
    ldap.security.type = "StartTLS"

The table below lists the possible values for ldap.security.type:

  ldap.security.type | Default port | Notes
  -------------------|--------------|------------------------------------------------------------
  None               | 389          | This is the default if no security type is configured. All data is sent in plain text.
  SSL                | 636          | Requires server certificate. All data is encrypted.
  StartTLS           | 389          | Starts as an insecure connection and is upgraded to an SSL/TLS connection. Requires server certificate. After upgrade all data is encrypted.

© 2016 Adaptive Computing