Configuring LDAP with SSL (LDAPS)

Lightweight Directory Access Protocol (LDAP) is a lightweight, open-source application protocol used to access, authenticate against, and manage directory services over TCP/IP.

LDAPS is LDAP secured with SSL/TLS: the LDAP data is encrypted while it is exchanged with the LDAP server. This protects user credentials from being read in transit, secures the connection between client and server, and is why LDAPS is the accepted standard directory protocol in place of plain LDAP.

Prerequisites

  • LDAPS certificate: This can be downloaded from your LDAP provider's management tool.

    • The certificate must be valid for Server Authentication, which means it must contain the Server Authentication object identifier (OID) 1.3.6.1.5.5.7.3.1.

    • The subject name, or the first name in the Subject Alternative Name (SAN) extension, must match the Fully Qualified Domain Name (FQDN) of the host machine, for example Subject: CN=Nintexldaps.

    • The host machine account must have access to the private key.

  • User credentials for the Nintex Aerobase/Keycloak authentication platform.

Configuring LDAP with SSL

If you are using LDAP integration and need to move to LDAPS, you must secure LDAP over SSL.

To configure LDAP over SSL:

  1. Open the LDAP Management tool.

  2. Make sure the server URL begins with ldaps:// and set Use SSL to True.

  3. Log in to the Aerobase console or the Keycloak Admin console.

  4. Go to Identity Provider (under Configure in the left pane).

  5. To configure the LDAPS provider, choose one of these options:

    1. Import the LDAPS provider metadata via URL.

    2. Import LDAPS provider metadata via an XML file.

    3. Modify the current LDAP configuration to use LDAPS.

  6. Change the Connection URL to your SSL URL.

    • The URL will usually be the same as before, with an s added to the scheme (e.g. ldaps://ldap-Kryon-pd.io.com).

  7. Set Enable StartTLS to ON.

  8. Test the connection; it should now succeed over LDAPS.

      If you are not using an SSL certificate signed by an authority that Java trusts, continue with step 9. A trusted certificate is preferred and recommended: an untrusted certificate, such as a self-signed certificate, causes web services communication to fail with an SSLHandshakeException.

  9. Import the LDAP certificate into the JRE KeyStore.

Import the LDAP Certificate

To ensure authentication succeeds, import the LDAP certificate into the JRE KeyStore using the keytool command.

The certificate added to the KeyStore must be the CA/root CA of the certificate chain used on the Domain Controller.

To import the LDAP certificate:

  1. Find the Java home path, for example by looking up %Java_Home%.

  2. Copy and rename the default KeyStore cacerts file as jssecacerts.

  3. Copy <Java_Home>/lib/security/cacerts to <Java_Home>/lib/security/jssecacerts.

    Leave the original cacerts file in place as a backup. When jssecacerts exists, JSSE uses it instead of the default cacerts file.

  4. Open CMD as an administrator.

  5. Import the certificate to the jssecacerts KeyStore using the following command:

    "C:\Nintex\IDP\Aerobase\Aerobase\embedded\openjdk\jre\bin\keytool" -importcert -file "C:\Users\LocalAdmin\Desktop\NintexCert.cer" -alias Nintex14-126.Nintexaws.com -keystore "C:\Nintex\IDP\Aerobase\Aerobase\embedded\openjdk\jre\lib\security\jssecacerts" -storepass changeit

  6. The certificate must be a valid X.509 (.CER) file.

    Always paste the command into Notepad first, because it must be run as a single line.

    The default syntax is:

    $JDK_HOME/bin/keytool -importcert -file $CERT -alias $ALIAS -keystore $JDK_HOME/lib/security/jssecacerts -storepass changeit

    • Replace $JDK_HOME with your actual JDK home path.

    • Replace $CERT with the path to the certificate you previously installed on the system.

    • Replace $ALIAS with the alias you want to use for the entry in the KeyStore.

      changeit is the default password for Java's cacerts file; check whether it has been changed on your system.

  7. Review the command output: keytool prints the certificate details (owner, issuer, serial number, validity period and fingerprints) so you can confirm it is the expected CA certificate.

  8. When the Trust this certificate? prompt appears, type yes and press Enter.

  9. keytool confirms that the certificate was added to the keystore.

  10. Restart all of the Aerobase services to complete the LDAPS configuration.

The LDAPS connection can now be authenticated successfully.
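The import procedure above as a repeatable script, written here as an added example that is not part of the Nintex/Aerobase documentation. It targets a POSIX shell; the Windows command in step 5 is the same keytool invocation typed into CMD. It assumes JDK_HOME, CERT and ALIAS as described in step 6, that keytool lives under $JDK_HOME/bin, and that keytool -printcert reports the BasicConstraints extension as CA:true (an assumption about the output format). It goes slightly beyond the text: it refuses to import a leaf certificate, since the page requires the CA/root CA, and it verifies the resulting trustedCertEntry.

```shell
#!/bin/sh
# Added example, not part of the Nintex/Aerobase documentation: automates the
# keytool procedure on a POSIX shell. Assumed inputs are JDK_HOME (the Java
# home directory), CERT (an X.509 CA certificate file, .cer/.pem) and ALIAS
# (the keystore alias you want); STOREPASS defaults to the stock value changeit.

# Path of the JSSE trust store that takes precedence over cacerts.
jsse_keystore_path() {
    printf '%s/lib/security/jssecacerts\n' "$1"
}

# Create jssecacerts as a copy of cacerts if it does not exist yet; the
# original cacerts file is left untouched as the backup. Prints the path.
prepare_jssecacerts() {
    src="$1/lib/security/cacerts"
    dst=$(jsse_keystore_path "$1")
    if [ ! -f "$src" ]; then
        echo "cacerts not found at $src" >&2
        return 1
    fi
    if [ ! -f "$dst" ]; then
        cp "$src" "$dst" || return 1
    fi
    printf '%s\n' "$dst"
}

# Refuse anything that is not a CA certificate: the documentation requires the
# CA/root CA of the chain, not the LDAP server's own leaf certificate. Relies
# on keytool -printcert showing the BasicConstraints extension as "CA:true"
# (assumption about the output format).
cert_is_ca() {
    "$1/bin/keytool" -printcert -file "$2" | grep -q 'CA:true'
}

# Import the CA certificate under ALIAS and verify the entry afterwards.
# -noprompt answers the "Trust this certificate?" question with yes, so only
# use it for a certificate whose fingerprint you have already compared with
# the value published by your LDAP provider.
import_ldaps_ca() {
    jdk_home=$1; cert=$2; ks_alias=$3; storepass=${4:-changeit}
    if ! cert_is_ca "$jdk_home" "$cert"; then
        echo "$cert is not a CA certificate; import the CA/root CA instead" >&2
        return 1
    fi
    keystore=$(prepare_jssecacerts "$jdk_home") || return 1
    "$jdk_home/bin/keytool" -importcert -noprompt -trustcacerts \
        -file "$cert" -alias "$ks_alias" \
        -keystore "$keystore" -storepass "$storepass" || return 1
    # A successful import shows up as a trustedCertEntry under the alias.
    "$jdk_home/bin/keytool" -list -keystore "$keystore" \
        -storepass "$storepass" -alias "$ks_alias" | grep -q trustedCertEntry
}

# Usage: sh import_ldaps_ca.sh JDK_HOME CERT ALIAS [STOREPASS]
# Restart the Aerobase services afterwards so the JVM reads the new store.
if [ "$#" -ge 3 ]; then
    import_ldaps_ca "$@"
fi
```

Passing -storepass on the command line makes the password visible in the process list and shell history; if that matters on a shared host, drop the option and let keytool prompt for it instead.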