Enabling SSL on Novell ECMAscript LDAP Queries

Enabling an existing open LDAP connection to use SSL is a simple process: a few code modifications plus a certificate export/import procedure.

Example of an unsecured (plaintext) LDAP connection:

var lc = new LDAPConnection();
lc.connect( host, port );
lc.bind( LDAPConnection.LDAP_V3, user, new java.lang.String(password).getBytes("UTF8") );


Example of an SSL LDAP connection:

System.setProperty("javax.net.ssl.trustStore", "/opt/novell/eDirectory/lib64/nds-modules/jre1.6.0_20/lib/security/cacerts");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
var ssf = new LDAPJSSESecureSocketFactory();
var lc = new LDAPConnection(ssf);
lc.connect( host, port );
lc.bind( LDAPConnection.LDAP_V3, user, new java.lang.String(password).getBytes("UTF8") );


Step by Step: (the trust store path and password below need to be modified by the user to fit their environment)

The following sets the location of the Trust Store on the Novell IDM machine. If the path below does not exist in your environment, search for it (Linux: "find / -name cacerts"):

System.setProperty("javax.net.ssl.trustStore", "/opt/novell/eDirectory/lib64/nds-modules/jre1.6.0_20/lib/security/cacerts");

The following sets the Trust Store password. The default password for the cacerts store is "changeit". I will explain later in the article how to export and import the needed certificates:

System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

The following defines the Socket Factory that creates the Secure Socket Connection:

var ssf = new LDAPJSSESecureSocketFactory();

The following defines the LDAP Connection and directs it to use the Secure Socket Factory:

var lc = new LDAPConnection(ssf);


Note:

After modifying your code, ensure that you are using port 636 (LDAPS) for your connection. Using port 389 will not work.
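Putting the steps above together, here is an added example (not code from the original article) of a small helper for an IDM ECMAScript policy. It assumes, as the article's own snippets do, a Rhino-style engine where the JLDAP classes (LDAPConnection, LDAPJSSESecureSocketFactory) and the java.* packages are available. The settings object and the function names secureLdapSettings, checkSecureLdapSettings and openSecureLdapConnection are hypothetical; the host and bind DN are constructed sample values. The validation part uses no Java calls, so it can be exercised outside the IDM engine, and the connect function refuses to bind when the settings violate the article's requirements (port 636, a cacerts trust store and its password) instead of silently failing the handshake.

```javascript
// Added example for an IDM/DirXML ECMAScript (Rhino) policy; not from the article.
// Assumes LDAPConnection and LDAPJSSESecureSocketFactory (JLDAP) are on the classpath.

// Constructed sample settings. The trust store path is the one used in the article;
// host and user are hypothetical placeholders for your environment.
var secureLdapSettings = {
  host: "ldap.example.test",
  port: 636,                 // LDAPS port; 389 does not work with the SSL socket factory
  user: "cn=admin,o=example",
  trustStore: "/opt/novell/eDirectory/lib64/nds-modules/jre1.6.0_20/lib/security/cacerts",
  trustStorePassword: "changeit"   // keytool default, as in the article
};

// Pure validation (no Java calls) so it can be unit tested anywhere.
// Returns a list of problems; an empty list means the settings match the article's rules.
function checkSecureLdapSettings(s) {
  var problems = [];
  if (!s.host) problems.push("host is empty");
  if (s.port !== 636) problems.push("SSL connections must use port 636, not " + s.port);
  if (!s.trustStore || !/cacerts$/.test(s.trustStore)) problems.push("trustStore must point at the JRE cacerts file");
  if (!s.trustStorePassword) problems.push("trustStorePassword is empty");
  if (!s.user) problems.push("bind user (DN) is empty");
  return problems;
}

// Opens the LDAPS connection and binds. Throws instead of connecting when the
// settings are inconsistent, so a misconfiguration never degrades to plaintext.
// Runs only inside the IDM engine (uses Java interop).
function openSecureLdapConnection(s, password) {
  var problems = checkSecureLdapSettings(s);
  if (problems.length > 0) throw new Error("refusing to connect: " + problems.join("; "));

  // Check the trust store file exists before JSSE tries to read it; a missing file
  // otherwise surfaces only as an opaque handshake failure in ndstrace.
  if (!new java.io.File(s.trustStore).exists()) throw new Error("trust store not found: " + s.trustStore);

  java.lang.System.setProperty("javax.net.ssl.trustStore", s.trustStore);
  java.lang.System.setProperty("javax.net.ssl.trustStorePassword", s.trustStorePassword);

  var ssf = new LDAPJSSESecureSocketFactory();      // secure socket factory from the article
  var lc = new LDAPConnection(ssf);                 // connection bound to that factory
  lc.connect(s.host, s.port);
  lc.bind(LDAPConnection.LDAP_V3, s.user, new java.lang.String(password).getBytes("UTF8"));
  return lc;   // caller is responsible for lc.disconnect() when finished
}
```

Usage inside the policy would be `var lc = openSecureLdapConnection(secureLdapSettings, password);` followed by the existing search logic and `lc.disconnect()`. Keeping the validation separate from the Java calls is what makes the port and trust store rules testable before the script ever runs against eDirectory.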


Exporting the Certificate through iManager:

After logging into iManager:

    1. Click on "Roles and Tasks"
    2. Click on "Directory Administration"
    3. Click on "Modify Object"
    4. Search for the "<Tree Name> CA" object
    5. Click "OK"
    6. Click on the "Certificates" tab
    7. Check the "Self Signed Certificate" box
    8. Click "Validate"
    9. Check the "Self Signed Certificate" box
    10. Click "Export"
    11. Uncheck "Export Private Key"
    12. Select "Export Format" DER
    13. Click "Next"
    14. Click on "Save the exported certificate"


Importing the Certificate (Linux): (the keytool path, certificate file and cacerts location below need to be modified by the user to fit their environment)

    1. Copy the certificate exported above into the /tmp folder.
    2. Locate the Java keytool (find / -name keytool).
    3. Enter the following command to import the certificate into the cacerts store: <keytool path>/keytool -import -file /tmp/cert.der -keystore <location of the cacerts store, the same location as the trustStore used in the steps above> (replace /tmp/cert.der with the location of your exported DER file)
    4. Press "Enter". After execution you will see the certificate being placed in the cacerts store. Take note of the certificate expiration date.
    5. Restart eDirectory.


After modifying your code and exporting/importing the correct certificates, your LDAP connection will now be using SSL. To look at the differences in the connection, and for any troubleshooting, refer to the "ndstrace.log" file (a link to using ndstrace is below).


An example SSL connection script:

http://www.novell.com/documentation/developer/samplecode/jldap_sample/security/SSLConnection.java.html

Exporting Certificates (Method 2 iManager): http://www.novell.com/support/kb/doc.php?id=3176104

Importing Certificates: http://www.novell.com/support/kb/doc.php?id=7006793

Using ndstrace: http://www.novell.com/support/kb/doc.php?id=7002672


Questions, comments or concerns? Feel free to reach out to us below or at IDMWORKS