Securing communications with an LDAP server

You can configure Transport Layer Security (TLS) to encrypt communications between the SafeLinx Server and an LDAP server.

To support a TLS connection with an LDAP server, you must store the LDAP server's root signer certificate in a key database file on the SafeLinx Server. Use the GSKit to add the certificate to the SafeLinx key database. You can use an existing key database, such as the one that is used by HTTP access services (http.trusted.kdb), or you can create your own key database. After you save the signer certificate, use the SafeLinx Administrator to specify the names of the key database and stash password files in the directory service properties pages.

In some cases, you can use a web browser, such as Mozilla Firefox, to retrieve the signer certificate for the LDAP server. This method is documented in the procedure that follows. If the browser method is unsuccessful, ask the LDAP administrator to extract the certificate and return it to you in a certificate file in .der format.

  1. To use Mozilla Firefox to retrieve a signer certificate for the LDAP server, specify type the address of the LDAP server in the location bar, with an https prefix.
    For example, type:
    https://ldap.renovations.com
    The following message displays:

    This Connection is Untrusted.

  2. Click I Understand the Risks, and then click Add Exception...
    The certificate is saved automatically to the browser's Certificate Manager.
  3. Open the Firefox menu, click Options or Preferences, and then click Advanced.
  4. Click View Certificates, and then click the Servers tab.
  5. Click the certificate and then click Export...
  6. In the Save Certificate to File window, browse to the directory where you want to save the file, click X.509 Certificate (DER) (*.der) in the Save as type field, and then click Save.
    If the file name is not equal to the fully qualified host name of the server, rename the file.
    For example, save the file as ldap.renovations.com.der.
  7. Transfer a copy of the file to the SafeLinx Server.
To complete the TLS configuration, edit the directory service properties to enable the use of secure connections and to specify the key database and stash password files.