Enabling LDAP over SSL (LDAPS)
ALM supports LDAP communication transfer over secure sockets (SSL). This ensures that users' credentials (passwords) are not sent over the network in an unsecured way.
This section describes the configuration steps needed to enable LDAP communication over SSL.
LDAP Server Configuration:
To use SSL for secure communication, the following must be preconfigured on the LDAP server:
- SSL must be enabled.
- A secure port must be set (the port is 636 by default).
A server certificate must be installed.
Also, you must obtain a root certificate (and any intermediate) of the Certificate Authority (CA) that issued the LDAP server certificate.
ALM Server Configuration:
The following must be pre-configured on the ALM server:
A certificate trust store.
In most cases, the default trust store is used. The default trust store is <JAVA_HOME>/jre/lib/security/cacerts (the default password is changeit), where <JAVA_HOME> is the installation location for the JDK that comes with ALM (for example, <ALM installation path>\java\jre).
To establish trust to the CA that issued the LDAP server certificate, import the root CA certificate into the java trust store using the keytool utility.
The keytool utility is located in the bin folder of the JAVA_HOME (for example, C:\Program Files\java\jre\bin).
For example, keytool -import -alias <your LDAP CA> -trustcacerts -file <LDAP CA cert> -keystore <JAVA_HOME>/jre/lib/security/cacerts
If there are any intermediate Certificate Authorities, import their certificates as well.
To define LDAP settings for SSL:
In Site Administration, click the Site Users tab.
Click the User Settings button and select Multi LDAP Settings. The LDAP Settings dialog box opens.
In the Directory provider URL box, type the URL of the LDAP server (
ldaps://<server name>:<port number>).
Note: The port must be enabled for SSL, as configured on the LDAP server. The default SSL port is 636.