Christian, I subscribed to both general and tech, so... But I understand it is better to move the thread to dspace-tech, so I follow up here.
>> I would like to configure DSpace to authenticate against LDAP, but I
>> want to use encrypted ldaps.
>>
>> The certificate and CA I am using are self-signed, so where should I
>> configure these (CERT and CA) for DSpace to work?
>
> Hilton's answer contains the essential information I guess, but I feel it is
> not that obvious what exactly is important.
>
> The first answer is, well it depends on the server setup you
> use. There are many different SSL libraries out there and since last
> year's big breaks in OpenSSL even more of them arise. Each server
> software has a default configuration that decides which library to
> use.
>
> Then, these default configurations might differ for the same server
> software depending on the (linux/BSD) distribution you run because of
> the policies of this particular distribution. Distribution policies
> might contain decisions particularly regarding the preferred SSL
> Library, because SSL is such an important building block for basic
> system security.

I am not sure that we have any choice on the SSL library used by Java? That was the default installation on FreeBSD 9, I did not try to be clever on that one :)

> If you run tomcat or jetty behind apache, then apache is the place
> where to search. Well, this is true for port 443, but which port is
> LDAP using for secure communication?

636

> Maybe that tomcat (supposed this is your container) uses OpenLDAP for
> requesting authentication from your central LDAP Server. Then you have
> to find out which SSL Library OpenLDAP uses. Apache uses OpenSSL as
> default on many distributions. Tomcat uses the Java specific SSL
> implementation JSSE as default but can be configured to use OpenSSL
> instead.
For reference (on FreeBSD, with openjdk 7), one needs to add the certificate authority to the cacerts keystore located in [openjdk]/jre/lib/security/cacerts.

This is done with the command:

    keytool -importcert -keystore [openjdk]/jre/lib/security/cacerts \
        -trustcacerts -alias "name or comment" -storepass changeit \
        -file <filename of the CA file>

And yes, the password is "changeit".

> When I finally configured our server to use SSL for login (years too
> late actually) I had to learn a lot about SSL and I was surprised how
> little documentation there was. Culprit me, I did not document my
> solution as well. I run Tomcat without Apache in front of it and I
> decided to stay with JSSE because OpenSSL was seen as a bad solution
> then. JSSE is a rather basic implementation I guess, but is probably
> not under attack the way OpenSSL is currently. The official
> documentation for JSSE configuration is deceiving, particularly when
> it comes to creating the keystore. Note that I am not talking about
> communication between your Servlet container and the authenticating
> LDAP server though, but only about login to DSpace.

I have put DSpace behind Apache, so the encryption of HTTP is solved :)

> If it turns out that JSSE via BIO in Tomcat is your way to go and you
> run into trouble with that, please ask and I will look up how I
> solved the issues in my instance.

Thank you. As mentioned above, I managed to find how to include my CA in the CAs accepted/known by Java, so that part is running now.

Next questions will be flying tomorrow :)

Best regards,
Olivier

> Bye, Christian
>
> ------------------------------------------------------------------------------
> New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
> GigeNET is offering a free month of service with a new server in Ashburn.
> Choose from 2 high performing configs, both with 100TB of bandwidth.
> Higher redundancy.Lower latency.Increased capacity.Completely compliant.
> http://p.sf.net/sfu/gigenet
> _______________________________________________
> DSpace-tech mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/dspace-tech
> List Etiquette:
> https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
> --
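The keytool import Olivier describes above writes the private CA into the JDK-wide cacerts file, which a JDK upgrade silently replaces, and leaves the well-known default password in place. The script below is an added example (not code from this thread, and not DSpace's own code): it validates the CA file before handing it to keytool, imports it into a dedicated truststore instead, checks the LDAPS endpoint's certificate chain against that CA with OpenSSL, and builds the JVM options that point JSSE at the new store. The paths, host name, alias and password are hypothetical placeholders, and it assumes keytool and openssl are on PATH.

```sh
#!/bin/sh
# Added example (not from the thread, not DSpace project code): keep the
# private CA in a dedicated JSSE truststore rather than in the JDK-wide
# cacerts, and verify the LDAPS endpoint before pointing DSpace at it.
# All values below are hypothetical placeholders; override via environment.

CA_FILE="${CA_FILE:-/usr/local/etc/ssl/my-ldap-ca.pem}"           # hypothetical
TRUSTSTORE="${TRUSTSTORE:-/usr/local/dspace/config/ldap-truststore.jks}"
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-choose-a-real-password}"       # not "changeit"
LDAP_HOST="${LDAP_HOST:-ldap.example.org}"                         # hypothetical
LDAP_PORT=636                                                      # LDAPS port

# Reject files that are clearly not a certificate (a private key, an empty
# file) before calling keytool, whose own error messages are cryptic.
ca_file_is_cert() {
  [ -s "$1" ] || return 1
  if grep -q 'PRIVATE KEY' "$1"; then return 1; fi
  grep -q 'BEGIN CERTIFICATE' "$1"
}

# Import the CA into the dedicated truststore ($2), creating it if absent.
# -noprompt skips the interactive "Trust this certificate?" question;
# -trustcacerts lets keytool chain through CAs already in the JDK cacerts.
# Arguments: CA file, truststore path, truststore password, alias.
import_ca() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 2; }
  ca_file_is_cert "$1" || { echo "$1 is not a certificate file" >&2; return 1; }
  keytool -importcert -noprompt -trustcacerts -alias "$4" \
    -file "$1" -keystore "$2" -storepass "$3"
}

# JVM options (CATALINA_OPTS / JAVA_OPTS) that make JSSE use the dedicated
# store for outbound TLS, including the LDAPS connection DSpace opens.
# Arguments: truststore path, truststore password.
truststore_jvm_opts() {
  printf '%s' "-Djavax.net.ssl.trustStore=$1 -Djavax.net.ssl.trustStorePassword=$2 -Djavax.net.ssl.trustStoreType=JKS"
}

# Independent check with OpenSSL: does the server's chain validate against
# the CA file, with SNI set to the host? A trusted chain prints
# "Verify return code: 0 (ok)". Arguments: host, port, CA file.
verify_ldaps() {
  openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0'
}

# Run the whole procedure only when explicitly requested, so that sourcing
# this file just for its functions has no side effects.
if [ "${RUN_LDAPS_SETUP:-0}" = 1 ]; then
  verify_ldaps "$LDAP_HOST" "$LDAP_PORT" "$CA_FILE" || { echo "chain does not validate against $CA_FILE" >&2; exit 1; }
  import_ca "$CA_FILE" "$TRUSTSTORE" "$TRUSTSTORE_PASS" my-ldap-ca || exit 1
  echo "Add to CATALINA_OPTS: $(truststore_jvm_opts "$TRUSTSTORE" "$TRUSTSTORE_PASS")"
fi
```

One caveat on the design: javax.net.ssl.trustStore replaces the JVM's default trust anchors rather than adding to them, so if the same Tomcat also needs the public CAs (for any other outbound HTTPS call), start the dedicated store as a copy of the JDK cacerts and import the private CA into that copy. Running `RUN_LDAPS_SETUP=1 sh ldaps-trust.sh` performs the verification first, so a mis-issued server certificate or a wrong CA file is caught before anything is written to the truststore.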

