John,

On 4/14/15 7:05 PM, John Beaulaurier -X (jbeaulau - ADVANCED NETWORK
INFORMATION INC at Cisco) wrote:
> Yes, I'm only needed to configure LDAP over SSL.

Okay.

> I have not been able to find any information on certificate 
> directives for JNDI realm similar to httpd server.xml 
> "LDAPTrustedGlobalCert CA_BASE64 /.pem" and "LDAPTrustedMode SSL".

Right: it appears no such options exist. They probably ought to exist.

> Where are similar directives configured?

From my previous message:

> you'll need to set the javax.net.ssl.trustStore system property to 
> point to your own trust store which contains the lowest
> certificate you are willing to completely trust. You may choose to
> trust the whole CA or maybe just the leaf certificate for the LDAP
> server (which might be slightly more appropriate/safe for your
> purposes).

Note that this will set the trustStore for everything in the JVM
(except for Tomcat, which allows you to specify your own trustStore on
a per-Connector basis), so you'd better be careful that you aren't
affecting other components that use the JVM's global trustStore.

Oracle's documentation for that system property says:

"
javax.net.ssl.trustStore

This property is used to specify the location of the trust store. A
trust store is a key store that is used when making decisions about
which clients and servers can be trusted. The property takes a String
value that specifies a valid trust store location. The default value
is jssecacerts, if available, or cacerts.
"

So, basically, you create a trustStore (using keytool) that contains
all of the certificates that you trust, and then you just make SSL
connections and those servers which have been signed by the certs in
the trustStore will be trusted.

So, throw your PEM file(s) into a trustStore and point
javax.net.ssl.trustStore at it and you should be good.

-chris

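Worked example of the procedure Chris describes (added here by the editor; it is not code from the thread or from the Tomcat project): build a dedicated PKCS12 trust store from PEM file(s) with keytool, then emit the javax.net.ssl.trustStore options for $CATALINA_BASE/bin/setenv.sh. The store path, password "changeit", alias prefix "ldap-trust-" and the throwaway self-signed certificate in the self-test are assumptions for illustration; the self-test only runs where keytool and openssl are installed.

```shell
#!/bin/sh
# Added example, not from the original mailing-list reply.
# Assumed: PKCS12 store, password "changeit", aliases "ldap-trust-N".
set -eu

# build_truststore STORE PASSWORD PEM...
# Imports each PEM certificate into a PKCS12 trust store (keytool creates the
# file on first import). Put only what you are willing to trust here: the
# issuing CA, or just the LDAP server's leaf certificate if you want to pin it.
build_truststore() {
    store=$1; pass=$2; shift 2
    n=0
    for pem in "$@"; do
        n=$((n + 1))
        keytool -importcert -noprompt \
            -keystore "$store" -storetype PKCS12 -storepass "$pass" \
            -alias "ldap-trust-$n" -file "$pem"
    done
}

# list_truststore STORE PASSWORD
# Prints the alias of every trusted certificate entry, one per line, so you
# can check what the JVM will actually trust before pointing Tomcat at it.
list_truststore() {
    keytool -list -keystore "$1" -storetype PKCS12 -storepass "$2" \
        | sed -n 's/^\([^,]*\),.*trustedCertEntry.*/\1/p'
}

# jvm_trust_opts STORE PASSWORD
# The -D flags for the JVM. These are JVM-wide: every JSSE client in this
# Tomcat instance (not only the JNDIRealm) now validates against this store
# instead of the default cacerts, which is exactly the caveat in the reply.
jvm_trust_opts() {
    printf '%s %s %s\n' \
        "-Djavax.net.ssl.trustStore=$1" \
        "-Djavax.net.ssl.trustStoreType=PKCS12" \
        "-Djavax.net.ssl.trustStorePassword=$2"
}

# write_setenv DIR STORE PASSWORD
# Writes DIR/setenv.sh appending the flags to CATALINA_OPTS (assumed layout).
write_setenv() {
    opts=$(jvm_trust_opts "$2" "$3")
    printf 'CATALINA_OPTS="$CATALINA_OPTS %s"\n' "$opts" > "$1/setenv.sh"
}

# Self-test with a constructed, self-signed "LDAP server" certificate.
# Skips cleanly when keytool or openssl is not installed.
demo() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping demo"; return 0; }
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping demo"; return 0; }
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=ldap.example.test' \
        -keyout "$tmp/ldap.key" -out "$tmp/ldap.pem" >/dev/null 2>&1
    build_truststore "$tmp/ldap-truststore.p12" changeit "$tmp/ldap.pem"
    echo "trusted entries:"
    list_truststore "$tmp/ldap-truststore.p12" changeit
    write_setenv "$tmp" "$tmp/ldap-truststore.p12" changeit
    cat "$tmp/setenv.sh"
    rm -rf "$tmp"
}

demo
```

Two things to check alongside this: the JNDIRealm's connectionURL must actually use ldaps:// (typically port 636) or the trust store is never consulted, and a store password passed as a -D flag is visible in process listings, which is acceptable only because a trust store holds public certificates and the password protects integrity rather than secrecy. Trusting just the leaf certificate, as Chris suggests, also means the store must be updated when the LDAP server's certificate is renewed.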