How do I configure SSL functionality within CA Directory r12.0 SP2?
search cancel

How do I configure SSL functionality within CA Directory r12.0 SP2?


Article ID: 53022


Updated On:


CA Directory CA Security Command Center CA Data Protection (DataMinder) CA User Activity Reporting



One of the new features of r12.0SP2 is the integration of the SSL features into the DSA itself. The SSL Daemon is no longer part of the product. This technica document explains how to configure a CA Directory r12.0 SP2 DSA to use SSL.


As of r12.0SP2, the SSL Daemon is no longer a separate process from the DSA. The DSA now incorporates the SSL Daemon's functionality. To aid in this transition, the SSLD configuration parameters are now defined as a DSA configuration command.

In r12.0SP1, the common SSLD installation command looked like:

ssld install {ssld-instance-name} -ca config/ssld/trusted.pem -certfiles config/ssld/personalities

In r12.0 SP2, the DSA configuration command uses exactly the same parameters, but the syntax is different. The DSA configuration command for the SSL feature has the following syntax:

set ssl = {  
    cert-dir = "config/ssld/personalities"    # folder containing DSA personality certs   
    ca-file = "config/ssld/trusted.pem"           # trusted root CA that signed DSA certificates   
    cipher = "ALL:!EXPORT40:!ADH"                  # supported ciphers - syntax on OpenSSL website   
    protocol = tls                           # enable TLS only (default of fips set)   
    fips = true                                # enables FIPS 104-2 compliant encryption   
    # HSM options   
    lib = "<string> "                          # path to PKCS11 library supplied by HSM vendor   
    pin = "<string>"                         # HSM pin   
    slot = <num>                                # slot to use for HSM based encryption  

An example implementation of this new configuration using the Democorp DSA sample:

  • Prior to configuring SSL for any DSA, the DSA's have to be created and the relevant PEM certificates and trusted root CA's must be stored in their relevant files and folders. Running the command "dxcertgen certs" will automatically create a PEM certificate for each DSA present on the system and add the root CA signing certificate into the trusted.pem file for you.
    >dxcertgen certs 
      Setting root certificate and public/private keys for signing... 
       Exporting certificate 'dxcertgen' from 
       C:\Program Files\CA\Directory\dxserver\config\ssld\javakeystores\cacerts...  
     Writing root certificate to trusted.pem... 
     Generating DXserver personalities from server files... 
     Generating a new personality certificate for democorp... 
     Generating a 1024-bit RSA public/private key pair... 
     Generating an x509 v3 certificate... 
     Signing certificate with trusted root CA's private key... 
     Writing personality certificate to  
     C:\Program Files\CA\Directory\dxserver\config\ssld\personalities\democorp.pem... 
  • The SSL DSA configuration should be stored in a DXC configuration file in the DXHOME/config/ssld folder.

    Example: DXHOME/config/ssld/Democorp-SSL.dxc
    set ssl = { 
       cert-dir = "config/ssld/personalities" 
       ca-file = "config/ssld/trusted.pem"  
  • The Democorp DSAs initialization file in DXHOME/config/servers needs to source the Democorp-SSL.dxc file.
    # access controls 
    clear access;
    source "../access/default.dxc"; 
    # ssl
    source "../ssld/Democorp-SSL.dxc"; 
    # replication agreements (rarely used)
    # source "../replication/";
  • Stop and start your Democorp DSA.
    >dxserver stop democorp 
      democorp stopping 
     democorp stopped 
     >dxserver start democorp 
      democorp starting 
     democorp started 
  • Bind to your democorp DSA using an SSL connection.

    <Please see attached file for image>

    Figure 1

    The bind process will produce the following certificate validation warning:

    <Please see attached file for image>

    Figure 2

    Accept the connection and you will see the bind complete.

  • Tracing the Democorp DSA with "set trace=dsa;" trace level, you will see all communications.
    <- #0 (SSL) LDAP SEARCH-REQ          # This is an inbound LDAP application search using SSL 
          invoke-id = 6 credit = 4 
     Base object: 
            <countryName utf8 "au"> 
            <organizationName utf8 "democorp"> 
     Don't Search Aliases 
     -> #0 (SSL) LDAP SEARCH-CONFIRM            # This is an outbound search response from the DSA 
             invoke-id = 6 credit = 1 
       Entry: 1 
               <countryName "au"> 
               <organizationName "democorp"> 
       Contents: (none)


Component: ETRDIR


1558721213231000053022_sktwi1f5rjvs16vy6.gif get_app
1558721210520000053022_sktwi1f5rjvs16vy5.gif get_app