Steps for setting up LDAP over SSL for Policy Server connection to Sun One LDAP 5.2.
Article ID: 54194
CA Single Sign On Secure Proxy Server (SiteMinder)CA Single Sign On SOA Security Manager (SiteMinder)CA Single Sign-On
Objective is to describe steps for setting up LDAPS (LDAP over SSL) Policy Server connection to Sun One LDAP 5.2.
Create a Certificate Signing Request (CSR) using the Sun One LDAP Server's "Manage Certificates" Task for the Directory Server intended to be used with Policy Server over LDAPS.
Use the CSR to generate a Server Certificate for Sun One using a Certificate Authority (like VeriSign or local CA servers like Microsoft's or Netscape's Certificate Server).
To use the Microsoft's CA (under Administrative Tools) point the browser to http://localhost/certificateserver
Install the generated certificate into the Sun One Server using the same task of "Manage Certificates"
Download the Root CA cert by pointing to the same certificate server through the browser and save it in a location on your file system like "C:\Certs".
Use certutil.exe version that would create a cert7.db file. Sun One 5.2 comes with certutil.exe under the directory "Sun\MPS\shared\bin". This utility can be used to create a cert7.db file or one of the older version of NSS ( Network Security Services) can be used as well. The newer versions create cert8.db file.
Create an empty certificate database (cert7.db and key3.db pair of files):
Import the Root CA Cert into the cert7.db: certutil.exe -A -n sm-ldaps-rootca-cert -t P -d C:\certs -i C:\certs\cms_CA_Root_Cert.cer
Test the cert7.db to connect to the Sun One Server over LDAPS using ldapsearch tool:
ldapsearch -p <SSL port number> -Z -P <absolute path to cert7.db file> -b <basedn for search> -s base <filter>
e.g. C:\Documents and Settings\Administrator>ldapsearch -p 636 -Z -P "C:\certs\cert7. db" -b "dc=ca,dc=com" -s base "(objectClass=*)" version: 1 dn: dc=ca,dc=com objectClass: top objectClass: domain dc: ca
With the success of the ldapsearch, the cert7.db is ready to be used with Policy Server to Sun One LDAP connection. Open the Policy Server Management console and go to the "Data" tab. Specify the absolute path to this cert7.db file for the "Netscape Certificate Database File".
Go to the User Directory properties in the Policy Server admin GUI and configure and test the User Directory object for SSL connection. This would include specifying the SSL port and checking the "Use Secure Connection" on the "Credentials and Connections" tab.