Steps for setting up LDAP over SSL for Policy Server connection to Sun One LDAP 5.2.
Article ID: 54194
Products: CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On
Issue/Introduction
Description:
The objective is to describe the steps for setting up an LDAPS (LDAP over SSL) connection from the Policy Server to Sun One LDAP 5.2.
Solution:
Create a Certificate Signing Request (CSR) using the Sun One LDAP Server's "Manage Certificates" task for the Directory Server that will be used with the Policy Server over LDAPS.
Use the CSR to obtain a server certificate for Sun One from a Certificate Authority (such as VeriSign, or a local CA such as Microsoft's or Netscape's Certificate Server).
To use Microsoft's CA (under Administrative Tools), point the browser to http://localhost/certificateserver
Install the generated certificate into the Sun One server using the same "Manage Certificates" task.
Download the Root CA certificate from the same certificate server through the browser and save it somewhere on the file system, for example "C:\Certs".
Use a version of certutil.exe that creates a cert7.db file. Sun One 5.2 ships certutil.exe under the directory "Sun\MPS\shared\bin"; this utility creates a cert7.db file, and one of the older versions of NSS (Network Security Services) can be used as well. Newer NSS versions create a cert8.db file instead, which the Policy Server does not use here.
Create an empty certificate database (the cert7.db and key3.db pair of files) with that certutil.exe.
Import the Root CA certificate into the cert7.db:
certutil.exe -A -n sm-ldaps-rootca-cert -t P -d C:\certs -i C:\certs\cms_CA_Root_Cert.cer
Test that the cert7.db can be used to connect to the Sun One server over LDAPS with the ldapsearch tool:
ldapsearch -p <SSL port number> -Z -P <absolute path to cert7.db file> -b <basedn for search> -s base <filter>
e.g.
C:\Documents and Settings\Administrator>ldapsearch -p 636 -Z -P "C:\certs\cert7.db" -b "dc=ca,dc=com" -s base "(objectClass=*)"
version: 1
dn: dc=ca,dc=com
objectClass: top
objectClass: domain
dc: ca
Once the ldapsearch succeeds, the cert7.db is ready to be used for the Policy Server to Sun One LDAP connection. Open the Policy Server Management Console, go to the "Data" tab, and specify the absolute path to this cert7.db file in the "Netscape Certificate Database File" field.
Go to the User Directory properties in the Policy Server admin GUI and configure and test the User Directory object for an SSL connection. This includes specifying the SSL port and checking "Use Secure Connection" on the "Credentials and Connections" tab.
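As an added pre-flight check, not part of the original article, the following PowerShell script verifies the cert7.db/key3.db pair, confirms that the Root CA nickname from the import step is present in the database, and repeats the article's ldapsearch test over LDAPS before the path is handed to the Policy Server. The NSS path C:\Sun\MPS\shared\bin, the LDAP host name and the base DN are assumptions; the NSS certutil.exe is called by full path because Windows ships its own, unrelated certutil.exe (the Microsoft CA tool) in System32.

```powershell
# Pre-flight check for the cert7.db before configuring it in the Policy Server.
# Assumed values (not from the article): NSS tools under C:\Sun\MPS\shared\bin,
# cert DB in C:\certs, LDAPS on port 636, base DN dc=ca,dc=com, placeholder host.
param(
    [string]$NssBin   = 'C:\Sun\MPS\shared\bin',
    [string]$CertDir  = 'C:\certs',
    [string]$Nickname = 'sm-ldaps-rootca-cert',
    [string]$LdapHost = 'ldap.example.com',   # placeholder: your Sun One host
    [int]   $SslPort  = 636,
    [string]$BaseDn   = 'dc=ca,dc=com'
)

# Always use the full path: Windows has its own certutil.exe (Microsoft CA tool)
# in System32 with a completely different syntax, and it is found first on PATH.
$certutil   = Join-Path $NssBin 'certutil.exe'
$ldapsearch = Join-Path $NssBin 'ldapsearch.exe'

# 1. The Policy Server needs the cert7.db/key3.db pair, not cert8.db (newer NSS).
foreach ($f in 'cert7.db', 'key3.db') {
    if (-not (Test-Path (Join-Path $CertDir $f))) {
        throw "Missing $f in $CertDir - create the database with an NSS certutil that writes cert7.db"
    }
}
if (Test-Path (Join-Path $CertDir 'cert8.db')) {
    Write-Warning 'cert8.db found: a newer NSS certutil was used; the Policy Server reads cert7.db'
}

# 2. Confirm the Root CA was imported under the expected nickname and read its trust flags.
$listing = & $certutil -L -d $CertDir 2>&1
$entry = $listing | Where-Object { $_ -match "^\s*$([regex]::Escape($Nickname))\s" } | Select-Object -First 1
if (-not $entry) { throw "Nickname '$Nickname' not found in $CertDir\cert7.db" }
$flags = if ($entry -match '\s(\S+)\s*$') { $Matches[1] } else { '?' }
Write-Host "Found $Nickname with trust flags: $flags"

# 3. Repeat the article's ldapsearch test over LDAPS and check the base entry came back.
$out = & $ldapsearch -h $LdapHost -p $SslPort -Z -P (Join-Path $CertDir 'cert7.db') `
        -b $BaseDn -s base '(objectClass=*)' 2>&1
$gotBase = $out | Where-Object { $_ -match "^dn:\s*$([regex]::Escape($BaseDn))" }
if ($LASTEXITCODE -ne 0 -or -not $gotBase) {
    throw "LDAPS search failed (exit $LASTEXITCODE):`n$($out -join "`n")"
}
Write-Host "LDAPS connection to ${LdapHost}:$SslPort verified; cert7.db is ready for the Policy Server"
```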