Hi Thomas,

Thank you so much for the quick response and help.

Having read all the responses clearly once again, I am not sure if I'm being foolish.

First question: So here in general, I would like to just summarize that the client will be the application server where I have Tomcat installed and the application is deployed. The server will be the domain controller server (LDAPS certificate to be installed as per the Microsoft article below). Please correct me if this understanding is not correct.

Second question: The LDAPS certificate is to be installed on the domain controller, so that all the other apps on different app servers can query by having a connection to the domain controller (in other terms, the LDAPS server).

Third question: The domain controller does already have the required certificates installed for LDAP authentication, because previously when I tried with port number 389 I could see a successful LDAP connection established and the user could log in successfully. So now, in order to change from LDAP to LDAPS, can you please let me know how I could proceed further IF the LDAPS certificate is to be installed on the APPLICATION SERVER:

1. Generate the certificate request using keytool, following the same process as per the article.
2. CSR.
3. Get it signed by the CA.
4. Keep the CA's certificate in the Java truststore.
5. Then make the port changes and host (domain/LDAP server name).
6. Restart Tomcat so that the webapp is deployed automatically.

Thanks & Regards,
Meka Rakesh.

On Sun, Sep 18, 2022, 4:46 PM Thomas Hoffmann (Speed4Trade GmbH) <thomas.hoffm...@speed4trade.com.invalid> wrote:

> Hello,
>
> > -----Original Message-----
> > From: rakesh meka <rakeshmeka67...@gmail.com>
> > Sent: Sunday, 18 September 2022 11:53
> > To: Tomcat Users List <users@tomcat.apache.org>
> > Subject: Re: HOW TO ENABLE LDAPS ON TOMCAT 8.5
> >
> > Hi Thomas,
> >
> > Good day
> >
> > Thanks for the response.
> >
> > I'm not using a self-signed certificate. I have given the CSR file to our organization's certificate admin team. And they got it signed by some third-party vendor and gave me root, intermediate and domain certificates, which I already installed using keytool on the server side. However, I didn't keep those in the Java truststore.
> >
> > So I confirm that the domain certificate is not self-signed.
> >
> > I got to know from one of my colleagues that for LDAPS also we need to generate a certificate similarly to the domain certificate. Is it true? If yes, can you let me know how to generate the certificate for LDAPS.
> >
> > Application: used for internal purposes
> > Server: Windows server (actually the LDAP authentication certificate is already configured with the Windows truststore, it seems).
> >
> > Thanks and Regards
> > Meka Rakesh.
>
> All the certificates based on public/private keys work the same.
> The server needs the private key and the client needs the public key(s).
> The only difference is the meta-data attached to the public key, which then gets signed by a CA together with the public key.
> The required meta-data (OID etc.) is described here:
> https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority
>
> So for using a Java client, you only need to ensure that the public key/certificate of the signing CA (and intermediate certificates) are available in the Java truststore.
> If correctly configured, the intermediate certificates are provided by the server, thus only the CA certificate is required on the client side.
> Usually the CA's certificate and the intermediates are sent back together with the signed key (e.g. by Verisign, Thawte ...).
> You can also open your LDAPS certificate on Windows and take a look at the certification tree. From there you can also double-click on the needed certificate and export it if needed.
> Which certificates (intermediates) are provided by the server can be checked via openssl.
>
> Greetings, Thomas
>
> > On Sun, Sep 18, 2022, 12:31 PM Thomas Hoffmann (Speed4Trade GmbH) <thomas.hoffm...@speed4trade.com.invalid> wrote:
> >
> > > Hello,
> > >
> > > > -----Original Message-----
> > > > From: rakesh meka <rakeshmeka67...@gmail.com>
> > > > Sent: Sunday, 18 September 2022 05:03
> > > > To: Tomcat Users List <users@tomcat.apache.org>
> > > > Subject: HOW TO ENABLE LDAPS ON TOMCAT 8.5
> > > >
> > > > Hi All,
> > > >
> > > > Greetings for the day! Hope you are doing great.
> > > >
> > > > Currently one of the applications deployed on Tomcat 8.5 uses the LDAP protocol for AD authentication of SAP users. I need to change LDAP to LDAPS. So I installed the domain certificate using keytool. But when I change the port number to 636 I see an error saying the LDAP connection has been closed.
> > > >
> > > > I need your help on how to enable the process for enabling/changing to LDAPS. Do I need to import the LDAP certificate to the Tomcat truststore and then import the certificate to the keystore?
> > > >
> > > > Thanks in advance,
> > > >
> > > > Meka Rakesh.
> > >
> > > If you are using a self-signed certificate on the server side, then you need to import the corresponding certificate (signed public key) to the Java truststore.
> > > Keystore is used for private keys and not relevant in this case.
> > >
> > > Greetings, Thomas
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
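The openssl chain check Thomas mentions and the truststore import from step 4 of the list above, as an added example that is not part of the thread. It assumes a POSIX shell with openssl and keytool on the PATH; the host `dc01.example.invalid`, the alias `corp-root-ca`, the file names and the Java 8 `cacerts` path are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Checks which certificates an LDAPS
# server presents and imports the signing CA into the Java truststore that
# Tomcat's JVM uses. Host name, alias and file paths are placeholders.

# Dump the chain the server sends in the TLS handshake. -showcerts prints the
# leaf plus every intermediate the server is configured to include; the root
# CA is normally not sent and must already be in the client truststore.
fetch_chain() {
    # $1 = LDAPS host, $2 = port (636)
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Count PEM certificates in s_client output read from stdin. One certificate
# means the server sends only its leaf, so the intermediates must also be put
# in the client truststore; two or more means the intermediates are served.
count_certs() {
    grep -c 'BEGIN CERTIFICATE'
}

# Pull the numeric "Verify return code" out of s_client output on stdin.
# 0 = openssl could build the chain to a trusted root; 20 or 21 = an issuer
# certificate is missing on the client side.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Import the CA certificate into a JKS/PKCS12 truststore ("changeit" is the
# JDK default cacerts password). Only the CA, and any intermediates the server
# does not send, belong here; the private key stays on the domain controller.
import_ca() {
    # $1 = CA PEM file, $2 = truststore path, $3 = alias
    keytool -importcert -noprompt -trustcacerts -alias "$3" -file "$1" \
        -keystore "$2" -storepass changeit
}

# Usage against a real domain controller (needs network access to it):
#   fetch_chain dc01.example.invalid 636 | tee chain.pem | count_certs
#   fetch_chain dc01.example.invalid 636 | verify_code
#   import_ca corp-root-ca.pem "$JAVA_HOME/jre/lib/security/cacerts" corp-root-ca
# Then change the Realm's connection URL to ldaps://dc01.example.invalid:636
# and restart Tomcat, as in steps 5 and 6 above.
```

The same openssl and keytool invocations apply on a Windows application server; only the shell wrapping differs.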