Short correction:
The URL is of course ldaps (not https)

> -----Original Message-----
> From: Thomas Hoffmann (Speed4Trade GmbH)
> <thomas.hoffm...@speed4trade.com.INVALID>
> Sent: Monday, 19 September 2022 08:38
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: RE: HOW TO ENABLE LDAPS ON TOMCAT 8.5
> 
> Hello,
> 
> > -----Original Message-----
> > From: rakesh meka <rakeshmeka67...@gmail.com>
> > Sent: Sunday, 18 September 2022 22:57
> > To: Tomcat Users List <users@tomcat.apache.org>
> > Subject: Re: HOW TO ENABLE LDAPS ON TOMCAT 8.5
> >
> > Hi Thomas,
> >
> > Thank you so much for the quick response and help.
> >
> > Having read all the responses clearly once again, not sure if I'm being
> > foolish.
> >
> > First question:
> >
> > So here in general, I would like to just summarize that the client will be
> > the application server where I have Tomcat installed & the application is
> > deployed.
> > The server will be the domain controller server (LDAPS certificate to be
> > installed as per the Microsoft article below).
> >
> > Please correct me if my understanding is wrong.
> 
> Yes, the private key (e.g. pfx) is installed on the server side, the AD domain
> controller; let's call it AD.
> 
> > Second Question:
> >
> > The LDAPS certificate is to be installed on the domain controller, so that all
> > the other apps on different app servers can query it by connecting
> > to the domain controller (in other terms, the LDAPS server).
> >
> 
> The server needs the pfx file (private key) and also the certificates (end
> certificate and intermediates if not already present).
> The private key is stored secretly and the certificate + intermediates are sent
> to the client during the initial handshake.
> 
> >
> > Third Question:
> >
> > The domain controller does already have the required certificates
> > installed for LDAP authentication, because previously when I
> > tried with port no. 389, I could see a successful LDAP connection
> > established & the user could log in successfully.
> >
> > So now, in order to change from LDAP to LDAPS, can you please let me
> > know how I could proceed further.
> >
> > IF THE LDAPS CERTIFICATE IS TO BE INSTALLED ON THE APPLICATION SERVER:
> > ---------------------------------
> > 1. Generate the certificate request using keytool, following the same
> >    process as per the article.
> > 2. CSR.
> > 3. Get it signed by the CA.
> > 4. Keep the CA's certificate in the Java truststore.
> > 5. Then make the port changes & host (domain/LDAP server name).
> > 6. Restart Tomcat so that the webapp is deployed automatically.
> 
> The client only needs the CA certificate. Certificate requests are not needed,
> this is only done once for the server part.
> If an official CA was used (e.g. Verisign), then the Java client normally already
> has the CA certificate in the truststore.
> If not, you have to import the CA's certificate. The URL has to change to
> https and the LDAPS port 636.
> 
> The client needs to be able to validate the certificate. For this validation, the
> certificates which are sent by the server are used (end certificate,
> intermediates) and last but not least the CA certificate is used. This builds up
> a validation chain from the root CA, intermediates up to the end certificate.
> As the client trusts the root CA, it also can trust the server's certificate
> (end certificate).
> 
> > Thanks & Regards,
> > Meka Rakesh.
> >
> >
> >
> > On Sun, Sep 18, 2022, 4:46 PM Thomas Hoffmann (Speed4Trade GmbH)
> > <thomas.hoffm...@speed4trade.com.invalid> wrote:
> >
> > > Hello,
> > >
> > > > -----Original Message-----
> > > > From: rakesh meka <rakeshmeka67...@gmail.com>
> > > > Sent: Sunday, 18 September 2022 11:53
> > > > To: Tomcat Users List <users@tomcat.apache.org>
> > > > Subject: Re: HOW TO ENABLE LDAPS ON TOMCAT 8.5
> > > >
> > > > Hi Thomas,
> > > >
> > > > Good day
> > > >
> > > > Thanks for the Response.
> > > >
> > > > I'm not using a self-signed certificate. I have given the CSR file
> > > > to our organization's certificate admin team. And they got it signed
> > > > by some third-party vendor and gave me root & intermediate & domain
> > > > certificates, which I already installed using keytool on the server
> > > > side. However, I didn't keep
> > > > those in the Java truststore.
> > > >
> > > > So I confirm that domain certificate is not self signed.
> > > >
> > > > I got to know from one of my colleagues that for LDAPS we also need
> > > > to generate a certificate, similarly to the domain certificate. Is it
> > > > true? If yes, can you
> > > > let me know how to generate the certificate for LDAPS.
> > > >
> > > > Application: used for internal purposes. Server: Windows
> > > > server (actually the LDAP authentication certificate is already
> > > > configured with the Windows truststore, it seems).
> > > >
> > > >
> > > >
> > > > Thanks and Regards
> > > > Meka Rakesh.
> > >
> > > All the certificates based on public/private keys work the same.
> > > The server needs the private key and the client needs the public key(s).
> > > The only difference is the meta-data attached to the public key,
> > > which then gets signed by a CA together with the public key.
> > > The required meta-data (OID etc.) is described here:
> > > https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority
> > >
> > > So for using a Java client, you only need to ensure that the public
> > > key/certificate of the signing CA (and intermediate certificates)
> > > are available in the Java truststore.
> > > If correctly configured, the intermediate certificates are provided
> > > by the server, thus only the CA certificate is required on the client side.
> > > Usually the CA's certificate and the intermediates are sent back
> > > together with the signed key (e.g. by Verisign, Thawte ...). You can also
> > > open your LDAPS certificate on Windows and take a look at the
> > > certification tree. From there you can also double-click on the
> > > needed certificate and export it if needed.
> > > Which certificates (intermediates) are provided by the server can be
> > > checked via openssl.
> > >
> > > Greetings, Thomas
> > >
> > > > On Sun, Sep 18, 2022, 12:31 PM Thomas Hoffmann (Speed4Trade GmbH)
> > > > <thomas.hoffm...@speed4trade.com.invalid> wrote:
> > > >
> > > > > Hello,
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: rakesh meka <rakeshmeka67...@gmail.com>
> > > > > > Sent: Sunday, 18 September 2022 05:03
> > > > > > To: Tomcat Users List <users@tomcat.apache.org>
> > > > > > Subject: HOW TO ENABLE LDAPS ON TOMCAT 8.5
> > > > > >
> > > > > > Hi All ,
> > > > > >
> > > > > > Greetings for the day! Hope you are doing Great .
> > > > > >
> > > > > > Currently the application deployed on Tomcat 8.5 uses the LDAP
> > > > > > protocol for AD authentication of SAP users. I need to change LDAP
> > > > > > to LDAPS. So I installed the domain certificate using keytool. But
> > > > > > when I change the port number to 636, I see an error saying LDAP
> > > > > > connection has been closed.
> > > > > >
> > > > > > I need your help on how to enable the process for enabling/changing
> > > > > > to LDAPS. Do I need to import the LDAP certificate to the Tomcat
> > > > > > truststore and then import the certificate to the keystore?
> > > > > >
> > > > > >
> > > > > > Thanks in Advance,
> > > > > >
> > > > > > Meka Rakesh.
> > > > >
> > > > > If you are using a self-signed certificate on the server side, then
> > > > > you need to import the corresponding certificate (signed public
> > > > > key) to the Java truststore.
> > > > > The keystore is used for private keys and is not relevant in this case.
> > > > >
> > > > > Greetings, Thomas
> > > > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > For additional commands, e-mail: users-h...@tomcat.apache.org
> > >
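The chain-validation point made in the thread above (the client trusts only the root CA, the LDAPS server supplies its end certificate plus the intermediates) as an added shell example that is not part of the thread; the root CA, the intermediate and the domain controller name dc01.example.test are all constructed locally with openssl, so it runs offline against no real directory server. The hostname check goes one step beyond the thread: a mismatch between the host in the ldaps:// connection URL and the certificate's SAN fails validation just as a missing intermediate does.

```shell
# Constructed demo (not from the thread): throw-away root CA, intermediate CA and
# a leaf certificate for a hypothetical domain controller "dc01.example.test";
# then check how a client that trusts only the root (the Java truststore case)
# validates the leaf with and without the intermediate the LDAPS server should send.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

build_test_pki() (
  cd "$WORK"
  # Root CA: self-signed; the only certificate the client has to trust.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
    -out root.crt 2>/dev/null
  # Intermediate CA, signed by the root, with the same CA extensions.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out inter.crt 2>/dev/null
  # Leaf for the DC, signed by the intermediate; SAN must match the ldaps:// host.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=dc01.example.test" \
    -keyout dc.key -out dc.csr 2>/dev/null
  printf 'subjectAltName=DNS:dc01.example.test\nextendedKeyUsage=serverAuth\n' > dc.ext
  openssl x509 -req -in dc.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 2 -extfile dc.ext -out dc.crt 2>/dev/null
)

# Client trusts root.crt only; server sent leaf + intermediate: the chain builds.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" \
    "$WORK/dc.crt" >/dev/null 2>&1
}

# Same client, but the server sent only the leaf: no path up to the root.
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/dc.crt" >/dev/null 2>&1
}

# Full chain plus hostname check against the name used in the connection URL.
verify_hostname() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" \
    -verify_hostname "$1" "$WORK/dc.crt" >/dev/null 2>&1
}
build_test_pki
verify_with_intermediate && echo "root trusted, intermediate sent by server: chain OK"
verify_without_intermediate || echo "root trusted, intermediate missing: chain FAILS"
verify_hostname dc01.example.test && echo "hostname dc01.example.test matches the SAN"
verify_hostname ldap.example.test || echo "hostname ldap.example.test does not match"
```

Against a live server the same picture is obtained with `openssl s_client -connect <dc>:636 -showcerts`, which lists exactly the certificates the server sends, so a client that only gets the end certificate back knows the intermediate has to be added on the server side rather than in the Java truststore.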
