How to configure LDAP for SSL (Secure) Connections

(Last modified: 16Jan2003)

This document (10023209) is provided subject to the disclaimer at the end of this document.

goal

How to configure LDAP for SSL (Secure) Connections

How can I set up LDAP to use Secure Socket Layer (SSL)?

fact

Novell LDAP version 3.x

Novell LDAP version 85.x

symptom

LDAP works fine without SSL

fix

See also: NLDAP Configuration (Quick Start)

This solution assumes use of NDS-based certificates, not third-party certificates.

This solution assumes LDAP is correctly installed on the server and is working without SSL.

This solution is provided for configuration of LDAP for SSL on NetWare only.  The configuration for other platforms will be very similar in process, although steps might be slightly different.  See also: NLDAP Configuration on NDS for NT (Quick Start): Solution 10027104.

This solution uses Netscape Communicator as the example application for LDAPS client.

Secure connections to an NDS LDAP (LDAPS) server are provided through Novell Certificate Server and the Organizational Certificate Authority.  An NDS tree must first be configured properly for security before SSL will work with LDAP, HTTP, or other applications.  This includes installing an Organizational Certificate Authority (CA), which will issue and validate all certificates for the tree.  Novell Certificate Server provides public key cryptography services that are natively integrated into Novell Directory Services and that allow you to mint, issue, and manage both user and server certificates.  These services allow you to protect confidential data transmissions over public communications channels such as the Internet.  For more information about installing Novell Certificate Server, see the product documentation at http://www.novell.com/documentation/lg/crt203ad/index.html.

Be aware that Novell Certificate Server must be installed on every server that is going to provide SSL LDAP services.  It must also be installed on the server functioning as the Organizational CA (this may be the same server as the LDAP server or a different one).  Novell Certificate Server is installed by default on all NetWare 5.1 installations.  For NetWare 5.0, or for reinstallation, the product can be downloaded from http://www.novell.com/download./ under the NDS section.  Choose the server that will function as the Organizational CA carefully: it cannot be changed later, and if it goes down, it is possible that all certificates issued by that CA will be rendered invalid.

Once these products have been correctly installed, an Organizational CA object should be present inside the Security container at the top of the NDS tree.

Next, a Key Material Object (KMO) needs to be created for the LDAP server so that a public/private certificate set can be generated.  The KMO will hold the certificates that will be used for SSL connections.  A single KMO can be used for multiple applications (on the same server) or for a single application.  This is done by the following:
1)  Launch ConsoleOne (the latest versions will work best, and should be run locally from a workstation for best performance; the latest versions of ConsoleOne can be downloaded from http://www.novell.com/download./ ).
2)  Open the container where the LDAP and NDS server objects exist.  Create a new object of type "NDSPKI: Key Material."  Name it for the function that it will provide, such as "LDAP SSL."  A server needs to be chosen as the owner of this certificate; choose the same server as the LDAP server.  The server name will automatically be appended to the end of the name.  Complete the wizard with the appropriate information to create the object.  The default configuration should work fine, but custom setup is possible.  Once created, the new object should show up with a key for its icon.
3)  Connect the KMO to the LDAP server.  Open the LDAP server properties and click on the "SSL Configuration" tab.  Click on the browse button next to the "SSL Certificate" field.  A list of all certificate pairs for this NDS server will be shown.  Choose the appropriate certificate pair to associate with the LDAP server.  Note the port number for SSL connections; the default is 636.  Close the object.

Normally, when you make an SSL connection using a web browser, the connection is made transparently in the background.  This is because web browsers already have the major public Certificate Authorities imported as trusted roots, which tells the browser to trust those authorities when verifying certificates.  Since the Organizational CA for your NDS tree is not publicly known, you need to import it into your web browser (or whatever application will be used for making the LDAPS connection).  To import the trusted root, it must first be exported from your NDS tree.  There are two ways to do this using ConsoleOne.  First, you can open the properties of the Organizational CA inside the Security container.  There is a tab called "Public Key Certificate."  Choose the EXPORT button at the bottom of that tab to export the CA as a trusted root.  Alternatively, this can be done from the KMO object, but instead of exporting the Public Key Certificate, you would then export the Trusted Root Certificate.  This is exactly the same thing as the Public Key Certificate of the Organizational CA.  Either way, the certificate should be exported in binary DER format.  Once imported into a web browser, this certificate tells the application to trust all material verified by your Organizational CA, and therefore an SSL connection (LDAPS or HTTPS) will be allowed.  Without it, there is no way to make an SSL connection to that server using Netscape.

Importing the trusted root certificate into Netscape is somewhat difficult because the default file extension for certificates is owned by Microsoft Internet Explorer.  Therefore, even if you try to open the certificate with Netscape, the Microsoft Certificate Import Wizard will launch to import that certificate.  To get around this, Netscape registers an alternative certificate file extension, X509.  Once the certificate has been exported with a DER extension, it should be renamed with an X509 extension.  Then, the workstation that is going to use the certificate needs to have the X509 extension introduced and associated.  To do this, run a registry file that will automatically add the necessary settings to the Windows registry.  This file is located at SYS:\PUBLIC\MGMT\X509.REG.  If Netscape was open, close and reopen it so that it sees the new file association.  Then use the File | Open Page... menu option to browse to and open the exported certificate.  Netscape's Certificate Import Wizard should then launch and guide you through importing the trusted root.  Once installed, the imported trusted root can be edited, verified, and deleted using the big SECURITY button in the Netscape Browser window, inside the SIGNERS section.
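The export and import steps above depend on the trusted root reaching the client intact and in the format the client expects.  The following script is an added example (not part of this solution and not Novell code) that checks an exported file before it is renamed and imported: it verifies that a DER export is one complete ASN.1 SEQUENCE (a truncated or padded file fails), accepts a PEM export as well, converts between the two encodings using only the Python standard library, and prints the SHA-1 and SHA-256 fingerprints so they can be compared with what the client displays for the signer after the import.  The sample bytes in SAMPLE_DER are a constructed placeholder with the outer shape of a certificate, not a real certificate; the file path is whatever you exported from ConsoleOne.

```python
"""Inspect an exported trusted-root certificate file (DER or PEM).

Added example, not part of the Novell TID. Checks that an export is a
complete DER blob (or a PEM block), converts between the two encodings
with the standard library, and reports fingerprints for comparison with
what the client shows after the import.
"""
import hashlib
import ssl
import sys

PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def der_sequence_complete(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (tag 0x30) whose encoded
    length matches the bytes present. A certificate is always an outer
    SEQUENCE, so a truncated or padded export fails this check."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        header, length = 2, first
    else:                                 # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)


def fingerprint(der: bytes, algorithm: str) -> str:
    """Colon-separated upper-case hex digest of the DER bytes, the form
    most certificate viewers display."""
    digest = hashlib.new(algorithm, der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def inspect_trusted_root(data: bytes) -> dict:
    """Detect the encoding of an exported certificate and return both
    encodings plus fingerprints. Raises ValueError on malformed input."""
    text = data.strip()
    if text.startswith(PEM_HEADER.encode("ascii")):
        encoding = "PEM"
        der = ssl.PEM_cert_to_DER_cert(text.decode("ascii"))
        if not der_sequence_complete(der):
            raise ValueError("PEM body does not decode to one DER SEQUENCE")
    elif der_sequence_complete(data):
        encoding = "DER"
        der = data
    else:
        raise ValueError("not a complete DER SEQUENCE and not a PEM certificate")
    return {
        "encoding": encoding,
        "der": der,
        "pem": ssl.DER_cert_to_PEM_cert(der),
        "sha1": fingerprint(der, "sha1"),
        "sha256": fingerprint(der, "sha256"),
    }


# Constructed placeholder: a DER SEQUENCE holding two INTEGERs (1 and 2).
# It has the outer shape of a certificate but is not one.
SAMPLE_DER = bytes.fromhex("3006020101020102")

if __name__ == "__main__":
    # Usage: python inspect_root.py exported.der   (a .x509 or .pem file also works)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_DER
    info = inspect_trusted_root(data)
    print("encoding:", info["encoding"])
    print("SHA-1:   ", info["sha1"])
    print("SHA-256: ", info["sha256"])
    print(info["pem"], end="")
```

Renaming the file from .DER to .X509, as the steps above require, does not change its bytes, so the fingerprint printed here is the one to compare against the signer entry in Netscape after the import; a mismatch means the wrong file (or a damaged one) was imported.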

Now that the Organizational CA has been imported, all certificates from your NDS tree should work with Netscape if so configured.  To test this, try a query like "ldaps://myserver.novell.com/??sub".  The "ldaps://" scheme is similar to "https://", although the padlock in the browser will not light up.  If the query returns results, then SSL is working successfully with LDAP.  To be sure, you can watch the DSTrace screen.  For more information on testing LDAP, see How to test whether LDAP is working properly: Solution 10059954.
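The test query "ldaps://myserver.novell.com/??sub" packs several defaults into a short string, and it helps to see exactly what the client will ask the server for.  The parser below is an added example (not part of this solution and not Novell code) that splits an RFC 2255 style LDAP URL, ldap[s]://host[:port][/basedn[?attrs[?scope[?filter]]]], into its parts and fills in the defaults: ldaps means TLS on port 636 unless a port is given, an empty base DN means the server's default naming context, no attribute list means all attributes, and the filter defaults to (objectClass=*).  It rejects non-LDAP schemes and unknown scopes rather than guessing.  Hostnames and DNs other than the one quoted above are constructed for illustration.

```python
"""Parse an LDAP/LDAPS URL into its components with RFC 2255 defaults.

Added example, not from the Novell TID. Shows what a query such as
"ldaps://myserver.novell.com/??sub" actually asks the server for.
"""
from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
SCOPES = ("base", "one", "sub")
DEFAULT_FILTER = "(objectClass=*)"


def parse_ldap_url(url: str) -> dict:
    """Return scheme, host, port, base DN, attributes, scope and filter.
    Empty fields take the RFC 2255 defaults; bad scheme/scope/port raise
    ValueError."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("LDAP URL needs a host")

    # The path (minus the leading '/') is the percent-encoded base DN.
    base_dn = unquote(parts.path.lstrip("/"))

    # Everything after the first '?' is a '?'-separated list:
    # attributes ? scope ? filter ? extensions. "??sub" therefore means
    # empty attribute list, scope "sub", default filter.
    fields = parts.query.split("?") if parts.query else []
    attrs_field = fields[0] if len(fields) > 0 else ""
    scope_field = fields[1] if len(fields) > 1 else ""
    filter_field = fields[2] if len(fields) > 2 else ""

    attributes = [a for a in attrs_field.split(",") if a]   # [] = all attributes
    scope = scope_field.lower() if scope_field else "base"
    if scope not in SCOPES:
        raise ValueError(f"unknown scope {scope_field!r}; expected one of {SCOPES}")
    search_filter = unquote(filter_field) if filter_field else DEFAULT_FILTER

    return {
        "scheme": scheme,
        "tls": scheme == "ldaps",
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[scheme],   # .port raises on a bad port
        "base_dn": base_dn,
        "attributes": attributes,
        "scope": scope,
        "filter": search_filter,
    }


def describe(url: str) -> str:
    """One-line human-readable summary of what the URL requests."""
    r = parse_ldap_url(url)
    attrs = ",".join(r["attributes"]) or "<all>"
    transport = "TLS" if r["tls"] else "cleartext"
    return (f"{transport} to {r['host']}:{r['port']}, base DN "
            f"'{r['base_dn'] or '<server default>'}', scope {r['scope']}, "
            f"attributes {attrs}, filter {r['filter']}")


if __name__ == "__main__":
    # The query from the solution text, plus a constructed cleartext example.
    for sample in ("ldaps://myserver.novell.com/??sub",
                   "ldap://ldap.example.com:1389/o=Novell%20Inc?cn,mail?one?(cn=admin)"):
        print(sample)
        print("  ->", describe(sample))
```

The "tls" flag in the result is the one to watch when scripting a test: an "ldap://" URL on port 389 will happily return the same entries as the LDAPS query, so a successful search by itself does not prove that SSL is in use; the URL scheme and port, together with the DSTrace screen, do.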

document

Document Title: How to configure LDAP for SSL (Secure) Connections
Document ID: 10023209
Solution ID: 1.0.43609329.2449921
Creation Date: 13Dec1999
Modified Date: 16Jan2003
Novell Product Class: Connectivity Products, Groupware, NetWare, Novell BorderManager Services, Novell eDirectory, Web Services

disclaimer

The origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.