chap-connection-handlers.xml revision 51607ea01068c9047391e4c8b46bc9dbd0edb7fd
<?xml version="1.0" encoding="UTF-8"?>
<!--
 ! CCPL HEADER START
 !
 ! This work is licensed under the Creative Commons
 ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
 ! To view a copy of this license, visit
 ! http://creativecommons.org/licenses/by-nc-nd/3.0/
 ! or send a letter to Creative Commons, 444 Castro Street,
 ! Suite 900, Mountain View, California, 94041, USA.
 !
 ! You can also obtain a copy of the license at
 ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! If applicable, add the following below this CCPL HEADER, with the fields
 ! enclosed by brackets "[]" replaced with your own identifying information:
 ! Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CCPL HEADER END
 !
 ! Copyright 2011-2013 ForgeRock AS
 !
-->
<chapter xml:id='chap-connection-handlers'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <title>Configuring Connection Handlers</title>
 <indexterm><primary>Ports</primary><secondary>Configuring</secondary></indexterm>
 <para>This chapter shows you how to configure OpenDJ directory server to
 listen for directory client requests, using connection handlers. You can view
 information about connection handlers in the OpenDJ Control Panel, and update
 the configuration using the <command>dsconfig</command> command.</para>

 <section xml:id="configure-ldap-port">
 <title>LDAP Client Access</title>

 <para>You configure LDAP client access by using the command-line tool
 <command>dsconfig</command>. By default, OpenDJ is configured to listen for
 LDAP connections when you install it.</para>

 <para>The standard port number for LDAP client access is 389. If you
 install OpenDJ directory server as a user who can use port 389 and the port
 is not yet in use, then 389 is the default port number presented at
 installation time. If you install as a user who cannot use a port &lt; 1024,
 then the default port number presented at installation time is 1389.</para>

 <procedure xml:id="change-ldap-port">
 <title>To Change the LDAP Port Number</title>

 <step>
 <para>Change the port number using the <command>dsconfig</command>
 command.</para>
 <screen>$ dsconfig
 set-connection-handler-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "LDAP Connection Handler"
 --set listen-port:11389
 --trustAll
 --no-prompt</screen>
 <para>This example changes the port number to 11389 in the configuration.</para>
 </step>
 <step>
 <para>Restart the connection handler so that the change takes effect.</para>
 <para>To restart the connection handler, you disable it, then enable
 it again.</para>
 <screen>$ dsconfig
 set-connection-handler-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "LDAP Connection Handler"
 --set enabled:false
 --trustAll
 --no-prompt
$ dsconfig
 set-connection-handler-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "LDAP Connection Handler"
 --set enabled:true
 --trustAll
 --no-prompt</screen>
 </step>
 </procedure>
 </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
 <section xml:id="setup-server-cert">
 <title>Preparing For Secure Communications</title>
 <indexterm><primary>Certificates</primary></indexterm>

 <para>One common way to protect connections between OpenDJ and client
 applications involves using StartTLS for LDAP or LDAPS to secure
 connections. OpenDJ and client applications use X.509 digital certificates
 to set up secure connections.</para>

 <para>Both OpenDJ and client applications check that certificates are signed
 by a trusted party before accepting them. Merely setting up a secure
 connection therefore involves a sort of authentication using certificates.
 If either OpenDJ or the client application cannot trust the peer certificate,
 then the attempt to set up a secure connection must fail.</para>

 <para>By default OpenDJ client tools prompt you if they do not recognize the
 server certificate. Other clients might not prompt you. OpenDJ server has no
 one to prompt when a client presents a certificate that cannot be
 trusted, so it must simply refuse to set up the
 connection.<footnote><para>Unless you use the Blind Trust Manager
 Provider, which is recommended only for test purposes.</para></footnote>
 In other words, it is important for both OpenDJ and client applications
 to be able to verify that the peer certificates exchanged have been signed by
 a trusted party.</para>

 <para>In practice this means that both OpenDJ and client applications must
 put the certificates that were used to sign each other's certificates in their
 respective trust stores. Conventionally, certificates are therefore signed by
 a Certificate Authority (CA). A CA is trusted to sign other certificates. The
 Java runtime environment for example comes with a trust store holding
 certificates from many well-known CAs.<footnote><para><filename
 >$JAVA_HOME/jre/lib/security/cacerts</filename> holds the CA certificates.
 To read the full list, use the following command.</para>
 <screen>$ keytool
 -list
 -v
 -keystore $JAVA_HOME/jre/lib/security/cacerts
 -storepass changeit</screen></footnote> If your client uses a valid
 certificate signed by one of these CAs, then OpenDJ can verify the
 certificate without additional configuration, because OpenDJ can find
 the CA certificate in the Java CA certificate trust store. Likewise if
 you set up StartTLS or LDAPS in OpenDJ using a valid certificate signed
 by one of these CAs, then many client applications can verify the OpenDJ
 server certificate without further configuration.</para>

 <para>In summary, if you need a certificate to be recognized automatically,
 get the certificate signed by a well-known CA.</para>

 <para>You can, however, choose to have your certificates signed some other
 way. You can set up your own CA. You can use a CA whose signing certificate
 is not widely distributed. You can also use self-signed certificates. In each
 case, you must add the signing certificates into the trust store of each
 peer making secure connections.</para>

 <para>For OpenDJ directory server, you can choose to import your own CA-signed
 certificate as part of the installation process, or later using command-line
 tools. Alternatively, you can let the OpenDJ installation program create a
 self-signed certificate as part of the OpenDJ installation process. In
 addition, you can add a signing certificate to the OpenDJ trust store using
 the Java <command>keytool</command> command.</para>

 <para>The following example shows the <command>keytool</command> command to
 add a client application's self-signed certificate, in binary format, to the
 OpenDJ trust store (assuming OpenDJ is already configured to use secure
 connections). This enables OpenDJ to recognize the self-signed client
 application certificate. (By definition a self-signed certificate is itself
 the signing certificate. Notice that the Owner and the Issuer are the
 same.)</para>

 <screen>$ keytool
 -import
 -alias myapp-cert
 -file myapp-cert.crt
 -keystore /path/to/opendj/config/truststore
 -storepass `cat /path/to/opendj/config/keystore.pin`
Owner: CN=My App, OU=Apps, DC=example, DC=com
Issuer: CN=My App, OU=Apps, DC=example, DC=com
Serial number: 5ae2277
Valid from: Fri Jan 18 18:27:09 CET 2013 until: Thu Jan 13 18:27:09 CET 2033
Certificate fingerprints:
 MD5: 48:AC:F9:13:11:E0:AB:C4:65:A2:83:9E:DB:FE:0C:37
 SHA1: F9:61:54:37:AA:C1:BC:92:45:07:64:4B:23:6C:BC:C9:CD:1D:44:0F
 SHA256: 2D:B1:58:CD:33:40:E9:ED:...:EA:C9:FF:6A:19:93:FE:E4:84:E3
 Signature algorithm name: SHA256withRSA
 Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 54 C0 C5 9C 73 37 85 4B F2 3B D3 37 FD 45 0A AB T...s7.K.;.7.E..
0010: C9 6B 32 95 .k2.
]
]

Trust this certificate? [no]: yes
Certificate was added to keystore</screen>

 <para>When working with a certificate in printable encoding format (.pem)
 rather than binary format, use the <option>-rfc</option> option, too.</para>

 <para>Restart OpenDJ after adding certificates to the trust store to make
 sure that OpenDJ reads the updated trust store file.</para>

 <para>On the client side, if your applications are also Java applications,
 then you can likewise import the OpenDJ signing certificate into the trust
 store for the applications using the <command>keytool</command>
 command.</para>

 <para>The following example shows the <command>keytool</command> command
 to export the OpenDJ self-signed certificate in binary format.</para>

 <screen>$ keytool
 -export
 -alias server-cert
 -file server-cert.crt
 -keystore /path/to/opendj/config/keystore
 -storepass `cat /path/to/opendj/config/keystore.pin`
Certificate stored in file &lt;server-cert.crt&gt;</screen>

 <para>Importing the server certificate is similar to importing the client
 certificate, as shown above.</para>

 <para>The following sections describe how to get and install certificates
 for OpenDJ directory server on the command line, for use when setting up
 StartTLS or LDAPS.</para>

 <procedure xml:id="new-ca-signed-cert">
 <title>To Request and Install a CA-Signed Certificate</title>

 <para>First you create a server certificate in a Java Key Store. Next you
 issue a signing request to the CA, and get the CA-signed certificate as a
 reply. Then you set up the Key Manager Provider and Trust Manager Provider
 to rely on your new server certificate stored in the OpenDJ key store.</para>

 <step>
 <para>Generate the server certificate by using the Java
 <command>keytool</command> command.</para>

 <para>The CN attribute value is the FQDN for OpenDJ directory server, which
 you can see under Server Details in the OpenDJ Control Panel.</para>

 <screen>$ keytool
 -genkey
 -alias server-cert
 -keyalg rsa
 -dname "CN=opendj.example.com,O=Example Corp,C=FR"
 -keystore /path/to/opendj/config/keystore
 -storepass changeit
 -keypass changeit</screen>

 <note><para>Notice that the <option>-storepass</option> and
 <option>-keypass</option> options take identical password arguments.
 OpenDJ requires that you use the same password to protect both the key store
 and the private key.</para></note>
 </step>

 <step>
 <para>Create a certificate signing request file for the certificate you
 generated.</para>

 <screen>$ keytool
 -certreq
 -alias server-cert
 -keystore /path/to/opendj/config/keystore
 -storepass changeit
 -file server-cert.csr</screen>
 </step>

 <step>
 <para>Have the CA sign the request
 (<filename>server-cert.csr</filename>).</para>
 <para>See the instructions from your CA on how to provide the
 request.</para>
 <para>The CA returns the signed certificate.</para>

 <!-- Create a CA cert for signing certificates.

Not part of the procedure, but helpful when trying this out:
http://social.rocho.org/jan/selfsign.html

$ openssl genrsa -des3 -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
.....++
.......................++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:

$ openssl req -new -x509 -days 7300 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Grenoble
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Corp
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Example CA
Email Address []:mark.craig@forgerock.com

$ openssl x509 -req -in server-cert.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server-cert.crt
Signature ok
subject=/C=FR/O=Example Corp/CN=openam.example.com
Getting CA Private Key
Enter pass phrase for ca.key:

$ openssl x509 -req -in myapp-cert.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out myapp-cert.crt
Signature ok
subject=/DC=com/DC=example/OU=Apps/CN=My App
Getting CA Private Key
Enter pass phrase for ca.key:

-->
 </step>

 <step>
 <para>If you have set up your own CA and signed the certificate, or are
 using a CA whose signing certificate is not included in the Java runtime
 environment, import the CA certificate into the key store so that it can be
 trusted.</para>

 <para>Otherwise, when you import the signed certificate in the reply from
 the (unknown) CA, <command>keytool</command> fails to import the signed
 certificate with the message <literal>keytool error: java.lang.Exception:
 Failed to establish chain from reply</literal>.</para>

 <para>The following example illustrates import of a CA certificate created
 with the <command>openssl</command> command. See the
 <command>openssl</command> documentation for instructions on creating CAs
 and on signing other certificates with the CA you created.</para>

 <screen>$ keytool
 -import
 -keystore /path/to/opendj/config/keystore
 -file ca.crt
 -alias ca-cert
 -storepass changeit
Owner: EMAILADDRESS=admin@example.com, CN=Example CA, O=Example Corp, C=FR
Issuer: EMAILADDRESS=admin@example.com, CN=Example CA, O=Example Corp, C=FR
Serial number: d4586ea05c878b0c
Valid from: Tue Jan 29 09:30:31 CET 2013 until: Mon Jan 24 09:30:31 CET 2033
Certificate fingerprints:
 MD5: 8A:83:61:9B:E7:18:A2:21:CE:92:94:96:59:68:60:FA
 SHA1: 01:99:18:38:3A:57:D7:92:7B:D6:03:8C:7B:E4:1D:37:45:0E:29:DA
 SHA256: 5D:20:F1:86:CC:CD:64:50:...:DF:15:43:07:69:44:00:FB:36:CF
 Signature algorithm name: SHA1withRSA
 Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 30 07 67 7D 1F 09 B6 E6 90 85 95 58 94 37 FD 31 0.g........X.7.1
0010: 03 D4 56 7B ..V.
]
[EMAILADDRESS=admin@example.com, CN=Example CA, O=Example Corp, C=FR]
SerialNumber: [ d4586ea0 5c878b0c]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
 CA:true
 PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 30 07 67 7D 1F 09 B6 E6 90 85 95 58 94 37 FD 31 0.g........X.7.1
0010: 03 D4 56 7B ..V.
]
]

Trust this certificate? [no]: yes
Certificate was added to keystore</screen>
 </step>
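Two checks in this chapter can be scripted before you answer yes to keytool's "Trust this certificate? [no]" prompt or import a CA reply: that a self-signed certificate's Owner and Issuer match (the client certificate import under Preparing For Secure Communications), that its fingerprint matches the one the certificate's owner gave you out of band, and that a CA reply's Issuer matches the Owner of the CA certificate already in the key store, which is the link keytool cannot find when it reports "Failed to establish chain from reply". The following Python script is an added example written for this chapter; it is not OpenDJ or JDK code. It uses only the standard library: a small DER walker that reads the issuer and subject Names, and a DER encoder used to construct sample certificate-shaped data inline (no key and no signature, so the samples are not usable certificates). The OID table, the DN values and all function names are assumptions.

```python
"""Pre-import checks for certificates handled with keytool in this chapter (added
example, not OpenDJ or JDK code; standard library only).  The DER walker reads only
the issuer and subject Names; it does not validate signatures.  DNs are assumptions."""
import hashlib
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU",
              "0.9.2342.19200300.100.1.25": "DC", "1.2.840.113549.1.9.1": "EMAILADDRESS"}
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: 0x80|n, then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed element's payload into (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, body, pos = read_tlv(value, pos)
        out.append((tag, body))
    return out

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                    # base-128 arcs, high bit means "continue"
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_name(name):
    """Render a Name as keytool prints Owner/Issuer: most specific RDN first."""
    parts = []
    for _, rdn in children(name):                     # SET OF AttributeTypeAndValue
        for _, atv in children(rdn):                  # SEQUENCE { type, value }
            (_, oid), (_, val) = children(atv)
            parts.append(f"{ATTR_NAMES.get(decode_oid(oid), decode_oid(oid))}={val.decode()}")
    return ", ".join(reversed(parts))

def names(der):
    """Return (owner, issuer) of a DER-encoded X.509 certificate."""
    fields = children(children(read_tlv(der, 0)[1])[0][1])   # tbsCertificate
    if fields[0][0] == 0xA0:                                  # optional [0] version
        fields = fields[1:]
    return decode_name(fields[4][1]), decode_name(fields[2][1])  # subject, issuer

def is_self_signed(der):
    return names(der)[0] == names(der)[1]

def fingerprint(der, algo="sha256"):
    """Digest of the DER bytes in keytool's colon-separated uppercase form."""
    hexd = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def fingerprint_matches(der, expected):
    """Compare with a SHA1/SHA256 fingerprint obtained out of band (any case,
    colons optional) before answering 'Trust this certificate? [no]'."""
    want = expected.replace(":", "").upper()
    return fingerprint(der, "sha1" if len(want) == 40 else "sha256").replace(":", "") == want

def chain_from_reply_ok(reply_der, ca_der):
    """keytool chains a CA reply by matching its Issuer to the Owner of a cert already
    in the key store (or cacerts); False here means 'Failed to establish chain from reply'."""
    return names(reply_der)[1] == names(ca_der)[0]

def tlv(tag, body):                       # constructed-sample helpers from here on: no key, no signature
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def encode_name(rdns):                    # (oid, value) pairs in DER order, least specific first
    return tlv(0x30, b"".join(tlv(0x31, tlv(0x30, tlv(0x06, encode_oid(o)) + tlv(0x0C, v.encode())))
                              for o, v in rdns))

def sample_cert(subject, issuer):
    alg = tlv(0x30, tlv(0x06, encode_oid("1.2.840.113549.1.1.11")) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + encode_name(issuer)
              + tlv(0x30, tlv(0x17, b"130118172709Z") + tlv(0x17, b"330113172709Z"))
              + encode_name(subject) + tlv(0x30, alg + tlv(0x03, b"\x00")))  # dummy SPKI
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))                          # dummy signature

DC = "0.9.2342.19200300.100.1.25"
MYAPP = [(DC, "com"), (DC, "example"), ("2.5.4.11", "Apps"), ("2.5.4.3", "My App")]
EXAMPLE_CA = [("2.5.4.6", "FR"), ("2.5.4.10", "Example Corp"), ("2.5.4.3", "Example CA")]
SERVER = [("2.5.4.6", "FR"), ("2.5.4.10", "Example Corp"), ("2.5.4.3", "opendj.example.com")]

if __name__ == "__main__":
    app, ca, reply = sample_cert(MYAPP, MYAPP), sample_cert(EXAMPLE_CA, EXAMPLE_CA), sample_cert(SERVER, EXAMPLE_CA)
    print("Owner:", names(app)[0], "| self-signed:", is_self_signed(app), "| SHA256:", fingerprint(app))
    print("reply chains to CA:", chain_from_reply_ok(reply, ca), "| to myapp-cert:", chain_from_reply_ok(reply, app))
```

To run the checks on a real file, pass the bytes of a binary (.crt in DER form) certificate to names(), fingerprint_matches() or chain_from_reply_ok(); for a printable (.pem) file, convert first with ssl.PEM_cert_to_DER_cert() from the standard library. Signature validation is deliberately left out: once the certificate is in the trust store, that is what the Trust Manager Provider and the TLS stack do on every connection.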

 <step>
 <para>Import the signed certificate from the CA reply into the keystore
 where you generated the server certificate.</para>

 <para>In this example the certificate from the reply is
 <filename>~/Downloads/server-cert.crt</filename>.</para>

 <screen>$ keytool
 -import
 -trustcacerts
 -alias server-cert
 -file ~/Downloads/server-cert.crt
 -keystore /path/to/opendj/config/keystore
 -storepass changeit
 -keypass changeit
Certificate reply was installed in keystore</screen>
 </step>

 <step>
 <para>Configure the File Based Key Manager Provider for JKS to use the file
 name and key store PIN that you set up with the <command>keytool</command>
 command.</para>

 <screen>$ dsconfig
 set-key-manager-provider-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --provider-name JKS
 --set enabled:true
 --set key-store-pin:changeit
 --remove key-store-pin-file:config/keystore.pin
 --trustAll
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --no-prompt</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Configure the File Based Trust Manager Provider for JKS to use the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark key store and PIN as well.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark set-trust-manager-provider-prop
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname opendj.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --provider-name JKS
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set enabled:true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set trust-store-file:config/keystore
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set trust-store-pin:changeit
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --trustAll
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --no-prompt</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>At this point, OpenDJ directory server can use your new CA-signed
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark certificate, for example for StartTLS and LDAPS connection handlers.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>If you use a CA certificate that is not known to clients, such as a
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark CA that you set up yourself rather than a well-known CA whose certificate
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark is included with the client system, import the CA certificate into the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark client application trust store. Otherwise the client application cannot
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark trust the signature on the OpenDJ CA-signed server certificate.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <procedure xml:id="new-self-signed-cert">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>To Create &amp; Install a Self-Signed Certificate</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>If you choose to configure LDAP Secure Access when setting up OpenDJ
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark directory server, the setup program generates a key pair in the Java Key
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Store <filename>/path/to/opendj/config/keystore</filename>, and self-signs
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the public key certificate, which has the alias <literal>server-cert</literal>.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark The password for the key store and the private key is stored in clear text
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark in the file <filename>/path/to/opendj/config/keystore.pin</filename>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>If you want to secure communications, but did not choose to configure
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark LDAP Secure Access at setup time, this procedure can help. The following
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark steps explain how to create and install a key pair with a self-signed
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark certificate in preparation to configure LDAPS or HTTPS. First you create a
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark key pair in a new Java Key Store, and then self-sign the certificate. Next,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark you set up the Key Manager Provider and Trust Manager Provider to access
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the new server certificate in the new key store.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>If instead you want to <emphasis>replace the existing server key pair
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark with a self-signed certificate</emphasis>, then first use <command>keytool
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark -delete -alias server-cert</command> to delete the existing keys before you
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark generate a new key pair with the same alias. You can also either reuse the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark existing password in <filename>keystore.pin</filename>, or use a new password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark as shown in the steps below.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Generate the server certificate using the Java
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <command>keytool</command> command.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ keytool
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark -genkey
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark -alias server-cert
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark -keyalg rsa
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark -dname "CN=opendj.example.com,O=Example Corp,C=FR"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark -keystore /path/to/opendj/config/keystore
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark -storepass changeit
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark -keypass changeit</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>In this example, OpenDJ is running on a system with fully qualified
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark host name <literal>opendj.example.com</literal>. The Java Key Store (JKS)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark is created in the <filename>config</filename> directory where OpenDJ is
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark installed, which is the default <literal>key-store-file</literal> location
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark for the JKS key manager provider.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <note>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Notice that the <option>-storepass</option> and
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <option>-keypass</option> options take identical password arguments.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark OpenDJ requires that you use the same password to protect both the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark key store and also the private key.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </note>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Keep track of the password provided to the <option>-storepass</option>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark and <option>-keypass</option> options.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Self-sign the server certificate.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ keytool
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark -selfcert
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark -alias server-cert
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark -keystore /path/to/opendj/config/keystore
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark -storepass changeit</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Configure the File Based Key Manager Provider for JKS to access the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Java Key Store with the key store/private key password.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>In this example, the alias is <literal>server-cert</literal> and the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark password is <literal>changeit</literal>. The PIN file holds that password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark in clear text, so restrict it to the user account that runs OpenDJ, as the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <command>chmod</command> command below does.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>If you are replacing a key pair with a self-signed certificate,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark reusing the <literal>server-cert</literal> alias and password stored in
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <filename>keystore.pin</filename>, then you can skip this step.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ echo changeit > /path/to/opendj/config/keystore.pin
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark$ chmod 600 /path/to/opendj/config/keystore.pin
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark set-key-manager-provider-prop
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname opendj.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --provider-name JKS
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set enabled:true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set key-store-file:config/keystore
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set key-store-pin-file:config/keystore.pin
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --trustAll
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --no-prompt</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Configure the File Based Trust Manager Provider for JKS to use the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark key store and PIN as well.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>If you skipped the previous step, you can also skip this step.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark set-trust-manager-provider-prop
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname opendj.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --provider-name JKS
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set enabled:true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set trust-store-file:config/keystore
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set trust-store-pin-file:config/keystore.pin
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --trustAll
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --no-prompt</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>At this point, OpenDJ directory server can use your new self-signed
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark certificate, for example for StartTLS and LDAPS or HTTPS connection
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark handlers.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
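 <para>The following shell script is an added example and is not part of the
 OpenDJ documentation or tooling. It wraps the two procedures above (CA-signed
 and self-signed) in functions that close the gaps a reviewer would flag: the
 PIN file is created without a world-readable window, the CA certificate is
 imported only after its fingerprint matches a value obtained out of band
 instead of answering the interactive "Trust this certificate?" prompt, the
 key store password and the administrator password are read from files rather
 than passed on the command line, and the self-signed certificate carries a
 subjectAltName. It assumes <command>keytool</command> from JDK 8 or later
 (so that <command>keytool -printcert</command> reports SHA-256 fingerprints)
 and <command>dsconfig</command> on the PATH; the install path, host name,
 DN, alias, validity and key size are placeholders taken from the procedures.</para>

```sh
#!/bin/sh
# Added example, not OpenDJ's own tooling. Hardened helpers for the CA-signed
# and self-signed procedures. Assumed: keytool (JDK 8+, prints SHA256
# fingerprints) and dsconfig on PATH; paths, names and alias are placeholders.
set -eu

OPENDJ=${OPENDJ:-/path/to/opendj}            # assumed install directory
KEYSTORE="$OPENDJ/config/keystore"
PINFILE="$OPENDJ/config/keystore.pin"

# Write the key store PIN so the file is never readable by other users, not
# even briefly: `echo pin > file; chmod 600 file` leaves a window whose width
# depends on the umask. OpenDJ uses the same password for store and key.
write_pin_file() {                           # write_pin_file FILE PIN
  rm -f "$1"
  ( umask 077; printf '%s\n' "$2" > "$1" )
  chmod 600 "$1"
}

# Permission string of a file, e.g. "-rw-------", to check write_pin_file.
file_mode() { ls -ld "$1" | cut -c1-10; }

# Fingerprints as printed by keytool ("92:B7:4C..."), by openssl, or copied
# by hand compare equal once colons, spaces and case are normalised.
normalize_fp() { printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'; }
fingerprints_match() { [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]; }

# SHA-256 fingerprint of a certificate file as reported by keytool -printcert.
cert_sha256() {
  keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1
}

# Import a CA certificate only after its fingerprint matches a value obtained
# out of band (from the CA operator, not from the same download). This
# replaces the interactive "Trust this certificate? [no]:" prompt with a check.
import_ca_cert() {                           # import_ca_cert CERT EXPECTED_SHA256
  actual=$(cert_sha256 "$1")
  if ! fingerprints_match "$actual" "$2"; then
    echo "refusing to trust $1: fingerprint $actual does not match $2" >&2
    return 1
  fi
  keytool -importcert -noprompt -trustcacerts -alias ca-cert -file "$1" \
    -keystore "$KEYSTORE" -storepass:file "$PINFILE"
}

# Generate the server key pair with a self-signed certificate. -genkeypair
# already self-signs, so no separate -selfcert run is needed (one would drop
# the SAN extension). Differences from the procedure: a subjectAltName,
# because clients that verify host names check SAN rather than CN, and
# passwords read from the PIN file rather than the command line, where
# `ps` and shell history would expose them.
gen_self_signed() {                          # gen_self_signed FQDN
  keytool -genkeypair -alias server-cert -keyalg RSA -keysize 2048 \
    -validity 365 -dname "CN=$1,O=Example Corp,C=FR" -ext "SAN=dns:$1" \
    -keystore "$KEYSTORE" -storepass:file "$PINFILE" -keypass:file "$PINFILE"
}

# Point the JKS key and trust manager providers at the key store and PIN file.
# --bindPasswordFile keeps the admin password off the command line too.
# --trustAll is what the procedures use: it skips verifying the admin port's
# own certificate, acceptable only for local administration.
configure_providers() {                      # configure_providers HOST ADMIN_PW_FILE
  for kind in key trust; do
    dsconfig "set-${kind}-manager-provider-prop" --hostname "$1" --port 4444 \
      --bindDN "cn=Directory Manager" --bindPasswordFile "$2" \
      --provider-name JKS --set enabled:true \
      --set "${kind}-store-file:config/keystore" \
      --set "${kind}-store-pin-file:config/keystore.pin" --trustAll --no-prompt
  done
}

# Stand-alone use: PIN=secret sh keystore.sh opendj.example.com /path/to/admin.pw
if [ $# -ge 2 ]; then
  write_pin_file "$PINFILE" "${PIN:?set PIN to the key store password}"
  gen_self_signed "$1"
  configure_providers "$1" "$2"
fi
```

 <para>For the CA-signed flow, call <literal>import_ca_cert ca.crt
 &lt;expected-sha256&gt;</literal> before importing the signed reply; the
 function refuses to touch the key store when the fingerprint differs, which
 is the point at which a substituted CA certificate would otherwise be
 trusted. The expected fingerprint must come from a channel other than the
 one the certificate file arrived on.</para>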
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <section xml:id="configure-starttls">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>LDAP Client Access With Transport Layer Security</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm><primary>StartTLS</primary></indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>With StartTLS, the client connects to the unsecured LDAP port and then
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark issues the StartTLS extended operation; once the TLS negotiation completes,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the rest of the connection is protected. Traffic on that port is in clear
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark text until the client issues StartTLS, so allowing StartTLS does not by
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark itself force clients to use it. You can opt to configure StartTLS during
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark installation, or later using the <command>dsconfig</command> command.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <procedure xml:id="setup-starttls-port">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>To Enable StartTLS on the LDAP Port</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Make sure you have a server certificate installed.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ keytool
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark -list
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark -alias server-cert
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark -keystore /path/to/opendj/config/keystore
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark -storepass `cat /path/to/opendj/config/keystore.pin`
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkserver-cert, Jun 17, 2013, PrivateKeyEntry,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkCertificate fingerprint (SHA1): 92:B7:4C:4F:2E:24:...:EB:7C:22:3F
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Activate StartTLS on the current LDAP port.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark set-connection-handler-prop
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname opendj.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --handler-name "LDAP Connection Handler"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set allow-start-tls:true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set key-manager-provider:JKS
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set trust-manager-provider:JKS
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --trustAll
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --no-prompt</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The change takes effect. No need to restart the server.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <section xml:id="configure-ssl">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>LDAP Client Access Over SSL</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm><primary>SSL</primary></indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>You configure LDAPS (LDAP/SSL) client access by using the command-line
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark tool <command>dsconfig</command>. You can opt to configure LDAPS access
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark when you install.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The standard port number for LDAPS client access is 636. If you
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark install OpenDJ directory server as a user who can use port 636 and the port
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark is not yet in use, then 636 is the default port number presented at
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark installation time. If you install as a user who cannot use a port &lt; 1024,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark then the default port number presented at installation time is 1636.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <procedure xml:id="setup-ssl-port">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>To Set Up LDAPS Access</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Make sure you have a server certificate installed.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ keytool
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark -list
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark -alias server-cert
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark -keystore /path/to/opendj/config/keystore
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark -storepass `cat /path/to/opendj/config/keystore.pin`
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkserver-cert, Jun 17, 2013, PrivateKeyEntry,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkCertificate fingerprint (SHA1): 92:B7:4C:4F:2E:24:...:EB:7C:22:3F
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Configure the server to activate LDAPS access.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark set-connection-handler-prop
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname opendj.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --handler-name "LDAPS Connection Handler"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set listen-port:1636
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set enabled:true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set use-ssl:true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --trustAll
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --no-prompt</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>This example changes the port number to 1636 in the configuration.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <procedure xml:id="change-ssl-port">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>To Change the LDAPS Port Number</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Change the port number using the <command>dsconfig</command>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark command.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark set-connection-handler-prop
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname opendj.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --handler-name "LDAPS Connection Handler"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set listen-port:11636
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --trustAll
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --no-prompt</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>This example changes the port number to 11636 in the configuration.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Restart the connection handler so the change takes effect. To restart
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the connection handler, disable it and then enable it again.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark set-connection-handler-prop
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname opendj.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --handler-name "LDAPS Connection Handler"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set enabled:false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --trustAll
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --no-prompt
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark set-connection-handler-prop
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname opendj.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --handler-name "LDAPS Connection Handler"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set enabled:true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --trustAll
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --no-prompt</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <section xml:id="restrict-clients">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>Restricting Client Access</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm><primary>Access control</primary></indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Using the OpenDJ directory server global configuration properties, you
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark can add global restrictions on how clients access the server. These settings
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark are per server, and so must be set independently on each server in a
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark replication topology.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>These global settings are fairly coarse-grained. For a full discussion
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark of the rich set of administrative privileges and fine-grained access control
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark instructions that OpenDJ supports, see the chapter on <link
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark xlink:href="admin-guide#chap-privileges-acis"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Configuring
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Privileges &amp; Access Control</citetitle></link>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <variablelist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Consider the following global configuration settings.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>bind-with-dn-requires-password</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Whether the directory server should reject any simple bind request
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark that contains a DN but no password. Default: <literal>true</literal></para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>To change this setting use the following command.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark set-global-configuration-prop
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname opendj.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set bind-with-dn-requires-password:false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --no-prompt</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>max-allowed-client-connections</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Restricts the number of concurrent client connections to the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark directory server. Default: 0, meaning no limit is set</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>To set a limit of 32768 use the following command.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark set-global-configuration-prop
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname opendj.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set max-allowed-client-connections:32768
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --no-prompt</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>reject-unauthenticated-requests</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Rejects any request (other than bind or StartTLS requests) received
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark from a client that has not yet been authenticated, whose last
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark authentication attempt was unsuccessful, or whose last authentication
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark attempt used anonymous authentication. Default: <literal>false</literal></para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>To reject requests from clients that have not authenticated, including
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark clients that bound anonymously, use the following command. Because the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark setting applies to every request except bind and StartTLS, it also rejects
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark anonymous reads of the root DSE; clients must bind first.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark set-global-configuration-prop
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname opendj.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set reject-unauthenticated-requests:true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --no-prompt</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>return-bind-error-messages</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Does not restrict access, but by default prevents OpenDJ directory
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark server from returning extra information about why a bind failed, as an
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark attacker can use that information to tell valid accounts from invalid ones.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Instead, the information is written to the server errors log, where it is
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark available to administrators. Default: <literal>false</literal></para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>To have OpenDJ return additional information about why a bind failed,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark for example while troubleshooting, use the following command. Set the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark property back to <literal>false</literal> when you are done.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark set-global-configuration-prop
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname opendj.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set return-bind-error-messages:true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --no-prompt</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </variablelist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <section xml:id="tls-protocols-cipher-suites">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>TLS Protocols &amp; Cipher Suites</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <primary>TLS</primary>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>By default OpenDJ supports the SSL and TLS protocols and the cipher
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark suites supported by the underlying Java virtual machine. For details see the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark documentation for the Java virtual machine in which you run OpenDJ. For Oracle
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Java, see the <citetitle>Java Cryptography Architecture Oracle Providers
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Documentation</citetitle> for the <link xlink:show="new"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark xlink:href="http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark >The <literal>SunJSSE</literal> Provider</link>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>To list the available protocols and cipher suites, read the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>supportedTLSProtocols</literal> and
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>supportedTLSCiphers</literal> attributes of the root DSE. Install
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark unlimited strength Java cryptography extensions for stronger ciphers.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark >$ ldapsearch --port 1389 --baseDN "" --searchScope base "(objectclass=*)"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark supportedTLSCiphers supportedTLSProtocols
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdn:
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: TLS_RSA_WITH_AES_128_CBC_SHA256
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: SSL_RSA_WITH_RC4_128_SHA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: SSL_RSA_WITH_RC4_128_MD5
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSCiphers: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSProtocols: SSLv2Hello
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSProtocols: SSLv3
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSProtocols: TLSv1
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSProtocols: TLSv1.1
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksupportedTLSProtocols: TLSv1.2
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>You can restrict the list of protocols and cipher suites used by setting
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the <literal>ssl-protocol</literal> and <literal>ssl-cipher-suite</literal>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark connection handler properties to include only the protocols or cipher suites
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark you want.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>For example, to restrict the cipher suites to
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>TLS_EMPTY_RENEGOTIATION_INFO_SCSV</literal> and
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>TLS_RSA_WITH_AES_256_CBC_SHA</literal> use the <command>dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark set-connection-handler-prop</command> command as shown in the following
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark example.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark set-connection-handler-prop
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname opendj.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --handler-name "LDAPS Connection Handler"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --add ssl-cipher-suite:TLS_EMPTY_RENEGOTIATION_INFO_SCSV
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --add ssl-cipher-suite:TLS_RSA_WITH_AES_256_CBC_SHA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --no-prompt
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --trustAll</screen>
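 <para>The root DSE listing above is the raw material for such a restriction,
 and reading it by eye is error-prone when the JVM advertises dozens of suites.
 The following Python script is an added example, not OpenDJ code: it parses
 the LDIF that <command>ldapsearch</command> returns, applies an assumed local
 policy that rejects <literal>SSLv2Hello</literal>, <literal>SSLv3</literal>,
 <literal>TLSv1</literal>, <literal>TLSv1.1</literal> and any suite built on
 RC4, 3DES, MD5, NULL, export or anonymous primitives, and renders what
 survives as <literal>--add ssl-protocol:</literal> and
 <literal>--add ssl-cipher-suite:</literal> arguments for <command>dsconfig
 set-connection-handler-prop</command>. The policy, the function names and the
 abridged LDIF sample are this example's own.</para>

```python
"""Audit the TLS protocols and cipher suites a directory server advertises.

Added example, not OpenDJ code: parses the root DSE output of
ldapsearch ... supportedTLSCiphers supportedTLSProtocols, separates what a
local policy allows from what it rejects, and emits matching dsconfig
arguments. The policy is an assumption for illustration.
"""

# Constructed sample: an abridged copy of the root DSE listing shown above.
SAMPLE_LDIF = """\
dn:
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
supportedTLSCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
supportedTLSCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
supportedTLSCiphers: SSL_RSA_WITH_RC4_128_MD5
supportedTLSCiphers: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
supportedTLSProtocols: SSLv2Hello
supportedTLSProtocols: SSLv3
supportedTLSProtocols: TLSv1
supportedTLSProtocols: TLSv1.1
supportedTLSProtocols: TLSv1.2
"""

# Assumed local policy: legacy protocol versions and weak primitives are out.
REJECTED_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("_RC4_", "_3DES_", "_MD5", "_NULL_", "_EXPORT", "_DES_", "_anon_")
# The renegotiation signalling suite carries no cipher; keep it with the real suites.
SIGNALLING_SUITES = {"TLS_EMPTY_RENEGOTIATION_INFO_SCSV"}


def parse_root_dse(ldif):
    """Collect the multi-valued attributes of a single LDIF entry into lists."""
    attrs = {}
    for line in ldif.splitlines():
        if ": " not in line:
            continue  # the bare "dn:" line and blank lines carry no value
        name, value = line.split(": ", 1)
        attrs.setdefault(name, []).append(value.strip())
    return attrs


def is_weak_cipher(suite):
    """True when the suite name contains any primitive the policy rejects."""
    return any(marker in suite for marker in WEAK_CIPHER_MARKERS)


def audit(attrs):
    """Split advertised protocols and suites into allowed and rejected lists."""
    protocols = attrs.get("supportedTLSProtocols", [])
    suites = attrs.get("supportedTLSCiphers", [])
    allowed_suites = [s for s in suites if s in SIGNALLING_SUITES or not is_weak_cipher(s)]
    return {
        "allowed_protocols": [p for p in protocols if p not in REJECTED_PROTOCOLS],
        "rejected_protocols": [p for p in protocols if p in REJECTED_PROTOCOLS],
        "allowed_suites": allowed_suites,
        "rejected_suites": [s for s in suites if s not in allowed_suites],
    }


def dsconfig_args(handler, allowed_protocols, allowed_suites):
    """Render the restriction as arguments for dsconfig set-connection-handler-prop.

    Connection and credential options (--hostname, --port, --bindDN, ...) are
    left to the caller; --add appends to whatever the property already holds.
    """
    args = ["set-connection-handler-prop", "--handler-name", handler]
    for proto in allowed_protocols:
        args.extend(["--add", "ssl-protocol:" + proto])
    for suite in allowed_suites:
        args.extend(["--add", "ssl-cipher-suite:" + suite])
    return args


if __name__ == "__main__":
    report = audit(parse_root_dse(SAMPLE_LDIF))
    for key in ("rejected_protocols", "rejected_suites"):
        print(key + ":", ", ".join(report[key]))
    print(" ".join(dsconfig_args("LDAPS Connection Handler",
                                 report["allowed_protocols"],
                                 report["allowed_suites"])))
```

 <para>To run this against a live server, feed the output of the
 <command>ldapsearch</command> command above to <literal>parse_root_dse</literal>
 instead of the embedded sample. Because <literal>--add</literal> appends
 rather than replaces, check the handler's current
 <literal>ssl-protocol</literal> and <literal>ssl-cipher-suite</literal>
 values before applying the generated arguments.</para>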
 </section>

 <section xml:id="setup-rest2ldap">
 <title>RESTful Client Access</title>
 <indexterm><primary>HTTP</primary></indexterm>
 <indexterm><primary>JSON</primary></indexterm>
 <indexterm><primary>REST</primary></indexterm>

 <orderedlist>
 <para>OpenDJ offers two ways to give RESTful client applications HTTP access
 to directory data as JSON resources.</para>

 <listitem>
 <para>Enable the listener on OpenDJ directory server to respond
 to REST requests.</para>

 <para>With this approach, you do not need to install additional
 software.</para>
 </listitem>

 <listitem>
 <para>Configure the external REST LDAP gateway Servlet to access your
 directory service.</para>

 <para>With this approach, you must install the gateway separately.</para>
 </listitem>
 </orderedlist>

 <procedure xml:id="setup-rest2ldap-connection-handler">
 <title>To Set Up REST Access to OpenDJ Directory Server</title>

 <para>OpenDJ directory server has a handler for HTTP connections, where it
 exposes the RESTful API demonstrated in the chapter on
 <link xlink:href="admin-guide#chap-rest-operations" xlink:show="new"
 xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Performing
 RESTful Operations</citetitle></link>. The HTTP connection handler is not
 enabled by default.</para>

 <para>You configure the mapping between JSON resources and LDAP entries
 by editing the configuration file for the HTTP connection handler, by
 default <filename>/path/to/opendj/config/http-config.json</filename>. The
 configuration is described in the appendix, <link xlink:show="new"
 xlink:href="admin-guide#appendix-rest2ldap"
 xlink:role="http://docbook.org/xlink/role/olink"><citetitle>REST LDAP
 Configuration</citetitle></link>. The default mapping works out of the box
 with Example.com data generated as part of the setup process and with
 <link xlink:show="new" xlink:href="http://opendj.forgerock.org/Example.ldif"
 >Example.ldif</link>.</para>

 <step>
 <para>Enable the connection handler.</para>

 <screen>$ dsconfig
 set-connection-handler-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "HTTP Connection Handler"
 --set enabled:true
 --no-prompt
 --trustAll</screen>
 </step>

 <step>
 <para>Enable the HTTP access log.</para>

 <screen>$ dsconfig
 set-log-publisher-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --publisher-name "File-Based HTTP Access Logger"
 --set enabled:true
 --no-prompt
 --trustAll</screen>

 <para>This enables the HTTP access log,
 <filename>opendj/logs/http-access</filename>. For details on the
 format of the HTTP access log, see the section on <link xlink:show="new"
 xlink:href="admin-guide#logging"
 xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Server
 Logs</citetitle></link>.</para>
 </step>

 <step performance="optional">
 <para>Try reading a resource.</para>

 <para>The HTTP connection handler paths start by default at the root
 context, as shown in the following example.</para>

 <screen>$ curl http://bjensen:hifalutin@opendj.example.com:8080/users/bjensen
 ?_prettyPrint=true
{
 "_rev" : "00000000315fb731",
 "schemas" : [ "urn:scim:schemas:core:1.0" ],
 "manager" : [ {
 "_id" : "trigden",
 "displayName" : "Torrey Rigden"
 } ],
 "contactInformation" : {
 "telephoneNumber" : "+1 408 555 1862",
 "emailAddress" : "bjensen@example.com"
 },
 "_id" : "bjensen",
 "name" : {
 "familyName" : "Jensen",
 "givenName" : "Barbara"
 },
 "userName" : "bjensen@example.com",
 "displayName" : "Barbara Jensen"
}</screen>
 </step>

 <step performance="optional">
 <para>If necessary, change the connection handler configuration using the
 <command>dsconfig</command> command.</para>

 <para>The following example shows how to set the port to 8443, and to
 configure the connection handler to do SSL (using the default server
 certificate). If you did not generate a default, self-signed certificate
 when installing OpenDJ directory server, see the instructions, <link
 xlink:show="new" xlink:href="admin-guide#new-self-signed-cert"
 xlink:role="http://docbook.org/xlink/role/olink"><citetitle>To Create &amp;
 Install a Self-Signed Certificate</citetitle></link>, and more generally the
 section on <link xlink:show="new"
 xlink:href="admin-guide#setup-server-cert"
 xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Preparing For
 Secure Communications</citetitle></link> for additional instructions,
 including how to import a CA-signed certificate.</para>

 <screen>$ dsconfig
 set-connection-handler-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "HTTP Connection Handler"
 --set listen-port:8443
 --set use-ssl:true
 --set key-manager-provider:JKS
 --set trust-manager-provider:"Blind Trust"
 --no-prompt
$ stop-ds --restart
Stopping Server...
.... The Directory Server has started successfully
$ keytool
 -export
 -rfc
 -alias server-cert
 -keystore /path/to/opendj/config/keystore
 -storepass `cat /path/to/opendj/config/keystore.pin`
 -file server-cert.pem
Certificate stored in file &lt;server-cert.pem&gt;
$ curl
 --cacert server-cert.pem
 --user bjensen:hifalutin
 https://opendj.example.com:8443/users/bjensen?_prettyPrint=true
{
 "_rev" : "0000000018c8b685",
 "schemas" : [ "urn:scim:schemas:core:1.0" ],
 "contactInformation" : {
 "telephoneNumber" : "+1 408 555 1862",
 "emailAddress" : "bjensen@example.com"
 },
 "_id" : "bjensen",
 "name" : {
 "familyName" : "Jensen",
 "givenName" : "Barbara"
 },
 "userName" : "bjensen@example.com",
 "displayName" : "Barbara Jensen",
 "manager" : [ {
 "_id" : "trigden",
 "displayName" : "Torrey Rigden"
 } ]
}</screen>
 </step>
 </procedure>
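 <para>The last step of the procedure above moves the client from
 <literal>http://user:password@host:8080/...</literal> to HTTPS on 8443 with
 the exported <filename>server-cert.pem</filename> passed as
 <literal>--cacert</literal>. The following Python client is an added example,
 not OpenDJ code, that does the same as that final <command>curl</command>
 call: it sends the Basic credentials, trusts only the exported server
 certificate, and refuses to send credentials over plain
 <literal>http</literal> unless the caller explicitly opts in. The function
 and parameter names are this example's own; the embedded response is
 constructed from the listing above, so the parsing part runs offline.</para>

```python
"""Read a JSON resource from the OpenDJ HTTP connection handler over HTTPS.

Added example, not OpenDJ code. Mirrors the final curl call in the procedure
above: Basic credentials from --user, server-cert.pem pinned as the only
trusted CA via --cacert, and the resource at /users/bjensen.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request

# Constructed sample: the body returned for /users/bjensen in the listing above.
SAMPLE_RESPONSE = """{
  "_rev" : "0000000018c8b685",
  "schemas" : [ "urn:scim:schemas:core:1.0" ],
  "contactInformation" : {
    "telephoneNumber" : "+1 408 555 1862",
    "emailAddress" : "bjensen@example.com"
  },
  "_id" : "bjensen",
  "name" : { "familyName" : "Jensen", "givenName" : "Barbara" },
  "userName" : "bjensen@example.com",
  "displayName" : "Barbara Jensen",
  "manager" : [ { "_id" : "trigden", "displayName" : "Torrey Rigden" } ]
}"""


def basic_auth_header(user, password):
    """Build the Authorization value that curl --user user:password sends."""
    token = base64.b64encode((user + ":" + password).encode("utf-8")).decode("ascii")
    return "Basic " + token


def build_request(url, user, password, allow_plaintext=False):
    """Prepare the GET; plain http is refused so credentials are not sent in clear."""
    scheme = urllib.parse.urlsplit(url).scheme
    if scheme != "https" and not allow_plaintext:
        raise ValueError("refusing to send Basic credentials over " + scheme)
    headers = {
        "Authorization": basic_auth_header(user, password),
        "Accept": "application/json",
    }
    return urllib.request.Request(url, headers=headers)


def pinned_context(cafile):
    """TLS context that trusts only the certificate exported with keytool."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True          # URL host must match the certificate
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def parse_user(body):
    """Extract the fields an application typically needs from the resource."""
    doc = json.loads(body)
    return {
        "id": doc["_id"],
        "userName": doc["userName"],
        "displayName": doc.get("displayName"),
        "managers": [m["_id"] for m in doc.get("manager", [])],
        "rev": doc["_rev"],
    }


def fetch_user(url, user, password, cafile):
    """Perform the live request (network access required) and parse the body."""
    req = build_request(url, user, password)
    with urllib.request.urlopen(req, context=pinned_context(cafile)) as resp:
        return parse_user(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample. The live equivalent is:
    # fetch_user("https://opendj.example.com:8443/users/bjensen?_prettyPrint=true",
    #            "bjensen", "hifalutin", "server-cert.pem")
    print(parse_user(SAMPLE_RESPONSE))
```

 <para>Note that <literal>pinned_context</literal> trusts the exported
 self-signed certificate only, so the client does not depend on the JVM or OS
 trust store; when you later install a CA-signed certificate, pass the CA
 certificate instead. The <literal>_rev</literal> value returned by
 <literal>parse_user</literal> is what a client sends back in an
 <literal>If-Match</literal> header to avoid overwriting someone else's
 update.</para>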

 <procedure xml:id="setup-rest2ldap-gateway">
 <title>To Set Up OpenDJ REST LDAP Gateway</title>

 <para>Follow these steps to set up the OpenDJ REST LDAP gateway Servlet to
 access your directory service.</para>

 <step>
 <para>Download and install the gateway as described in <link
 xlink:href="install-guide#install-rest2ldap-servlet"
 xlink:role="http://docbook.org/xlink/role/olink"><citetitle>To Install
 OpenDJ REST LDAP Gateway</citetitle></link>.</para>
 </step>

 <step>
 <para>Adjust the configuration for your directory service as described in
 <link xlink:href="admin-guide#appendix-rest2ldap"
 xlink:role="http://docbook.org/xlink/role/olink"><citetitle>REST LDAP
 Configuration</citetitle></link>.</para>
 </step>
 </procedure>
 </section>

 <section xml:id="setup-dsml">
 <title>DSML Client Access</title>
 <indexterm><primary>DSML</primary></indexterm>

 <para>Directory Services Markup Language (DSML) client access is implemented
 as a servlet that runs in a web application container.</para>

 <para>You configure DSML client access by editing the
 <filename>WEB-INF/web.xml</filename> after you deploy the web
 application. In particular, you must at least set the
 <literal>ldap.host</literal> and <literal>ldap.port</literal> parameters
 if they differ from the default values, which are
 <literal>localhost</literal> and <literal>389</literal>.</para>

 <variablelist>
 <para>The list of DSML configuration parameters, including those that are
 optional, consists of the following.</para>
 <varlistentry>
 <term><literal>ldap.host</literal></term>
 <listitem>
 <para>Required parameter indicating the host name of the underlying
 directory server. Default: <literal>localhost</literal>.</para>
 </listitem>
 </varlistentry>
 <varlistentry>
 <term><literal>ldap.port</literal></term>
 <listitem>
 <para>Required parameter indicating the LDAP port of the underlying
 directory server. Default: 389.</para>
 </listitem>
 </varlistentry>
 <varlistentry>
 <term><literal>ldap.userdn</literal></term>
 <listitem>
 <para>Optional parameter specifying the DN used by the DSML gateway to
 bind to the underlying directory server. Not used by default.</para>
 </listitem>
 </varlistentry>
 <varlistentry>
 <term><literal>ldap.userpassword</literal></term>
 <listitem>
 <para>Optional parameter specifying the password used by the DSML gateway
 to bind to the underlying directory server. Not used by default.</para>
 </listitem>
 </varlistentry>
 <varlistentry>
 <term><literal>ldap.authzidtypeisid</literal></term>
 <listitem>
 <para>This parameter can help you set up the DSML gateway to do HTTP
 Basic Access Authentication, given the appropriate mapping between the
 user ID and the user's entry in the directory.</para>
 <para>Required boolean parameter specifying whether the Basic credentials
 in the request's HTTP Authorization header field hold a plain ID rather
 than a DN. If set to <literal>true</literal>, then the gateway performs an
 LDAP SASL PLAIN bind (enabled by default in OpenDJ), which looks for an
 exact match between a <literal>uid</literal> value and the plain ID value
 from the header. In other words, if the plain ID is
 <literal>bjensen</literal>, and that corresponds in the directory server
 to Babs Jensen's entry with DN
 <literal>uid=bjensen,ou=people,dc=example,dc=com</literal>, then the bind
 happens as Babs Jensen. Note also that you can configure OpenDJ identity
 mappers for scenarios that use a different attribute than
 <literal>uid</literal>, such as the <literal>mail</literal>
 attribute.</para>
 <para>Default: <literal>false</literal></para>
 </listitem>
 </varlistentry>
 <varlistentry>
 <term><literal>ldap.usessl</literal></term>
 <listitem>
 <para>Required parameter indicating whether <literal>ldap.port</literal>
 points to a port listening for LDAPS (LDAP/SSL) traffic. Default:
 <literal>false</literal>.</para>
 </listitem>
 </varlistentry>
 <varlistentry>
 <term><literal>ldap.usestarttls</literal></term>
 <listitem>
 <para>Required parameter indicating whether to use StartTLS to connect
 to the specified <literal>ldap.port</literal>. Default:
 <literal>false</literal>.</para>
 </listitem>
 </varlistentry>
 <varlistentry>
 <term><literal>ldap.trustall</literal></term>
 <listitem>
 <para>Required parameter indicating whether the DSML gateway blindly
 trusts all certificates presented to it when using secure connections
 (LDAPS or StartTLS). Default: <literal>false</literal>.</para>
 </listitem>
 </varlistentry>
 <varlistentry>
 <term><literal>ldap.truststore.path</literal></term>
 <listitem>
 <para>Optional parameter indicating the trust store used to verify
 certificates when using secure connections. If you want to connect
 using LDAPS or StartTLS, and do not want the gateway to trust all
 certificates blindly, then you must set up a trust store. Not used by
 default.</para>
 </listitem>
 </varlistentry>
 <varlistentry>
 <term><literal>ldap.truststore.password</literal></term>
 <listitem>
 <para>Optional parameter indicating the trust store password. If you
 set up and configure a trust store, then you need to set this as well.
 Not used by default.</para>
 </listitem>
 </varlistentry>
 </variablelist>
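 <para>Several of the parameters above only make sense together: a trust
 store needs its password, a secure connection needs either a trust store or
 <literal>ldap.trustall</literal>, and <literal>ldap.usessl</literal> and
 <literal>ldap.usestarttls</literal> describe different kinds of port. The
 following Python script is an added example, not OpenDJ code, that reads the
 <literal>ldap.*</literal> parameters out of a deployed
 <filename>web.xml</filename> and reports those inconsistencies before the
 gateway is put in front of a directory. The finding texts, the function names
 and the in-memory sample <filename>web.xml</filename> (built with
 <literal>ElementTree</literal>, with a <literal>DSMLServlet</literal>
 <literal>init-param</literal> layout assumed for illustration) are this
 example's own.</para>

```python
"""Lint the DSML gateway's ldap.* parameters in WEB-INF/web.xml.

Added example, not OpenDJ code. The rules follow the parameter descriptions
above: ldap.host and ldap.port are required, the boolean parameters must be
true or false, a trust store path needs a password, a secure connection needs
a trust store unless ldap.trustall is true, and ldap.userdn and
ldap.userpassword go together.
"""
import xml.etree.ElementTree as ET

DEFAULTS = {"ldap.host": "localhost", "ldap.port": "389"}
BOOLEANS = ("ldap.usessl", "ldap.usestarttls", "ldap.trustall", "ldap.authzidtypeisid")


def sample_web_xml(params):
    """Constructed web.xml: a DSMLServlet whose init-params are the given dict.

    Built in memory because the gateway's real web.xml is not reproduced here;
    the init-param layout is an assumption for illustration.
    """
    app = ET.Element("web-app")
    servlet = ET.SubElement(app, "servlet")
    ET.SubElement(servlet, "servlet-name").text = "DSMLServlet"
    for name, value in params.items():
        param = ET.SubElement(servlet, "init-param")
        ET.SubElement(param, "param-name").text = name
        ET.SubElement(param, "param-value").text = value
    return ET.tostring(app, encoding="unicode")


def load_params(xml_text):
    """Collect every param-name/param-value pair, ignoring any XML namespace."""
    params = {}
    for holder in ET.fromstring(xml_text).iter():
        name = value = None
        for child in holder:
            local = child.tag.split("}")[-1]   # strip {namespace} if present
            if local == "param-name":
                name = (child.text or "").strip()
            elif local == "param-value":
                value = (child.text or "").strip()
        if name:
            params[name] = value or ""
    return params


def is_true(value):
    return str(value or "").strip().lower() == "true"


def lint(params):
    """Return a list of findings; an empty list means the parameters are consistent."""
    cfg = dict(DEFAULTS)
    cfg.update(params)
    findings = []
    for key in ("ldap.host", "ldap.port"):
        if not cfg.get(key):
            findings.append("ERROR: " + key + " is required")
    if not cfg["ldap.port"].isdigit():
        findings.append("ERROR: ldap.port must be a port number, got " + repr(cfg["ldap.port"]))
    for key in BOOLEANS:
        if key in params and params[key].strip().lower() not in ("true", "false"):
            findings.append("ERROR: " + key + " must be true or false, got " + repr(params[key]))
    ssl_on = is_true(cfg.get("ldap.usessl"))
    tls_on = is_true(cfg.get("ldap.usestarttls"))
    if ssl_on and tls_on:
        findings.append("WARN: ldap.usessl and ldap.usestarttls are both true; "
                        "an LDAPS port does not take StartTLS, choose one")
    secure = ssl_on or tls_on
    if not secure:
        findings.append("WARN: neither ldap.usessl nor ldap.usestarttls is true; "
                        "gateway-to-directory traffic is plaintext LDAP")
    if secure and is_true(cfg.get("ldap.trustall")):
        findings.append("WARN: ldap.trustall=true; server certificates are not verified")
    if secure and not is_true(cfg.get("ldap.trustall")) and not cfg.get("ldap.truststore.path"):
        findings.append("ERROR: secure connection without ldap.trustall needs ldap.truststore.path")
    if cfg.get("ldap.truststore.path") and not cfg.get("ldap.truststore.password"):
        findings.append("ERROR: ldap.truststore.path is set but ldap.truststore.password is missing")
    if bool(cfg.get("ldap.userdn")) != bool(cfg.get("ldap.userpassword")):
        findings.append("ERROR: ldap.userdn and ldap.userpassword must be set together")
    return findings


# Constructed parameter sets: a blind-trust deployment and a hardened one.
BLIND_TRUST = {"ldap.host": "opendj.example.com", "ldap.port": "636",
               "ldap.usessl": "true", "ldap.trustall": "true"}
HARDENED = {"ldap.host": "opendj.example.com", "ldap.port": "636",
            "ldap.usessl": "true", "ldap.trustall": "false",
            "ldap.truststore.path": "/path/to/truststore",
            "ldap.truststore.password": "truststore-password-placeholder"}

if __name__ == "__main__":
    for label, params in (("blind trust", BLIND_TRUST), ("hardened", HARDENED)):
        print(label + ":", lint(load_params(sample_web_xml(params))) or ["ok"])
```

 <para>Point <literal>load_params</literal> at the deployed
 <filename>WEB-INF/web.xml</filename> (read the file and pass its text) to
 lint a real gateway; the tag-name matching ignores the
 <literal>web-app</literal> namespace, so a namespaced descriptor parses the
 same way as the sample.</para>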
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The DSML servlet translates between DSML and LDAP, and passes requests
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark to the directory server. For initial testing purposes, you might try
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <link xlink:href="http://jxplorer.org/">JXplorer</link>, where DSML Service:
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark /<replaceable>webapp-dir</replaceable>/DSMLServlet. Here,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <replaceable>webapp-dir</replaceable> refers to the name of the directory
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark in which you unpacked the DSML .war file.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
   <mediaobject xml:id="figure-jxplorer-dsml">
    <imageobject>
     <imagedata fileref="images/JXplorer-dsml.png" format="PNG" />
    </imageobject>
    <caption><para>JXplorer accessing OpenDJ through DSML</para></caption>
   </mediaobject>
  </section>

  <section xml:id="jmx-access">
   <title>JMX Client Access</title>
   <indexterm><primary>JMX</primary></indexterm>

   <para>You configure Java Management Extensions (JMX) client access by using
   the command-line tool, <command>dsconfig</command>.</para>

   <procedure xml:id="setup-jmx">
    <title>To Set Up JMX Access</title>

    <step>
     <para>Configure the server to activate JMX access.</para>
     <screen>$ dsconfig
 set-connection-handler-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "JMX Connection Handler"
 --set enabled:true
 --trustAll
 --no-prompt</screen>
     <para>This example uses the default port number, 1689.</para>
    </step>
    <step>
     <para>Restart the server so the change takes effect.</para>
     <screen>$ stop-ds --restart</screen>
    </step>
   </procedure>

   <procedure xml:id="access-jmx">
    <title>To Configure Access To JMX</title>

    <para>After you set up OpenDJ directory server to listen for JMX connections,
    you must assign privileges to allow a user to connect over JMX.</para>

    <step>
     <para>Assign the privileges, <literal>jmx-notify</literal>,
     <literal>jmx-read</literal>, and <literal>jmx-write</literal> as
     necessary to the user who connects over JMX.</para>
     <para>See the section on <link xlink:href="admin-guide#configure-privileges"
     xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Configuring
     Privileges</citetitle></link> for details.</para>
    </step>
    <step>
     <para>Connect using the service URI, user name, and password.</para>
     <variablelist>
      <varlistentry>
       <term>Service URI</term>
       <listitem>
        <para>Full URI to the service including the hostname or IP address
        and port number for JMX where OpenDJ directory server listens for
        connections. For example, if the server IP is
        <literal>192.168.0.10</literal> and you configured OpenDJ to listen
        for JMX connections on port 1689, then the service URI is
        <literal>service:jmx:rmi:///jndi/rmi://192.168.0.10:1689/org.opends.server.protocols.jmx.client-unknown</literal>.</para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>User name</term>
       <listitem>
        <para>The full DN of the user with privileges to connect over JMX such
        as <literal>uid=kvaughan,ou=People,dc=example,dc=com</literal>.</para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Password</term>
       <listitem>
        <para>The bind password for the user.</para>
       </listitem>
      </varlistentry>
     </variablelist>
    </step>
   </procedure>
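   <para>The connection described in the last step, as an added Java example
   that is not part of the OpenDJ documentation or code base: it uses the
   service URI and user DN from the list above, prompts for the password,
   passes the DN and password as the standard JMX remote credentials (a
   two-element String array, which OpenDJ is assumed here to accept as a bind
   DN and password), and then lists the MBean domains the user can read.</para>

```java
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/** Added example: connect to OpenDJ's JMX connection handler with a bind DN and password. */
public class OpenDjJmxClient {
    // Service URI and user DN from the procedure above (192.168.0.10:1689 is the example server).
    static final String SERVICE_URI = "service:jmx:rmi:///jndi/rmi://192.168.0.10:1689"
            + "/org.opends.server.protocols.jmx.client-unknown";
    static final String USER_DN = "uid=kvaughan,ou=People,dc=example,dc=com";

    /** Opens a connection that the caller closes; throws SecurityException if the bind is refused. */
    static JMXConnector connect(String serviceUri, String userDn, char[] password) throws Exception {
        Map<String, Object> env = new HashMap<>();
        // Standard JMX remote credentials are {principal, password}. OpenDJ is assumed here to
        // treat the principal as the bind DN, so this user needs the jmx-* privileges assigned above.
        env.put(JMXConnector.CREDENTIALS, new String[] { userDn, new String(password) });
        return JMXConnectorFactory.connect(new JMXServiceURL(serviceUri), env);
    }

    public static void main(String[] args) throws Exception {
        if (System.console() == null) {
            System.err.println("Run from a terminal: the password is prompted, never passed as an argument.");
            System.exit(2);
        }
        char[] password = System.console().readPassword("Bind password for %s: ", USER_DN);
        try (JMXConnector connector = connect(SERVICE_URI, USER_DN, password)) {
            MBeanServerConnection mbsc = connector.getMBeanServerConnection();
            System.out.println("Connected as " + connector.getConnectionId());
            System.out.println("MBeans visible: " + mbsc.getMBeanCount());
            for (String domain : mbsc.getDomains()) {
                System.out.println("  domain: " + domain);
            }
        } catch (SecurityException e) {
            // Wrong password, or a user lacking the required jmx-* privileges: the bind is refused.
            System.err.println("JMX bind refused: " + e.getMessage());
            System.exit(1);
        } finally {
            java.util.Arrays.fill(password, '\0'); // do not keep the password around in memory
        }
    }
}
```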
  </section>

  <section xml:id="ldif-access">
   <title>LDIF File Access</title>
   <indexterm>
    <primary>LDIF</primary>
    <secondary>File as backend</secondary>
   </indexterm>

   <para>The LDIF connection handler lets you make changes to directory data
   by placing LDIF in a file system directory that OpenDJ server regularly
   polls for changes. The LDIF, once consumed, is deleted.</para>

   <para>You configure LDIF file access by using the command-line tool
   <command>dsconfig</command>.</para>

   <procedure xml:id="setup-ldif-access">
    <title>To Set Up LDIF File Access</title>

    <step>
     <para>Activate LDIF file access.</para>
     <screen>$ dsconfig
 set-connection-handler-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "LDIF Connection Handler"
 --set enabled:true
 --trustAll
 --no-prompt</screen>
     <para>The change takes effect immediately.</para>
    </step>
    <step>
     <para>Add the directory where you put LDIF to be processed.</para>
     <screen>$ mkdir /path/to/opendj/config/auto-process-ldif</screen>
     <para>This example uses the default value of the
     <literal>ldif-directory</literal> property for the LDIF connection
     handler.</para>
    </step>
   </procedure>
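   <para>The polling model described above, as an added Java example that is
   not part of the OpenDJ documentation or code base: it drops a constructed
   LDIF modify into the default <literal>ldif-directory</literal> and waits
   until the server has consumed (deleted) the file. The write-then-rename
   step, the assumption that the handler only picks up files ending in
   <literal>.ldif</literal>, and the one-second poll and 60-second wait are
   this example's own choices, not documented handler behaviour.</para>

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.time.Duration;
import java.time.Instant;

/** Added example: submit an LDIF change through the LDIF connection handler's polled directory. */
public class AutoProcessLdif {
    // Default ldif-directory value used in the procedure above.
    static final Path LDIF_DIR = Paths.get("/path/to/opendj/config/auto-process-ldif");

    // Writes ldif into dir under fileName and waits up to timeout for the server to consume it.
    // Returns true once the file is gone (the handler deletes LDIF it has processed), false on timeout.
    static boolean submit(Path dir, String fileName, String ldif, Duration timeout)
            throws IOException, InterruptedException {
        // Whatever lands in this directory is applied to the directory data, so write access
        // to it should be limited to the server's own account and the process feeding it.
        if (!Files.isDirectory(dir) || !Files.isWritable(dir)) {
            throw new IOException("not a writable directory: " + dir);
        }
        // Write under a name the handler is assumed not to pick up (no .ldif suffix), then rename
        // atomically, so the poller never sees a half-written change file.
        Path partial = Files.createTempFile(dir, "partial-", ".tmp");
        Files.write(partial, ldif.getBytes(StandardCharsets.UTF_8));
        Path target = dir.resolve(fileName);
        Files.move(partial, target, StandardCopyOption.ATOMIC_MOVE);

        Instant deadline = Instant.now().plus(timeout);
        while (Files.exists(target)) {
            if (Instant.now().isAfter(deadline)) return false;
            Thread.sleep(1000); // the handler's poll interval is not known here; 1 s is a guess
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample change for the example user from the JMX section above.
        String ldif = "dn: uid=kvaughan,ou=People,dc=example,dc=com\n"
                + "changetype: modify\n"
                + "replace: description\n"
                + "description: updated through the LDIF connection handler\n";
        boolean consumed = submit(LDIF_DIR, "update-kvaughan.ldif", ldif, Duration.ofSeconds(60));
        System.out.println(consumed ? "LDIF consumed by the server" : "LDIF still pending after 60 s");
    }
}
```

If the file is still present after the timeout, the handler is either disabled or polling a different directory; compare the <literal>ldif-directory</literal> property with the path you used.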
  </section>

  <section xml:id="snmp-access">
   <title>SNMP Access</title>

   <para>For instructions on setting up the SNMP Connection Handler, see the
   section, <link xlink:href="admin-guide#snmp-monitoring"
   xlink:role="http://docbook.org/xlink/role/olink"><citetitle>SNMP-Based
   Monitoring</citetitle></link>.</para>
  </section>
</chapter>