The LDAP SSL connection is configured through the xflicstat.cfg file.

Available settings:

LDAP_SSL_CERTIFICATE_KEY_FILE - path to file with certificate. Empty by default.
LDAP_SSL_CERTIFICATE_VERIFY - defines whether the LDAP server certificate should be verified. To turn verification on, set it to 'demand'; to turn it off, set it to 'allow'. Default 'demand'.
LDAP_SSL_KEYSTORE - path to keystore containing server certificate. Empty by default.
LDAP_SSL_KEYSTORE_PASSWORD - password to keystore. Default 'changeit'.
LDAP_SSL_KEYSTORE_TYPE - type of keystore (JKS and PKCS12 are allowed). Default 'jks'.

Every key should be either commented out or non-empty. A commented-out setting takes its default value.

Configuration:

If you only need to encrypt data sent between License Statistics and the LDAP server, then the only thing you need to do is set LDAP_SSL_CERTIFICATE_VERIFY to 'allow'. This way communication will be encrypted, but the LDAP server certificate won't be verified. Because of that, you can't tell whether the server has a valid certificate or not.

If you want to always be sure that the LDAP server has a valid certificate, then LDAP_SSL_CERTIFICATE_VERIFY has to be set to 'demand'. In most cases this should be enough, because License Statistics has root certificates from the most trusted Certificate Authorities and is able to verify the server certificate with them.

But if the server certificate was not issued by one of our supported CAs (for example, because it was generated from your company's internal root certificate), then you will need to provide the LDAP server certificate to License Statistics. There are two ways to do that.
1. Through a certificate file. This is the easiest and the recommended way. You have to copy the server certificate file to the License Statistics host and provide the path to this file under LDAP_SSL_CERTIFICATE_KEY_FILE in xflicstat.cfg.

Example:
LDAP_SSL_CERTIFICATE_KEY_FILE = C:\MyDirectory\certificate.cer
LDAP_SSL_CERTIFICATE_VERIFY = demand
# LDAP_SSL_KEYSTORE =
# LDAP_SSL_KEYSTORE_PASSWORD =
# LDAP_SSL_KEYSTORE_TYPE =

2. Through a keystore with the certificate loaded. If you already have a keystore that contains the LDAP server certificate and is of type JKS or PKCS12, then provide the path to it in LDAP_SSL_KEYSTORE, its password in LDAP_SSL_KEYSTORE_PASSWORD and its type in LDAP_SSL_KEYSTORE_TYPE.

Example:
# LDAP_SSL_CERTIFICATE_KEY_FILE = 
LDAP_SSL_CERTIFICATE_VERIFY = demand
LDAP_SSL_KEYSTORE = C:\MyDirectory\keystore.p12
LDAP_SSL_KEYSTORE_PASSWORD = Password123
LDAP_SSL_KEYSTORE_TYPE = PKCS12
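
The rules on this page can be checked mechanically before License Statistics is restarted. The Python script below is an added example, not code from License Statistics: it audits the LDAP SSL keys of an xflicstat.cfg and reports an uncommented empty key, verification set to 'allow', a keystore type other than JKS or PKCS12, and a keystore still using the default password. It assumes the "KEY = value" syntax with "#" comments seen in the examples above and compares values case-insensitively; the function names and the sample input are constructed for illustration.

```python
# Added example (not License Statistics code): audit the LDAP SSL keys of xflicstat.cfg.
# Assumption: "KEY = value" lines with "#" comments, as in the page's examples.
DEFAULTS = {
    "LDAP_SSL_CERTIFICATE_KEY_FILE": "",
    "LDAP_SSL_CERTIFICATE_VERIFY": "demand",
    "LDAP_SSL_KEYSTORE": "",
    "LDAP_SSL_KEYSTORE_PASSWORD": "changeit",
    "LDAP_SSL_KEYSTORE_TYPE": "jks",
}

def parse(text):
    """Return (effective settings, findings) for the LDAP SSL keys."""
    settings, findings = dict(DEFAULTS), []
    for n, raw in enumerate(text.splitlines(), 1):
        key, _, value = (p.strip() for p in raw.partition("="))
        if key not in DEFAULTS:
            continue  # blank lines, other keys, commented-out keys (default applies)
        if value:
            settings[key] = value
        else:  # page rule: a key is either commented out or non-empty
            findings.append(f"line {n}: {key} is uncommented but empty")
    return settings, findings

def audit(text):
    """Return a list of findings; an empty list means nothing to flag."""
    s, findings = parse(text)
    verify = s["LDAP_SSL_CERTIFICATE_VERIFY"].lower()
    if verify == "allow":
        findings.append("VERIFY=allow: encrypted, but server certificate is not verified")
    elif verify != "demand":
        findings.append(f"VERIFY={verify!r}: expected 'demand' or 'allow'")
    if s["LDAP_SSL_KEYSTORE"]:
        if s["LDAP_SSL_KEYSTORE_TYPE"].lower() not in ("jks", "pkcs12"):
            findings.append("KEYSTORE_TYPE: only JKS and PKCS12 are allowed")
        if s["LDAP_SSL_KEYSTORE_PASSWORD"] == "changeit":
            findings.append("KEYSTORE_PASSWORD: keystore uses the default 'changeit'")
    return findings

# Constructed sample input, not a real configuration.
SAMPLE = r"""LDAP_SSL_CERTIFICATE_KEY_FILE =
LDAP_SSL_CERTIFICATE_VERIFY = allow
LDAP_SSL_KEYSTORE = C:\MyDirectory\keystore.p12
# LDAP_SSL_KEYSTORE_PASSWORD =
LDAP_SSL_KEYSTORE_TYPE = PKCS12
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```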