
The LDAP SSL connection is configured through the xflicstat.cfg file.

Available settings:

LDAP_SSL_CERTIFICATE_KEY_FILE - path to the certificate file. Empty by default.
LDAP_SSL_CERTIFICATE_VERIFY - defines whether the LDAP server certificate is verified. Set it to 'demand' to turn verification on, or to 'allow' to turn it off. Default 'demand'.
LDAP_SSL_KEYSTORE - path to the keystore containing the server certificate. Empty by default.
LDAP_SSL_KEYSTORE_PASSWORD - password to the keystore. Default 'changeit'.
LDAP_SSL_KEYSTORE_TYPE - type of the keystore (JKS and PKCS12 are allowed). Default 'jks'.

Configuration:

If you only need to encrypt data sent between License Statistics and the LDAP server, the only thing you need to do is set LDAP_SSL_CERTIFICATE_VERIFY to 'allow'. Communication will then be encrypted, but the LDAP server certificate will not be verified.

For stronger security, LDAP_SSL_CERTIFICATE_VERIFY has to be set to 'demand'. In most cases this is enough, because License Statistics has root certificates from most Certificate Authorities and can verify the server certificate against them.

If the server certificate was not issued by one of our supported CAs (e.g. because it was generated from your company's internal root certificate), you will need to provide the LDAP server certificate to License Statistics. There are two ways to do that.
1. Through a certificate file. This is the easiest and the recommended way. Copy the server's root or intermediate certificate file to the License Statistics host and provide the path to this file under LDAP_SSL_CERTIFICATE_KEY_FILE in xflicstat.cfg.

Example
LDAP_SSL_CERTIFICATE_KEY_FILE = C:\MyDirectory\certificate.cer
LDAP_SSL_CERTIFICATE_VERIFY = demand

2. Through a keystore with the certificate loaded. If you already have a keystore of type JKS or PKCS12 that contains the LDAP server certificate, provide its path in LDAP_SSL_KEYSTORE, its password in LDAP_SSL_KEYSTORE_PASSWORD and its type in LDAP_SSL_KEYSTORE_TYPE.

Example
LDAP_SSL_CERTIFICATE_VERIFY = demand
LDAP_SSL_KEYSTORE = C:\MyDirectory\keystore.p12
LDAP_SSL_KEYSTORE_PASSWORD = Password123
LDAP_SSL_KEYSTORE_TYPE = PKCS12
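
A pre-deployment check for these settings, as an added example that is not part of License Statistics or of the original page: it reads the LDAP_SSL_* lines of an xflicstat.cfg, applies the defaults listed above, and reports unverified connections, a keystore opened with the default password, and an unsupported keystore type. The function names, the finding codes, and the tolerance for quoted or mixed-case values are assumptions made for this example.

```python
# Added example: audit the LDAP_SSL_* settings of an xflicstat.cfg file.
# Assumes plain "KEY = value" lines; every other line in the file is ignored.

DEFAULTS = {  # defaults as documented on this page
    "LDAP_SSL_CERTIFICATE_KEY_FILE": "",
    "LDAP_SSL_CERTIFICATE_VERIFY": "demand",
    "LDAP_SSL_KEYSTORE": "",
    "LDAP_SSL_KEYSTORE_PASSWORD": "changeit",
    "LDAP_SSL_KEYSTORE_TYPE": "jks",
}

def parse_ldap_ssl(text):
    """Return the effective LDAP_SSL_* settings (explicit values over defaults)."""
    cfg = dict(DEFAULTS)
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key in DEFAULTS:
            cfg[key] = value.strip().strip("'\"")  # tolerate quoted values (assumption)
    return cfg

def audit_ldap_ssl(text):
    """Return a list of (code, message) findings for the LDAP SSL settings."""
    cfg, findings = parse_ldap_ssl(text), []
    verify = cfg["LDAP_SSL_CERTIFICATE_VERIFY"].lower()  # case-insensitive (assumption)
    has_trust = bool(cfg["LDAP_SSL_CERTIFICATE_KEY_FILE"] or cfg["LDAP_SSL_KEYSTORE"])
    if verify == "allow":
        findings.append(("VERIFY_OFF", "encrypted, but the LDAP server certificate is not verified"))
        if has_trust:
            findings.append(("TRUST_UNUSED", "certificate or keystore configured while verification is off"))
    elif verify != "demand":
        findings.append(("VERIFY_UNKNOWN", "value is neither 'demand' nor 'allow': %r" % verify))
    if cfg["LDAP_SSL_KEYSTORE"]:
        if cfg["LDAP_SSL_KEYSTORE_PASSWORD"] == "changeit":
            findings.append(("KEYSTORE_DEFAULT_PASSWORD", "keystore is opened with the default 'changeit'"))
        if cfg["LDAP_SSL_KEYSTORE_TYPE"].lower() not in ("jks", "pkcs12"):
            findings.append(("KEYSTORE_TYPE", "only JKS and PKCS12 keystores are allowed"))
    return findings

# Constructed sample input, not taken from a real installation.
SAMPLE = """\
LDAP_SSL_CERTIFICATE_VERIFY = allow
LDAP_SSL_KEYSTORE = C:\\MyDirectory\\keystore.p12
LDAP_SSL_KEYSTORE_TYPE = BKS
"""

if __name__ == "__main__":
    for code, message in audit_ldap_ssl(SAMPLE):
        print(code + ": " + message)
```

Both configuration examples shown above produce no findings; an empty file also produces none, because the documented default for LDAP_SSL_CERTIFICATE_VERIFY is 'demand'.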