Enabling LDAP SSL

The LDAP SSL connection is configured in the xflicstat.cfg file.

Available settings

Available settings include the following.

Configuration

If you only need to encrypt data sent between License Statistics and the LDAP server, all you need to do is set the LDAP_SSL_CERTIFICATE_VERIFY to 'allow'. This way, communication will be encrypted, but the LDAP server certificate won't be verified.

If you want to increase security, set LDAP_SSL_CERTIFICATE_VERIFY to 'demand'. In most cases, this should be sufficient, because License Statistics has root certificates from most Certified Authorities and is able to verify server certificates with them. However, if the server certificate was not issued by one of our supported CAs (e.g., because it was generated from your company's internal root certificate), you will need to provide an LDAP server certificate to License Statistics. There are two ways to do this, as described below.

Method 1: Through the certificate file.

This is the easiest, recommended method. You have to copy the server root or intermediate certificate file to the License Statistics host and provide the path to this file under LDAP_SSL_CERTIFICATE_KEY_FILE in the xflicstat.cfg file.

LDAP_SSL_CERTIFICATE_KEY_FILE = C:\MyDirectory\certificate.cer
LDAP_SSL_CERTIFICATE_VERIFY = demand

Method 2: Through the keystore with a loaded certificate.

If you already have keystore that contains LDAP server certificate and is of JKS or PKCS12 type, you can provide the path to the keystore in LDAP_SSL_KEYSTORE and the keystore password in LDAP_SSL_KEYSTORE_PASSWORD.

LDAP_SSL_CERTIFICATE_VERIFY = demand
LDAP_SSL_KEYSTORE = C:\MyDirectory\keystore.p12
LDAP_SSL_KEYSTORE_PASSWORD = Password123