Thursday, 19 May 2011

How Is SSL for LDAP Implemented on PeopleTools 8.50?

·         Prior to PeopleTools 8.50, LDAP over SSL relied on the cert7.db file (Netscape libraries) or, in PT 8.48 and 8.49 depending on the application server platform, the Oracle Wallet Manager. This certificate store held the Trusted Root certificate of the Certificate Authority that issued the LDAP server's certificate, and the LDAP Business Interlinks were configured to use it for SSL.
·         In 8.50, the cert7.db or Oracle Wallet is no longer needed for LDAP over SSL, because the Java Naming and Directory Interface (JNDI) has replaced the Oracle and Netscape libraries. JNDI is a Java API for directory services that lets Java clients discover and look up data and objects by name. Like all Java APIs that interface with host systems, JNDI is independent of the underlying implementation.
·         JNDI is delivered with PeopleTools, so no additional installation is required, unlike PT 8.48 and 8.49, which needed the Oracle Client DB install on UNIX, AIX or Linux platforms, or the Netscape libraries on Windows and Solaris.
·         Certificates are no longer kept in the application server domain either; they are managed from the database. The same certificates can be used across platforms without any repackaging, and PeopleCode for LDAP transactions no longer needs to hold the path to the certificates.

How Things Work

·         The Root CA certificate has to be installed into the PeopleSoft database.
·         The server certificate has to be installed in the Directory server.
·         Since the certificates are managed in the database, the SSL_DB parameter of the LDAP_SEARCH and LDAP_BIND Business Interlinks is not needed for SSL transactions; changing its value does no harm.
·         The certificates can be added to or deleted from this location: Main Menu > PeopleTools > Security > Security Objects > Digital certificates.
·         When a certificate is added or removed from the database, the appserver has to be bounced to see the effect.
·         Some Root CA certificates are delivered out of the box; take care that they do not cause unexpected behavior.
·         A certificate cannot be restricted to specific SSL transactions. Once added, it applies to all SSL connections.
·         Though any name can be given to the Root CA certs, a meaningful name is recommended.
·         JNDI tries the certificates one after another until it finds a valid one. The order in which the certificates are processed cannot be altered.
·         When upgrading to PeopleTools 8.50, your certificates should be added to the Digital certificates page.
·         Since the certificates are available in the database, the Business Interlink SSL_DB parameter in the LDAP BI transactions is no longer of any significance.

To Set Up SSL With Your Directory, the Following Steps Need To Be Done
(Extract from Peoplebooks)

Peoplebooks: Employing LDAP Directory Services

·         Adding your Root Certificate to the Digital Certificates
-          Navigate to PeopleTools > Security > Digital Certificates
§  The list of installed certificates appears.
§  Click the + (plus sign) button in the last row of the displayed certificates.
§  A blank row appears.
§  Select Root CA from the Type drop-down list box.
§  Enter a meaningful name as the alias of this certificate in the Alias field.
§  Click the Issuer Alias field prompt button.
§  The name of the Alias automatically populates the Issuer Alias field.
§  Click the Add Root link.
§  The Add Root Certificate page appears. Minimize the browser window.
§  Open the root CA certificate with a text editor and copy the contents.
§  Maximize the browser and paste the contents into the text box.
§  Click the OK button to see the new digital certificate.
§  Reboot the application server.
§  Test the connection from Directory > Directory Setup > Test Connectivity tab.
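Before following the steps above, an administrator can confirm that the file about to be pasted is genuinely a self-signed Root CA that validates the directory server's certificate, rather than a server or intermediate certificate. This is an added openssl example, not part of the PeopleBooks extract; it assumes openssl is on the PATH and constructs throwaway certificates with hypothetical names so that it runs offline.

```shell
#!/bin/sh
# Added example, not from the PeopleBooks extract: sanity-check a PEM file
# before pasting it into Digital Certificates as a "Root CA". A throwaway CA,
# a server certificate it signed and an unrelated CA are constructed here so
# the script runs offline; in practice point the checks at your own CA file
# and at the certificate your directory server presents on its SSL port.
set -e

# check_root_ca PEM: succeed only if PEM is self-signed, marked CA:TRUE and not expired
check_root_ca() {
  pem=$1
  subj=$(openssl x509 -in "$pem" -noout -subject)
  issuer=$(openssl x509 -in "$pem" -noout -issuer)
  [ "${subj#subject=}" = "${issuer#issuer=}" ] || return 1
  openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE' || return 1
  openssl x509 -in "$pem" -noout -checkend 0 >/dev/null || return 1
}

# check_chain ROOT_PEM SERVER_PEM: succeed only if SERVER_PEM verifies against ROOT_PEM
check_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed test material (hypothetical names, one-day validity).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Test Root CA' \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj '/CN=ldap.example.com' \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/srv.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Other Root CA' \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
ROOT_PEM=$WORK/ca.pem
SERVER_PEM=$WORK/srv.pem
OTHER_PEM=$WORK/other.pem

# Report: only ca.pem qualifies as a root, and only it validates the server cert.
check_root_ca "$ROOT_PEM"   && echo "ca.pem: self-signed CA, OK to add as Root CA"
check_root_ca "$SERVER_PEM" || echo "srv.pem: a server cert, not a root CA; do not add as Root CA"
check_chain "$ROOT_PEM" "$SERVER_PEM"  && echo "srv.pem chains to ca.pem"
check_chain "$OTHER_PEM" "$SERVER_PEM" || echo "srv.pem does not chain to other.pem"
```

Because JNDI applies every Root CA in the database to every SSL connection, running check_chain against each installed root shows which one actually validates the directory server.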
