SSL support

The embedded LDAP server provides an SSL interface for management of the data contained in the user registry.

The embedded LDAP server listens on port 636 of the management interface of the appliance by default. The administrator can choose a different port by modifying the advanced tuning parameter wga.rte.embedded.ldap.ssl.port, which is accessed through System > Advanced Tuning Parameters. After you modify this advanced tuning parameter, you must restart the ISAM runtime environment for the change to take effect.

The SSL certificates used by the LDAP server can be managed through the SSL Certificates panels of the LMI. For further details, see Manage SSL certificates. The certificates are contained in the embedded_ldap_keys database file.

Two certificates are used by the LDAP server:

  1. The certificate with the server label is the server certificate that the LDAP server presents to clients. By default, the server certificate is self-signed; it must be replaced in a production environment.
  2. The certificate with the ca label is used as the CA certificate by the LDAP server, that is, as the issuer against which certificates are validated. If no certificate with the ca label is found in the key database, the server uses the server certificate as the CA certificate. This fallback only works when the server certificate is self-signed, which is what the server then expects.

In addition, the LDAP server supports mutual authentication with client certificates, provided that:

  1. The client certificate is signed by the CA that is known to the LDAP server, that is, the CA whose certificate is stored in the key database with the label ca.
  2. The distinguished name (DN) contained in the client certificate exactly matches the DN of a known LDAP user.
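
The following script is an added example and is not part of the ISAM documentation or of the appliance itself. It uses only the openssl command line to check the two points above: whether a certificate is self-signed (the condition under which the server certificate can double as the CA certificate when no ca label exists), and whether a client certificate chains to the CA and carries a subject DN that matches an LDAP user DN exactly. The throwaway CA and client certificate are constructed inside the script for demonstration; the management hostname isam-mgmt.example.com in fetch_appliance_server_cert is an assumption, and that function is not run because it needs network access.

```shell
#!/bin/sh
# Added example; not part of the ISAM documentation or the appliance.
# Needs only the openssl CLI. The hostname isam-mgmt.example.com used by
# fetch_appliance_server_cert is an assumption.
set -eu

WORK="${TMPDIR:-/tmp}/isam-ldap-ssl-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Subject DN of a PEM certificate in RFC 2253 form, the order LDAP uses.
cert_subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Issuer DN of a PEM certificate in the same form.
cert_issuer_dn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# A certificate is self-signed when its issuer equals its subject. Using the
# 'server' certificate as the CA certificate (no 'ca' label present) is only
# sound when this prints yes for that certificate.
is_self_signed() {
    if [ "$(cert_subject_dn "$1")" = "$(cert_issuer_dn "$1")" ]; then
        echo yes
    else
        echo no
    fi
}

# Mutual-authentication condition 1: the client certificate ($2) chains to
# the CA certificate ($1), i.e. the certificate held under the 'ca' label.
client_signed_by_ca() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Mutual-authentication condition 2: the client certificate DN must equal the
# LDAP user DN exactly. Here that is a plain string comparison of RFC 2253 DNs.
client_dn_matches_user() {
    if [ "$(cert_subject_dn "$1")" = "$2" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Fetch the server certificate the appliance presents on its LDAPS port so it
# can be fed to is_self_signed / cert_subject_dn. Not called below (network).
fetch_appliance_server_cert() {
    host="${1:-isam-mgmt.example.com}"   # assumed management hostname
    port="${2:-636}"                     # default wga.rte.embedded.ldap.ssl.port
    openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Constructed demo material: a throwaway CA and a client certificate it signs.
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/O=Example/CN=Demo CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/C=US/O=Example/CN=sec_master" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/client.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/client.pem" 2>/dev/null
}

make_demo_certs
echo "ca.pem self-signed:      $(is_self_signed "$WORK/ca.pem")"
echo "client.pem self-signed:  $(is_self_signed "$WORK/client.pem")"
echo "client chains to CA:     $(client_signed_by_ca "$WORK/ca.pem" "$WORK/client.pem")"
echo "client DN:               $(cert_subject_dn "$WORK/client.pem")"
echo "matches sec_master user: $(client_dn_matches_user "$WORK/client.pem" 'CN=sec_master,O=Example,C=US')"
```

Against a real appliance, save the output of fetch_appliance_server_cert to a file and run is_self_signed on it: a yes in production means the default self-signed server certificate has not yet been replaced. The DN printed by cert_subject_dn is the string that has to appear, exactly, as the DN of the user entry in the embedded registry before that client certificate can authenticate.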

The FIPS setting of the appliance controls the ciphers that are supported by the OpenLDAP server.

Parent topic: Embedded LDAP server management