Goal
This article describes how to connect to an LDAP data source using a secure connection.
Content
To connect to an LDAP data source using SSL, follow these steps:
- Identify the LDAP server certificate, for instance: 'server.pem'.
- Copy the 'server.pem' file to a path local to the VDP server (e.g. C:/certs/server.pem).
- Using an SSL toolkit, convert the file from .pem to .cer (DER format), for instance with OpenSSL:
  openssl x509 -outform der -in "C:/certs/server.pem" -out "C:/certs/server.cer"
- Import the certificate into a Java trustStore. There are two options:
  - Import the certificate into cacerts (the default trustStore). To do so, execute the following steps:
    - Execute the following command (run it from <DENODO_HOME>/jre/bin so that the relative keystore path resolves correctly):
      "<DENODO_HOME>/jre/bin/keytool" -import -alias ldapSSL -file "C:/certs/server.cer" -keystore "../lib/security/cacerts"
    - You will be prompted for the password; the default password is changeit.
    - Answer yes when asked to trust the certificate.
  - Create a new trustStore (in this example <DENODO_HOME>/certs/truststore.jks) and import the certificate into it. To do so, follow these steps:
    - Execute the following command:
      "<DENODO_HOME>/jre/bin/keytool" -import -alias ldapSSL -file "C:/certs/server.cer" -keystore "<DENODO_HOME>/certs/truststore.jks"
    - Modify the VDP server configuration file to use this trustStore instead of the default one: edit <DENODO_HOME>/conf/vdp/VDBConfiguration.properties, then uncomment and modify the property:
      com.denodo.security.ssl.trustStore=<DENODO_HOME>/certs/truststore.jks
- Restart the VDP server to apply the changes.
- Open the VDP administration tool and select the LDAP data source to secure.
- Modify the Server URI of the data source from ldap://hostname:port to ldaps://hostname:<SSL_PORT>.
Note: if you get an error during the connection handshake when specifying the port number in the URI, you can also try ldaps://hostname without specifying the port.
Troubleshooting: No subject alternative DNS name matching <HOSTNAME> found.
Due to changes in recent Java versions (1.8.181 and newer), endpoint identification is enabled by default for LDAPS connections. This can lead to the following error message when connecting to your source via LDAPS:
Unable to connect to the database: javax.naming.CommunicationException: simple bind failed: <HOSTNAME>:<PORT> [Root exception is javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching <HOSTNAME> found.]
The error message indicates that the hostname used to connect to the LDAP server (i.e. the one in the Server URI, ldaps://hostname) does not match the CN or any subject alternative name (SAN) specified in the certificate.
Solution
There are different ways to address this issue:
- Contact the LDAP administrator and request a new certificate with the correct CN / SAN. This is the preferred way of solving the problem.
- Disable endpoint identification. This can be done by following these steps:
  - Stop your Virtual DataPort Server.
  - Open the file <DENODO_HOME>/conf/vdp/VDBConfiguration.properties.
  - Search for the property java.env.DENODO_OPTS_START=... within that file.
  - Append -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true to the value of that property.
  - Run the script <DENODO_HOME>/bin/regenerateFiles.
  - When you start the Virtual DataPort Server again, the issue should no longer appear.
- Add a new entry to your hosts file and change the hostname to the one specified in the certificate.
  Example: if the CN inside your LDAP SSL certificate is host1, but the LDAP server hostname you are connecting to is host2, add an entry similar to this to the hosts file to map the IP address of host2 to host1:
  <IP_ADDRESS_OF_HOST2> host1
  Now, if you change the Server URI in your LDAP data source to host1, you should be able to access the LDAP server via SSL, since the CN of the certificate and the hostname match.
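To see why the handshake fails before choosing one of the fixes above, here is an added diagnostic script (not part of the Denodo article or product) that applies the same name-matching rule as Java's LDAPS endpoint identification to a certificate's CN and DNS SANs, and that also covers wildcard SANs, which the article does not discuss. The `fetch_peer_cert` helper and the two sample certificate dictionaries are assumptions constructed for this example; `cafile` stands for the server.pem from the steps above.

```python
import socket
import ssl

def _name_match(pattern: str, hostname: str) -> bool:
    """Compare one certificate name with a hostname, case-insensitively.
    A wildcard is honoured only as the whole leftmost label and matches
    exactly one label (the rule Java's hostname checker also applies)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False

def hostname_matches(cert: dict, hostname: str) -> bool:
    """Decision behind "No subject alternative DNS name matching <HOSTNAME>
    found": when the certificate carries DNS SANs, only those are consulted;
    the subject CN is used only if there is no DNS SAN at all."""
    dns_sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if dns_sans:
        return any(_name_match(n, hostname) for n in dns_sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_match(cn, hostname) for cn in cns)

def fetch_peer_cert(host: str, port: int = 636, cafile=None) -> dict:
    """Retrieve the LDAPS server certificate (as an ssl.getpeercert() dict)
    without aborting on a name mismatch, so its CN/SANs can be inspected.
    cafile is the server.pem that was imported into the trustStore (assumed path)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # chain is still verified; the name check is done above
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples in the shape ssl.getpeercert() returns: the article's
# scenario, a certificate issued to host1 while the server is reached as host2.
CN_ONLY_CERT = {"subject": ((("commonName", "host1"),),)}
SAN_CERT = {
    "subject": ((("commonName", "host2"),),),
    "subjectAltName": (("DNS", "host1"), ("DNS", "*.corp.example")),
}

if __name__ == "__main__":
    print(hostname_matches(CN_ONLY_CERT, "host2"))  # False: the handshake error
    print(hostname_matches(CN_ONLY_CERT, "host1"))  # True: the hosts-file workaround
    print(hostname_matches(SAN_CERT, "host2"))      # False: CN is ignored once a DNS SAN exists
```

Run `hostname_matches(fetch_peer_cert("ldap.example.org", 636, "C:/certs/server.pem"), "ldap.example.org")` against your own server (names are placeholders) to reproduce the decision the JVM makes during the bind.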
The information provided in the Denodo Knowledge Base is intended to assist our users in advanced uses of Denodo. Please note that the results from the application of processes and configurations detailed in these documents may vary depending on your specific environment. Use them at your own discretion.
For an official guide of supported features, please refer to the User Manuals. For questions on critical systems or complex environments we recommend you to contact your Denodo Customer Success Manager.