It is important not to mix the two issues. The configuration is quite simple, and each part should be approached separately because they are two distinct setups:
- Configure SCA with HTTPS
- Configure LDAP with SSL
This means you can apply the two configurations separately and/or combine them in different ways. For example, you can:
- run the SCA over HTTP and HTTPS
- configure LDAP with or without SSL and use it over HTTP and/or HTTPS
Because these configurations and combinations work independently, the suggestion is to follow the Upgrade Notes and/or Sys Admin and configure them separately at first.
Solution:
1. Configure SCA for HTTPS using the certificate you have, or create a new self-signed one, and first make sure it works without any LDAP settings.
2. If it works, set up simple LDAP on top of your HTTPS configuration.
3. Once all of the above works, implement the LDAP with SSL configuration following what is reported in Sys Admin | LDAP Configuration.
For this step, enabling SSL, you need to know:
- If your site is equipped to use SSL and you want to use it to encrypt communication between Stat and the LDAP server, specify the location path of the SSL keystore for the Stat Central Agent (Agent Keystore). Alternatively, you can leave the Agent Keystore field blank and make sure that the jssecacerts file exists in the JAVA_HOME/jre/lib/security directory and that jssecacerts contains the LDAP certificate.
- If both your Stat Central Agent and your LDAP server are running in secure mode, you have to rely on $JAVA_HOME/jre/lib/security/jssecacerts to contain both the LDAP certificate and the Stat Central Agent certificate. In this case, the Agent Keystore field should be left blank.
4. The above point means you can also have/test LDAP + SSL over HTTP. As you can see, the two issues can be handled separately.
NOTE: Everything about creating, generating, importing and exporting certificates is outside Stat's control. If there are issues with that, you have to involve your network or security team, because it involves the use of third-party products and applications, like Java keytool, openssh, etc.
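
A read-only check for the jssecacerts requirement in step 3, as an added example that is not part of the original article or of Stat itself: it confirms the file exists under the given Java home and that each expected certificate alias is present. The aliases `ldap-server` and `stat-sca`, the script name and the `STOREPASS` environment variable are assumptions; use the aliases and password chosen when the certificates were imported.

```shell
#!/bin/sh
# Added example (not Stat code). Read-only check of the truststore the SCA
# relies on when the Agent Keystore field is left blank.
# Assumptions: keytool is on PATH; the keystore password is exported in the
# environment variable STOREPASS (kept out of argv); alias names are the
# ones you chose at import time.
#
# Usage: STOREPASS=... sh check_jssecacerts.sh "$JAVA_HOME" ldap-server stat-sca
# Return codes: 0 all aliases present, 2 file missing, 3 store unreadable,
#               4 at least one alias missing, 5 keytool not installed.

check_jssecacerts() {
    java_home=$1
    shift
    store="$java_home/jre/lib/security/jssecacerts"

    if [ ! -f "$store" ]; then
        echo "missing: $store" >&2
        return 2
    fi
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found on PATH" >&2
        return 5
    fi
    # Opening the store first separates "bad password / not a keystore"
    # from "certificate was never imported".
    if ! keytool -list -keystore "$store" -storepass:env STOREPASS >/dev/null 2>&1; then
        echo "cannot read $store (check STOREPASS and file format)" >&2
        return 3
    fi
    rc=0
    for cert_alias in "$@"; do
        if keytool -list -keystore "$store" -storepass:env STOREPASS \
                -alias "$cert_alias" >/dev/null 2>&1; then
            echo "ok: '$cert_alias' is in jssecacerts"
        else
            echo "not found: '$cert_alias'" >&2
            rc=4
        fi
    done
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    check_jssecacerts "$@"
fi
```

When both the SCA and the LDAP server run in secure mode, pass both aliases so a missing Stat Central Agent certificate is reported alongside a missing LDAP certificate.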