KB Article #177549

Troubleshooting LDAPS connections

Problem

What does the "Use SSL" checkbox actually do in an LDAP connection, and why does it sometimes make the "Test Connection" button fail in Policy Studio?

Resolution

* The true meaning behind the “SSL enabled” flag as far as the API Gateway is concerned is as follows:

If this flag is ON, the API Gateway checks whether the SSL server certificate presented by the LDAP directory is contained in the Certificate Store, i.e. the API Gateway's entity store configuration. If the certificate is found there, the API Gateway can connect to the LDAP directory over SSL. When the Certificate Store is used, it does not appear to matter whether ldap or ldaps is used as the scheme in the Provider URL, but the URL must of course specify the SSL port. The following code is always executed when this option is on:

env.put(Context.SECURITY_PROTOCOL, "ssl");


If this flag is OFF, the API Gateway checks whether the SSL server certificate presented by the LDAP directory is contained in the JRE trust store, i.e. /apigateway/Linux.x86_64/jre/lib/security/cacerts. If the certificate is found there, the API Gateway can connect to the LDAP directory over SSL. When the JRE trust store is used, LDAPS must be used in the Provider URL. Always restart the API Gateway after adding to the cacerts file. The password for the cacerts keystore is “changeit”.

If the API Gateway is configured to look in the Certificate Store for the LDAP directory server certificate and it is not there, this exception appears in the trace:

java.security.cert.CertificateException at com.vordel.common.ldap.VordelTrustManager.checkServerTrusted(VordelTrustManager.java:44

If the API Gateway is configured to look in the JRE trust store for the LDAP directory server certificate and it is not there, this exception appears in the server trace:

Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
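As an added illustration (not code from this article or from the API Gateway product), the Java program below drives JNDI along the same two trust paths. With no extra properties and an ldaps:// URL, the JDK validates the server certificate against the JRE cacerts, which is the flag-OFF case. With Context.SECURITY_PROTOCOL set to "ssl" and a socket factory backed by an explicitly loaded keystore, only certificates in that keystore are trusted, standing in for the Gateway's Certificate Store in the flag-ON case (the real Gateway keeps its Certificate Store in the entity store, not in a keystore file). The class names LdapsProbe and PinnedTrustSocketFactory, the keystore-file argument and the anonymous bind are assumptions made for this example; the JNDI property names and com.sun.jndi.ldap.LdapCtxFactory are standard JDK identifiers.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical probe: tries an LDAPS connection via JNDI along either trust path. */
public class LdapsProbe {

    /** Trusts only the certificates in an explicitly loaded keystore (stand-in for the Cert Store). */
    public static class PinnedTrustSocketFactory extends SocketFactory {
        // JNDI loads this class by name and calls getDefault(), so the delegate is configured statically.
        static volatile SSLSocketFactory delegate;

        static void configure(String trustStorePath, char[] password) throws Exception {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (FileInputStream in = new FileInputStream(trustStorePath)) {
                ks.load(in, password);
            }
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);                       // only certificates in this keystore are trusted
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);
            delegate = ctx.getSocketFactory();
        }

        public static SocketFactory getDefault() { return new PinnedTrustSocketFactory(); }

        @Override public Socket createSocket(String host, int port) throws IOException {
            return delegate.createSocket(host, port);
        }
        @Override public Socket createSocket(String host, int port, InetAddress lh, int lp) throws IOException {
            return delegate.createSocket(host, port, lh, lp);
        }
        @Override public Socket createSocket(InetAddress host, int port) throws IOException {
            return delegate.createSocket(host, port);
        }
        @Override public Socket createSocket(InetAddress host, int port, InetAddress lh, int lp) throws IOException {
            return delegate.createSocket(host, port, lh, lp);
        }
    }

    /** JNDI environment for one of the two trust paths the article describes. */
    static Hashtable<String, String> environment(String host, int sslPort, boolean useCertStore) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.SECURITY_AUTHENTICATION, "none"); // anonymous bind; only the TLS trust is under test
        if (useCertStore) {
            // "SSL enabled" ON: SSL is forced by the property, so the URL scheme does not matter,
            // but the port must still be the SSL port. Trust comes from our keystore, not cacerts.
            env.put(Context.PROVIDER_URL, "ldap://" + host + ":" + sslPort);
            env.put(Context.SECURITY_PROTOCOL, "ssl");
            env.put("java.naming.ldap.factory.socket", PinnedTrustSocketFactory.class.getName());
        } else {
            // "SSL enabled" OFF: only an ldaps:// URL turns on TLS, and the server certificate is
            // validated against the JRE trust store (cacerts, or -Djavax.net.ssl.trustStore=...).
            env.put(Context.PROVIDER_URL, "ldaps://" + host + ":" + sslPort);
        }
        return env;
    }

    /** Connects and unwraps the deepest cause so a trust failure reads like the trace excerpts above. */
    static String probe(Hashtable<String, String> env) {
        try {
            DirContext ctx = new InitialDirContext(env);
            ctx.close();
            return "OK: TLS handshake and bind succeeded";
        } catch (NamingException e) {
            Throwable root = e;                 // NamingException.getCause() is its root exception
            while (root.getCause() != null) root = root.getCause();
            return "FAILED: " + root.getClass().getName() + ": " + root.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: LdapsProbe <host> <ssl-port> [truststore-file [password]]");
            System.exit(2);
        }
        boolean useCertStore = args.length >= 3;
        if (useCertStore) {
            // "changeit" is the cacerts password the article quotes; pass another for your own keystore
            String password = args.length >= 4 ? args[3] : "changeit";
            PinnedTrustSocketFactory.configure(args[2], password.toCharArray());
        }
        String label = useCertStore ? "[explicit trust store] " : "[JRE cacerts] ";
        System.out.println(label + probe(environment(args[0], Integer.parseInt(args[1]), useCertStore)));
    }
}
```

Run it as `java LdapsProbe ldap.example.test 636` to validate against the JRE cacerts, or `java LdapsProbe ldap.example.test 636 truststore.jks` to trust only the contents of a keystore. A certificate missing from cacerts surfaces as the SunCertPathBuilderException text quoted above; a certificate missing from the explicit keystore fails in the same way the VordelTrustManager trace does, because in both cases the trust manager rejects it during the handshake. The JVM reads cacerts once, when the default SSLContext is first initialised, so, as with the API Gateway and Policy Studio, the process has to be restarted after the file is edited.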

Policy Studio - Test Connection Button

Policy Studio 7.4.0 requires SP1 or later to fix the "Unconnected sockets not implemented" exception when attempting to use this button. It was found to operate in the same way as the API Gateway, i.e. it can use the Cert Store or the JRE trust store to verify the certificate. Note that when you use “Test Connection”, Policy Studio is the client in the connection to the LDAP directory, not the API Gateway. The Cert Store it uses is the Cert Store the Policy Studio user is currently editing; the JRE trust store is the Policy Studio JRE trust store, i.e. /policystudio/jre/lib/security/cacerts.

Policy Studio must be restarted for changes to the cacerts file to take effect. As with the API Gateway, it uses the Cert Store when the SSL Enabled flag is ON, and the JRE trust store when the SSL Enabled flag is OFF.