Alfresco One Platform: ACE-2268

make ldaps (LDAP over SSL) configurable using ldap subsystem properties and not only JVM (system) properties (JAVA_OPTS)

      Description

      Currently, when a customer wants to use LDAPS for authentication and user synchronization, they need to set system-wide JVM parameters such as

      javax.net.ssl.keyStore
      javax.net.ssl.keyStorePassword
      javax.net.ssl.keyStoreType

      javax.net.ssl.trustStore
      javax.net.ssl.trustStorePassword
      javax.net.ssl.trustStoreType
      

      When using self-signed certificates, the CA is not known to the JVM by default, and the customer has to either append the internal CA to the JVM's default cacerts file or override the defaults through JAVA_OPTS.
      Appending a CA to an existing store file (cacerts) is not easy, not well documented and error prone.
      Overriding JAVA_OPTS is easier but can have side effects, especially if more than one CA is used, e.g. a (well-known) CA to serve HTTPS and a private CA for LDAPS: you end up having to maintain a single store containing several CAs.

      The customer asks that we do the same work we did for FTPS in MNT-7598:
      i.e. introduce configuration parameters that allow the LDAPS connection to be set up through configuration properties instead of JVM-wide settings.

      Note:
      ====
      1) we already have parameters for

      a) FTPS:

      ftp.trustStore
      ftp.trustStorePassphrase
      ftp.trustStoreType=JKS

      ftp.keyStore
      ftp.keyStorePassphrase
      ftp.keyStoreType=JKS

      ftp.requireSecureSession=true
      ftp.sslEngineDebug=false

      b) encryption:

      encryption.ssl.keystore.keyMetaData.location=${dir.keystore}/ssl-keystore-passwords.properties
      encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore
      encryption.ssl.keystore.provider
      encryption.ssl.keystore.type=JCEKS
      encryption.ssl.truststore.keyMetaData.location=${dir.keystore}/ssl-truststore-passwords.properties
      encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore

      so this request just follows the same logic that seems to have already been initiated.

      2) see documentation for:

      java.security.KeyStore;
      javax.net.ssl.TrustManager;
      javax.net.ssl.TrustManagerFactory;
      

      3) please also consider SMTP/TLS and IMAPS (lower priority, as not requested by the customer)
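      As an illustration of what a per-subsystem (non JVM-wide) LDAPS trust configuration looks like in code, the class below is an added example written for this ticket; it is not Alfresco code and the property names it mentions (ldap.authentication.truststore.*) are hypothetical. It builds an SSLContext from a dedicated truststore using the javax.net.ssl classes referenced in note 2, wraps it in an SSLSocketFactory, and hands that factory to JNDI through java.naming.ldap.factory.socket. The JVM's javax.net.ssl.trustStore is left untouched, so the HTTPS trust store and the private LDAP CA no longer have to share one file. The truststore location, passphrase, host, port and bind DN are placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Example (not Alfresco code): an SSLSocketFactory that trusts only the CA(s)
 * in a dedicated LDAP truststore, leaving javax.net.ssl.trustStore alone.
 * JNDI loads this class by name (java.naming.ldap.factory.socket) and calls the
 * static getDefault(), so the truststore settings must be handed over through
 * static state before the InitialDirContext is created.
 */
public class LdapsTrustStoreSocketFactory extends SSLSocketFactory {

    // Hypothetical subsystem properties (ldap.authentication.truststore.*), held statically.
    private static volatile String trustStorePath;
    private static volatile char[] trustStorePassphrase;
    private static volatile String trustStoreType = "JKS";

    private final SSLSocketFactory delegate;

    public static void configure(String path, char[] passphrase, String type) {
        trustStorePath = path;
        trustStorePassphrase = passphrase;
        trustStoreType = type;
    }

    /** Invoked reflectively by the JNDI LDAP provider. */
    public static SSLSocketFactory getDefault() {
        try {
            return new LdapsTrustStoreSocketFactory();
        } catch (Exception e) {
            throw new IllegalStateException("cannot build LDAPS socket factory", e);
        }
    }

    public LdapsTrustStoreSocketFactory() throws Exception {
        if (trustStorePath == null) {
            throw new IllegalStateException("ldap.authentication.truststore.location not configured");
        }
        KeyStore ts = KeyStore.getInstance(trustStoreType);
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, trustStorePassphrase);          // only the private LDAP CA lives here
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null key managers: no client certificate; use KeyManagerFactory on a dedicated
        // keystore here if the directory requires one (the ftp.keyStore* analogue).
        ctx.init(null, tmf.getTrustManagers(), null);
        delegate = ctx.getSocketFactory();
    }

    /** Enforce hostname verification against the server certificate's SAN/CN. */
    private static Socket harden(Socket s) {
        if (s instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket) s;
            SSLParameters p = ssl.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("LDAPS");
            ssl.setSSLParameters(p);
        }
        return s;
    }

    @Override public Socket createSocket() throws IOException { return harden(delegate.createSocket()); }
    @Override public Socket createSocket(String h, int p) throws IOException { return harden(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException { return harden(delegate.createSocket(h, p, lh, lp)); }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException { return harden(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress lh, int lp) throws IOException { return harden(delegate.createSocket(h, p, lh, lp)); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean autoClose) throws IOException { return harden(delegate.createSocket(s, h, p, autoClose)); }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }

    public static void main(String[] args) throws NamingException {
        // Placeholder values for this example.
        configure("/opt/alfresco/keystore/ldap.truststore", "changeit".toCharArray(), "JKS");
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ldap.example.internal:636");
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put("java.naming.ldap.factory.socket", LdapsTrustStoreSocketFactory.class.getName());
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=alfresco-sync,ou=svc,dc=example,dc=internal");
        env.put(Context.SECURITY_CREDENTIALS, "secret");
        DirContext ctx = new InitialDirContext(env);   // TLS handshake is validated against ldap.truststore only
        ctx.close();
    }
}
```

      Two points worth checking in any real implementation: the factory is instantiated by class name and static getDefault(), so the configured values have to be visible before the first bind (a static holder, as above, or a factory registered per subsystem instance), and hostname verification must be switched on explicitly when a custom factory is used, otherwise a certificate from the private CA issued for any name would be accepted.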

                People
                Assignee: Closed Issues
                Reporter: Alex Madon (Inactive)
                Watchers: 12

                Time Tracking

                Original Estimate: 4d
                Remaining Estimate: 2d 3h 30m
                Time Spent: 1d 6h 30m