Enable LDAP over SSL

To enable LDAP over SSL (LDAPS) and ensure a secure connection, import the LDAP server's certificate into the agent's trust store (the cacerts file in the agent's bundled JRE). You must issue the import command on the server on which the Okta LDAP agent is installed. The trust store does not survive an agent upgrade; these are the known limitations for each environment:

  • Ubuntu / Debian — There is no upgrade path. The dpkg tool performs an uninstall and re-install, which deletes the cacerts file.
  • CentOS — There is no upgrade path. Issuing yum localupdate <package name> replaces the jre folder, which deletes the cacerts file. If the service had already been set up to use SSL, the service fails to start.
  • Windows — There is no upgrade path. The installer removes and re-adds the files. Also, the installer must be running while you update the cert store: canceling the installer deletes the contents of the C:\Okta\Okta LDAP Agent folder.

When using keytool, always pass the -keystore option with the path to the agent's cacerts file. Without it, keytool writes to the user's default keystore, which the agent does not read.

  1. Open a terminal and navigate to the jre/bin directory.

    Linux

    /opt/Okta/OktaLDAPAgent/jre/bin

    Windows

    C:\Program Files\Okta\Okta LDAP Agent\jre\bin

  2. Connect to the LDAPS port to confirm that the certificate file you have is the one that the server is actually presenting:

    openssl s_client -connect <IP of your LDAP server>:<your LDAPS port>

  3. Import the SSL certificate into the agent's cacerts keystore. When you are prompted for the keystore password, enter the default, changeit. keytool prints the certificate details and asks whether to trust it; check that the subject and issuer match the certificate shown in the previous step before you answer yes.

    ./keytool -importcert -alias example.net.local -file /tmp/example.net.local.cer -keystore ../lib/security/cacerts

  4. List the current contents of the keystore and confirm that the new alias appears:

    ./keytool -list -keystore ../lib/security/cacerts

  5. Complete the Okta LDAP agent installation. See Install and configure the Okta LDAP Agent.
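The openssl and keytool steps above tied together with a fingerprint check, as an added example that is not part of Okta's documentation or the agent: it compares the certificate the LDAPS server presents with the file to be imported, imports only on a match using an explicit -keystore, and verifies the stored entry. The variable names (LDAP_HOST, LDAP_PORT, ALIAS, CERT_FILE, JRE_BIN, CACERTS, STOREPASS) and the script itself are assumptions; the path defaults come from the Linux locations in the steps, and it needs openssl plus the agent's bundled keytool.

```shell
#!/bin/sh
# Added example (not Okta's code). Checks that the certificate file to be imported is the one
# the LDAPS server presents, imports it into the agent's cacerts with an explicit -keystore,
# and confirms the stored entry. All variables are assumptions; paths default to the
# Linux locations from the steps above.
set -eu
JRE_BIN=${JRE_BIN:-/opt/Okta/OktaLDAPAgent/jre/bin}
CACERTS=${CACERTS:-$JRE_BIN/../lib/security/cacerts}
LDAP_PORT=${LDAP_PORT:-636}                          # standard LDAPS port
ALIAS=${ALIAS:-example.net.local}
CERT_FILE=${CERT_FILE:-/tmp/example.net.local.cer}
STOREPASS=${STOREPASS:-changeit}                     # JRE cacerts default password

# Reduce a fingerprint line from either tool to bare uppercase hex so they compare equal:
# openssl prints "sha256 Fingerprint=AB:CD:...", keytool prints "SHA256: AB:CD:...".
normalize_fp() {
    grep -oE '([0-9A-Fa-f]{2}:){19,}[0-9A-Fa-f]{2}' | tr -d ':' | tr 'a-f' 'A-F'
}
# SHA-256 fingerprint of the leaf certificate the server presents on the LDAPS port.
server_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | normalize_fp
}
# SHA-256 fingerprint of the certificate file, whether it was exported as PEM or DER.
file_fingerprint() {
    fmt=PEM; grep -q 'BEGIN CERTIFICATE' "$1" || fmt=DER
    openssl x509 -in "$1" -inform "$fmt" -noout -fingerprint -sha256 | normalize_fp
}
# Fingerprint of the entry stored under an alias in the agent's keystore.
stored_fingerprint() {
    "$JRE_BIN/keytool" -list -v -alias "$1" -keystore "$CACERTS" -storepass "$STOREPASS" \
        | grep 'SHA256:' | normalize_fp
}

main() {
    want=$(file_fingerprint "$CERT_FILE")
    got=$(server_fingerprint "$LDAP_HOST" "$LDAP_PORT")
    [ "$want" = "$got" ] || { echo "MISMATCH: server $got, file $want; not importing" >&2; exit 1; }
    # Without -keystore, keytool writes to ~/.keystore, which the agent never reads.
    # -noprompt is acceptable only because the fingerprint was just verified.
    "$JRE_BIN/keytool" -importcert -noprompt -alias "$ALIAS" -file "$CERT_FILE" \
        -keystore "$CACERTS" -storepass "$STOREPASS"
    [ "$(stored_fingerprint "$ALIAS")" = "$want" ] || { echo "stored entry differs" >&2; exit 1; }
    echo "imported $ALIAS ($want) into $CACERTS"
}
# Runs only when LDAP_HOST is set, so the file can also be sourced for its functions.
[ -z "${LDAP_HOST:-}" ] || main
```

Run it on the agent server before completing the installer, for example as LDAP_HOST=ldap.example.net.local sh check_ldaps_cert.sh (the file name is arbitrary); with LDAP_HOST unset it only defines the functions.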