Enable LDAP over SSL

To enable LDAP over SSL (LDAPS) and ensure a secure connection, import the certificate into the trust store. You must issue the import command on the server on which the Okta Java LDAP Agent is installed.

Important before you begin

  • General — When using keytool, make sure to always choose the keystore option.
  • Ubuntu / Debian — There is no upgrade path. The dpkg tool performs an uninstall and re-install, which deletes the cacerts file.
  • CentOS — There is no upgrade path. Issuing yum localupdate <package name> replaces the jre folder, which deletes the cacerts file. If the service had already been set up to use SSL, the service fails to start.
  • Windows — There is no upgrade path. The installer removes and re-adds the files. Also, the installer must be running while you update the cert store. Canceling the installer deletes the contents of the C:\Okta\Okta LDAP Agent folder.

To import the certificate into the trust store of the Okta Java LDAP Agent:

  1. Open a terminal and navigate to the jre/bin directory.

    Linux

    /opt/Okta/OktaLDAPAgent/jre/bin

    Windows

    C:\Program Files\Okta\Okta LDAP Agent\jre\bin

  2. Connect to the LDAPS port to confirm that the certificate you have is the one that the server is using:

    openssl s_client -connect <IP of your LDAP server>:<your LDAPS port>

  3. Import the SSL certificate. When you are prompted for the keystore password, enter the default, changeit.

    ./keytool -importcert -alias example.net.local -file /tmp/example.net.local.cer -keystore ../lib/security/cacerts

  4. List the current contents of the keystore and confirm that the new alias appears:

    ./keytool -list -keystore ../lib/security/cacerts

  5. Complete the LDAP Agent installation as described in the relevant procedure above (Linux or Windows).
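The procedure above as a re-runnable script, added here as an example and not taken from the Okta documentation: it fetches the certificate the LDAPS server presents, prints its SHA-256 fingerprint so you can compare it with the one your directory administrator expects before trusting it, and imports it into the agent's cacerts only if the alias is not already there, so it is safe to run again after an upgrade has wiped the trust store. JRE_BIN (defaulting to the Linux path above), the example host and alias names, and the default changeit password are assumptions.

```shell
#!/bin/sh
# Added example, not Okta's code. Assumes the agent JRE under JRE_BIN (the Linux
# path from the docs) and the default cacerts password "changeit".
JRE_BIN="${JRE_BIN:-/opt/Okta/OktaLDAPAgent/jre/bin}"
CACERTS="$JRE_BIN/../lib/security/cacerts"
STOREPASS="${STOREPASS:-changeit}"

# Print only the first PEM block from text on stdin (e.g. the output of
# openssl s_client -showcerts, whose first block is the server's leaf cert).
extract_first_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }'
}

# Fetch the leaf certificate the LDAPS server presents.  $1=host $2=port $3=out file
fetch_ldaps_cert() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | extract_first_pem > "$3"
    [ -s "$3" ]   # fail if nothing was captured (wrong port, plain LDAP, firewall)
}

# SHA-256 fingerprint of a PEM cert; compare it with the value the directory
# admin gives you before trusting it, rather than importing blindly.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# 0 if the alias is already in cacerts; keytool exits non-zero when it is not.
alias_present() {
    "$JRE_BIN/keytool" -list -keystore "$CACERTS" -storepass "$STOREPASS" \
        -alias "$1" >/dev/null 2>&1
}

# Import only when missing, so re-running after an agent upgrade is harmless.
# $1=alias $2=PEM file
import_if_missing() {
    if alias_present "$1"; then
        echo "alias '$1' already present in $CACERTS"
    else
        "$JRE_BIN/keytool" -importcert -noprompt -alias "$1" -file "$2" \
            -keystore "$CACERTS" -storepass "$STOREPASS"
    fi
}

# Usage (example host and alias names): fetch, review fingerprint, import, verify.
#   fetch_ldaps_cert ldap.example.net.local 636 /tmp/example.net.local.cer
#   cert_fingerprint /tmp/example.net.local.cer
#   import_if_missing example.net.local /tmp/example.net.local.cer && alias_present example.net.local
```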