Enable LDAP over SSL

To enable LDAP over SSL (LDAPS) and ensure a secure connection, import the LDAP server's certificate into the Java trust store (the cacerts file) that ships with the agent. You must issue the import command on the server on which the Okta LDAP Agent is installed. These are the known limitations for different environments:

  • Ubuntu / Debian: There's no upgrade path. The dpkg tool performs an uninstall and reinstall, which deletes the cacerts file.
  • CentOS: There's no upgrade path. Issuing yum localupdate <package name> replaces the jre folder, which deletes the cacerts file. If the service is already set up to use SSL, the service fails to start.
  • Windows: There's no upgrade path. The installer removes and re-adds the files. Also, the installer must be running when you're updating the cert store. Canceling the installer deletes the contents of the C:\Okta\Okta LDAP Agent folder.

Linux

When you run keytool, always pass the -keystore option so that the certificate goes into the agent's cacerts file rather than keytool's default keystore.

  1. Open a terminal and go to the jre/bin directory.

    /opt/Okta/OktaLDAPAgent/jre/bin

  2. Optional. Connect to the LDAPS port to confirm that the certificate you have is the one that the server is using:

    openssl s_client -connect <IP of your LDAP server>:<your LDAPS port>

  3. Import the SSL certificate. When you're prompted for the keystore password, enter the default, changeit:

    ./keytool -importcert -alias example.net.local -file /tmp/example.net.local.cer -keystore ../lib/security/cacerts

  4. List the current contents of the keystore:

    ./keytool -list -keystore ../lib/security/cacerts

Windows

When you run keytool, always pass the -keystore option so that the certificate goes into the agent's cacerts file rather than keytool's default keystore.

  1. Open a PowerShell or Command Prompt window and go to the jre\bin directory.

    C:\Program Files\Okta\Okta LDAP Agent\jre\bin

  2. Optional. Connect to the LDAPS port to confirm that the certificate you have is the one that the server is using:

    openssl s_client -connect <IP of your LDAP server>:<your LDAPS port>

  3. Import the SSL certificate. When you're prompted for the keystore password, enter the default, changeit (use Windows paths; the jre\bin directory has no /tmp):

    .\keytool -importcert -alias example.net.local -file "<path to example.net.local.cer>" -keystore ..\lib\security\cacerts

  4. List the current contents of the keystore:

    .\keytool -list -keystore ..\lib\security\cacerts
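The Linux and Windows procedures above both tell you to check that the certificate file you were given is the one the LDAPS endpoint actually presents before importing it, but leave the comparison to the eye. The script below is an added example, not part of the Okta documentation: it computes the SHA-256 fingerprint of the local file (PEM or DER), fetches the fingerprint of the leaf certificate the server presents, and imports into the agent's cacerts only when the two agree, skipping the import if the alias already exists. It uses the Linux paths from the procedure; the host name, port, certificate path, alias and store password are assumptions and can be overridden through the environment. On Windows the same steps are typed in PowerShell with the C:\Program Files\Okta\Okta LDAP Agent\jre\bin path.

```shell
#!/usr/bin/env sh
# Added example, not part of the Okta documentation. Host, port, paths and alias
# below are assumptions; override them through the environment before running.
LDAP_HOST="${LDAP_HOST:-ldap.example.net.local}"          # assumed hostname of your LDAP server
LDAPS_PORT="${LDAPS_PORT:-636}"                            # 636 is the standard LDAPS port
CERT_FILE="${CERT_FILE:-/tmp/example.net.local.cer}"      # the certificate file you were given
CERT_ALIAS="${CERT_ALIAS:-example.net.local}"
JRE_BIN="${JRE_BIN:-/opt/Okta/OktaLDAPAgent/jre/bin}"     # agent JRE from the Linux procedure
CACERTS="$JRE_BIN/../lib/security/cacerts"
STOREPASS="${STOREPASS:-changeit}"                         # default cacerts password

# SHA-256 fingerprint ("AB:CD:...") of a certificate file, PEM first, then DER.
cert_fingerprint() {
  { openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
      || openssl x509 -in "$1" -inform DER -noout -fingerprint -sha256; } | sed 's/.*=//'
}

# SHA-256 fingerprint of the leaf certificate the server presents on its LDAPS port.
server_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/.*=//'
}

# Succeeds when two fingerprints are equal, ignoring hex case.
fingerprints_match() {
  [ "$(printf '%s' "$1" | tr 'a-f' 'A-F')" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# Import under the alias unless that alias is already present, then confirm by
# listing the alias; -noprompt and -storepass replace keytool's interactive prompts.
import_into_cacerts() {
  if "$JRE_BIN/keytool" -list -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$CERT_ALIAS" >/dev/null 2>&1; then
    echo "alias $CERT_ALIAS already present in $CACERTS; nothing to import"
  else
    "$JRE_BIN/keytool" -importcert -noprompt -alias "$CERT_ALIAS" -file "$CERT_FILE" \
      -keystore "$CACERTS" -storepass "$STOREPASS"
  fi
  "$JRE_BIN/keytool" -list -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$CERT_ALIAS"
}

main() {
  local_fp=$(cert_fingerprint "$CERT_FILE")
  remote_fp=$(server_fingerprint "$LDAP_HOST" "$LDAPS_PORT")
  echo "file   : $local_fp"
  echo "server : $remote_fp"
  if fingerprints_match "$local_fp" "$remote_fp"; then
    import_into_cacerts
  else
    echo "certificate in $CERT_FILE is not what $LDAP_HOST:$LDAPS_PORT presents; not importing" >&2
    return 1
  fi
}

# Run the full check-and-import only when asked, so the functions can also be sourced on their own.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh ldaps-import.sh --run` (any file name) from a shell that has openssl on its PATH. The comparison is against the leaf certificate the server sends; if you were handed the issuing CA's certificate instead of the server certificate, use `openssl s_client -showcerts` to see the full chain and compare against the matching entry. After a successful import, `keytool -list` prints the alias together with its own fingerprint, which you can check against the one the script printed.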