Enable LDAP over SSL

Enable LDAP over SSL (LDAPS) and ensure a secure connection by importing the certificate into the trust store. Issue the import command on the server on which the Okta LDAP Agent is installed.

Perform these steps as part of the Install the Okta LDAP Agent procedure. You can't perform them independently.

Linux

  1. Open a terminal and go to the jre/bin directory.

    cd /opt/Okta/OktaLDAPAgent/jre/bin

  2. Optional. Connect to the LDAPS port to confirm that the certificate you have is the one that the server is using:

    openssl s_client -connect <IP_of_your_LDAP_server>:<your_SSO_port>

  3. Import the SSL certificate. When you're prompted for the default password, enter changeit:

    ./keytool -importcert -alias <alias_name> -file <path/to/certificate_file> -keystore ../lib/security/cacerts

     For example:

    ./keytool -importcert -alias example.net.local -file /tmp/example.net.local.cer -keystore ../lib/security/cacerts

  4. List the current contents of the keystore:

    ./keytool -list -keystore ../lib/security/cacerts

Windows

  1. Open a terminal and go to the jre/bin directory.

    cd C:\Program Files\Okta\Okta LDAP Agent\jre\bin

  2. Optional. Connect to the LDAPS port to confirm that the certificate you have is the one that the server is using:

    openssl s_client -connect <IP_of_your_LDAP_server>:<your_SSO_port>

  3. Import the SSL certificate. When you're prompted for the default password, enter changeit:

    ./keytool -importcert -alias <alias_name> -file <path\to\certificate_file> -keystore ../lib/security/cacerts

     For example:

    ./keytool -importcert -alias example.net.local -file c:\Users\certsadmin\Desktop\example.net.local.cer -keystore ../lib/security/cacerts

  4. List the current contents of the keystore:

    ./keytool -list -keystore ../lib/security/cacerts