Steps To Configure/Enable SSL LDAP in WebLogic
The WebLogic LDAP Authenticator supports only one-way SSL: WebLogic validates the LDAP server's certificate, but it cannot present a client certificate of its own. The directory must therefore accept a simple (DN and password) bind over LDAPS.
1. In the console, under the LDAP Authenticator's provider-specific settings, check the "Enable SSL" flag, since the connection to the LDAP server will use SSL.
2. Store the root CA certificate of your LDAP server in the trust keystore that WebLogic is configured to use (Keystores tab of the server), for example: keytool -import -keystore myWLStrustedkeystore.jks -alias ca -file getcacert.cer -storepass myWLStrustedkeystoreStorePassPhrase -trustcacerts. Do this against a custom trust store: the DemoTrust.jks that appears in the log below is the demo trust store whose CA key ships with every WebLogic installation, so trusting it in production means anyone with the distribution can issue a certificate your server will accept.
3. The hostname you enter in the WebLogic console for the LDAP configuration must match the CN (or a DNS subjectAltName) of the LDAP server's certificate; otherwise WebLogic's hostname verification fails. Fix the configured hostname rather than disabling the verifier, since the verifier is what protects the connection from a man-in-the-middle presenting another certificate trusted by the same CA.
4. The port specified in the console for the LDAP Authenticator must be the LDAP server's SSL (LDAPS) port, typically 636.
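The following script is an added example, not part of the original post, that rehearses the checks behind steps 2 and 3 before you touch the console. It generates a throwaway root CA and an LDAP server certificate (constructed test data; the name newsslLDAP is taken from the page's log, and the CA name, file names, the store password "changeit" and the address 10.0.0.5 are assumptions), then checks whether the trust anchor you intend to import validates the server's certificate and whether the hostname you plan to configure matches it. It assumes openssl is on PATH; keytool (from the JDK that runs WebLogic) is optional and the import step is skipped without it.

```shell
#!/bin/sh
# Added example (not from the original page): offline rehearsal of the
# trust-store and hostname checks behind steps 2 and 3.
# All certificates are constructed here on the fly; in practice point the
# checks at the certificate your LDAP server actually presents
# (e.g. saved from: openssl s_client -connect <ldaphost>:636 -showcerts).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config: the CA profile carries basicConstraints so the
# root is accepted as a trust anchor. The server name goes into the SAN as
# well as the CN, because modern verifiers check the SAN first.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
printf 'subjectAltName=DNS:%s\n' newsslLDAP > "$WORK/ldap.ext"

# Constructed PKI: a self-signed root CA and the server cert it issues.
make_test_pki() {
  openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=newsslLDAP" -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/ldap.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/ldap.ext" -out "$WORK/ldap.pem" 2>/dev/null
}

# Step 2 check: would a trust store holding only this anchor validate the
# certificate the LDAP server presents? (exit 0 = yes)
chain_trusted() {   # $1 = trust anchor PEM, $2 = server certificate PEM
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Step 3 check: does the hostname you will type into the console match the
# certificate? openssl exits 0 either way, so the verdict is in its output.
hostname_matches() {   # $1 = server certificate PEM, $2 = hostname
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Step 2 itself, into a dedicated trust store rather than DemoTrust.jks.
# Passing -storepass on the command line exposes it in the process list;
# omit it to be prompted when doing this for real.
import_trust_anchor() {   # $1 = CA PEM, $2 = JKS path, $3 = store password
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not on PATH; skipping trust store import"
    return 0
  fi
  keytool -importcert -noprompt -trustcacerts -storetype JKS -alias ldap-root-ca \
    -file "$1" -keystore "$2" -storepass "$3" >/dev/null 2>&1
}

make_test_pki

if chain_trusted "$WORK/ca.pem" "$WORK/ldap.pem"; then
  echo "trust: root CA validates the LDAP server certificate"
else
  echo "trust: chain does NOT validate; is the right CA in the trust store?"
fi

# newsslLDAP is in the certificate; an IP address or alias that is not
# (10.0.0.5 here, an assumed value) fails hostname verification.
for host in newsslLDAP 10.0.0.5; do
  if hostname_matches "$WORK/ldap.pem" "$host"; then
    echo "host:  $host matches the certificate"
  else
    echo "host:  $host does NOT match; WebLogic hostname verification would fail"
  fi
done

if import_trust_anchor "$WORK/ca.pem" "$WORK/ldaptrust.jks" changeit; then
  echo "trust store written to $WORK/ldaptrust.jks"
else
  echo "keytool import failed"
fi
```

Only the hostname that is in the certificate passes the second check; that is the value to enter as the LDAP host in the console, and the trust store written by the last step is the one to configure on the server's Keystores tab instead of DemoTrust.jks.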
How to confirm connection works:
If the server log contains the messages below (in particular "connection succeeded"), WebLogic was able to connect to the LDAP server over SSL. The first two lines show which trust stores were loaded; the Debug lines appear only when security authentication debugging is enabled (the DebugSecurityAtn debug flag, e.g. -Dweblogic.debug.DebugSecurityAtn=true). Note that this example binds as cn=Directory Manager, the directory super-user; in production the Principal configured in the authenticator should be a dedicated read-only account.
<6 apr. 2010 08 h 29 BST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file D:\wls\app\weblogic10\server\lib\DemoTrust.jks.>
<6 apr. 2010 08 h 29 BST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file D:\wls\app\JDK162~1\jre\lib\security\cacerts.>
<6 apr. 2010 08 h 29 BST> <Debug> <SecurityDebug> <000000> <connection succeeded>
<6 apr. 2010 08 h 29 BST> <Debug> <SecurityDebug> <000000> <getConnection return conn:LDAPConnection {ldaps://newsslLDAP:636 ldapVersion:3 bindDN:"cn=Directory Manager"}>
A check that does not depend on debug logging is to take a thread dump of the running WebLogic server (for example with jstack) and look for the LDAP connection thread. Its name carries the URL, so it confirms both that SSL (ldaps://) is in use and which port was connected to:
"LDAPConnThread-0 ldaps://newsslLDAP:636" daemon prio=5 tid=0x032a1988 nid=0x10d0 runnable [3c1f000..3c1fd8c]
    at java.net.SocketInputStream.socketRead0(Native Method)
    at java.net.SocketInputStream.read(SocketInputStream.java:129)
    at weblogic.utils.io.ChunkedInputStream.read(ChunkedInputStream.java:140)
    at java.io.InputStream.read(InputStream.java:89)
    at com.certicom.tls.record.ReadHandler.readFragment(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.read(Unknown Source)
    - locked <0x114a83a8> (a com.certicom.tls.record.ReadHandler)
    at com.certicom.io.InputSSLIOStreamWrapper.read(Unknown Source)
    at java.io.BufferedInputStream.fill(BufferedInputStream.java:183)
    at java.io.BufferedInputStream.read(BufferedInputStream.java:201)
    - locked <0x114f7c08> (a java.io.BufferedInputStream)
    at netscape.ldap.ber.stream.BERElement.getElement(BERElement.java:101)
    at netscape.ldap.LDAPConnThread.run(LDAPConnThread.java:538)
    at java.lang.Thread.run(Thread.java:534)
If no such thread appears in the dump, the connection to the LDAP server was not established (the thread only exists while a connection is open), and the trust store, hostname and port settings above should be rechecked.