Changes between Version 12 and Version 13 of ConnectorsSetup


Timestamp:
05/23/13 16:17:41 (12 years ago)
Author:
dabantz@…
Comment:

--

  • ConnectorsSetup

    v12 v13  
    2727}}} 
    2828 
    29 LDAPS relying on AD certificates from private CA: Certificates used in the UA Domain are issued from a private local CA.  Shibboleth configurations will fail to load if they cannot establish trust.  Trust of the private CA can be established by: 
    30 (1) Import the certificate into the java trusted keystore.  This requires ongoing maintenance as that keystore may be overwritten by any number of upgrade or refresh processes, requiring re-import of the CA certificate. 
    31 (2) Configure the IdP authentication module to trust the AD certificate by adding to the configuration in $IDP_HOME/login.config a line like 
    3229 
    33 {{{ 
    34 sslSocketFactory="{trustCertificates=file:/path/to/my/trust.crt}" 
    35 }}} 
    3630=== Shibboleth connector principal names and URLs for DSEE LDAP directories: === 
    3731 
     
    4236}}} 
    4337 
     38=== Establishing trust of self-signed or private-CA certificates for SSL/StartTLS === 
     39Certificates used in the UA Domain are issued from a private local CA.  Shibboleth configurations will fail to load if they cannot establish trust when required by specifying connections use SSL or StartTLS.  Trust of the private CA can be established by: 
    4440 
     41(1) Import the private CA root certificate or the AD service certificate(s) itself into the java trusted keystore.  This requires ongoing maintenance as that keystore may be overwritten by any number of upgrade or refresh processes, requiring re-import of the CA certificate. 
     42 
     43(2) Configure the IdP to directly trust these certificates.   
     44 
     45 (2.1) Configure the authentication module to trust the AD certificate by adding to the configuration in ''$IDP_HOME''/login.config a line like 
     46 
     47  {{{ 
     48  sslSocketFactory="{trustCertificates=file:/path/to/my/trust.crt}" 
     49  }}} 
     50 (2.2) Configure the Data Connectors in attribute-resolver.xml to use StartTLSTrustCredential.  https://wiki.shibboleth.net/confluence/display/SHIB2/ResolverLDAPDataConnector 
    4551 
    4652=== [[IdPSetup|Failover connectors]] ===
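Review bot: step (2.1) leaves open what `trust.crt` is expected to hold, although step (1) just above distinguishes the private CA root certificate from the AD service certificate(s); say which is intended, since a trust file containing only the service certificate has to be replaced each time that certificate is renewed, whereas the CA root keeps working across renewals. The new heading also promises the self-signed case, but the body only describes the private-CA case; either add the self-signed variant (the same trustCertificates file pointing at the self-signed certificate itself) or drop "self-signed" from the heading. The sentence "Shibboleth configurations will fail to load if they cannot establish trust when required by specifying connections use SSL or StartTLS" reads awkwardly; suggest "Shibboleth configurations will fail to load if they cannot establish trust for a connection configured to use SSL or StartTLS".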