Resolution: Both the LDAP server and the JRE used by Domain Utility and the Tomcat server (Administrator) need to have SSL enabled.
Please refer to TIBCO Administrator Server Guide --> Chapter 5: Advanced Topics --> Enabling an SSL Connection to an LDAP Directory Server.
===========================================
Enabling an SSL Connection to an LDAP Directory Server
SSL (Secure Sockets Layer) is a network protocol that allows authentication and encryption of data. SSL provides a secure connection between a client and a server.
You can use SSL to secure the user and group data transmitted to your TIBCO servers and applications from the LDAP directory server. Doing so ensures privacy, integrity, and authenticity of data from the LDAP directory server.
TIBCO Domain Utility specifies SSL usage for the LDAP integration of an administration domain. Once SSL is specified for a domain’s LDAP integration, the administration servers and applications depend on the security features of the JVM they run on to establish SSL connections with the LDAP server (and do not actively participate in establishing the SSL connections).
To configure an administration domain to connect to the LDAP directory server over SSL, do the following:
1. Enable SSL authentication on the LDAP directory server. You may need to contact the IT department in your organization that manages your LDAP servers. This requires installing a valid server certificate and CA trust certificate from a certificate authority on the LDAP directory server.
2. Import the CA trust certificate for your LDAP server certificate into the keystores of all JREs associated with the administration domain on each machine. This includes JREs for all primary and secondary servers, as well as for BusinessWorks processes that perform basic authentication. Note that the TIBCO JRE keystores already contain certificates from well-known certificate authorities such as Verisign, Thawte and Entrust, so you can skip this step if your LDAP server certificate is issued by one of these certificate authorities.
3. When integrating your administration domain with the LDAP directory server using TIBCO Domain Utility (see Changing a Domain’s Integration With an LDAP Directory Server in TIBCO Runtime Agent Domain Utility User’s Guide), select SSL in the LDAP Authentication drop-down list.
See Configuring LDAP Integration With SSL Connection In TIBCO Runtime Agent Domain Utility User’s Guide for detailed instructions.
===========================================
Also refer to TIBCO Runtime Agent Domain Utility Guide --> Chapter 3: Server Settings and Migration --> Configuring LDAP Integration with SSL Connections.
===========================================
Configuring LDAP Integration With SSL Connections
You can use SSL to secure the user and group data transmitted to your TIBCO servers and applications from the LDAP directory server. Doing so ensures privacy, integrity, and authenticity of data from the LDAP directory server.
TIBCO Domain Utility specifies SSL usage for the LDAP integration of an administration domain. Once SSL is specified for a domain’s LDAP integration, the administration servers and applications depend on the security features of the JVM they run on in order to establish SSL connections with the LDAP server (and do not actively participate in establishing the SSL connections).
To configure an administration domain to connect to the LDAP directory server over SSL, you must do the following:
• Task A, Enable SSL on the LDAP Directory Server
• Task B, Configure the JRE Keystores
• Task C, Enable SSL for LDAP in TIBCO Domain Utility
Task A Enable SSL on the LDAP Directory Server
You must first enable SSL authentication on the LDAP directory server with which the administration domain is integrated. You may need to contact the IT department in your organization that manages your LDAP servers. This requires installing a valid server certificate and CA trust certificate from a certificate authority on the LDAP directory server. Go to one of the following links for information on enabling SSL on your LDAP directory server:
For Microsoft Active Directory 2000:
http://support.microsoft.com/default.aspx?scid=kb;en-us;247078#1
For Microsoft Active Directory 2003:
http://support.microsoft.com/kb/321051
For Sun ONE Directory Server 5.1:
http://docs.sun.com/source/816-5606-10/ssl.htm#996824
For Sun ONE Directory Server 5.2:
http://docs.sun.com/source/816-6698-10/ssl.html#14365
For Novell eDirectory 8.7.3:
http://www.novell.com/documentation/edir873/index.html?treetitl.html
NOTE: Ask your LDAP administrator for help with enabling SSL on your LDAP directory server.
Task B Configure the JRE Keystores
Next, you must import the CA trust certificate (the signing certificate of your LDAP server certificate) into the keystores of all JREs that are used by software or applications that perform user authentication. This includes JREs for all primary and secondary servers, as well as for BusinessWorks processes that perform basic authentication. The best thing to do is to perform this task on all TIBCO JREs in all server and client machines in your administration domain.
NOTE: TIBCO JRE keystores already contain certificates from well-known certificate authorities such as Verisign, Thawte and Entrust. You can skip this task if your LDAP server certificate is issued by one of these well-known certificate authorities.
Follow the instructions below to import the CA trust certificate of the LDAP server certificate into each applicable JRE keystore:
1. In the command prompt, change to TIBCO_HOME/tibcojre/version/bin.
2. Use the following command to import the CA trust certificate into the default JRE keystore. (You may specify any value for alias_name.)
keytool -import -alias alias_name -keystore TIBCO_HOME/tibcojre/version/lib/security/cacerts -trustcacerts -file CA_trust_certificate_file_path
3. When prompted, type changeit for the keystore password (this is the default password of the JRE cacerts keystore, unless you have changed it previously).
Task C Enable SSL for LDAP in TIBCO Domain Utility
Follow the instructions in Changing a Domain’s Integration With an LDAP Directory Server to modify the LDAP configuration for your administration domain in TIBCO Domain Utility.
• Specify the LDAP server’s SSL-enabled port in the LDAP URL field.
• Select SSL in the LDAP Authentication drop-down list.
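The following check is an added example and is not TIBCO code. It verifies the two things the procedure above relies on: that the CA trust certificate imported in Task B is actually present in the JRE keystore the domain software runs on, and that this JRE can complete an SSL handshake with the LDAP server exactly as the administration server's JVM will (the JVM, not the TIBCO software, makes the trust decision). The keystore path, alias, LDAP URL and bind credentials are placeholders that you must replace; run the class with the TIBCO JRE (TIBCO_HOME/tibcojre/version/bin/java) so that its default cacerts is the one being tested.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/*
 * Added verification for Task B and Task C (not TIBCO's own code).
 * Assumed placeholder values, replace for your environment:
 *   cacertsPath  -> TIBCO_HOME/tibcojre/version/lib/security/cacerts
 *   alias        -> the alias_name used in the keytool -import command
 *   ldapsUrl     -> ldaps://<ldap-host>:<ssl-port>, the same URL entered in Domain Utility
 */
public class LdapSslTrustCheck {

    /** True when the keystore contains a valid trusted-certificate entry under alias. */
    static boolean caAliasPresent(String cacertsPath, String storePassword, String alias)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(cacertsPath)) {
            ks.load(in, storePassword.toCharArray()); // default password is "changeit"
        }
        if (!ks.isCertificateEntry(alias)) {
            return false; // import went to a different keystore or used another alias
        }
        X509Certificate ca = (X509Certificate) ks.getCertificate(alias);
        ca.checkValidity(); // throws if the CA certificate has expired or is not yet valid
        System.out.println("Trusted CA present: " + ca.getSubjectX500Principal());
        return true;
    }

    /** Opens an LDAPS context the same way the JVM does for the domain software. */
    static void connectOverSsl(String ldapsUrl, String bindDn, String bindPassword)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);           // ldaps:// plus the SSL port
        env.put(Context.SECURITY_PROTOCOL, "ssl");         // equivalent of selecting SSL in Domain Utility
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        DirContext ctx = new InitialDirContext(env);        // SSL handshake happens here
        ctx.close();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values; the running JVM's own cacerts is used unless a path is given.
        String cacerts = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        String alias = args.length > 1 ? args[1] : "alias_name";
        String ldapsUrl = args.length > 2 ? args[2] : "ldaps://ldap.example.com:636";
        String bindDn = args.length > 3 ? args[3] : "cn=reader,dc=example,dc=com";
        String bindPassword = args.length > 4 ? args[4] : "password-placeholder";

        if (!caAliasPresent(cacerts, "changeit", alias)) {
            System.out.println("CA alias '" + alias + "' not found in " + cacerts
                    + " (Task B incomplete for this JRE)");
            return;
        }
        try {
            connectOverSsl(ldapsUrl, bindDn, bindPassword);
            System.out.println("LDAPS handshake and bind succeeded using " + cacerts);
        } catch (NamingException e) {
            // A "PKIX path building failed" cause means the server chain is not
            // signed by any CA in this JRE's keystore: wrong keystore, wrong CA,
            // or the server is presenting a different certificate than expected.
            System.out.println("LDAPS connection failed: " + e);
            Throwable cause = e.getRootCause();
            if (cause != null) {
                System.out.println("Root cause: " + cause);
            }
        }
    }
}
```

Run it once per JRE that performs authentication (primary and secondary servers, BusinessWorks engines), since each has its own cacerts file. To test a keystore other than the running JVM's default without editing the code, start the JVM with -Djavax.net.ssl.trustStore pointing at that file; the alias check still needs the path as the first argument.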
===========================================