Configuring an SSL Connection to Active Directory
If you want to configure a read/write connection with Microsoft Active Directory, you will need to install an SSL certificate, generated by your Active Directory server, onto your Confluence server and then install the certificate into your JVM keystore.
keystore
.Prerequisites
To generate a certificate, you need the following components installed on the Windows Domain Controller to which you're connecting.
Required Component | Description |
---|---|
Internet Information Services (IIS) | This is required before you can install Windows Certificate Services. |
Windows Certificate Services | This installs a certification authority (CA) which is used to issue certificates. Step 1, below, explains this process. |
Windows 2000 Service Pack 2 | Required if you are using Windows 2000 |
Windows 2000 High Encryption Pack (128-bit) | Required if you are using Windows 2000. Provides the highest available encryption level (128-bit). |
Step 1. Install the Active Directory Certificate Services
If Certificate Services are already installed, skip to step 2, below. The screenshots below are from Server 2008, but the process is similar for Server 2000 and 2003.
- Log in to your Active Directory server as an administrator.
- Click Start, point to Administrative Tools, and then click Server Manager.
- In the Roles Summary section, click Add Roles.
- On the Select Server Roles page, select the Active Directory Certificate Services check box. Click Next twice.
- On the Select Role Services page, select the Certification Authority check box, and then click Next.
- On the Specify Setup Type page, click Enterprise, and then click Next.
- On the Specify CA Type page, click Root CA, and then click Next.
- On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional configuration settings, including cryptographic service providers. However, the default values should be fine. Click Next twice.
- In the Common name for this CA box, type the common name of the CA, and then click Next.
- On the Set Validity Period page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and then click Next.
- After verifying the information on the Confirm Installation Selections page, click Install.
- Review the information on the results screen to verify that the installation was successful.
Step 2. Obtain the Server Certificate
The steps above describe how to install the certification authority (CA) on your Microsoft Active Directory server. Next, you will need to add the Microsoft Active Directory server's SSL certificate to the list of accepted certificates used by the JDK that runs your application server.
The Active Directory certificate is automatically generated and placed in root of the C:\ drive, matching a file format similar to the tree structure of your Active Directory server. For example: c:\ad2008.ad01.atlassian.com_ad01.crt
.
You can also export the certificate by executing this command on the Active Directory server:
certutil -ca.cert client.crt
You might still fail to be authenticated using the certificate file above. In this case, Microsoft's LDAP over SSL (LDAPS) Certificate page might help. Note that you need to:
- Choose "No, do not export the private key" in step-10 of Exporting the LDAPS Certificate and Importing for use with AD DS section
- Choose "DER encoded binary X.509 (.CER)" in step-11 of Exporting the LDAPS Certificate and Importing for use with AD DS section. This file will be used in the following step.
Step 3. Import the Server Certificate
For an application server to trust your directory's certificate, the certificate must be imported into your Java runtime environment. The JDK stores trusted certificates in a file called a keystore. The default keystore file is called cacerts
and it lives in the jre\lib\security
sub-directory of your Java installation.
In the following examples, we use server-certificate.crt
to represent the certificate file exported by your directory server. You will need to alter the instructions below to match the name actually generated.
Once the certificate has been imported as per the below instructions, you will need to restart the application to pick up the changes.
Windows
Navigate to the directory in which Java is installed. It's probably called something like
C:\Program Files\Java\jdk1.5.0_12
.cd /d C:\Program Files\Java\jdk1.5.0_12
Run the command below, where
server-certificate.crt
is the name of the file from your directory server:keytool -importcert -keystore .\jre\lib\security\cacerts -file server-certificate.crt
keytool
will prompt you for a password. The default keystore password ischangeit
.When prompted
Trust this certificate? [no]:
enteryes
to confirm the key import:Enter keystore password: changeit Owner: CN=ad01, C=US Issuer: CN=ad01, C=US Serial number: 15563d6677a4e9e4582d8a84be683f9 Valid from: Tue Aug 21 01:10:46 ACT 2007 until: Tue Aug 21 01:13:59 ACT 2012 Certificate fingerprints: MD5: D6:56:F0:23:16:E3:62:2C:6F:8A:0A:37:30:A1:84:BE SHA1: 73:73:4E:A6:A0:D1:4E:F4:F3:CD:CE:BE:96:80:35:D2:B4:7C:79:C1 Trust this certificate? [no]: yes Certificate was added to keystore
- Restart the application to take up the cacerts changes.
- You may now change 'URL' to use LDAP over SSL (i.e. ldaps://<HOSTNAME>:636/) and use the 'Secure SSL' option when connecting your application to your directory server.
UNIX
Navigate to the directory in which the Java used by JIRA is installed. If the default JAVA installation is used, then it would be
cd $JAVA_HOME
Run the command below, where
server-certificate.crt
is the name of the file from your directory server:sudo keytool -importcert -keystore ./jre/lib/security/cacerts -file server-certificate.crt
keytool
will prompt you for a password. The default keystore password ischangeit
.When prompted
Trust this certificate? [no]:
enteryes
to confirm the key import:Password: Enter keystore password: changeit Owner: CN=ad01, C=US Issuer: CN=ad01, C=US Serial number: 15563d6677a4e9e4582d8a84be683f9 Valid from: Tue Aug 21 01:10:46 ACT 2007 until: Tue Aug 21 01:13:59 ACT 2012 Certificate fingerprints: MD5: D6:56:F0:23:16:E3:62:2C:6F:8A:0A:37:30:A1:84:BE SHA1: 73:73:4E:A6:A0:D1:4E:F4:F3:CD:CE:BE:96:80:35:D2:B4:7C:79:C1 Trust this certificate? [no]: yes Certificate was added to keystore
- Restart the application to take up the cacerts changes.
- You may now change 'URL' to use LDAP over SSL (i.e. ldaps://<HOSTNAME>:636/) and use the 'Secure SSL' option when connecting your application to your directory server.
Mac OS X
Navigate to the directory in which Java is installed. This is usually
cd /Library/Java/Home
Run the command below, where
server-certificate.crt
is the name of the file from your directory server:sudo keytool -importcert -keystore ./jre/lib/security/cacerts -file server-certificate.crt
keytool
will prompt you for a password. The default keystore password ischangeit
.When prompted
Trust this certificate? [no]:
enteryes
to confirm the key import:Password: Enter keystore password: changeit Owner: CN=ad01, C=US Issuer: CN=ad01, C=US Serial number: 15563d6677a4e9e4582d8a84be683f9 Valid from: Tue Aug 21 01:10:46 ACT 2007 until: Tue Aug 21 01:13:59 ACT 2012 Certificate fingerprints: MD5: D6:56:F0:23:16:E3:62:2C:6F:8A:0A:37:30:A1:84:BE SHA1: 73:73:4E:A6:A0:D1:4E:F4:F3:CD:CE:BE:96:80:35:D2:B4:7C:79:C1 Trust this certificate? [no]: yes Certificate was added to keystore
- Restart the application to take up the cacerts changes.
- You may now change 'URL' to use LDAP over SSL (i.e. ldaps://<HOSTNAME>:636/) and use the 'Secure SSL' option when connecting your application to your directory server.