
Customize LDAP TLS certificates and ciphers

The VHI LDAP server is used to store credentials and settings for the Management Server. To facilitate automatic setup, the LDAP server is provided with a self-signed TLS certificate and uses preset ciphers.

A production system will most likely require a custom certificate and may also require custom ciphers. Follow the instructions below to install a custom certificate and configure custom ciphers for LDAP over TLS.

Install a custom certificate

  1. Construct a keystore in PKCS12 format that contains the new certificate and private key. The key type must be RSA.

  2. Edit path-to\RocketSoftware\Verastream\ManagementServer\conf\container.properties, set ldap.port.enabled=true, and restart the Management Server service.

  3. From a command prompt, run java -cp jar-file com.attachmate.vhi.vms.UpdateLdapCert keystorefile keystorepassword adminpassword. This command will update the LDAP server certificate.

    Replace keystorefile, keystorepassword and adminpassword with their respective actual values.

  4. Revert the changes to path-to\RocketSoftware\Verastream\ManagementServer\conf\container.properties or set ldap.port.enabled=false, and restart the Management Server service.

Note

Replace -cp jar-file in the Java command with -cp "path-to\RocketSoftware\Verastream\ManagementServer\services\vhi\lib\*", where path-to is the actual path to where VHI is installed. In a default installation, use -cp "C:\Program Files\RocketSoftware\Verastream\ManagementServer\services\vhi\lib\*". The quotation marks are needed. On a Linux system, use -cp /opt/rocketsoftware/verastream/managementserver/services/vhi/lib/* and quote that path as well, so that the shell passes the wildcard to Java instead of expanding it into a list of jar files.

Note

On Linux, the default VHI install path is /opt/rocketsoftware/verastream/..., all lowercase.

Configure custom ciphers

  1. Edit the file path-to\RocketSoftware\Verastream\ManagementServer\conf\container.conf

    and set wrapper.java.additional.x=-Djdk.tls.server.cipherSuites=comma-delimited-cipher-names, where x is the next unused number in the file's sequence of wrapper.java.additional settings and comma-delimited-cipher-names is the comma-separated list of cipher suite names to be used.

  2. Restart the Management Server service.

Note

Changing the cipher list affects every TLS endpoint served by this JVM, that is, all of the Management Server endpoints, not only LDAP.
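The edit in step 1 is easy to get wrong by hand: the new wrapper.java.additional.x line must use a number that is not already taken, and a second -Djdk.tls.server.cipherSuites line would leave the JVM keeping only the last value it sees. The following helper, added here as an example and not part of the VHI product, computes the next free index from a constructed sample container.conf (the real file shipped with VHI will have different entries) and writes or updates exactly one cipher-suite line; the two ECDHE_RSA suite names are standard JSSE names that fit the RSA key the LDAP certificate must use.

```python
import re

# Constructed sample container.conf (not the real file shipped with VHI):
# Java Service Wrapper keys are numbered and must not collide.
SAMPLE_CONF = """\
wrapper.java.command=java
wrapper.java.additional.1=-Dfile.encoding=UTF-8
wrapper.java.additional.2=-Xmx1024m
# wrapper.java.additional.3=-Dcommented.out=true
"""
# JSSE names of RSA-authenticated AEAD suites, matching the RSA server key.
CIPHERS = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
           "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]

ADDITIONAL_RE = re.compile(r"^wrapper\.java\.additional\.(\d+)\s*=(.*)$")
CIPHER_PROP = "-Djdk.tls.server.cipherSuites="

def next_additional_index(conf_text):
    """Next unused wrapper.java.additional.<x> index; commented-out entries
    still reserve their number so uncommenting one later cannot collide."""
    used = [0]
    for line in conf_text.splitlines():
        m = ADDITIONAL_RE.match(line.lstrip(" \t#"))
        if m:
            used.append(int(m.group(1)))
    return max(used) + 1

def set_cipher_suites(conf_text, ciphers):
    """Return conf_text with exactly one active cipher-suite setting: an
    existing one is rewritten in place (with duplicates the JVM keeps only
    the last -D value it reads), otherwise a line with the next free index
    is appended. Names are checked to look like JSSE suite names."""
    for name in ciphers:
        if not re.fullmatch(r"[A-Z0-9_]+", name):
            raise ValueError(f"not a JSSE cipher suite name: {name!r}")
    value = CIPHER_PROP + ",".join(ciphers)
    lines = conf_text.splitlines()
    for i, line in enumerate(lines):
        m = ADDITIONAL_RE.match(line.strip())
        if m and m.group(2).strip().startswith(CIPHER_PROP):
            lines[i] = f"wrapper.java.additional.{m.group(1)}={value}"
            return "\n".join(lines) + "\n"
    idx = next_additional_index(conf_text)
    lines.append(f"wrapper.java.additional.{idx}={value}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(set_cipher_suites(SAMPLE_CONF, CIPHERS), end="")
```

Run it against a copy of the real container.conf, then restart the Management Server service as in step 2.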