LDAP and SSL
Note: Certificates are issued as either client or server certificates. DocuShare does not support client-side certificates. DocuShare uses a copy of the LDAP server's certificate to establish the SSL session with the LDAP server.
1. How To Import the Certificate to DocuShare
Whether the certificate has to be imported depends on who issued it. If the LDAP server's certificate is self-signed, or was issued by a CA that the DocuShare server's web browser does not already trust, the administrator must import it into the DocuShare server's web browser certificate store. If it was issued by a public CA that the browser already trusts (for example Entrust, Equifax, Valicert or Verisign), the browser import may not be needed. In either case, DocuShare itself only trusts the LDAP server once a copy of its certificate has been placed in DSTrustStore (section 3).
To import the certificate from a specific LDAP server:
a. Open a web browser at the DocuShare server.
b. Connect to the LDAP server over SSL using the address https://<your.ldap.server> or https://<your.ldap.server>:636. Port 636 is the standard port for LDAP over SSL (LDAPS). The browser performs the SSL handshake with the LDAP server, which is all that is needed to view its certificate; the page itself will not load.
Note: If the certificate has not been installed on the DocuShare server's browser, a Security Alert window appears prompting you to install the certificate.
c. Click View Certificate at the bottom of the Security Alert window. A Certificate window appears.
d. Click the Details tab, then click the Copy to File button. The Certificate Export Wizard appears.
2. Export the Certificate and Save as a CER File
After you have imported the certificate from the LDAP server, you need to export it to a directory on the DocuShare server and save it as a certificate file.
To export the certificate and save it as a certificate file:
a. From the Certificate Export Wizard window, click Next.
Note: If the certificate has a private key associated with it, the Export Private Key window appears. Select No, do not export the private key, and click Next. DocuShare does not need the LDAP server's private key to establish an SSL session with it; it only needs the public certificate.
b. The Export File Format window appears. Select Base-64 encoded X.509 (.CER).
c. Click Next. The File to Export window appears.
d. In the File name field, enter the directory path to a location on your drive where you want to export the certificate, for example D:\.
e. After the directory path, enter a file name for the certificate with the extension .cer, for example D:\SSL_Cert4LDAP.cer.
f. Click Next to complete the certificate export. The Completing the Certificate Export Wizard window appears.
g. Click Finish to close the wizard. The LDAP certificate is saved as a .cer file on your DocuShare server.
h. Follow the instructions in section 3 on how to place the certificate into DSTrustStore.
3. How To Place the Certificate into the DSTrustStore
Now that you have saved the certificate as a certificate file, you must place it in the DSTrustStore file.
To place the certificate .cer file into the DSTrustStore file:
a. Open Windows Explorer
b. Locate the .cer file you exported using the Certificate Export Wizard.
c. Copy the .cer file and paste it into the directory containing the DSTrustStore file. For example, <dshome>\jdk1.5.0\jre\lib\security in DocuShare 6.6.x and earlier, or <dshome>\jdk\jre\lib\security in DocuShare 7.
Where <dshome> is replaced with the installation directory for DocuShare. Depending on your installation environment the path may vary. The default installation path during install is C:\Xerox\Docushare.
d. Open a command prompt window and navigate to the directory containing dstruststore. Use this same window for the remaining steps.
e. At the command prompt, enter the set PATH command to set the PATH environment variable. Use set PATH=%PATH%;<dshome>\jdk\jre\bin.
Note: In DocuShare 6.6.x and below the command to set the path may be similar to this example: set PATH=%PATH%;<dshome>\jdk1.5.0\jre\bin.
f. After you have set the PATH variable, enter keytool at the command prompt, without arguments. The Keytool utility help appears, which confirms that keytool is on the PATH. Keytool is the utility that places the SSL certificate in the DSTrustStore.
g. At the command prompt, enter the keytool utility command keytool -import -alias <alias_name> -file <path/cert_file> -keystore dstruststore
Replace <alias_name> with a unique name for the certificate file.
Replace <path/cert_file> with the name of the certificate file (.cer) that you exported and copied to the directory containing the dstruststore file. Because the command is run from that directory, the file name alone is enough, for example SSL_Cert4LDAP.cer; the full path would be, for example, C:\Xerox\Docushare\jdk1.#.0\jre\lib\security\certificate.cer. Note that dstruststore is a file in that directory, not a folder.
Note: Press Enter to run the command. Keytool prompts for the keystore password. If dstruststore already exists, enter its existing password; if keytool is creating the file now, the password you enter becomes the keystore password. Keytool then prints the certificate's owner, issuer, serial number, validity period and fingerprints.
h. When the Trust this certificate? [no]: prompt is displayed, type yes and press Enter. Before answering yes, compare the fingerprint shown with the value provided by the LDAP server administrator: answering yes makes DocuShare trust whatever certificate was presented on port 636.
Example session (output abbreviated):
D:\Xerox\DS652\jdk\jre\lib\security>keytool -import -alias mail -file SSL_Cert4LDAP.cer -keystore dstruststore
Enter keystore password: password
Serial number: 09c012345………
Valid from: Thu Sep 03 16:02:09 ADT 2009 until: Fri Sep 03 16:02:09 ADT 2010
Trust this certificate? [no]: yes
Certificate was added to keystore
i. Confirm that Keytool added the certificate to the keystore by listing the truststore with the following command and checking that your alias appears in the output.
keytool -list -v -keystore dstruststore
Note: When prompted for a password, enter the password you used in step g, or just press Enter if the DocuShare dstruststore has no password set. Keytool can list the keystore without a password, but then warns that the integrity of the keystore could not be verified.
If Keytool completed the operation, your DocuShare server is now ready to use the certificate to establish an SSL session with your LDAP server.
j. Once you have finished importing the certificate, reboot your DocuShare server.
Note (important for future maintenance): The security certificate has an expiration date. The copy in dstruststore must be replaced before the LDAP server's certificate expires or is renewed, otherwise the SSL session to the LDAP server will fail. DocuShare has no automated maintenance process for updating this certificate, so the import must be repeated manually, either under a new alias or after removing the old entry.
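The three sections above carried out as one script, as an added example that is not part of the DocuShare article and not Xerox code: a PowerShell script run on the DocuShare (Windows) server that performs the SSL handshake itself instead of through the browser, writes the certificate in the same Base-64 encoded X.509 (.CER) format the Certificate Export Wizard produces, imports it into dstruststore with DocuShare's own keytool, and warns when the expiry date from the maintenance note is near. The LDAP host name, install path, alias, file name and the 30-day threshold are assumptions; the password handling follows the article's sample session (keytool needs the keystore password to write). The handshake callback accepts any certificate so that the handshake completes, which is why the script asks you to confirm the thumbprint out-of-band before anything is imported.

```powershell
# Added example, not from the DocuShare article: automate sections 1-3 above
# (fetch the LDAP server certificate, save it as a Base-64 .cer, import it into
# dstruststore) and check the expiry date the maintenance note warns about.
# The host name, install path, alias, file name and threshold are assumptions.
param(
    [string]$LdapHost = 'ldap.example.com',     # assumed LDAP server name
    [int]   $LdapPort = 636,                    # standard LDAPS port
    [string]$DsHome   = 'C:\Xerox\Docushare',   # default DocuShare install path
    [string]$Alias    = 'ldap_server_cert',     # assumed truststore alias
    [int]   $WarnDays = 30                      # assumed expiry warning threshold
)

# DocuShare 7 layout; DocuShare 6.6.x and earlier use jdk1.5.0\jre instead of jdk\jre.
$securityDir = Join-Path $DsHome 'jdk\jre\lib\security'
$keytool     = Join-Path $DsHome 'jdk\jre\bin\keytool.exe'
$trustStore  = Join-Path $securityDir 'dstruststore'
$cerFile     = Join-Path $securityDir 'SSL_Cert4LDAP.cer'

# Section 1: do the SSL handshake directly instead of through a browser.
# The validation callback returns $true only so the handshake completes and the
# server certificate can be read; it does NOT decide trust. Trust is decided by
# checking the thumbprint out-of-band before the import below.
$client   = New-Object System.Net.Sockets.TcpClient($LdapHost, $LdapPort)
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl      = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
$ssl.AuthenticateAsClient($LdapHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $client.Close()

"Subject   : $($cert.Subject)"
"Issuer    : $($cert.Issuer)"
"SHA-1     : $($cert.Thumbprint)"
"Not after : $($cert.NotAfter)"
$answer = Read-Host 'Does the SHA-1 thumbprint match the value from the LDAP administrator? (yes/no)'
if ($answer -ne 'yes') { throw 'Thumbprint not confirmed; nothing was imported.' }

# Section 2: write the certificate as Base-64 encoded X.509 (.CER): the DER bytes,
# base64-encoded in 64-column lines between BEGIN/END CERTIFICATE markers.
$b64   = [Convert]::ToBase64String($cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) { $b64.Substring($i, [Math]::Min(64, $b64.Length - $i)) }
$pem   = "-----BEGIN CERTIFICATE-----`r`n" + ($lines -join "`r`n") + "`r`n-----END CERTIFICATE-----`r`n"
[System.IO.File]::WriteAllText($cerFile, $pem, [System.Text.Encoding]::ASCII)

# Section 3: import with keytool. Writing to the keystore needs its password
# (the article's sample session types one), so prompt rather than hard-code it.
$storePass = Read-Host 'dstruststore password'
if ([string]::IsNullOrEmpty($storePass)) { throw 'keytool needs the keystore password to write to dstruststore.' }

# Renewal case from the maintenance note: remove a stale entry under the same alias first.
& $keytool -list -alias $Alias -keystore $trustStore -storepass $storePass 2>&1 | Out-Null
if ($LASTEXITCODE -eq 0) {
    & $keytool -delete -alias $Alias -keystore $trustStore -storepass $storePass
}
# -noprompt answers the "Trust this certificate?" prompt; the thumbprint was confirmed above.
& $keytool -import -noprompt -alias $Alias -file $cerFile -keystore $trustStore -storepass $storePass
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# Verify the entry is present (the same check as step i of section 3).
& $keytool -list -v -alias $Alias -keystore $trustStore -storepass $storePass

# Maintenance: warn while there is still time to re-run this before expiry.
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -lt $WarnDays) {
    Write-Warning "LDAP certificate expires in $daysLeft days ($($cert.NotAfter)); schedule a re-import."
}
"Done. Reboot the DocuShare server so that it picks up the updated dstruststore."
```

Run it as the DocuShare server administrator, for example .\Import-LdapCert.ps1 -LdapHost ldap.corp.example -Alias ldap_corp. Deleting and re-adding under the same alias is what makes the script safe to schedule before each renewal; if you prefer to keep the old entry until the new certificate is confirmed working, pass a new -Alias instead.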
Solution Updated: October 17, 2017
Solution ID: 484