Gateway security
The DS DSML and DS REST to LDAP gateways run as web applications in containers like Apache Tomcat. Security settings depend on the container, and the gateway configuration files.
Container security settings
Security settings are covered in the documentation for supported web application containers. The documentation to use depends on the web application container.
For example, the Apache Tomcat 9 documentation includes the following:
-
For instructions on setting up HTTPS, see SSL/TLS Configuration HOW-TO.
-
For other security-related settings, see Security Considerations.
DSML settings
Make sure the web application container protects traffic to the gateway with HTTPS.
Review the following settings DSML gateway settings:
ldap.port
-
Use an LDAP port that supports StartTLS or LDAPS.
Using StartTLS or LDAPS is particularly important if the gateway ever sends credentials over LDAP.
ldap.usessl
-
If
ldap.usestarttls
is not used, set this totrue
. ldap.usestarttls
-
If
ldap.usessl
is not used, set this totrue
. ldap.trustall
-
Make sure this is set to
false
. ldap.truststore.path
-
Set this to a truststore with the appropriate certificate(s) for remote LDAP servers.
ldap.truststore.password
-
If
ldap.truststore.path
is set, and the truststore requires a password, set this appropriately.
REST to LDAP settings
Make sure the web application container protects traffic to the gateway with HTTPS.
Review the following settings in the gateway configuration file, config.json
:
security/keyManager
-
If the LDAP server expects client authentication for TLS, set this to access the gateway’s keystore.
security/trustManager
-
Set this to a truststore with the appropriate certificate(s) for remote LDAP servers.
ldapConnectionFactories/bind/connectionSecurity
-
Use
ssl
orstartTLS
. ldapConnectionFactories/bind/sslCertAlias
-
If the LDAP server expects client authentication for TLS, set this to access the gateway’s certificate alias.
ldapConnectionFactories/primaryLdapServers/port
-
Use an LDAP port that supports StartTLS or LDAPS.
Using StartTLS or LDAPS is particularly important if the gateway ever sends credentials over LDAP.
authorization/resolver
-
Check the
endpointUrl
of the resolver to make sure that OAuth 2.0 tokens are sent over HTTPS.
For details on settings, see REST to LDAP reference.