Gateway security
The DS DSML and HDAP gateways run as web applications in containers like Apache Tomcat. Security settings depend on the container and on the gateway configuration files.
Container security settings
Security settings are covered in the documentation for supported web application containers. The documentation to use depends on the web application container.
For example, the Apache Tomcat 9 documentation includes the following:
- For instructions on setting up HTTPS, refer to SSL/TLS Configuration HOW-TO.
- For other security-related settings, refer to Security Considerations.
DSML settings
Make sure the web application container protects traffic to the gateway with HTTPS.
Review the following DSML gateway settings:
ldap.port
- Use an LDAP port that supports StartTLS or LDAPS. Using StartTLS or LDAPS is particularly important if the gateway ever sends credentials over LDAP.
ldap.usessl
- If ldap.usestarttls is not used, set this to true.
ldap.usestarttls
- If ldap.usessl is not used, set this to true.
ldap.trustall
- Make sure this is set to false.
ldap.truststore.path
- Set this to a truststore with the appropriate certificate(s) for remote LDAP servers.
ldap.truststore.password
- If ldap.truststore.path is set, and the truststore requires a password, set this appropriately.
HDAP settings
Make sure the web application container protects traffic to the gateway with HTTPS.
Review the following settings in the gateway configuration file, config.json:
security/keyManager
- If the LDAP server expects client authentication for TLS, set this to access the gateway’s keystore.
security/trustManager
- Set this to a truststore with the appropriate certificate(s) for remote LDAP servers.
ldapConnectionFactories/bind/connectionSecurity
- Use ssl or startTLS.
ldapConnectionFactories/bind/sslCertAlias
- If the LDAP server expects client authentication for TLS, set this to access the gateway’s certificate alias.
ldapConnectionFactories/primaryLdapServers/port
- Use an LDAP port that supports StartTLS or LDAPS. Using StartTLS or LDAPS is particularly important if the gateway ever sends credentials over LDAP.
authorization/resolver
- Check the endpointUrl of the resolver to make sure that OAuth 2.0 tokens are sent over HTTPS.