---
title: Gateway security
description: The DS HDAP gateway runs as a web application in a container like Apache Tomcat. Security settings depend on the container and on the gateway configuration file.
component: pingds
version: 8.1
page_id: pingds:security-guide:web-applications
canonical_url: https://docs.pingidentity.com/pingds/8.1/security-guide/web-applications.html
revdate: 2025-10-22T14:42:39Z
keywords: ["LDAP", "REST API", "Security", "Setup & Configuration"]
section_ids:
  find-app-server-doc: Container security settings
  hdap-gateway-security: HDAP settings
---

# Gateway security

The DS HDAP gateway runs as a web application in a container like Apache Tomcat. Security settings depend on the container and on the gateway configuration file.

## Container security settings

Security settings are covered in the documentation for supported web application containers. The documentation to use depends on the web application container.

For example, the Apache Tomcat 9 documentation includes the following:

* For instructions on setting up HTTPS, refer to [SSL/TLS Configuration HOW-TO](https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html).

* For other security-related settings, refer to [Security Considerations](https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html).

## HDAP settings

Make sure the web application container protects traffic to the gateway with HTTPS.

Review the following settings in the gateway configuration file, `config.json`:

* `security/keyManager`

  If the LDAP server expects client authentication for TLS, set this to access the gateway's keystore.

* `security/trustManager`

  Set this to a truststore with the appropriate certificate(s) for remote LDAP servers.

* `ldapConnectionFactories/bind/connectionSecurity`

  Use `ssl` or `startTLS`.

* `ldapConnectionFactories/bind/sslCertAlias`

  If the LDAP server expects client authentication for TLS, set this to the gateway's certificate alias.

* `ldapConnectionFactories/primaryLdapServers/port`

  Use an LDAP port that supports StartTLS or LDAPS.

  Using StartTLS or LDAPS is particularly important if the gateway ever sends credentials over LDAP.

* `authorization/resolver`

  Check the `endpointUrl` of the resolver to make sure that OAuth 2.0 tokens are sent over HTTPS.
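
The review above can be scripted. The following is an added example, not code from the DS documentation or product. It assumes that `config.json` nests its objects exactly as the slash-separated paths on this page suggest, and the sample values, including the `gateway-cert` alias, the `example.com` URLs, and the `placeholder` keys, are constructed for illustration:

```python
from urllib.parse import urlparse

def lookup(cfg, path):
    """Follow a slash-separated path as written on this page; None if absent."""
    node = cfg
    for key in path.split("/"):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def endpoint_urls(node, path):
    """Yield (path, value) for each endpointUrl key anywhere below node."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "endpointUrl":
                yield f"{path}/{key}", value
            else:
                yield from endpoint_urls(value, f"{path}/{key}")

def audit(cfg):
    """Return one finding per setting that misses this page's guidance."""
    bind = "ldapConnectionFactories/bind"
    findings = []
    if not lookup(cfg, "security/trustManager"):
        findings.append("security/trustManager: no truststore configured")
    mode = lookup(cfg, f"{bind}/connectionSecurity")
    if mode not in ("ssl", "startTLS"):
        findings.append(f"{bind}/connectionSecurity: {mode!r}, expected ssl or startTLS")
    if lookup(cfg, f"{bind}/sslCertAlias") and not lookup(cfg, "security/keyManager"):
        findings.append(f"{bind}/sslCertAlias: set, but security/keyManager is not")
    for path, url in endpoint_urls(cfg.get("authorization"), "authorization"):
        if urlparse(str(url)).scheme.lower() != "https":
            findings.append(f"{path}: {url!r} is not an HTTPS URL")
    return findings

# Constructed samples; keystore and truststore contents are placeholders.
WEAK = {
    "security": {},
    "ldapConnectionFactories": {"bind": {"connectionSecurity": "none", "sslCertAlias": "gateway-cert"}},
    "authorization": {"resolver": {"endpointUrl": "http://as.example.com/introspect"}},
}
HARDENED = {
    "security": {"keyManager": {"placeholder": "keystore"}, "trustManager": {"placeholder": "truststore"}},
    "ldapConnectionFactories": {"bind": {"connectionSecurity": "startTLS", "sslCertAlias": "gateway-cert"}},
    "authorization": {"resolver": {"endpointUrl": "https://as.example.com/introspect"}},
}

if __name__ == "__main__":
    print("\n".join(audit(WEAK)) or "no findings")
```

To check a real file, pass the result of `json.load()` to `audit()`. The script cannot confirm that the configured LDAP port supports StartTLS or LDAPS, so verify that against the server.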
