After you have configured the key and trust manager providers, you can update the connection handlers to use them.
For the LDAP connection handler, which accepts non-secure connections by default, you can enable StartTLS with a configuration change as in the following example.
dsconfig set-connection-handler-prop \
--handler-name "LDAP Connection Handler" \
--set allow-start-tls:true \
--set key-manager-provider:JKS \
--set trust-manager-provider:JKS \
--set ssl-cert-nickname:server-cert \
--set ssl-client-auth-policy:optional
If you want to require that clients use StartTLS when connected to the LDAP connection handler, use the reject-insecure-requests global configuration property.
dsconfig set-global-configuration-prop \
--set reject-insecure-requests:true
If you did not configure secure communication during setup, then the LDAPS connection handler is disabled. Configuring LDAPS support requires enabling that connection handler and configuring most of the same settings, except that allow-start-tls must be false and use-ssl must be true.
dsconfig set-connection-handler-prop \
--handler-name "LDAPS Connection Handler" \
--set enabled:true \
--set key-manager-provider:JKS \
--set trust-manager-provider:JKS \
--set ssl-cert-nickname:server-cert \
--set ssl-client-auth-policy:optional
Use a similar configuration change to enable the HTTPS connection handler.
dsconfig set-connection-handler-prop \
--handler-name "HTTPS Connection Handler" \
--set enabled:true \
--set listen-port:443 \
--set key-manager-provider:JKS \
--set trust-manager-provider:JKS \
--set ssl-cert-nickname:server-cert
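As an added example (not part of the original documentation), the following Python pre-flight check parses a batch of dsconfig commands in the syntax used above and flags configurations that contradict the constraints stated in this section: a TLS-capable handler without key manager, trust manager or certificate nickname, an LDAPS handler with allow-start-tls set to true or use-ssl set to false, and reject-insecure-requests enabled while the LDAP handler does not allow StartTLS. The function names parse_batch and check_batch and the sample batch (constructed, deliberately incomplete) are this example's own, not part of the product.

```python
import shlex

# Constructed sample modelled on the commands in the text (not real server output).
SAMPLE_BATCH = r"""
dsconfig set-global-configuration-prop --set reject-insecure-requests:true
dsconfig set-connection-handler-prop \
  --handler-name "LDAP Connection Handler" --set key-manager-provider:JKS
dsconfig set-connection-handler-prop \
  --handler-name "LDAPS Connection Handler" \
  --set enabled:true --set allow-start-tls:true \
  --set key-manager-provider:JKS --set ssl-cert-nickname:server-cert
"""
TLS_PROPS = ("key-manager-provider", "trust-manager-provider", "ssl-cert-nickname")

def parse_batch(text: str) -> dict[str, dict[str, str]]:
    """Join backslash continuations; collect --set key:value pairs per handler
    (global properties go under the pseudo-handler name '<global>')."""
    handlers: dict[str, dict[str, str]] = {}
    for line in text.replace("\\\n", " ").splitlines():
        argv = shlex.split(line)
        if len(argv) < 2 or argv[0] != "dsconfig":
            continue
        name = "<global>" if argv[1] == "set-global-configuration-prop" else None
        props: dict[str, str] = {}
        for flag, arg in zip(argv, argv[1:]):
            if flag == "--handler-name":
                name = arg
            elif flag == "--set":
                key, _, value = arg.partition(":")
                props[key] = value
        if name:
            handlers.setdefault(name, {}).update(props)
    return handlers

def check_batch(handlers: dict[str, dict[str, str]]) -> list[str]:
    """Findings for the constraints stated in the text; an empty list means OK."""
    findings: list[str] = []
    for name, p in handlers.items():
        secure = name.startswith(("LDAPS", "HTTPS")) or "true" in (p.get("allow-start-tls"), p.get("use-ssl"))
        # Every TLS-capable handler needs the key/trust managers and the certificate nickname.
        findings += [f"{name}: missing {k}" for k in TLS_PROPS if secure and k not in p]
        if name.startswith("LDAPS") and p.get("allow-start-tls") == "true":
            findings.append(f"{name}: allow-start-tls must be false")
        if name.startswith("LDAPS") and p.get("use-ssl") == "false":
            findings.append(f"{name}: use-ssl must be true")
    # Rejecting insecure requests only makes sense if the LDAP handler can upgrade via StartTLS.
    ldap = handlers.get("LDAP Connection Handler", {})
    if handlers.get("<global>", {}).get("reject-insecure-requests") == "true" and ldap.get("allow-start-tls") != "true":
        findings.append("reject-insecure-requests is true but the LDAP handler does not allow StartTLS")
    return findings
```

Run check_batch(parse_batch(SAMPLE_BATCH)) against a batch file before applying it with dsconfig; the sample above yields three findings.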