If you have already configured a trust store, you can also use the setup tool to enable security. The following example enables SSL security. It also specifies a JKS Keystore and truststore that define the server certificate and trusted CA. The passwords for the keystore files are defined in the corresponding .pin files, where the password is written on the first line of the file. The values in the .pin files will be copied to the server-root/config directory in the keystore.pin and truststore.pin files.
Note: The password to the private key within the keystore is expected to be the same as the password to the keystore. If this is not the case, the private key password can be defined within the or dsconfig by editing the Key Manager Provider standard configuration object.
  • Run the setup tool to install with a truststore.
    $ env JAVA_HOME=/ds/java ./setup --cli \ 
      --no-prompt --rootUserDN "cn=Directory Manager" \
      --rootUserPassword "password" \
      --ldapPort 389 --ldapsPort 636 \
      --useJavaKeystore /path/to/devkeystore.jks \ 
      --keyStorePasswordFile /path/to/devkeystore.pin \ 
      --certNickName server-cert \ 
      --useJavaTrustStore /path/to/devtruststore.jks \
    In order to update the trust store, the password must be provided
    See 'prepare-external-server --help' for general overview
    Testing connection to ds-east-01.example.com:1636 ..... Done
    Testing 'cn=Proxy User,cn=Root DNs,cn=config' access .....
    Created 'cn=Proxy User,cn=Root DNs,cn=config'
    Testing 'cn=Proxy User,cn=Root DNs,cn=config' access ..... Done
    Testing 'cn=Proxy User,cn=Root DNs,cn=config' privileges ..... Done
    Verifying backend 'dc=example,dc=com' ..... Done