LDAPviewer

Manage User's Trusted Keystore

LDAPviewer provides a number of TLS Features. These features may be selected and configured using the TLS option of the Connection Profile when either the LDAPS protocol or an authentication method using TLS is selected.

When the LDAP server sends its X.509 certificate to LDAPviewer the normal (default) method of certificate validation uses the Java Trusted Keystore (available with JSSE). The certificates available in this Keystore may be viewed using the View All Certificates item on the Certificates menu.

One of the TLS options available with LDAPviewer is to validate against a user defined Keystore (User's Trusted Keystore), which is invoked using the TLS KS radio button of the Connection Profile. This page describes configuration and use of the User's Trusted Keystore, which is simply a repository for certificates (intermediate and CA) used to validate an incoming LDAP server certificate. A User's Trusted Keystore is shared by all instances of LDAPviewer.

When the User's Trusted Keystore Manager Window is opened and no keystore has been configured the only button enabled is Create Keystore (apart from those used to close the window and obtain help) as shown:

User's Trusted Keystore - create keystore

Clicking the Create Keystore button will prompt the user for a suitable location (which must have read and write access for the standard Java VM) for the User's Trusted Keystore. The keystore will be created with a fixed name of cacerts.

User's Trusted Keystore - choose keystore location

If the keystore already exists at the selected location (see Delete Keystore Button for possible reasons) the user will be prompted to overwrite it as shown:

User's Trusted Keystore - overwrite existing keystore

Note: The User's Trusted Keystore created at cacerts uses the standard Java Keystore (JKS) format and has a default password value of changeit. However, when used as a User's Trusted Keystore it will only be populated with X.509 certificates (intermediate and CA) which contain no sensitive information (only non-confidential public keys). The User's Trusted Keystore, therefore, does not require enhanced (non-default) password protection though the password can be changed if desired.

Once the empty keystore has been created all other buttons will be enabled as shown:

User's Trusted Keystore - empty keystore

The function of each button is described below.

When a populated User's Trusted Keystore is loaded it will display a Window containing all the current certificates similar to that shown:

User's Trusted Keystore - populated keystore

If the password has been changed from the default the user will be prompted for the password whenever the Manage User's Trusted Keystore Window is opened as shown:

User's Trusted Keystore - enter keystore password

The certificates in the Keystore have a 4 column summary display as shown:

User's Trusted Keystore - certificate table headings

The columns are headed Issuer (the organization which issued the certificate), Expiry (the date the certificate expires and can no longer be used to validate incoming certificates), CA (Yes indicates the certificate is issued by a Certificate Authority, No typically indicates it is an intermediate certificate) and Alias (a key used to uniquely identify the certificate). Any certificate can be inspected in detail using View Certificate.
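The following is an added example, not LDAPviewer's own code, of what lies behind the table and the TLS KS option: it opens a cacerts file in JKS format with the default password changeit, produces the Issuer/Expiry/CA/Alias summary, and builds an SSLContext whose trust decisions come only from that keystore. The page does not say how LDAPviewer derives the CA column, so this example makes the assumption that a self-signed certificate is shown as Yes (a root CA) and any other certificate as No (an intermediate). The class name UserTrustStore and the optional LDAPS connection via JNDI are the example's own.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical helper (not LDAPviewer code): reads a cacerts trust store and uses it for LDAPS. */
public final class UserTrustStore {

    /** One row of the four-column summary: Issuer, Expiry, CA, Alias. */
    public record Row(String issuer, Date expiry, boolean ca, String alias) {
        @Override public String toString() {
            return String.format("%-50s %tF %-3s %s", issuer, expiry, ca ? "Yes" : "No", alias);
        }
    }

    private final KeyStore keyStore;

    private UserTrustStore(KeyStore keyStore) { this.keyStore = keyStore; }

    /** Opens the JKS file; the password is the keystore integrity password, "changeit" unless changed. */
    public static UserTrustStore load(String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password); // a wrong password surfaces as an IOException caused by UnrecoverableKeyException
        }
        return new UserTrustStore(ks);
    }

    /** Builds the summary table. Assumption: CA "Yes" means self-signed root, "No" means intermediate. */
    public List<Row> summary() throws GeneralSecurityException {
        List<Row> rows = new ArrayList<>();
        for (String alias : Collections.list(keyStore.aliases())) {
            if (!keyStore.isCertificateEntry(alias)) {
                continue; // a trust store should hold trusted-certificate entries only, never private keys
            }
            Certificate c = keyStore.getCertificate(alias);
            if (!(c instanceof X509Certificate x)) {
                continue;
            }
            boolean selfSigned = x.getSubjectX500Principal().equals(x.getIssuerX500Principal());
            rows.add(new Row(x.getIssuerX500Principal().getName(), x.getNotAfter(), selfSigned, alias));
        }
        return rows;
    }

    /** Trust decisions made only against this keystore: PKIX must chain the server certificate to one of its entries. */
    public SSLContext sslContext() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(keyStore); // an empty keystore trusts nothing, so every handshake fails until a CA is imported
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Usage: java UserTrustStore /path/to/cacerts [ldaps://host:636] */
    public static void main(String[] args) throws Exception {
        UserTrustStore ts = load(args[0], "changeit".toCharArray()); // default password, per the page
        System.out.println("Issuer                                             Expiry     CA  Alias");
        ts.summary().forEach(System.out::println);

        if (args.length > 1) {
            // JNDI's LDAPS support takes its socket factory from the default SSLContext, so installing
            // ours makes the user keystore the only source of trust for this connection.
            SSLContext.setDefault(ts.sslContext());
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, args[1]);
            env.put(Context.SECURITY_PROTOCOL, "ssl");
            try {
                DirContext ctx = new InitialDirContext(env);
                System.out.println("TLS handshake succeeded: server chain validated against the user keystore");
                ctx.close();
            } catch (NamingException e) {
                // An untrusted or expired chain arrives here as a CommunicationException wrapping SSLHandshakeException
                System.out.println("Connection rejected by the trust check: " + e);
            }
        }
    }
}
```

The Expiry column matters operationally: once a CA or intermediate entry passes its notAfter date the PKIX validator rejects any server chain that depends on it, so the table is also the place to spot an entry that needs replacing before connections start failing.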

The Delete Keystore button may be clicked at any time. Connection Profiles which have been configured with the TLS KS radio button will no longer have access to the User's Trusted Keystore. If the user attempts to connect using such a profile the following prompt will occur:

User Keystore not available

All Buttons

View Certificate Button

The currently selected certificate's details are displayed. If no certificate is selected the click is silently ignored.

Import Certificate Button

Clicking this button allows the user to select a certificate to be imported into the User's Trusted Keystore as shown:

User's Trusted Keystore - import certificate

Certificates may be in .der, .pem, .crt, .cer, .pfx, or .p12 formats. A prompt may occur if the certificate is password protected. (In the example case the explanatory text indicates that a PKCS#12 bag structure from a .p12 file containing an X.509 certificate is secured with a non-empty password, but many other messages are possible depending on the file type.):

User's Trusted Keystore - File structure password

If a single certificate exists in the selected file the following window is displayed:

User's Trusted Keystore - accept import certificate

The certificate may be inspected as described under View Certificate Button, and the user may select Accept Cert (the certificate is copied into the Keystore) or Reject Cert (the certificate is not copied into the Keystore).

If two or more certificates are present in the selected file the user is prompted to select the appropriate certificate as shown:

User's Trusted Keystore - Certificate Chooser

Selecting the required certificate followed by OK (or double clicking it) will display it and allow the user to accept or reject the chosen certificate. Cancel will terminate the Import Certificate command.

Certificates are identified within the Keystore using an alias (a unique text string). If the user attempts to import a certificate with the same alias as an existing certificate (LDAPviewer creates a default alias using the cn value of the certificate's subject attribute) the following prompt will appear:

Client Keystore - alias exists

Clicking OK will overwrite the existing certificate entry. Clicking Cancel will terminate the import operation and clicking Change will prompt the user to change the alias value:

Client Keystore - change alias
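The import flow above, as an added example that is not LDAPviewer's code: it reads certificates from a DER or PEM file (.der, .pem, .crt, .cer) or from a PKCS#12 container (.pfx, .p12, where the container password is the "file structure password" prompt), derives the default alias from the subject cn as the page describes, applies the alias-exists decision, and writes the result back to cacerts (the OK button). The class name TrustStoreImport, the serial-number fallback when a subject has no cn, and the choice of the first certificate when a file holds several (where LDAPviewer shows its chooser) are assumptions of the example.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Hypothetical import helper that mirrors the page's flow; not LDAPviewer's implementation. */
public final class TrustStoreImport {

    /** Reads every certificate in a DER or PEM file. A PEM bundle with several BEGIN CERTIFICATE blocks yields several. */
    public static List<X509Certificate> readCertificateFile(String path)
            throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    /** Reads only the certificates out of a PKCS#12 container; any private key in the bag is left behind. */
    public static List<X509Certificate> readPkcs12(String path, char[] containerPassword)
            throws IOException, GeneralSecurityException {
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            p12.load(in, containerPassword);
        }
        List<X509Certificate> certs = new ArrayList<>();
        for (String alias : Collections.list(p12.aliases())) {
            Certificate[] chain = p12.getCertificateChain(alias); // non-null only for key entries
            if (chain != null) {
                for (Certificate c : chain) certs.add((X509Certificate) c);
            } else if (p12.getCertificate(alias) != null) {
                certs.add((X509Certificate) p12.getCertificate(alias));
            }
        }
        return certs;
    }

    /** Default alias = cn of the subject, as the page says. Falls back to the serial number (assumption). */
    public static String defaultAlias(X509Certificate cert) {
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // unparsable DN: fall through to the serial-number fallback
        }
        return "serial-" + cert.getSerialNumber().toString(16);
    }

    /** The "alias exists" decision: returns the alias stored, or empty when it exists and overwrite is false. */
    public static Optional<String> importCertificate(KeyStore ks, X509Certificate cert,
                                                     String alias, boolean overwrite) throws KeyStoreException {
        if (ks.containsAlias(alias) && !overwrite) {
            return Optional.empty(); // a UI would show the OK / Cancel / Change prompt here
        }
        ks.setCertificateEntry(alias, cert); // replaces an existing trusted-certificate entry of the same alias
        return Optional.of(alias);
    }

    /** Usage: java TrustStoreImport /path/to/cacerts cert.pem [alias] */
    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray(); // keystore password, default per the page
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        boolean pkcs12 = args[1].endsWith(".p12") || args[1].endsWith(".pfx");
        List<X509Certificate> candidates = pkcs12
                ? readPkcs12(args[1], System.console().readPassword("File structure password: "))
                : readCertificateFile(args[1]);
        if (candidates.isEmpty()) throw new IllegalArgumentException("no certificate in " + args[1]);
        X509Certificate cert = candidates.get(0); // assumption: first entry; LDAPviewer offers a chooser instead
        String alias = args.length > 2 ? args[2] : defaultAlias(cert);
        Optional<String> stored = importCertificate(ks, cert, alias, false);
        if (stored.isEmpty()) {
            System.out.println("Alias '" + alias + "' already exists: rerun with another alias or choose overwrite");
            return;
        }
        try (OutputStream out = new FileOutputStream(args[0])) {
            ks.store(out, password); // the OK button: write all changes to cacerts
        }
        System.out.println("Imported " + cert.getSubjectX500Principal() + " as " + stored.get());
    }
}
```

Two points worth noting from the code: JKS treats aliases case-insensitively, so containsAlias catches "Example CA" against "example ca"; and taking certificates out of a PKCS#12 file through the KeyStore API means the private key that may sit beside them never reaches the trust store, which is what keeps the changeit password acceptable.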

Delete Certificate Button

A user prompt identifying the selected certificate's alias is shown:

User's Trusted Keystore - delete certificate

Yes will delete the certificate, No will leave the certificate in the User's Trusted Keystore.

Change Password Button

The User's Trusted Keystore can only contain certificates, which carry non-confidential public keys. Because this keystore does not contain private keys, password protection is not essential. However, if required, the password used to secure the Keystore may be changed at any time. The following window is displayed:

User's Trusted Keystore - change password

Recall that the default password used when the User's Trusted Keystore is initially created is changeit.

Note: A typical Java Keystore (but not the User's Trusted Keystore) can contain private keys and therefore requires careful password control.

Delete Keystore Button

This will remove the User's Trusted Keystore from the configuration. The user is prompted to confirm deletion of the keystore as shown:

User's Trusted Keystore - delete keystore

Selecting Yes will delete the keystore file and remove the User's Trusted Keystore from all instances of LDAPviewer. Selecting No will not delete the keystore file but will remove the User's Trusted Keystore from all instances of LDAPviewer. (The keystore file can be manipulated using the standard Java keytool utility.)

Note: If the User's Trusted Keystore has been deleted and the user selects any Connection Profile which uses this feature (TLS KS radio button) the following prompt is output:

User's Trusted Keystore - Connection Profile requires deleted keystore

Create Keystore Button

Previously described under Create Keystore.

OK Button

Writes all changes to the User's Trusted Keystore and closes the window.

Cancel Button

If the user has made changes the following prompt is displayed:

User's Trusted Keystore - save or discard changes

Selecting Update Keystore will write all changes to the User's Trusted Keystore, Discard Changes will not write any changes and leave the User's Trusted Keystore in the same state as when this window was opened. In both cases the window is closed.

Help Button

Displays this page.

© LV Project 2016. Creative Commons Attribution 4.0 International License.