LDAPviewer provides a number of TLS Features. These features may be selected and configured using the TLS option of the Connection Profile when either the LDAPS protocol or an authentication method using TLS is selected.
When the LDAP server sends its X.509 certificate to LDAPviewer, the normal (default) method of certificate validation uses the Java Trusted Keystore (supplied with JSSE). The certificates in this keystore may be viewed using the View All Certificates item on the Certificates menu.
One of the TLS options available with LDAPviewer is to validate against a user-defined keystore (the User's Trusted Keystore), which is selected using the TLS KS radio button of the Connection Profile. This page describes the configuration and use of the User's Trusted Keystore, which is simply a repository for certificates (intermediate and CA) used to validate an incoming LDAP server certificate. A User's Trusted Keystore is shared by all instances of LDAPviewer.
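As an added example (not LDAPviewer's own code), this Java program performs the validation step that the TLS KS option stands for: it builds a PKIX trust manager from the User's Trusted Keystore alone (the JKS cacerts file with its default password changeit, as described further down this page) and checks a server certificate chain read from a file against it. The two file paths are command-line arguments and are assumptions of the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Validates an LDAP server's certificate chain against a User's Trusted Keystore only. */
public class TrustedKeystoreCheck {
    /** Load the JKS file; the manual gives the fixed name cacerts and the default password changeit. */
    static KeyStore loadUserKeystore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }
    /** PKIX trust manager backed solely by the user keystore, not by the JSSE default truststore. */
    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }
    /** Read the chain (server certificate first) from a PEM or DER file, as captured from the server. */
    static X509Certificate[] readChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
    }
    public static void main(String[] args) throws Exception {
        // Usage: java TrustedKeystoreCheck <path-to-cacerts> <server-chain.pem>
        X509TrustManager tm = trustManagerFor(loadUserKeystore(args[0], "changeit".toCharArray()));
        try {
            tm.checkServerTrusted(readChain(args[1]), "RSA"); // chain building, signatures, validity dates
            System.out.println("chain validates against the User's Trusted Keystore");
        } catch (CertificateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

checkServerTrusted verifies chain building, signatures and validity dates against the keystore's entries; matching the server's hostname against the certificate is a separate step not shown here.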
When the User's Trusted Keystore Manager window is opened and no keystore has been configured, the only button enabled is Create Keystore (apart from those used to close the window and obtain help), as shown:
Clicking the Create Keystore button will prompt the user for a suitable location (which must be readable and writable by the standard Java VM) for the User's Trusted Keystore. The keystore will be created with the fixed name cacerts.
If a keystore already exists at the selected location (see the Delete Keystore button for possible reasons), the user will be prompted to confirm overwriting it, as shown:
Note: The User's Trusted Keystore created at cacerts uses the standard Java Keystore (JKS) format and has the default password changeit. However, when used as a User's Trusted Keystore it will only be populated with X.509 certificates (intermediate and CA), which contain no sensitive information (only non-confidential public keys). The User's Trusted Keystore therefore does not require enhanced (non-default) password protection, though the password can be changed if desired.
Once the empty keystore has been created all other buttons will be enabled as shown:
The function of each button is described below.
When a populated User's Trusted Keystore is loaded it will display a Window containing all the current certificates similar to that shown:
If the password has been changed from the default, the user will be prompted for the password whenever the Manage User's Trusted Keystore window is opened, as shown:
The certificates in the keystore have a four-column summary display, as shown:
The columns are headed Issuer (the organization which issued the certificate), Expiry (the date the certificate expires and can no longer be used to validate incoming certificates), CA (Yes indicates the certificate is issued by a Certificate Authority, No typically indicates it is an intermediate certificate) and Alias (a key used to uniquely identify the certificate). Any certificate can be inspected in detail using View Certificate.
The Delete Keystore button may be clicked at any time. Connection Profiles which have been configured with the TLS KS radio button will no longer have access to the User's Trusted Keystore. If the user attempts to connect using such a profile the following prompt will occur:
Clicking View Certificate displays the currently selected certificate's details. If no certificate is selected the click is silently ignored.
Clicking Import Certificate allows the user to select a certificate to be imported into the User's Trusted Keystore, as shown:
Certificates may be in .der, .pem, .crt, .cer, .pfx, or .p12 formats. A prompt may occur if the certificate is password protected. (In the example case the explanatory text indicates that a PKCS#12 bag structure from a .p12 file containing an X.509 certificate is secured with a non-empty password, but many other messages are possible depending on the file type.):
If a single certificate exists in the selected file the following window is displayed:
The certificate may be inspected in detail (as with View Certificate) and the user may select Accept Cert (the certificate is copied into the keystore) or Reject Cert (the certificate is not copied into the keystore).
If two or more certificates are present in the selected file the user is prompted to select the appropriate certificate as shown:
Selecting the required certificate followed by OK (or double clicking it) will display it and allow the user to accept or reject the chosen certificate. Cancel will terminate the Import Certificate command.
Certificates are identified within the keystore using an alias (a unique text string). If the user attempts to import a certificate with the same alias as an existing certificate (LDAPviewer creates a default alias using the cn value of the certificate's subject attribute), the following prompt will appear:
Clicking OK will overwrite the existing certificate entry. Clicking Cancel will terminate the import operation, and clicking Change will prompt the user to change the alias value:
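As an added example (not LDAPviewer's own code) covering both the four-column summary display and the cn-derived default alias just described: this Java program lists a User's Trusted Keystore (the JKS cacerts file, default password changeit) in the Issuer, Expiry, CA and Alias columns, and imports a .pem or .der certificate under an alias taken from the subject's cn, refusing to overwrite an existing alias unless told to. Deriving the CA column from the basic constraints extension and falling back to the full subject DN when no cn is present are this example's own choices.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class UserKeystoreEntries {
    /** Default alias from the cn of the subject; the fall-back to the full DN is this example's choice. */
    static String defaultAlias(X509Certificate cert) throws Exception {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if (rdn.getType().equalsIgnoreCase("CN")) return rdn.getValue().toString();
        }
        return dn.toString();
    }
    /** One row in the manager's columns: Issuer | Expiry | CA | Alias. */
    static String summaryRow(String alias, X509Certificate cert) {
        boolean ca = cert.getBasicConstraints() != -1; // -1: no CA basic constraint present
        return String.format("%s | %tF | %s | %s", cert.getIssuerX500Principal().getName(),
                cert.getNotAfter(), ca ? "Yes" : "No", alias);
    }
    static void listEntries(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias))
                System.out.println(summaryRow(alias, (X509Certificate) ks.getCertificate(alias)));
        }
    }
    /** Import one .pem/.der certificate; false means the alias is taken and the caller must confirm or rename. */
    static boolean importCert(KeyStore ks, String certPath, boolean overwrite) throws Exception {
        X509Certificate cert;
        try (InputStream in = new FileInputStream(certPath)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        String alias = defaultAlias(cert);
        if (ks.containsAlias(alias) && !overwrite) return false;
        ks.setCertificateEntry(alias, cert);
        return true;
    }
    public static void main(String[] args) throws Exception {
        // Usage: java UserKeystoreEntries <path-to-cacerts> [certificate-to-import]
        char[] pw = "changeit".toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) { ks.load(in, pw); }
        if (args.length > 1 && !importCert(ks, args[1], false))
            System.out.println("alias already exists: confirm overwrite or change the alias");
        try (FileOutputStream out = new FileOutputStream(args[0])) { ks.store(out, pw); } // write changes back
        listEntries(ks);
    }
}
```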
When deleting a certificate, a prompt identifying the selected certificate's alias is shown:
Yes will delete the certificate, No will leave the certificate in the User's Trusted Keystore.
The User's Trusted Keystore contains only certificates, that is, non-confidential public keys. Since this keystore holds no private keys, password protection is not essential. However, if required, the password used to secure the keystore may be changed at any time. The following window is displayed:
Recall that the default password used when the User's Trusted Keystore is initially created is changeit.
Note: A typical Java Keystore (but not the User's Trusted Keystore) can contain private keys and therefore requires careful password control.
Clicking Delete Keystore removes the User's Trusted Keystore from the configuration. The user is prompted to confirm deletion of the keystore, as shown:
Selecting Yes will delete the keystore file and remove the User's Trusted Keystore from all instances of LDAPviewer. Selecting No will not delete the keystore file but will remove the User's Trusted Keystore from all instances of LDAPviewer. (The keystore file can be manipulated using the standard Java keytool utility.)
Note: If the User's Trusted Keystore has been deleted and the user selects any Connection Profile which uses this feature (TLS KS radio button), the following prompt is output:
Writes all changes to the User's Trusted Keystore and closes the window.
If the user has made changes the following prompt is displayed:
Selecting Update Keystore will write all changes to the User's Trusted Keystore, Discard Changes will not write any changes and leave the User's Trusted Keystore in the same state as when this window was opened. In both cases the window is closed.
The help button displays this page.
© LV Project 2016. Creative Commons Attribution 4.0 International License.