StartTLS (Transport Layer Security) negotiations start on the unsecured LDAP port and then protect communication with the client. You can opt to configure StartTLS during installation, or later using the dsconfig command.
Procedure 4.4. To Enable StartTLS on the LDAP Port

- Make sure you have a server certificate installed.

  $ keytool -list -alias server-cert -keystore /path/to/opendj/config/keystore -storepass `cat /path/to/opendj/config/keystore.pin`
  server-cert, Jun 17, 2013, PrivateKeyEntry,
  Certificate fingerprint (SHA1): 92:B7:4C:4F:2E:24:...:EB:7C:22:3F

- Activate StartTLS on the current LDAP port.

  $ dsconfig set-connection-handler-prop --hostname opendj.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --handler-name "LDAP Connection Handler" --set allow-start-tls:true --set key-manager-provider:JKS --set trust-manager-provider:JKS --trustAll --no-prompt

  The change takes effect immediately. There is no need to restart the server.
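To check that the connection handler now accepts StartTLS, the following added example (not part of the OpenDJ documentation or its tools) performs the RFC 4511 StartTLS extended operation by hand: it sends the ExtendedRequest for OID 1.3.6.1.4.1.1466.20037 on the plain LDAP port, checks that the ExtendedResponse carries resultCode 0, and only then upgrades the socket to TLS, verifying the server certificate against a CA file instead of trusting everything. The host name, the LDAP port 1389 and the `cafile` path are assumptions for the example.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 4511 section 4.14

def ber_tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER tag-length-value; lengths under 128 use the short form."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + ext_req)

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_extended_response(msg: bytes):
    """Return (resultCode, diagnosticMessage) from an ExtendedResponse [APPLICATION 24]."""
    _, body, _ = read_tlv(msg)              # outer LDAPMessage SEQUENCE
    _, _, pos = read_tlv(body)              # messageID, not needed here
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("expected ExtendedResponse (tag 0x78), got 0x%02x" % tag)
    _, code, pos = read_tlv(op)             # resultCode ENUMERATED; 0 means success
    _, _, pos = read_tlv(op, pos)           # matchedDN
    _, diag, _ = read_tlv(op, pos)          # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def starttls_handshake(host: str, port: int = 1389, cafile: str = None) -> str:
    """Send StartTLS on the plain LDAP port, then upgrade the socket; returns the TLS version."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies the server certificate chain
    with socket.create_connection((host, port), timeout=10) as raw:   # assumed host/port
        raw.sendall(build_starttls_request())
        code, diag = parse_extended_response(raw.recv(4096))
        if code != 0:
            raise RuntimeError("server refused StartTLS: resultCode=%d %r" % (code, diag))
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()
```

Calling `starttls_handshake("opendj.example.com", 1389, cafile="/path/to/ca.pem")` returns the negotiated TLS version on success and raises if the handler still rejects StartTLS (for example with resultCode 2, protocolError, before `allow-start-tls` is set).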

