and server. For an SSL connection to be established successfully, the following conditions must be satisfied:

The LDAP server must be configured by its administrator to accept SSL connections. The default port for LDAP over SSL is port 636. Many servers are not configured by default to accept SSL connections, so check with the server administrator if there is any doubt.

The authentication certificate presented to the LDAP Browser by the server must be signed by a trusted certificate authority.

The LDAP Browser will automatically recognize and trust server certificates that are signed by any one of a group of well-known certificate authorities. However, if an LDAP server presents a certificate that is not signed by one of these well-known certificate authorities, the connection attempt will fail. This is typically the case when attempting to connect to LDAP servers that have been configured with self-signed certificates or certificates issued by a certificate authority internal to a company or organization. In cases such as this, the server's certificate must be manually added to a certificate store file that the LDAP Browser will use as a source of trusted certificates.

To add an LDAP server certificate to a trusted certificate store file, perform the following steps:

1. Obtain the LDAP server's digital certificate from the server's administrator.

Some administrators provide access to this certificate by posting a link to it on an associated Web site or by storing it in a publicly accessible entry in the LDAP directory. Either the binary form of the certificate or the printable Base64-encoded form defined by the Internet RFC 1421 standard is acceptable.

2. Import the certificate into a trusted certificate store file called .keystore in the user's home directory.

To accomplish this, use the keytool utility that ships as part of the Java installation. For example:

# keytool -import -alias someserver -file someserver.cer -keystore ~/.keystore -storepass mypassword

Here, someserver is an alias that will be used to refer to this certificate, someserver.cer is the file containing the certificate, and mypassword is the password used to access the keystore.

3. Restart the LDAP Browser to load the new keystore.

4. Connect to the LDAP server.

If the previous steps have been performed and the connection still cannot be made, verify that the host name, port, base distinguished name, and bind authentication information are all configured correctly. If the problem still remains, the LDAP Browser can be run from the command line with a special qualifier that turns on SSL debugging; this can sometimes reveal the problem. To use the qualifier, run the LDAP Browser from the directory where the ldapbrowser.jar file resides. For example:

# java -Djavax.net.debug=all -jar ldapbrowser.jar
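As an added example (not part of the manual or the LDAP Browser), a small Python helper for steps 1 and 2: it accepts either certificate form the manual allows (binary DER or the Base64 RFC 1421 form), computes the certificate's SHA-256 fingerprint so it can be compared with the value the administrator supplies before the certificate becomes a trust anchor, and builds the keytool command from the manual with the correct option syntax. The sample certificate bytes are constructed for the demonstration and are not a real certificate.

```python
import base64
import hashlib
import re
import subprocess
from pathlib import Path

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_to_der(data: bytes) -> bytes:
    """Return DER bytes from either form the manual accepts:
    raw binary DER, or the printable Base64 (RFC 1421) form."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    if data[:1] != b"\x30":  # an X.509 certificate always starts as a DER SEQUENCE
        raise ValueError("file is neither a PEM nor a DER-encoded certificate")
    return data


def fingerprint(data: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, for out-of-band comparison with
    the value the server administrator provides before importing."""
    digest = hashlib.sha256(cert_to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def keytool_import_argv(alias: str, cert_path: str, keystore: str, storepass: str) -> list:
    """The manual's keytool command as an argv list (no shell quoting issues)."""
    return ["keytool", "-import", "-noprompt", "-alias", alias, "-file", cert_path,
            "-keystore", str(Path(keystore).expanduser()), "-storepass", storepass]


def import_if_verified(alias: str, cert_path: str, expected_fp: str,
                       keystore: str = "~/.keystore", storepass: str = "") -> list:
    """Import only when the fingerprint matches; return the argv that was run."""
    if fingerprint(Path(cert_path).read_bytes()) != expected_fp.upper():
        raise ValueError("fingerprint mismatch: do not add this certificate to the keystore")
    argv = keytool_import_argv(alias, cert_path, keystore, storepass)
    subprocess.run(argv, check=True)
    return argv


if __name__ == "__main__":
    # Constructed sample: a 5-byte DER SEQUENCE, not a real certificate.
    sample_der = b"\x30\x03\x02\x01\x05"
    sample_pem = b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
    print(fingerprint(sample_der) == fingerprint(sample_pem))  # both forms give the same value
    print(" ".join(keytool_import_argv("someserver", "someserver.cer", "~/.keystore", "mypassword")))
```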

Disconnecting from an LDAP Server

To terminate the currently established LDAP connection, choose Disconnect from the File menu.

Reconnecting to an LDAP Server

To disconnect and then reconnect from an established connection, or to reestablish a connection that was terminated, choose Reconnect from the File menu.

Using the Main Browsing Window

Once a connection is established, the main browsing window allows you to view and manage the information in the directory. The directory is graphically represented in tree form, with each

Using the LDAP Browser 199
HP-UX Internet Express Software manual: Using the Main Browsing Window, Disconnecting from an LDAP Server