Gateway security
The DS HDAP gateway runs as a web application in a container like Apache Tomcat. Security settings depend on the container and on the gateway configuration file.
Container security settings
Container security settings are covered in the documentation for the supported web application container you deploy the gateway in; use the documentation for that container and version.
For example, the Apache Tomcat 9 documentation includes the following:
- For instructions on setting up HTTPS, refer to SSL/TLS Configuration HOW-TO.
- For other security-related settings, refer to Security Considerations.
HDAP settings
Make sure the web application container protects traffic to the gateway with HTTPS.
Review the following settings in the gateway configuration file, config.json:
security/keyManager
- If the LDAP server expects TLS client authentication, set this so the gateway can access its keystore.
security/trustManager
- Set this to a truststore holding the certificate(s) needed to trust the remote LDAP servers.
ldapConnectionFactories/bind/connectionSecurity
- Use ssl or startTLS. Either option protects the bind credentials; do not leave the connection unprotected.
ldapConnectionFactories/bind/sslCertAlias
- If the LDAP server expects TLS client authentication, set this to the alias of the gateway's certificate in its keystore.
ldapConnectionFactories/primaryLdapServers/port
- Use an LDAP port that supports StartTLS or LDAPS. This is particularly important if the gateway ever sends credentials over LDAP.
authorization/resolver
- Check the endpointUrl of the resolver to make sure that OAuth 2.0 tokens are sent over HTTPS.
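The following review script is an added example, not part of the DS documentation or the gateway's own code. It reads a gateway config.json and reports each of the settings listed above that would leave LDAP or OAuth 2.0 traffic unprotected: a missing truststore, a connection factory whose connectionSecurity is not ssl or startTLS, an sslCertAlias with no keyManager to back it, and any endpointUrl under authorization that is not HTTPS. It assumes the slash-separated setting paths above map to nested JSON keys, that every entry under ldapConnectionFactories is a connection factory with its own primaryLdapServers list of {"hostname", "port"} objects, and, as a heuristic only, that ports 389 and 1389 are conventional plain-LDAP/StartTLS ports. The two embedded configurations are constructed for the example.

```python
"""Review an HDAP gateway config.json for the transport-security settings
described above. Added example; not the gateway's own code.

Assumptions (not confirmed by the documentation):
- "security", "ldapConnectionFactories" and "authorization" are top-level
  JSON objects and the documented slash paths map to nested keys.
- connectionSecurity is a string; anything other than "ssl"/"startTLS"
  leaves bind credentials unprotected.
- 389 and 1389 are conventional plain LDAP ports (heuristic only).
"""
import json
from urllib.parse import urlsplit

SECURE_CONNECTION_SECURITY = {"ssl", "startTLS"}
CONVENTIONAL_LDAP_PORTS = {389, 1389}  # heuristic, see module docstring


def _walk(node, path=()):
    """Yield (path, value) for every leaf of a nested JSON structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, path + (str(index),))
    else:
        yield path, node


def review_gateway_config(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    security = config.get("security", {})

    if not security.get("trustManager"):
        findings.append("security/trustManager is not set: remote LDAP server "
                        "certificates cannot be validated")

    for name, factory in config.get("ldapConnectionFactories", {}).items():
        prefix = f"ldapConnectionFactories/{name}"
        mode = factory.get("connectionSecurity")
        if mode not in SECURE_CONNECTION_SECURITY:
            findings.append(f"{prefix}/connectionSecurity is {mode!r}: use ssl or "
                            "startTLS so bind credentials are never sent in the clear")
        if factory.get("sslCertAlias") and not security.get("keyManager"):
            findings.append(f"{prefix}/sslCertAlias is set but security/keyManager "
                            "is not: the gateway cannot present its client certificate")
        for server in factory.get("primaryLdapServers", []):
            port = server.get("port")
            if mode == "ssl" and port in CONVENTIONAL_LDAP_PORTS:
                findings.append(f"{prefix}/primaryLdapServers/port {port} with "
                                "connectionSecurity ssl: confirm this is an LDAPS port")

    # Any endpointUrl under authorization (the OAuth 2.0 resolver) must be HTTPS.
    for path, value in _walk(config.get("authorization", {})):
        if path[-1] == "endpointUrl" and urlsplit(str(value)).scheme != "https":
            findings.append(f"authorization/{'/'.join(path)} is {value!r}: "
                            "OAuth 2.0 tokens must be sent over HTTPS")
    return findings


# Constructed sample: every setting left weak.
WEAK_CONFIG = json.loads("""{
  "security": {},
  "ldapConnectionFactories": {
    "root": {"connectionSecurity": "none",
             "primaryLdapServers": [{"hostname": "ds.example.com", "port": 1389}]},
    "bind": {"connectionSecurity": "ssl", "sslCertAlias": "gateway-cert",
             "primaryLdapServers": [{"hostname": "ds.example.com", "port": 1389}]}
  },
  "authorization": {"resolver": {"endpointUrl": "http://am.example.com/oauth2/introspect"}}
}""")

# Constructed sample: the same deployment with the settings corrected.
HARDENED_CONFIG = json.loads("""{
  "security": {"trustManager": "file", "keyManager": "file"},
  "ldapConnectionFactories": {
    "root": {"connectionSecurity": "startTLS",
             "primaryLdapServers": [{"hostname": "ds.example.com", "port": 1389}]},
    "bind": {"connectionSecurity": "ssl", "sslCertAlias": "gateway-cert",
             "primaryLdapServers": [{"hostname": "ds.example.com", "port": 1636}]}
  },
  "authorization": {"resolver": {"endpointUrl": "https://am.example.com/oauth2/introspect"}}
}""")


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = review_gateway_config(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it against a real config.json with `review_gateway_config(json.load(open("config.json")))`; the port check is only a prompt to confirm the listener type, since nothing in the file says which ports the server exposes with LDAPS or StartTLS.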