Configuring StartTLS with an external LDAP server

This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.


StartTLS is an LDAP extension that uses TLS/SSL to secure an otherwise plaintext LDAP connection. Unlike LDAPS, StartTLS keeps the existing connection on the same port (389) and upgrades it in place, so that all traffic after the StartTLS exchange is encrypted. The security provision can be turned on and off according to the requirements.

For more information on StartTLS, see Lightweight Directory Access Protocol

To use this feature, apply the 3962 WUM update for WSO2 IS 5.7.0 using the WSO2 Update Manager (WUM).

To deploy a WUM update into production, you need to have a paid subscription. If you do not have a paid subscription, you can use this feature with the next version of WSO2 Identity Server when it is released. For more information on updating WSO2 Identity Server using WUM, see Getting Started with WUM in the WSO2 Administration Guide.

Before you begin

Make sure you have an LDAP server such as OpenLDAP or Active Directory that is up and running.

Configuring WSO2 Identity Server

  1. Execute the following command in a command prompt to import the LDAP server’s public certificate to the WSO2 client keystore. 

    keytool -importcert -file <certificate file> -keystore <IS_HOME>/repository/resources/security/client-truststore.jks -alias <your alias>
  2. If you are configuring a primary user store, add the following property to the corresponding user store configuration in the user-mgt.xml file located in <IS_HOME>/repository/conf. If you are configuring a secondary user store, add it to the corresponding user store configuration in that user store's own XML configuration file.

    <Property name="StartTLSEnabled">true</Property>
  3. Run WSO2 Identity Server.
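The following script is an added example, not part of the WSO2 documentation or product code. It checks the two settings from the steps above before the server is started: that StartTLSEnabled is true and that the ConnectionURL is a plain ldap:// URL (StartTLS upgrades the port-389 session in place, so an ldaps:// URL is a different setup, and ldap:// with StartTLS disabled sends the bind DN and password in cleartext). It assumes a user store configuration with <Property name="ConnectionURL"> and <Property name="StartTLSEnabled"> elements as in user-mgt.xml; the sample XML files, the hostname ldap.example.test and the truststore password parameter are constructed for the example and are not values from this page.

```shell
#!/bin/sh
# Added example (not WSO2 documentation or product code): pre-flight check of
# the StartTLS user store settings before starting WSO2 Identity Server.

# xml_property FILE NAME
# Prints the text of the first <Property name="NAME">...</Property> in FILE.
xml_property() {
    sed -n "s|.*<Property name=\"$2\">[[:space:]]*\([^<]*\)</Property>.*|\1|p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_starttls_config FILE
# Succeeds (0) only when ConnectionURL is ldap:// and StartTLSEnabled is true.
# ldaps:// is implicit TLS on a separate port and is not what StartTLS upgrades;
# ldap:// with StartTLS off means the bind credentials cross the wire unencrypted.
check_starttls_config() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 2; }
    url=$(xml_property "$cfg" ConnectionURL)
    enabled=$(xml_property "$cfg" StartTLSEnabled)
    case "$url" in
        ldap://*) ;;
        ldaps://*) echo "ConnectionURL is ldaps://; StartTLS applies to ldap:// connections" >&2; return 1 ;;
        *) echo "ConnectionURL missing or not an LDAP URL: '$url'" >&2; return 1 ;;
    esac
    [ "$enabled" = "true" ] || {
        echo "StartTLSEnabled is '${enabled:-unset}': LDAP bind would be cleartext" >&2
        return 1
    }
    return 0
}

# truststore_has_alias TRUSTSTORE ALIAS STOREPASS
# Confirms the certificate imported in step 1 is present under ALIAS.
# Requires keytool on PATH; the store password is a parameter (assumed), not a
# value taken from the documentation.
truststore_has_alias() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 2; }
    keytool -list -keystore "$1" -alias "$2" -storepass "$3" >/dev/null 2>&1
}

# --- Constructed sample configurations (illustrative, not real deployment files) ---
SAMPLE_DIR=$(mktemp -d)
GOOD_CFG="$SAMPLE_DIR/starttls-ok.xml"     # ldap:// + StartTLS on: correct
LDAPS_CFG="$SAMPLE_DIR/ldaps-mixed.xml"    # ldaps:// + StartTLS on: mismatched
PLAIN_CFG="$SAMPLE_DIR/cleartext.xml"      # ldap:// + StartTLS off: cleartext bind

cat > "$GOOD_CFG" <<'EOF'
<UserStoreManager>
    <Property name="ConnectionURL">ldap://ldap.example.test:389</Property>
    <Property name="StartTLSEnabled">true</Property>
</UserStoreManager>
EOF

cat > "$LDAPS_CFG" <<'EOF'
<UserStoreManager>
    <Property name="ConnectionURL">ldaps://ldap.example.test:636</Property>
    <Property name="StartTLSEnabled">true</Property>
</UserStoreManager>
EOF

cat > "$PLAIN_CFG" <<'EOF'
<UserStoreManager>
    <Property name="ConnectionURL">ldap://ldap.example.test:389</Property>
    <Property name="StartTLSEnabled">false</Property>
</UserStoreManager>
EOF

# Run the check over the three samples; only the first should pass.
for f in "$GOOD_CFG" "$LDAPS_CFG" "$PLAIN_CFG"; do
    if check_starttls_config "$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
```

Point check_starttls_config at your real user-mgt.xml (or a secondary user store's XML file) and truststore_has_alias at client-truststore.jks with the alias used in step 1 to confirm both halves of the configuration before starting the server. The check only looks at the first matching property in the file, so run it against one user store configuration at a time.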

Verifying the functionality of StartTLS

  1. To enable the debug log, uncomment the following property in the log4j.properties file in the <IS_HOME>/repository/conf/ folder.

    log4j.logger.org.wso2.carbon.user.core=DEBUG
  2. You can also use a network-sniffing tool such as Wireshark to confirm that the LDAP traffic on port 389 is encrypted after the StartTLS exchange.