Ling-yuan Tai wrote: Tim,
Thank you for the explanation. I recall an online post mentioning that a certificate needs to be installed on the Tomcat server for the LDAPS connection; is that right? I'm not sure if we have a certificate installed on the Tomcat server.
To the best of my knowledge, the only certs that need to be installed are the certs that might have been generated when the server OS was installed. And I might be thinking of the host's own certs for its SSL clients.
I think maybe someone's thinking of a client-side certificate, but that would not be the standard option. A client-side cert is what you use when you don't want to use a userid and password to authenticate, but instead want the server to challenge for a cert over an encrypted channel, and therefore it would probably need the LDAP server to have been specially configured. At least that's how client-side certs work with webapp servers like Tomcat and Apache - they won't use a client-side cert unless you set them up to use client-side certs.
Client-side certs for desktop machines are, in my opinion, not a good idea - steal the machine and you've stolen the keys as well. For in-house DMZ servers, there's not much probability that someone will steal a machine, so they work better in that environment. But again, only when the other machine is willing to use that authentication channel.
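Added illustration, not from either poster: a Tomcat 8.5+/9 server.xml fragment showing the two points above. Tomcat as an LDAPS client (JNDIRealm) needs no certificate of its own, only trust in the CA that signed the LDAP server's certificate; Tomcat as a TLS server only challenges clients for a certificate when the connector is explicitly configured to. Hostnames, DNs, file paths and passwords are placeholders.

```xml
<!-- Hypothetical server.xml fragments (added illustration, not from the thread). -->

<!-- 1. Tomcat as an LDAPS *client*: the JNDIRealm presents no certificate.
     The JVM must trust the CA that signed the LDAP server's certificate, e.g.
       keytool -importcert -alias corp-ldap-ca -file ldap-ca.pem \
               -keystore $JAVA_HOME/lib/security/cacerts
     or a dedicated truststore passed to the JVM via
       -Djavax.net.ssl.trustStore=/path/to/ldap-truststore.jks
     If that trust is missing, the bind fails with a PKIX path-building error. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://ldap.example.com:636"
       connectionName="cn=tomcat-bind,ou=service,dc=example,dc=com"
       connectionPassword="CHANGE-ME"
       userBase="ou=people,dc=example,dc=com"
       userSearch="(uid={0})"
       roleBase="ou=groups,dc=example,dc=com"
       roleName="cn"
       roleSearch="(member={0})"/>

<!-- 2. Tomcat as a TLS *server*, default behaviour: no client certificate
     is requested; users authenticate with userid and password. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true">
    <SSLHostConfig certificateVerification="none">
        <Certificate certificateKeystoreFile="conf/tomcat-server.jks"
                     certificateKeystorePassword="CHANGE-ME"
                     type="RSA"/>
    </SSLHostConfig>
</Connector>

<!-- 3. Same connector, now set up to demand a client certificate. The
     truststore names the CA that issued the client certs; anything else
     is rejected during the TLS handshake. -->
<Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true">
    <SSLHostConfig certificateVerification="required"
                   truststoreFile="conf/client-ca-truststore.jks"
                   truststorePassword="CHANGE-ME">
        <Certificate certificateKeystoreFile="conf/tomcat-server.jks"
                     certificateKeystorePassword="CHANGE-ME"
                     type="RSA"/>
    </SSLHostConfig>
</Connector>
```

On Tomcat 7 and earlier the equivalent switch is the Connector attribute clientAuth="true" (or "want"), with truststoreFile/truststorePass on the Connector itself.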