
Title

Configuring Contribute Publishing Services to use LDAPS

Issue

Contribute Publishing Services (CPS) may be configured to retrieve usernames, passwords and email addresses from Lightweight Directory Access Protocol (LDAP) servers. This should dramatically simplify deployment of Contribute for a large number of users.

However, the default configuration of Contribute Publishing Services does not encrypt communications to the LDAP server. This TechNote describes one method of configuring CPS to use LDAPS, which encrypts the information sent to and from the LDAP server. This method is for CPS installs on JRun 4, with additional information for CPS WAR installations on other J2EE servers.

Solution

The solution involves using the Java keytool command to import the LDAP server's certificate into the CPS trustStore. If the server certificate is in PEM (Privacy Enhanced Mail) format, the certificate needs to be converted into DER-encoded (Distinguished Encoding Rules) or Base64-encoded format. To perform this conversion, see step 2 under Additional Information.

For the following steps:

  • cps_install_path refers to the directory specified in the CPS installation: e.g. C:\Program Files\Macromedia\Contribute Publishing Services
  • jrun_root refers to the root directory for the JRun 4 server
    • For simple CPS installations jrun_root refers to cps_install_path/jrun4;
    • For manual CPS WAR installations on existing JRun4 servers, jrun_root refers to [drive]:\JRun4
  • cps_server_instance refers to the JRun4 server instance name running CPS
    • For simple CPS installations this is typically named contribute-wps
    • For manual installs this is the name of the server to which you deployed the CPS
  1. Copy (export) the LDAP server's certificate file to the CPS server.
  2. Locate the trustStore used for the CPS server instance. All JRun server instances use jrun_root\lib\trustStore by default. If you want to use a different trustStore you will need to configure the SSLService for the JRun built-in Web Server for the CPS server instance:
    1. Open the jrun_root/servers/cps_server_instance/SERVER-INF/jrun.xml file.
    2. Locate the SSLService for the built-in JRun Web Server. Note: You may need to uncomment the SSLService section for manual installations on existing JRun 4 servers.
    3. Modify the trustStore attribute, specifying the location of your new trustStore file. For example, to use the cacerts file for the JRE embedded with JRun, change:
      <attribute name="trustStore">{jrun.rootdir}/lib/trustStore</attribute>

      to the following:
      <attribute name="trustStore">{jrun.rootdir}/jre/lib/security/cacerts</attribute>
  3. Import the LDAP server's certificate into the trustStore:
    1. Open a command prompt to the embedded JRE:
      1. For manual installs: jrun_root\jre\bin
      2. For Simple installs: cps_install_path\jre\bin
    2. Type the following command supplying the path (relative or fully qualified) to your LDAP server's certificate file and the trustStore file location:
       keytool -import -alias [nickname for cert] -file [cert filename and path] -keystore [trustStore filename and path] -storepass [trustStore password] 
      Note: If the LDAP server's certificate was created by an unknown certificate authority (e.g. a self-signed certificate) then you will be prompted to verify the certificate's information and confirm the import.
      For example:
       keytool -import -alias ldapServerCert -file C:\Certs\ldapservercert.cer -keystore ..\..\lib\trustStore -storepass changeit 
      Note: The default password for the trustStore is changeit. You should change this to increase security on the file.
  4. Restart CPS.

Additional Information

WAR installation of Contribute Publishing Services

If you installed CPS as a WAR file on a J2EE server other than JRun, please refer to that server's documentation and server administrator in order to obtain trustStore location and trustStore password.

Here is an outline of the steps:

  1. Locate the certificate file for your LDAP server and copy it to your CPS machine
  2. (optional) If the certificate is in PEM format, you need to convert it to DER format.
    1. Install OpenSSL (if it is not installed yet) and run this command:
       openssl x509 -inform PEM -in [original certificate filename and path].pem -outform DER -out [target filename and path].der
  3. Import the certificate file into your trust store:
     keytool -import -alias [nickname for certificate] -file [certificate filename and path] -keystore [trustStore filename and path] -storepass [trustStore password] 
  4. Restart CPS.
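
Before confirming keytool's trust prompt for a self-signed LDAP certificate (the note in step 3 of the Solution), or after the PEM to DER conversion in step 2 above, the file's fingerprint can be compared with one obtained from the LDAP administrator over a separate channel. The following is an added example, not part of the original TechNote: it normalizes a PEM or DER file to DER and computes the fingerprint in the colon-separated hex layout keytool prints; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed placeholder bytes shaped like a DER SEQUENCE; not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")


def to_der(cert_bytes: bytes) -> bytes:
    """Return DER bytes for a certificate file that is either PEM or DER."""
    if cert_bytes[:1] == b"\x30":  # DER starts with an ASN.1 SEQUENCE tag
        return cert_bytes
    text = cert_bytes.decode("ascii", errors="ignore")
    start, end = text.find(PEM_HEADER), text.find(PEM_FOOTER)
    if start == -1 or end < start:
        raise ValueError("not a PEM or DER certificate")
    # Decode only the first certificate block; ignore any text around it.
    return ssl.PEM_cert_to_DER_cert(text[start:end + len(PEM_FOOTER)])


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated uppercase hex, the layout keytool prints."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_expected(cert_bytes: bytes, expected: str, algo: str = "sha256") -> bool:
    """Compare the file's fingerprint with one obtained out of band."""
    wanted = "".join(c for c in expected.upper() if c in "0123456789ABCDEF")
    actual = fingerprint(to_der(cert_bytes), algo).replace(":", "")
    return hmac.compare_digest(actual, wanted)


if __name__ == "__main__":
    trusted = fingerprint(SAMPLE_DER)  # stands in for the value the LDAP admin gives you
    print("PEM copy matches:", matches_expected(SAMPLE_PEM, trusted))
    print("altered copy matches:", matches_expected(SAMPLE_DER[:-1] + b"\x00", trusted))
```

Pass `algo="sha1"` when the fingerprint you were given is a SHA-1 value.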

Doc ID
(54f01608)

Last updated
2007-06-07

OS
Solaris
Windows 2000
Windows 2003
Windows XP
Linux
