SSL support in LDAP system

JReport Server's LDAP system supports SSL when connecting to an LDAP server to obtain security information (users, groups and roles). In practice this means the server is reached over an SSL-wrapped LDAP port (conventionally ldaps:// on port 636) instead of the plaintext LDAP port.

Solving the wrong connection port type problem

JReport's security system implements a safeguard against the wrong connection port type problem described below.

The wrong connection port type problem in SSL protocol

If you use an SSL socket to connect to a server port that is not using SSL, or a plain socket to connect to a server's SSL port, your program will hang. This is a characteristic of the SSL protocol rather than a bug in either side: an SSL client opens the connection by sending its handshake and then blocks waiting for the server's reply, while a plaintext LDAP server blocks waiting for an LDAP request it will never receive (and the reverse when a plain socket talks to an SSL port). Because neither side has a reason to give up, and a blocking socket read has no timeout by default, the connection attempt sits there indefinitely.

Method to avoid the wrong connection port type problem

Use a main thread to create a child thread that performs the connection to the LDAP server. The main thread waits on the child thread for a bounded period, the socket timeout time (which users can configure). If the child thread creates the LDAP connection successfully, it notifies the main thread and the program continues. If the child thread hangs because the wrong port type was used, the main thread waits only until the socket timeout time has been reached and then continues, treating the connection as failed. Note that the timeout bounds how long the server waits; it does not repair the misconfiguration, so a timeout on every start-up is a signal to check the LDAP host, port and SSL setting.

Parameter setting in the method

There is one important parameter in this method: the socket timeout time. Since the connection time varies with the network environment, it is read from LDAPProperties.xml: modify the value of the env-socketTime element before the server is started. Its default value is 10, meaning a socket timeout of 10 seconds. Adjust this value to your network environment: too small a value produces spurious failures over slow links, and too large a value only delays the failure report when the port type is wrong.
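The following is an added illustration of the child-thread-with-timeout method described above, written for this page rather than taken from JReport's own code. It connects through JNDI with the SSL protocol selected, runs the blocking InitialDirContext construction in a worker thread, and has the calling thread wait at most the configured number of seconds. The class and method names, the URL, the bind DN and the password are assumptions; the default of 10 seconds mirrors env-socketTime.

```java
import java.util.Hashtable;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Illustrative re-creation of the "child thread plus timeout" method.
 * Not JReport's code; the names and connection parameters are assumptions.
 */
public class GuardedLdapConnect {

    /** Plays the role of env-socketTime in LDAPProperties.xml (seconds). */
    static final int DEFAULT_SOCKET_TIME_SECONDS = 10;

    public static DirContext connect(String url, String principal, String credentials,
                                     int socketTimeSeconds)
            throws NamingException, TimeoutException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        if (url.startsWith("ldaps://")) {
            env.put(Context.SECURITY_PROTOCOL, "ssl"); // JNDI then uses JSSE's default SSLSocketFactory
        }

        // The child thread does the blocking work (TCP connect, SSL handshake, bind);
        // the calling thread only waits on the Future.
        ExecutorService worker = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, "ldap-connect");
            t.setDaemon(true); // a hung handshake must not keep the JVM alive at shutdown
            return t;
        });
        Callable<DirContext> task = () -> new InitialDirContext(env);
        Future<DirContext> pending = worker.submit(task);
        try {
            return pending.get(socketTimeSeconds, TimeUnit.SECONDS);
        } catch (TimeoutException e) {
            // Wrong port type (or unreachable host): give up rather than hang forever.
            pending.cancel(true); // interrupts the child; a socket blocked in SSL I/O may ignore it
            throw new TimeoutException("no LDAP connection to " + url + " within "
                    + socketTimeSeconds + "s (wrong port type, or host unreachable)");
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new NamingException("interrupted while connecting to " + url);
        } catch (ExecutionException e) {
            // The child failed fast (bad credentials, untrusted certificate, refused connection).
            Throwable cause = e.getCause();
            if (cause instanceof NamingException) {
                throw (NamingException) cause;
            }
            throw new IllegalStateException(cause);
        } finally {
            worker.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed values for illustration only.
        DirContext ctx = connect("ldaps://ldap.example.com:636",
                "cn=reader,dc=example,dc=com", "secret", DEFAULT_SOCKET_TIME_SECONDS);
        System.out.println("connected as " + ctx.getNameInNamespace());
        ctx.close();
    }
}
```

The distinction between the TimeoutException and the ExecutionException branches matters operationally: a timeout points at the port type or network path, whereas an exception from the child thread (for example an SSL handshake failure because the server certificate is not trusted) means the port type is right and the problem lies elsewhere. On JDKs newer than the Java 1.4 era this page targets, the JNDI LDAP provider also accepts the environment properties com.sun.jndi.ldap.connect.timeout and com.sun.jndi.ldap.read.timeout (millisecond values as strings), which bound the connect and read phases inside the provider itself; they can be used alongside, or instead of, the watchdog thread.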

About SSL certificate store in JReport Server

Since JNDI uses the default SSL provider, the server's certificates are checked by JSSE's default TrustManager, an X509TrustManager backed by the JRE's trust store. If the TrustManager does not accept them, JReport Server stores the SSL certificates in a separate key store file, <install_root>\properties\LDAPKeyStore.keystore, whose access password is jinfonet. Two points follow from this: the first connection to a server whose certificate is not already trusted is effectively accepted on sight, so import the LDAP server's CA certificate into the trust store before the first connection if you want that check to mean something; and since the default password is documented, protect the file with file-system permissions or use your own store and password. You can use -D parameters to specify another file and password. For instance, to use the certificates in C:\certs\certs.keystore with the password test, add the following parameters to JReport Server's startup file:

"-Djavax.net.ssl.trustStore=C:\certs\certs.keystore"
"-Djavax.net.ssl.trustStorePassword=test"

Note that setting javax.net.ssl.trustStore replaces the JRE's default trust store (cacerts) for the whole JVM rather than adding to it, so the file you name must contain every CA certificate the server needs, not only the LDAP server's. The password given on the command line is visible to anyone who can list the server's processes or read the startup file, so restrict access to both.
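Before pointing the server at a custom trust store, it is worth confirming that the file opens with the password you intend to pass and that the certificates in it are still valid; a wrong password or an expired CA entry shows up only as an SSL handshake failure at start-up. The check below is an added example written for this page, not JReport code; it uses the page's example path and password as assumed defaults and sets the two system properties programmatically, which is equivalent to the -D flags provided it runs before the first SSL connection.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

/**
 * Added sanity check for a trust store that will be passed via
 * -Djavax.net.ssl.trustStore / -Djavax.net.ssl.trustStorePassword.
 * Not JReport code; path and password defaults are the page's examples, used as assumptions.
 */
public class TrustStoreCheck {

    /** Opens the store with the given password and lists its trusted certificates. */
    public static List<String> trustedCertificates(String path, char[] password)
            throws IOException, GeneralSecurityException {
        // Stores created by keytool in the Java 1.4 era are JKS; newer JDKs read JKS
        // and PKCS12 through the default type, so no explicit type is hard-coded here.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password); // a wrong password fails here with an IOException
        }
        List<String> entries = new ArrayList<>();
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (!ks.isCertificateEntry(alias)) {
                continue; // key entries do not affect server-certificate trust
            }
            if (!(ks.getCertificate(alias) instanceof X509Certificate)) {
                continue;
            }
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            String status;
            try {
                cert.checkValidity(); // an expired CA entry cannot complete the handshake
                status = "valid until " + cert.getNotAfter();
            } catch (CertificateException e) {
                status = "NOT VALID: " + e.getMessage();
            }
            entries.add(alias + ": " + cert.getSubjectX500Principal().getName()
                    + " (" + status + ")");
        }
        Collections.sort(entries);
        return entries;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "C:\\certs\\certs.keystore";
        char[] password = (args.length > 1 ? args[1] : "test").toCharArray();

        List<String> entries = trustedCertificates(path, password);
        if (entries.isEmpty()) {
            System.out.println("warning: " + path + " holds no trusted certificates");
        }
        for (String entry : entries) {
            System.out.println(entry);
        }

        // Same effect as the -D parameters in the startup file, if done before any SSL use.
        System.setProperty("javax.net.ssl.trustStore", path);
        System.setProperty("javax.net.ssl.trustStorePassword", new String(password));
    }
}
```

Run it once against the store named in the startup file; an empty listing or a "NOT VALID" entry for the LDAP server's issuer explains a handshake failure before the server is ever started.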

Note: The LDAP service provider uses JSSE for its SSL support. JSSE is bundled with Java 2 SDK, v1.4 and later, so on current JDKs no provider installation or configuration is needed. For earlier versions of the Java platform, see http://java.sun.com/products/jsse for information. To use JSSE on a platform earlier than Java 2 SDK, v1.4, first install JSSE, then configure a JSSE provider either by adding it to the JAVA_HOME/lib/security/java.security file or by registering it programmatically. Here JAVA_HOME refers to the directory where the Java Runtime (JRE) software is installed. Detailed steps can be found in the JSSE Reference Guide.