Option 1, which should work, as near as I can tell from several hours of googling, is to build a "Trusted Keystore" — put a copy of the LDAP server's cert into a different keystore:
keytool -import -file my_ldap_cert.cer -alias my_ldap_cert -keystore trusted.keystore
Now add that to your Tomcat (version 5.0.27 or better) container. For example,
<Connector port="443"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="/usr/share/ssl/certs/tomcat.p12" keystorePass="xxxxxx"
    keystoreType="PKCS12"
    truststoreFile="/usr/share/ssl/certs/trusted.keystore" truststorePass="xxxx"
    truststoreType="JKS"
/>
Note that in this example, my Tomcat SSL cert is saved in PKCS12 (I generated my key and CSR with openssl), while my truststoreFile (created with keytool) is in JKS format.
Looks good, on paper, and I found a number of web references that suggest this should work — but it didn't.
Option 2, which did work (though I found a reference saying it didn't and recommending option 1), was to put a copy of the LDAP server's cert into the default Java keystore:
keytool -import -file my_ldap_cert.cer -alias my_ldap_cert -keystore $JAVA_HOME/jre/lib/security/cacerts
This did work, thus ending 5 or 6 hours of head banging.
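The reason the second route works and the first does not is worth spelling out: the Connector's truststoreFile only governs TLS on that HTTPS connector (it is what Tomcat uses to verify client certificates), while outbound TLS connections that the JVM opens itself, such as JNDI/LDAP lookups, consult the JVM-wide truststore. That JVM-wide store is cacerts by default, but it can be redirected with the javax.net.ssl.trustStore system properties, which avoids editing the shared JDK file. The script below is an added example, not part of the original post: it imports the LDAP server's certificate into a dedicated JKS truststore, shows the certificate fingerprint so it can be compared against one obtained out of band before it is trusted, and emits the JAVA_OPTS needed to point Tomcat's JVM at that store. The paths and alias come from the post; the password and the use of JAVA_OPTS are assumptions (Tomcat's catalina.sh honors JAVA_OPTS).

```shell
#!/bin/sh
# Added example (not from the original post). Builds a dedicated truststore for
# the LDAP server certificate and points the whole JVM at it, so the JDK's
# shared cacerts file is left untouched. Adjust the values for your install.
set -eu

TRUSTSTORE="${TRUSTSTORE:-/usr/share/ssl/certs/trusted.keystore}"  # path from the post
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-changeit}"                      # assumed placeholder password
LDAP_CERT="${LDAP_CERT:-my_ldap_cert.cer}"                          # file name from the post
LDAP_ALIAS="${LDAP_ALIAS:-my_ldap_cert}"                            # alias from the post

# Print the certificate details (subject, validity, fingerprints) so the
# fingerprint can be checked against one obtained from the LDAP admin before
# the certificate is added to anything.
show_fingerprint() {
    keytool -printcert -file "$LDAP_CERT"
}

# Import the LDAP server's certificate into the dedicated truststore.
# -noprompt skips the interactive "Trust this certificate?" question.
import_ldap_cert() {
    keytool -import -noprompt -trustcacerts \
        -file "$LDAP_CERT" -alias "$LDAP_ALIAS" \
        -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS" -storetype JKS
}

# Exit status 0 if the alias is present in the truststore, non-zero otherwise.
verify_alias() {
    keytool -list -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS" \
        -alias "$LDAP_ALIAS" >/dev/null
}

# Build the JVM system properties that redirect outbound TLS trust decisions
# (JNDI/LDAP included) to the dedicated store. The Connector's truststoreFile
# does not affect these outbound connections.
truststore_jvm_opts() {
    printf -- '-Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s -Djavax.net.ssl.trustStoreType=JKS' \
        "$1" "$2"
}

# Emit the line to add to the environment of the user that starts Tomcat
# (catalina.sh passes JAVA_OPTS to the JVM).
java_opts_export_line() {
    printf 'export JAVA_OPTS="$JAVA_OPTS %s"\n' "$(truststore_jvm_opts "$1" "$2")"
}

# Command dispatch; nothing runs keytool unless explicitly asked to.
case "${1:-}" in
    fingerprint) show_fingerprint ;;
    import)      import_ldap_cert && verify_alias ;;
    verify)      verify_alias ;;
    opts)        java_opts_export_line "$TRUSTSTORE" "$TRUSTSTORE_PASS" ;;
    *)           ;;
esac
```

Usage: `sh trust_ldap.sh fingerprint` to inspect the certificate first, `sh trust_ldap.sh import` to create or update the truststore and confirm the alias landed, then `sh trust_ldap.sh opts` to print the JAVA_OPTS line to put in the Tomcat user's environment before restarting Tomcat. Keeping the LDAP trust anchor in its own file means a JDK upgrade that replaces cacerts does not silently remove it.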
Here’s one of my references