This page describes how to connect Confluence to external servers over SSL, using the various SSL-wrapped protocols.

Here are some examples of when you may need to connect to an external server over SSL/HTTPS:

  • You need to connect to an LDAP server, such as Active Directory, if the LDAP server is running over SSL.
    For specific instructions for Active Directory, see Configuring an SSL Connection to Active Directory.
  • You want to set up JIRA as a trusted application in Confluence, when JIRA is running over SSL.
  • You want to refer to an https://... URL in a Confluence macro.

If you want to run Confluence itself over SSL, see Running Confluence Over SSL or HTTPS.

 

(warning) The information on this page does not apply to Confluence OnDemand.

Importing SSL Certificates

The following commands apply to JDK 1.5. For commands/syntax relevant to JDK 1.6, please refer to this document from Oracle.

  1. Add the root certificate to your default Java keystore with the following command. This is the certificate that was used to authorise the LDAP server's certificate. It will be either the one that was used for signing it, or will come from further up in the trust chain, possibly the root certificate. This is often a self-signed certificate, when both ends of the SSL connection are within the same network. Again, the exact alias is not important.

    keytool -import -alias serverCert -file RootCert.crt -keystore %JAVA_HOME%/jre/lib/security/cacerts (Windows)
    keytool -import -alias serverCert -file RootCert.crt -keystore $JAVA_HOME/jre/lib/security/cacerts (Linux/Unix/Mac)
    
  2. Import the public certificate of your LDAP or JIRA server into the JVM keystore. This is the certificate that the LDAP server uses to set up SSL encryption. You can use any alias of your choosing in place of "JIRAorLDAPServer.crt".

    keytool -import -alias ldapCert -file JIRAorLDAPServer.crt -keystore %JAVA_HOME%/jre/lib/security/cacerts (Windows)
    keytool -import -alias ldapCert -file JIRAorLDAPServer.crt -keystore $JAVA_HOME/jre/lib/security/cacerts (Linux/Unix/Mac)
    
  3. Edit the file in your Confluence installation directory, {confluence-installation}\confluence\WEB-INF\classes\atlassian-user.xml. Change the value of securityProtocol from "plain" to "ssl":

    <securityProtocol>ssl</securityProtocol>
    

    Switch the LDAP connection to the SSL port, if it is different from the default LDAP port. If you are using the most common LDAPS port, set:

    <port>636</port>
    

    The keytool will ask you for a password. The default password is 'changeit' without the quotes.

  4. Verify that the certificate has been added successfully by entering the following command:

    keytool -list -keystore %JAVA_HOME%/jre/lib/security/cacerts (Windows)
    keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts (Unix/Linux)
    keytool -list -keystore /Library/Java/Home/lib/security/cacerts (Mac)
    
  5. Ensure that you have updated JAVA_OPTS to specify the path to the keystore, as specified in Connecting to SSL services, before restarting Tomcat/Confluence.
    There is no need to specify an alias for Confluence to use. On connecting to the LDAP server, it will search through the keystore to find a certificate to match the key being presented by the server.
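
The listing in step 4 only shows that an alias exists. The following added example (not part of the original page or of Atlassian's tooling) compares the fingerprint stored under an alias with the fingerprint of the certificate file you intended to import, so you can confirm the keystore trusts exactly that certificate. It is written for a Linux/Unix/Mac shell and assumes a PEM-encoded certificate file, `openssl` on the PATH and the default keystore password unless `STOREPASS` is set; the function names are hypothetical.

```shell
# Added example: check that a keystore alias holds the certificate you meant to import.
# Function names are hypothetical; the certificate file is assumed to be PEM-encoded.

# Read `keytool -list -alias <alias> ...` output on stdin and print
# "<digest> <HEX>", e.g. "SHA-256 AB12...". The digest keytool prints depends
# on the JDK version (MD5, SHA1 or SHA-256), so it is parsed, not assumed.
parse_keytool_fp() {
    sed -n 's/^Certificate fingerprint (\([A-Za-z0-9-]*\)): *\(.*\)$/\1 \2/p' |
        head -n 1 | tr -d ':\r' | tr 'abcdef' 'ABCDEF'
}

# Reduce `openssl x509 -fingerprint` output ("sha256 Fingerprint=AB:CD:...")
# to bare upper-case hex.
normalize_fp() {
    sed 's/^.*=//' | tr -d ': \r\n' | tr 'abcdef' 'ABCDEF'
}

# Map keytool's digest label to the matching openssl option.
openssl_digest_flag() {
    case "$1" in
        MD5)            echo "-md5" ;;
        SHA1|SHA-1)     echo "-sha1" ;;
        SHA256|SHA-256) echo "-sha256" ;;
        *)              return 1 ;;
    esac
}

# verify_import <alias> <cert.pem> <keystore>
# Returns 0 on match, 1 on mismatch, 2 if the comparison could not be made.
verify_import() {
    entry=$(keytool -list -alias "$1" -keystore "$3" \
        -storepass "${STOREPASS:-changeit}" 2>/dev/null | parse_keytool_fp)
    [ -n "$entry" ] || { echo "alias '$1' not found in $3" >&2; return 2; }
    algo=${entry%% *}
    stored=${entry#* }
    flag=$(openssl_digest_flag "$algo") || { echo "unknown digest: $algo" >&2; return 2; }
    actual=$(openssl x509 -noout -fingerprint "$flag" -in "$2" | normalize_fp)
    [ -n "$actual" ] || { echo "cannot read certificate $2" >&2; return 2; }
    if [ "$stored" = "$actual" ]; then
        echo "OK: '$1' matches $2 ($algo $stored)"
    else
        echo "MISMATCH: '$1' is $stored but $2 is $actual" >&2
        return 1
    fi
}

# Example: sh verify_import.sh ldapCert JIRAorLDAPServer.crt "$JAVA_HOME/jre/lib/security/cacerts"
if [ "$#" -eq 3 ]; then verify_import "$@"; fi
```

Compare the reported fingerprint with one obtained from the server's administrator over a separate channel before relying on the imported certificate.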

Troubleshooting

See the following knowledge base articles:

Related Topics

Configuring an SSL Connection to Active Directory
Configure Web Proxy Support for Confluence
Running Confluence Over SSL or HTTPS