Steps: -------- Unpack this distro tarfile Install Kerberos5 Install kx509/kxutils Install java Install jxplorer Modify the keygen script Set your keystore password Running keygen and jxplorer This distribution tarfile should contain the following: README #This file JXv3.1b1deploy.tar.bz2 #The jxplorer distribution keygen.jar #The credential conversion script keygen.sh #Helper app used by keygen.sh ca-bundle.crt #The CITI CA cert Install Kerberos5/SASL ---------------------- Under Fedora (core 2): yum install krb5-workstation # For kerberos installations yum install cyrus-sasl yum install cyrus-sasl-gssapi # For kerberos installations yum install cyrus-sasl-plain yum install cyrus-sasl-devel Install kx509/kxutils ---------------------- XXX No package that I know of. XXX Grab source and compile Install Java ---------------------- Grab the Sun jre or sdk (1.4.2 or greater) Sun has nice self extracting binary distributions or rpms. Set your JAVA_HOME environment variable to the base of your java installation: eg: export JAVA_HOME=/usr/local/j2sdk1.4.2_04 also, add the java bin location to your PATH variable eg: export PATH=$PATH:$JAVA_HOME/bin/ It is recommended that this is done in your /etc/profile or personal profile Install JXplorer ----------------------- Unpack the tarfile included, or get it from sourceforge: http://sourceforge.net/project/showfiles.php?group_id=55394 Version 3.1Beta was used. Unpack the file into the directory that you unpacked the distribution tarfile. the tarfile will unpack into ./jxplorer Modify the keygen script ------------------------- The distribution tarfile contains a script called keygen.sh. Edit the first few lines so that the paths to the binaries are correct. Make sure that KERBEROS_ROOT is correctly set, as well as the paths to kxlist, kx509 and openssl. Nothing else should need modifying. Set your keystore passwords ------------------------ Run jxplorer by executing ./jxplorer.sh in the jxplorer directory. Security->Client Certificates Click the Set Password button: The default password is: passphrase When done, click OK to close the Manager dialog. (Note, after changing passwords, or importing certs, the manager dialog sometime gets buried under the browser window. Just move the browser window to the side, or send it to the back. Similarly, you need to set the password on the CA Certs keystore. The default password for this keystore is: changeit You also need to import the CA cert. The ca-bundle.crt cert is included in the distribution tarfile for your convenience. Be sure to take precautions against tampering (sum against known copy, etc). To do this, open the CA Certificate manager. Click Add Certificate. Locate the ca-bundle.crt file (note that you will have to change the suffix filter to All Files) Running the keygen script ------------------------- cd to the directory containing the keygen script. Execute: ./keygen.sh Two flags are supported. Execute ./keygen.sh -? for useage. keygen will convert your kerberos creds into kx509 creds, reformat those into pkcs8 format, and then import them into the java keystore. You should do this every time you startup jxplorer. File->Connect to open the connection dialog. Enter the hostname and base DN. Also, change the Security level to: "SSL+SASL+Keystore Password" and enter the keystore password in the textbox. You should be able to establish a secure connection, protected by SSL TLS and using the SASL EXTERNAL authentication mechanism. You may need to modify your slapd.conf file with the appropriate sasl-regexp to get your kx509->DN mapping correct.