Enable client-side LDAPS - Amazon Directory Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Enable client-side LDAPS

To enable client-side LDAPS, you import your certificate authority (CA) certificate into AD Connector, and then enable LDAPS on your directory. Upon enabling, all LDAP traffic between Amazon applications and your self-managed Active Directory will flow with Secure Sockets Layer (SSL) channel encryption.

You can enable client-side LDAPS for your directory using either the Amazon Web Services Management Console or the Amazon CLI; each of the following steps shows both methods.

Step 1: Register certificate in Amazon Directory Service

Use either of the following methods to register a certificate in Amazon Directory Service.

Method 1: To register your certificate in Amazon Directory Service (Amazon Web Services Management Console)
  1. In the Amazon Directory Service console navigation pane, select Directories.

  2. Choose the directory ID link for your directory.

  3. On the Directory details page, choose the Networking & security tab.

  4. In the Client-side LDAPS section, select the Actions menu, and then select Register certificate.

  5. In the Register a CA certificate dialog box, select Browse, and then select the certificate and choose Open.

  6. Choose Register certificate.

Method 2: To register your certificate in Amazon Directory Service (Amazon CLI)
  • Run the following command. For the certificate data, point to the location of your CA certificate file. A certificate ID will be provided in the response.

    aws ds register-certificate --directory-id your_directory_id --certificate-data file://your_file_path

Step 2: Check registration status

To see the status of a certificate registration or a list of registered certificates, use either of the following methods.

Method 1: To check certificate registration status in Amazon Directory Service (Amazon Web Services Management Console)
  1. Go to the Client-side LDAPS section on the Directory details page.

  2. Review the current certificate registration state that is displayed under the Registration status column. When the registration status value changes to Registered, your certificate has been successfully registered.

Method 2: To check certificate registration status in Amazon Directory Service (Amazon CLI)
  • Run the following command. If the status value returns Registered, your certificate has been successfully registered.

    aws ds list-certificates --directory-id your_directory_id

Step 3: Enable client-side LDAPS

Use either of the following methods to enable client-side LDAPS in Amazon Directory Service.

Note

You must have successfully registered at least one certificate before you can enable client-side LDAPS.

Method 1: To enable client-side LDAPS in Amazon Directory Service (Amazon Web Services Management Console)
  1. Go to the Client-side LDAPS section on the Directory details page.

  2. Choose Enable. If this option is not available, verify that a valid certificate has been successfully registered, and then try again.

  3. In the Enable client-side LDAPS dialog box, choose Enable.

Method 2: To enable client-side LDAPS in Amazon Directory Service (Amazon CLI)
  • Run the following command.

    aws ds enable-ldaps --directory-id your_directory_id --type Client

Step 4: Check LDAPS status

Use either of the following methods to check the LDAPS status in Amazon Directory Service.

Method 1: To check LDAPS status in Amazon Directory Service (Amazon Web Services Management Console)
  1. Go to the Client-side LDAPS section on the Directory details page.

  2. If the status value is displayed as Enabled, LDAPS has been successfully configured.

Method 2: To check LDAPS status in Amazon Directory Service (Amazon CLI)
  • Run the following command. If the status value returns Enabled, LDAPS has been successfully configured.

    aws ds describe-ldaps-settings --directory-id your_directory_id
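The four CLI steps above are often scripted rather than typed by hand. The following is an added example, not code from the Amazon Directory Service documentation: it drives the same register, wait for Registered, enable, wait for Enabled sequence through the API and refuses to proceed when a step fails. It assumes the boto3 `ds` client method names and response shapes (`register_certificate`, `list_certificates`, `enable_ldaps`, `describe_ldaps_settings`); `FakeDsClient`, the directory ID and the PEM text are constructed stand-ins so the flow can be exercised offline, and `boto3.client("ds")` would be passed in their place for a real directory.

```python
"""Client-side LDAPS enablement for an AD Connector directory, driven through the
Directory Service API in the same four steps as the procedure above.

Added example; this is not code from the AWS documentation. It assumes the boto3
'ds' client method names and response shapes (register_certificate,
list_certificates, enable_ldaps, describe_ldaps_settings). FakeDsClient is a
constructed stand-in so the flow runs offline; pass boto3.client("ds") for real use.
"""
import time

DIRECTORY_ID = "d-0123456789"          # constructed placeholder directory ID
CONSTRUCTED_CA_PEM = (                  # constructed placeholder, not a real CA certificate
    "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
)

# Certificate states from which registration will never reach Registered.
TERMINAL_FAILURES = {"RegisterFailed", "Deregistering", "Deregistered", "DeregisterFailed"}


def check_pem(certificate_data):
    """Refuse to upload data that is not a PEM certificate (for example a key file)."""
    if "-----BEGIN CERTIFICATE-----" not in certificate_data:
        raise ValueError("certificate data is not a PEM certificate")
    if "PRIVATE KEY" in certificate_data:
        raise ValueError("refusing to register data that contains a private key")
    return certificate_data


def register_ca_certificate(ds, directory_id, certificate_data):
    """Step 1: equivalent of `aws ds register-certificate`; returns the certificate ID."""
    resp = ds.register_certificate(DirectoryId=directory_id, CertificateData=check_pem(certificate_data))
    return resp["CertificateId"]


def wait_until_registered(ds, directory_id, certificate_id, max_polls=40, sleep=time.sleep):
    """Step 2: poll `list-certificates` until the certificate's State is Registered."""
    for _ in range(max_polls):
        certs = ds.list_certificates(DirectoryId=directory_id)["CertificatesInfo"]
        state = next((c["State"] for c in certs if c["CertificateId"] == certificate_id), None)
        if state == "Registered":
            return state
        if state is None or state in TERMINAL_FAILURES:
            raise RuntimeError(f"certificate {certificate_id} is in state {state}")
        sleep(15)
    raise TimeoutError(f"certificate {certificate_id} never reached Registered")


def enable_client_ldaps(ds, directory_id):
    """Step 3: equivalent of `aws ds enable-ldaps --type Client`."""
    ds.enable_ldaps(DirectoryId=directory_id, Type="Client")


def wait_until_ldaps_enabled(ds, directory_id, max_polls=40, sleep=time.sleep):
    """Step 4: poll `describe-ldaps-settings` until LDAPSStatus is Enabled."""
    for _ in range(max_polls):
        info = ds.describe_ldaps_settings(DirectoryId=directory_id, Type="Client")["LDAPSSettingsInfo"]
        status = info[0]["LDAPSStatus"] if info else "Disabled"
        if status == "Enabled":
            return status
        if status in ("EnableFailed", "Disabled"):
            raise RuntimeError(f"client-side LDAPS status is {status}")
        sleep(15)
    raise TimeoutError("client-side LDAPS never reached Enabled")


def enable_client_side_ldaps(ds, directory_id, certificate_data, sleep=time.sleep):
    """Run all four steps in order; returns (certificate_id, final LDAPS status)."""
    cert_id = register_ca_certificate(ds, directory_id, certificate_data)
    wait_until_registered(ds, directory_id, cert_id, sleep=sleep)
    enable_client_ldaps(ds, directory_id)
    return cert_id, wait_until_ldaps_enabled(ds, directory_id, sleep=sleep)


class FakeDsClient:
    """Constructed stand-in for boto3.client('ds'): certificates become Registered on
    the second list call, and LDAPS becomes Enabled on the first describe after enabling."""

    def __init__(self):
        self.certs, self.list_calls, self.ldaps = {}, 0, "Disabled"

    def register_certificate(self, DirectoryId, CertificateData):
        cert_id = f"c-{len(self.certs) + 1:010d}"
        self.certs[cert_id] = "Registering"
        return {"CertificateId": cert_id}

    def list_certificates(self, DirectoryId):
        self.list_calls += 1
        if self.list_calls >= 2:
            self.certs = {k: "Registered" for k in self.certs}
        return {"CertificatesInfo": [{"CertificateId": k, "State": v} for k, v in self.certs.items()]}

    def enable_ldaps(self, DirectoryId, Type):
        # Mirrors the note above: enabling is refused until a certificate is Registered.
        if "Registered" not in self.certs.values():
            raise RuntimeError("no registered certificate")
        self.ldaps = "Enabling"
        return {}

    def describe_ldaps_settings(self, DirectoryId, Type="Client"):
        if self.ldaps == "Enabling":
            self.ldaps = "Enabled"
        return {"LDAPSSettingsInfo": [{"LDAPSStatus": self.ldaps}]}


if __name__ == "__main__":
    cert_id, status = enable_client_side_ldaps(FakeDsClient(), DIRECTORY_ID, CONSTRUCTED_CA_PEM, sleep=lambda s: None)
    print(cert_id, status)
```

The `sleep` parameter exists so the polling loops can be run instantly against the fake client; with a real client, leave it at the default so each poll waits 15 seconds. Treating `RegisterFailed` and `EnableFailed` as errors rather than retrying them is deliberate: those states mean the certificate or the LDAPS setting will not progress on its own, and the operator should look at the certificate before trying again.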