Tomcat
LDAPS
Really, seriously, Do This First!
For whatever reason, you might want to consult an LDAP directory for something: authentication, directory data, whatever. If you're using LDAPS, you need to be sure that the JVM running Tomcat trusts the SSL certificate presented by your LDAPS server (or the CA that issued it); otherwise every LDAPS connection fails in the TLS handshake before LDAP even starts. After much toil, this is the key:
Add the following to your tomcat5.conf file (the file the Fedora/RHEL tomcat5 package uses to set the JVM's environment; on a plain Apache Tomcat install, set CATALINA_OPTS in the environment that starts catalina.sh instead) and restart Tomcat.
CATALINA_OPTS='-Djavax.net.debug=all'
This tells Java to enable JSSE debugging for everything under 'net', which in practice means SSL/TLS, so have at it. You can replace 'all' with narrower values such as 'ssl' or 'ssl,handshake' (on the Sun/Oracle JDK, '-Djavax.net.debug=help' prints the accepted options), but 'all' is the safe choice when you don't yet know what you're looking for. Two caveats: the output is enormous and lands in catalina.out, and 'all' includes hex dumps of the decrypted application data, so your LDAP bind credentials will end up in that log. Remove the option again once the trust problem is solved, and don't leave the debug-era catalina.out lying around world-readable.
Anyway, this does something very important. Early in the output Java prints the 'trustStore' it is actually using (a line of the form 'trustStore is: <path>') and its declared type ('trustStore type is : jks'). The trust store is the set of certificates the JVM trusts, so this is where your LDAPS server's certificate (or, better, its issuing CA certificate) has to go, and the type tells you how to add it. On a stock JDK the default is $JAVA_HOME/jre/lib/security/cacerts, a binary JKS keystore (default password 'changeit'), and the only way to add to that is 'keytool -importcert'; appending PEM text to a JKS file just corrupts it. In my case, though, the trustStore file turned out to be a bunch of OpenSSL PEM encoded text certs, so I needed to append my LDAPS server's cert in PEM format rather than screwing around with keytool (which was a waste of about a whole day... grumble... grumble...). Look at what the debug output says about the path and type, and look at the file itself, before you pick a method.
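The whole procedure, as an added example that is not part of the original page: read the trust store path and type out of the debug output, check the file's real format (JKS magic bytes versus PEM text) rather than trusting the label, grab the server's certificate with openssl, and add it the way that format requires. The debug lines, paths, host name and alias below are constructed and hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original page. Everything below that names
# a path, host or alias is a hypothetical placeholder.

# Constructed sample of the lines -Djavax.net.debug=all writes to catalina.out
# while Tomcat initialises its SSL context.
SAMPLE_DEBUG='keyStore is :
keyStore type is : jks
trustStore is: /usr/lib/jvm/java/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
  Subject: CN=Example Root CA, O=Example
  Issuer:  CN=Example Root CA, O=Example'

# Pull the trust store path and its declared type out of debug output on stdin.
truststore_path() { sed -n 's/^trustStore is: *//p' | head -n 1; }
truststore_type() { sed -n 's/^trustStore type is *: *//p' | head -n 1 | tr 'A-Z' 'a-z'; }

# Classify a trust store file by its contents: a JKS keystore starts with the
# magic bytes FE ED FE ED, a PEM bundle is text containing a CERTIFICATE block.
store_format() {
  magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
  if [ "$magic" = "feedfeed" ]; then
    echo jks
  elif grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
    echo pem
  else
    echo unknown
  fi
}

# Fetch the certificate the LDAPS server presents and save it as PEM.
# openssl x509 keeps only the first cert (the server's leaf); if the server
# sends its chain, prefer importing the issuing CA cert from the -showcerts
# output so the trust survives a certificate renewal.
fetch_server_cert() {  # $1 = host, $2 = port, $3 = output PEM file
  openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$3"
}

# Add a PEM certificate to the trust store in the way its real format requires.
add_cert_to_store() {  # $1 = trust store path, $2 = PEM file, $3 = alias
  case "$(store_format "$1")" in
    jks) keytool -importcert -noprompt -keystore "$1" -storepass changeit \
           -alias "$3" -file "$2" ;;
    pem) cat "$2" >> "$1" ;;              # the append the page's author ended up doing
    *)   echo "unrecognised trust store format: $1" >&2; return 1 ;;
  esac
}

# Offline demonstration against the constructed debug output above.
echo "debug output says the trust store is: $(printf '%s\n' "$SAMPLE_DEBUG" | truststore_path)" \
     "(declared type: $(printf '%s\n' "$SAMPLE_DEBUG" | truststore_type))"

# Real usage, after restarting Tomcat with the debug option set (hypothetical paths):
#   store=$(truststore_path < /var/log/tomcat5/catalina.out)
#   fetch_server_cert ldap.example.com 636 /tmp/ldap-server.pem
#   add_cert_to_store "$store" /tmp/ldap-server.pem ldap-example
```

Verify the import afterwards with 'keytool -list -keystore <store> -storepass changeit' for a JKS store, or 'openssl x509 -noout -subject' on the appended block for a PEM bundle, and only then take the debug option back out of tomcat5.conf.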
