Configuring LDAP Plug-ins for SSL


    This week's theme:  Cool Tech Tips

    Overview

    You might want to configure AR System® server access to your LDAP user registry over SSL to ensure the confidentiality of the data exchanged between the AR System server and the LDAP user registry. For example, user passwords are sent over the network between the LDAP user registry and the AR System server: the AR System server authenticates each user name and password pair through an LDAP BIND operation, so configuring LDAP over SSL is important to protect this sensitive data. It may also be required to ensure that user attributes retrieved from the directory cannot be read by someone capturing packets on the network, if those attributes include sensitive information or if privacy is a concern. To keep all of this information private, configure the AR System AREA LDAP plug-in to use LDAP over SSL to the LDAP user registry. This article describes how to configure the AR System plug-ins to work with Active Directory over SSL.

    Before Configuring

    First, non-SSL LDAP must be working before you set up LDAP over SSL. This verifies that the directory is responding to LDAP requests before SSL is added to the picture. Also check IIS on the Active Directory server to see whether it is configured for SSL, as shown below.

    • Active Directory and Internet Information Services (IIS) should be installed and configured.

    Figure 1 – Import Certificate(s) to Enable SSL Connection

    Importing Certificates to a Keystore

    The AR System server LDAP plug-ins were compiled with the Netscape 4.79 libraries. To build certificate database files compatible with the LDAP plug-ins, use a Netscape 4.79 browser.

    1. Install Certificate Services before configuring Active Directory for SSL. (See the Appendix at the bottom of this article.)
      Note: To install the Certificate Authority (CA), first make sure your login has the "Enterprise Domain Administrator" credential, then go to Add/Remove Programs to add "Certificate Services".
    2. Export the root CA certificate.
      a. Open a Netscape 4.79 Web browser and connect to https://dcldap1.eng.remedy.com/certsrv/. Answer the prompts in the dialog to accept the certificate permanently, as shown in Figure 2.

    Figure 2 – New Site Certificate

      b. Select the task Retrieve the CA certificate.
      c. Choose the certificate you created (Current) and the format (either DER encoded or Base 64 encoded). Then click Download CA certificate.
      d. Save this certificate in a file. For example, call the certificate certnew.cer.
      e. Now you can install this certificate by double-clicking the file.
      f. Install the certificate by following the prompts. An alternate way to install the certificate is to choose the "Install certificate" link as shown below. This second method is useful if you need to use the certutil utility later to add or remove certificates.

    Figure 3 – Install Certificate

    Figure 4 - New Certificate Authority

    After completing the steps above, you can check that the certificate is in the Signers list by opening the Security Info dialog from Netscape's Tools menu.

    Figure 5 - Certificate Signers' Certificates

    3. Import the certificate to the keystore.
      Import the file certnew.cer into Netscape Communicator 4.79 as a trusted authority. This updates the cert7.db file and stores information on the trusted authority.
    4. Now use Netscape Communicator to connect to the secure URL for the LDAP server. In this example use https://dclap1.eng.remedy.com:636. Note that this server name, dclap1.eng.remedy.com, matches the Common Name used when creating the certificate. Netscape updates the cert7.db file when connecting to this URL; note the modification time of the cert7.db file to confirm this.
    5. Copy the cert7.db and key3.db files to a directory accessible by the AR System server. For example, copy the files to C:\Program Files\AR System\Conf. This directory is used when updating the AR System server configuration.

    Configure AREA LDAP Plug-in to Access Active Directory over SSL

    The AREA LDAP plug-in can be configured to use SSL as follows:

    1. Check the "Use Secure Socket Layer" box (set ssl to true).
    2. Set the LDAP Port Number to 636.
    3. Specify the directory in which the cert7.db and key3.db files are located.
    4. Save the changes.
    5. Stop and restart your AR System service.

    Figure 6 - New AREA LDAP Configuration
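Before the plug-in is switched to SSL, the exported CA file and the directory's server certificate can be checked from the AR System server host. The following Python script is an added example (not part of the original article or of the AR System plug-in): it converts certnew.cer from either certsrv export format to PEM, completes a TLS handshake to port 636 trusting only that CA, and applies the same host name rule as the note in the import steps; the host name dcldap1.eng.remedy.com and the file name certnew.cer are taken from the article and are assumptions for your environment.

```python
"""Pre-flight check of an LDAPS endpoint using the CA certificate exported from
certsrv.  Added example, not BMC/Remedy code; host, port and the certnew.cer
path are assumptions taken from the steps above."""
import base64
import socket
import ssl


def to_pem(data: bytes) -> str:
    """Accept certnew.cer in either export format: a Base64 export already
    carries PEM armour, a DER export starts with the ASN.1 SEQUENCE tag 0x30."""
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return data.decode("ascii")
    if not data or data[0] != 0x30:
        raise ValueError("not a DER or Base64 encoded X.509 certificate")
    b64 = base64.b64encode(data).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def hostname_matches(cert: dict, host: str) -> bool:
    """The host name in the plug-in configuration must match the certificate.
    DNS subjectAltName entries win when present; otherwise fall back to the
    subject CN, which is what the Windows 2000/2003 CA puts on the server
    certificate.  `cert` has the layout of ssl.SSLSocket.getpeercert()."""
    host = host.lower()
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return host in sans
    return host in [v.lower() for rdn in cert.get("subject", ())
                    for k, v in rdn if k == "commonName"]


def probe_ldaps(host: str, port: int, ca_pem: str, timeout: float = 5.0) -> dict:
    """Handshake with the directory trusting only the exported CA (verify_mode
    stays CERT_REQUIRED) and report the name check separately, so a failure is
    attributable to the chain or to the CN before the plug-in is reconfigured."""
    ctx = ssl.create_default_context(cadata=ca_pem)
    ctx.check_hostname = False  # performed by hostname_matches() below
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"protocol": tls.version(),
                    "subject": cert.get("subject"),
                    "hostname_ok": hostname_matches(cert, host)}
```

Call probe_ldaps() with the directory host, port 636 and to_pem() of the exported file: a broken chain raises ssl.SSLCertVerificationError, while a name mismatch is reported as hostname_ok False, so the two causes are not confused.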

    Summary

    This article describes how to set up the AR System LDAP plug-ins to use SSL, using Netscape 4.79 to build the certificate database files.

    ~ Dipti
    Staff Product Developer, Remedy Development
    Joined BMC Remedy in 1999
    "The computer is no better than its program." - Elting Elmore Morison

    Appendix

    Active Directory should be installed and configured before you install the plug-in.

    Active Directory is included with the Windows 2000 or 2003 Server operating system. Below is an overview of the installation.

    1. Install Windows 2000 or 2003 Server, which includes Active Directory. Refer to the Windows and Active Directory documentation for installation instructions: http://www.microsoft.com/windows2000/technologies/directory/ad/default.asp.
    2. Install the required Service Packs.
    3. Perform this step only if you are using Active Directory 2000 (High Encryption is included with Active Directory 2003): install the Windows 2000 High Encryption Pack. The Windows 2000 High Encryption Pack enhances your system with one of the highest available encryption levels (128-bit) and is needed to enable SSL for Active Directory. It can be downloaded from Microsoft's Web site: http://www.microsoft.com/windows2000/downloads/recommended/encryption/
    4. Install Internet Information Services. If you have not installed Internet Information Services (IIS), you need to do so. IIS is needed for exporting server certificates and has to be installed before Certificate Services.
      a. Open Control Panel and select Add/Remove Programs.
      b. Choose Add/Remove Windows Components.
      c. Choose the Internet Information Services (IIS) component and then click Next.
      d. Follow the instructions of the Windows Components Wizard. The Windows Server CD is needed.
    5. If you plan on using Active Directory over SSL, install Certificate Services.
      a. Open Control Panel and select Add/Remove Programs.
      b. Choose Add/Remove Windows Components.
      c. Select Certificate Services, then click Next.
      d. Select Enterprise root CA or Stand-alone root CA, then click Next. You can also choose other options depending on your needs.
      e. Fill in the CA identifying information and click Next.
      f. Follow the instructions of the Windows Components Wizard. The Windows Server CD is needed.