Topic
  • 3 replies
  • Latest Post - ‏2014-04-08T16:44:51Z by atlauren
atlauren
atlauren
16 Posts

Pinned topic TRC auth with LDAP/SSL to AD

‏2014-04-08T04:56:31Z |

Hello,

I'm trying to set up our TRC server, using AD authentication via LDAP/SSL.  I've verified that the LDAP account can bind without SSL, and am now trying to establish a proper SSL setup.  Our vendor CA is InCommon; they chain off the AddTrust External CA.   The domain controllers have InCommon certificates on their LDAP service; I have verified with openssl s_client that the certs are installed.

With ldap.security_protocol=ssl, however, the connection fails due to certificate chaining.  However, I'm thoroughly lost on how to configure the LDAP client with the right intermediates/roots.

  • Does the LDAP client take advantage of the java/jre/lib/security/cacerts store?
    • AddTrust is in this file.
      • Should I add the intermediate there?
  • What file should ldap.ssl_keyStore refer to?
    • The cacerts store?
    • A new keystore that I haven't created yet?
      • Is that where the intermediate should go?

All of this is _before_ I even tackle a proper cert for the incoming HTTPS connections.  Should these be the same keystore as above?

Thanks for any insight.

-Andrew

  • Pati_Gall
    Pati_Gall
    9 Posts

    Re: TRC auth with LDAP/SSL to AD

    ‏2014-04-08T14:17:18Z  

    Hi,
    Can you try the following instructions?

    • Export the root CA public key certificate from the Microsoft Activity Directory Certificate Services keystore as a Base-64 encoded X.509 certificate (*.cer).
    • Copy the *.cer to a location in the RC server
    • In the RC server, navigate to C:\Program Files (x86)\IBM\Tivoli\TRC\server\java\jre\bin and double click on ikeyman.bat
    • Click on "Open" and select PKCS12 as DB-Type
    • In file name, click browse and navigate to the following location: C:\Program Files (x86)\IBM\Tivoli\TRC\server\wlp\usr\servers\trcserver\resources\security\key.jks (this path may be slightly different depending on installation options, platform, etc)
    • The default password is WebAS or TrCWebAS (depending on the version, refer to the relevant documentation for your version in Infocenter)
    • Select Signer Certificates from the drop down menu and click on "Add", Navigate to and select your *.cer file (Note: It will prompt you to open an "*.arm" certificate, ignore this and open your *cer). Provide a label as requested (it can be anything, for instance "TRCLDAP").

    Now we need to change some settings in the ldap.properties file.Locate the ldap.properties file and:

    • Ensure you add the "s" to ldap and the port number to the connection url and the port number is specified to 636:  

        ldap.connectionURL=ldaps://yourldapserver:636

    • Save the changes and restart the TRC service.

    Let me know how you get on. Remember to restart the RC server service after importing the certificate and updating the ldap properties.

    Regards,
    Pati
     

  • Pati_Gall
    Pati_Gall
    9 Posts

    Re: TRC auth with LDAP/SSL to AD

    ‏2014-04-08T14:17:34Z  

    Hi,
    Can you try the following instructions?

    • Export the root CA public key certificate from the Microsoft Activity Directory Certificate Services keystore as a Base-64 encoded X.509 certificate (*.cer).
    • Copy the *.cer to a location in the RC server
    • In the RC server, navigate to C:\Program Files (x86)\IBM\Tivoli\TRC\server\java\jre\bin and double click on ikeyman.bat
    • Click on "Open" and select PKCS12 as DB-Type
    • In file name, click browse and navigate to the following location: C:\Program Files (x86)\IBM\Tivoli\TRC\server\wlp\usr\servers\trcserver\resources\security\key.jks (this path may be slightly different depending on installation options, platform, etc)
    • The default password is WebAS or TrCWebAS (depending on the version, refer to the relevant documentation for your version in Infocenter)
    • Select Signer Certificates from the drop down menu and click on "Add", Navigate to and select your *.cer file (Note: It will prompt you to open an "*.arm" certificate, ignore this and open your *cer). Provide a label as requested (it can be anything, for instance "TRCLDAP").

    Now we need to change some settings in the ldap.properties file.Locate the ldap.properties file and:

    • Ensure you add the "s" to ldap and the port number to the connection url and the port number is specified to 636:  

        ldap.connectionURL=ldaps://yourldapserver:636

    • Save the changes and restart the TRC service.

    Let me know how you get on. Remember to restart the RC server service after importing the certificate and updating the ldap properties.

    Regards,
    Pati
     

  • atlauren
    atlauren
    16 Posts

    Re: TRC auth with LDAP/SSL to AD

    ‏2014-04-08T16:44:51Z  
    • Pati_Gall
    • ‏2014-04-08T14:17:34Z

    Hi,
    Can you try the following instructions?

    • Export the root CA public key certificate from the Microsoft Activity Directory Certificate Services keystore as a Base-64 encoded X.509 certificate (*.cer).
    • Copy the *.cer to a location in the RC server
    • In the RC server, navigate to C:\Program Files (x86)\IBM\Tivoli\TRC\server\java\jre\bin and double click on ikeyman.bat
    • Click on "Open" and select PKCS12 as DB-Type
    • In file name, click browse and navigate to the following location: C:\Program Files (x86)\IBM\Tivoli\TRC\server\wlp\usr\servers\trcserver\resources\security\key.jks (this path may be slightly different depending on installation options, platform, etc)
    • The default password is WebAS or TrCWebAS (depending on the version, refer to the relevant documentation for your version in Infocenter)
    • Select Signer Certificates from the drop down menu and click on "Add", Navigate to and select your *.cer file (Note: It will prompt you to open an "*.arm" certificate, ignore this and open your *cer). Provide a label as requested (it can be anything, for instance "TRCLDAP").

    Now we need to change some settings in the ldap.properties file.Locate the ldap.properties file and:

    • Ensure you add the "s" to ldap and the port number to the connection url and the port number is specified to 636:  

        ldap.connectionURL=ldaps://yourldapserver:636

    • Save the changes and restart the TRC service.

    Let me know how you get on. Remember to restart the RC server service after importing the certificate and updating the ldap properties.

    Regards,
    Pati
     

    Hi,

    Thank you!  Using your instructions, I added the CA's provided AddTrustExternalCARoot.crt to the key.jks file.

    As additional detail, it is not sufficient to use Admin -> Reset Application.  A full restart of the server is required; as I'm on RHEL, it was service trcserver restart.

    I suggest that this information for LDAP SSL connections be added to the relevant installation and administration manuals.

    best,

    -Andrew