Configuring mutual TLS authentication between IM and LDAP server
From foundational services version 4.9, you can enable mutual TLS authentication between Identity Management (IM) and the LDAP server when you configure an LDAP connection based on the backend LDAP registry configuration. TLS/SSL must already be configured for the LDAP connection; mutual authentication adds client-certificate verification on top of that TLS/SSL setup.
To enable mutual TLS authentication for the LDAP server, add the ldap_tls_verify_client parameter to the IdP V3 API request when you create the LDAP connection. The ldap_tls_verify_client parameter accepts the values try and demand.
You can configure mutual TLS authentication with the IdP v3 API using one of the following methods:
- Configuring mutual TLS authentication with the try mTLS SSL profile
- Configuring mutual TLS authentication with the demand mTLS SSL profile
Configuring mutual TLS authentication with try mTLS SSL profile
Specify the ldap_tls_verify_client parameter with the value try to enable mutual TLS authentication with the try mTLS SSL profile when you create the LDAP connection. Use the try profile when importing an IM client certificate into the LDAP server is not required: with try, IM does not pass a client certificate during the LDAP mutual TLS/SSL handshake, and the LDAP server proceeds with the connection without one.
The following curl command is an example of creating an LDAP connection with the try mTLS SSL profile:
$ export ACCESS_TOKEN=<bearer-token>
$ export CP_CONSOLE_URL=<cp-console-route>
$ curl -k -X POST \
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
-H "content-type: application/json" \
"https://${CP_CONSOLE_URL}/idprovider/v3/auth/idsource" \
-d '{
"name": "openLDAP",
"description": "description 1",
"protocol": "ldap",
"type": "Custom",
"idp_config": {
"ldap_url": "ldap://9.30.253.13:389",
"ldap_basedn": "dc=ibm,dc=com",
"ldap_bindpassword": "<base64 encoded password>",
"ldap_binddn": "cn=admin,dc=ibm,dc=com",
"ldap_userfilter": "(&(uid=%v)(objectclass=person))",
"ldap_groupfilter": "(&(cn=%v)(objectclass=groupOfUniqueNames))",
"ldap_useridmap": "*:uid",
"ldap_groupidmap": "*:cn",
"ldap_groupmemberidmap": "groupOfUniqueNames:uniquemember",
"ldap_tls_verify_client":"try"
}
}'
Ensure that you specify the base64-encoded password in the ldap_bindpassword parameter.
Configuring mutual TLS authentication with demand mTLS SSL profile
Specify the ldap_tls_verify_client parameter with the value demand to enable mutual TLS authentication with the demand mTLS SSL profile when you create the LDAP connection. If you set ldap_tls_verify_client to demand, the LDAP server requires a client certificate from IM, and IM must present a certificate that the LDAP server can validate against the CA certificate in its truststore. If the certificate is missing or invalid, the LDAP server terminates the session immediately.
You can configure the demand mTLS SSL profile with one of the following methods:
- Configuring demand mTLS SSL with default IM certificates
- Configuring demand mTLS SSL with custom certificates
Configuring demand mTLS SSL with default IM certificates
To enable mutual TLS authentication with the demand mTLS SSL profile and the default IM certificates, you must obtain the certificate authority (CA) certificate of IM and import it into the truststore of the LDAP server, so that the LDAP server can validate the client certificate that IM presents.
Complete the following steps to enable mutual TLS authentication with the demand mTLS SSL profile:
- Get the CA certificate of IM with the following command:
oc get secret identity-provider-secret -o jsonpath='{.data.ca\.crt}' | base64 --decode
- Import the CA certificate of IM, in PEM format, into the truststore of the LDAP server. Contact your LDAP team to upload the CA certificate to the truststore of your LDAP server.
- Set the ldap_tls_verify_client parameter with demand when you create the LDAP connection. The following curl command is an example of creating an LDAP connection with the demand mTLS SSL profile:
$ export ACCESS_TOKEN=<bearer-token>
$ export CP_CONSOLE_URL=<cp-console-route>
$ curl -k -X POST \
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
-H "content-type: application/json" \
"https://${CP_CONSOLE_URL}/idprovider/v3/auth/idsource" \
-d '{
"name": "openLDAP",
"description": "description 1",
"protocol": "ldap",
"type": "Custom",
"idp_config": {
"ldap_url": "ldap://9.30.253.13:389",
"ldap_basedn": "dc=ibm,dc=com",
"ldap_bindpassword": "<base64 encoded password>",
"ldap_binddn": "cn=admin,dc=ibm,dc=com",
"ldap_userfilter": "(&(uid=%v)(objectclass=person))",
"ldap_groupfilter": "(&(cn=%v)(objectclass=groupOfUniqueNames))",
"ldap_useridmap": "*:uid",
"ldap_groupidmap": "*:cn",
"ldap_groupmemberidmap": "groupOfUniqueNames:uniquemember",
"ldap_tls_verify_client":"demand"
}
}'
Configuring demand mTLS SSL with custom certificates
Instead of the default IM certificates, you can provide your own key and certificate pair for the LDAP server when you create the LDAP connection, to configure mutual TLS authentication with custom certificates. This is the client key and certificate that IM presents to the LDAP server, so the certificate must be trusted by the LDAP server's truststore. Specify the PEM-format key and certificate, each base64-encoded, in the ldap_tls_client_key and ldap_tls_client_cert parameters. Because the request body then carries a private key, send it only over a connection whose server certificate you verify.
The following curl command is an example of creating an LDAP connection with the demand mTLS SSL profile and custom certificates:
$ export ACCESS_TOKEN=<bearer-token>
$ export CP_CONSOLE_URL=<cp-console-route>
$ curl -k -X POST \
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
-H "content-type: application/json" \
"https://${CP_CONSOLE_URL}/idprovider/v3/auth/idsource" \
-d '{
"name": "openLDAP",
"description": "description 1",
"protocol": "ldap",
"type": "Custom",
"idp_config": {
"ldap_url": "ldap://9.30.253.13:389",
"ldap_basedn": "dc=ibm,dc=com",
"ldap_bindpassword": "<base64 encoded password>",
"ldap_binddn": "cn=admin,dc=ibm,dc=com",
"ldap_userfilter": "(&(uid=%v)(objectclass=person))",
"ldap_groupfilter": "(&(cn=%v)(objectclass=groupOfUniqueNames))",
"ldap_useridmap": "*:uid",
"ldap_groupidmap": "*:cn",
"ldap_groupmemberidmap": "groupOfUniqueNames:uniquemember",
"ldap_tls_verify_client":"demand",
"ldap_tls_client_key": "<base64-encoded-value-of-ldap-server-ca-pem-key>",
"ldap_tls_client_cert": "<base64-encoded-value-of-ldap-server-ca-pem-cert>"
}
}'
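The three curl commands above differ only in the ldap_tls_verify_client value and, for the custom profile, the two client-certificate parameters, and the custom profile is where mistakes are costly: a key that does not match the certificate, or a file that is not PEM, only fails at LDAP bind time on the server side. The following script is an added example, not part of the IBM documentation, that generates the request body for the try, demand, and demand-with-custom-certificates profiles, checks the key and certificate pair locally before base64-encoding them, and posts the body while verifying the cp-console route certificate instead of using curl -k. The parameter names are the ones documented on this page; the hostname, DNs, password, and the CP_CONSOLE_CA file are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation. Builds the request body for
# POST /idprovider/v3/auth/idsource for the try, demand and custom-certificate
# profiles described on this page. Hostnames, DNs, the password and CP_CONSOLE_CA
# are constructed placeholders; the JSON parameter names are the page's own.
set -eu

# base64 without line wrapping; portable across GNU and BSD base64.
b64() { base64 | tr -d '\n'; }

# Fetch the default IM CA certificate (PEM) for import into the LDAP truststore.
# Requires an oc session, so it is not exercised offline.
im_ca_cert() {
  oc get secret identity-provider-secret -o jsonpath='{.data.ca\.crt}' | base64 --decode
}

# Reject obvious mistakes before a private key leaves this host: both files must
# be PEM, and when openssl is present the certificate's public key must match
# the private key (the two -pubkey/-pubout outputs are identical for a real pair).
check_client_keypair() {
  local key cert cert_pub key_pub
  key=$1; cert=$2
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" \
    || { echo "$key: not a PEM private key" >&2; return 1; }
  grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" \
    || { echo "$cert: not a PEM certificate" >&2; return 1; }
  if command -v openssl >/dev/null 2>&1; then
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] \
      || { echo "$cert does not match $key" >&2; return 1; }
  fi
}

# Print the JSON body. Arguments:
#   name ldap_url basedn binddn bindpassword verify_client [client_key_pem client_cert_pem]
# ldap_bindpassword is base64-encoded here, as the API expects; with two extra
# file arguments the custom-certificate parameters are added, also base64-encoded.
ldap_idsource_payload() {
  local name url basedn binddn password verify key cert extra
  name=$1; url=$2; basedn=$3; binddn=$4; password=$5; verify=$6
  key=${7:-}; cert=${8:-}
  case "$verify" in
    try|demand) ;;
    *) echo "ldap_tls_verify_client must be try or demand, got '$verify'" >&2; return 1 ;;
  esac
  extra=""
  if [ -n "$key" ] || [ -n "$cert" ]; then
    if [ -z "$key" ] || [ -z "$cert" ]; then
      echo "custom certificates need both ldap_tls_client_key and ldap_tls_client_cert" >&2
      return 1
    fi
    check_client_keypair "$key" "$cert" || return 1
    extra=$(printf ',\n"ldap_tls_client_key": "%s",\n"ldap_tls_client_cert": "%s"' \
      "$(b64 < "$key")" "$(b64 < "$cert")")
  fi
  cat <<EOF
{
"name": "$name",
"description": "LDAP registry, ldap_tls_verify_client=$verify",
"protocol": "ldap",
"type": "Custom",
"idp_config": {
"ldap_url": "$url",
"ldap_basedn": "$basedn",
"ldap_bindpassword": "$(printf '%s' "$password" | b64)",
"ldap_binddn": "$binddn",
"ldap_userfilter": "(&(uid=%v)(objectclass=person))",
"ldap_groupfilter": "(&(cn=%v)(objectclass=groupOfUniqueNames))",
"ldap_useridmap": "*:uid",
"ldap_groupidmap": "*:cn",
"ldap_groupmemberidmap": "groupOfUniqueNames:uniquemember",
"ldap_tls_verify_client": "$verify"$extra
}
}
EOF
}

# POST the body. The route CA is passed with --cacert instead of curl -k because the
# body carries the bind password and, for the custom profile, a private key.
# ACCESS_TOKEN, CP_CONSOLE_URL and CP_CONSOLE_CA must be set by the caller.
create_ldap_connection() {
  curl --cacert "$CP_CONSOLE_CA" -X POST \
    -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    -H "content-type: application/json" \
    "https://${CP_CONSOLE_URL}/idprovider/v3/auth/idsource" \
    -d "$1"
}
```

Usage: `body=$(ldap_idsource_payload openLDAP ldaps://ldap.example.com:636 dc=example,dc=com cn=admin,dc=example,dc=com 'secret' demand client.key client.crt)` followed by `create_ldap_connection "$body"`; omit the two file arguments for the try and default-certificate demand profiles. Run `im_ca_cert > im-ca.pem` first when the LDAP team needs the IM CA certificate for the truststore import.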