keytool -list -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit
C:\Program Files\NRE\java\jrex.x.x_xxx\bin>keytool -list -keystore "C:\Program Files\NRE\java\jrex.x.x_xxx\lib\security\cacerts" -storepass changeit
Keystore type: jks
Keystore provider: SUN
Your keystore contains 96 entries
emcauthctomcat, Feb 6, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
...
...
...
keytool -delete -alias ALIAS_NAME -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit
-----BEGIN CERTIFICATE-----
MIIGQDCCBSigAwIBAgITbgAAAAiwkngyAQWDwwACAAAACDANBgkqhkiG9w0BAQsF
ADBPMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFjAUBgoJkiaJk/IsZAEZFgZlbWNs
...
7NZfi9DiEBhpFmbF8xP96qB/kTJC+29t/0VE8Fvlg87fRhs5BceIoX8nUnetNCdm
m4mGyefXz4TBTwD06opJf4NQIDo=
-----END CERTIFICATE-----
keytool -import -alias ALIAS_NAME -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit -file PATH_TO\CERT_FILE
C:\Program Files\NRE\java\jrex.x.x_xxx\bin>keytool -import -alias winsrvr2k16.emclab.local -keystore "C:\Program Files\NRE\java\jrex.x.x_xxx\lib\security\cacerts" -storepass changeit -file C:\root-ca.cer
Owner: CN=emclab-WINSRVR2K16-CA, DC=emclab, DC=local
Issuer: CN=emclab-WINSRVR2K16-CA, DC=emclab, DC=local
Serial number: 183db0ae21d3108244254c8aad129ecd
...
...
...
Trust this certificate? [no]: yes
Certificate was added to keystore
keytool -list -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit
C:\Program Files\NRE\java\jrex.x.x_xxx\bin>keytool -list -keystore "C:\Program Files\Java\jre1.8.0_201\lib\security\cacerts" -storepass changeit | findstr winsrvr2k16
winsrvr2k16.emclab.local, Feb 20, 2019, trustedCertEntry,
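The listing, delete, import and verify steps above are all driven by what `keytool -list` prints. The following added example (not code from the article or from Dell) parses that output into alias/fingerprint records, looks an alias up the way the `findstr` check does, computes a PEM file's fingerprint exactly as keytool does (a digest over the DER bytes; SHA1 on the JDK shown in the article, SHA-256 on newer JDKs), and reports any alias in the truststore that is not on an allow-list of expected trust anchors. The sample listing is constructed: the first entry is taken from the article, the second fingerprint is made up.

```python
"""Audit a Java cacerts listing as printed by `keytool -list`.

Added example, not part of the KB article. Parses the alias/fingerprint pairs,
looks an alias up, fingerprints a PEM file the way keytool does, and reports
aliases that are not on an allow-list of known trust anchors.
"""
import base64
import hashlib
import re
from dataclasses import dataclass

# One alias line, e.g. "winsrvr2k16.emclab.local, Feb 20, 2019, trustedCertEntry,"
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+), (?P<added>[A-Za-z]{3} \d{1,2}, \d{4}), (?P<kind>\w+),\s*$")
# The fingerprint line that follows it; newer JDKs print "SHA-256" instead of "SHA1".
FP_RE = re.compile(
    r"^Certificate fingerprint \((?P<algo>[A-Z0-9-]+)\): (?P<fp>[0-9A-F:]+)\s*$")

# Constructed sample: first entry from the article, second fingerprint made up.
SAMPLE_LISTING = """\
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

emcauthctomcat, Feb 6, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
winsrvr2k16.emclab.local, Feb 20, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
"""


@dataclass
class TrustEntry:
    alias: str
    added: str
    kind: str
    algo: str
    fingerprint: str


def parse_keytool_list(text):
    """Return one TrustEntry per alias/fingerprint pair in keytool -list output."""
    entries, pending = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = FP_RE.match(line)
        if m and pending is not None:
            entries.append(TrustEntry(pending["alias"], pending["added"], pending["kind"],
                                      m.group("algo"), m.group("fp")))
            pending = None
    return entries


def pem_fingerprint(pem_text, algo="sha1"):
    """Fingerprint of the first CERTIFICATE block of a PEM file, in keytool's AA:BB:... form."""
    b64, inside = [], False
    for line in pem_text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            inside = True
        elif line.startswith("-----END CERTIFICATE-----"):
            break
        elif inside:
            b64.append(line.strip())
    der = base64.b64decode("".join(b64))  # keytool hashes the DER encoding
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def find_alias(entries, alias):
    """Case-insensitive alias lookup (keytool stores aliases lower-cased)."""
    for e in entries:
        if e.alias.lower() == alias.lower():
            return e
    return None


def unexpected_aliases(entries, allowed):
    """Aliases present in the store but not on the allow-list of expected trust anchors."""
    allowed = {a.lower() for a in allowed}
    return sorted(e.alias for e in entries if e.alias.lower() not in allowed)


if __name__ == "__main__":
    entries = parse_keytool_list(SAMPLE_LISTING)
    for e in entries:
        print(f"{e.alias:26} {e.added:13} {e.kind:17} {e.algo} {e.fingerprint}")
    print("not on allow-list:", unexpected_aliases(entries, ["emcauthctomcat"]))
```

To use it on a real system, feed it the captured output of the `keytool -list` command from the article and compare `pem_fingerprint()` of the `.cer` file you are about to import with the fingerprint of the alias already in the store; a mismatch means the store holds a different certificate under that alias than the one you expect.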
8. a) There is a known issue where selecting LDAP over SSL sets the internal configuration parameter "is active directory" to false. This prevents successful AD logins even though the configuration itself succeeds. It can be avoided by using the method detailed in the Limitations section or by using the authc script method outlined in: https://www.dell.com/support/kbdoc/000020799
When using the AD script template the configuration should show:
root@nwserver:~/#: authc_config -u Administrator -e find-all-configs
Enter password:
The query returns 1 records.
Config Id Config Name
3 AD_over_SSL
root@nwserver:~/#: authc_config -u Administrator -e find-config -D config-id=3
Enter password:
Config Id : 3
Config Tenant Id : 1
Config Name : AD_over_SSL
Config Domain : emclab.local
Config Server Address : ldaps://winsrvr2k16.emclab.local:636/dc=emclab,dc=local
Config User DN : cn=Administrator,cn=users,dc=emclab,dc=local
Config User Group Attribute : memberOf
Config User ID Attribute : sAMAccountName
Config User Object Class : user
Config User Search Filter :
Config User Search Path :
Config Group Member Attribute: member
Config Group Name Attribute : cn
Config Group Object Class : group
Config Group Search Filter :
Config Group Search Path :
Config Object Class : objectclass
Is Active Directory : true
Config Search Subtree : true
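Because the known issue above only shows up as `Is Active Directory : false` in the `find-config` output, it is worth checking that output mechanically after every configuration change. The following added example (not code from the article or from Dell) parses the `Key : value` lines that `authc_config -e find-config` prints and reports the things this article cares about: whether the server address really is `ldaps://` on 636 rather than clear-text `ldap://`, whether an AD-looking configuration has the `Is Active Directory` flag switched off, and whether the bind account is a domain administrator where a read-only account would do. The severity labels and the use of `sAMAccountName` as an "this is AD" indicator are this example's own assumptions; the sample input is constructed from the article's `AD_over_SSL` listing.

```python
"""Sanity-check an authc_config `find-config` listing for LDAPS / AD settings.

Added example, not Dell code. Parses "Key : value" lines as printed by
authc_config -e find-config and reports the misconfigurations the article
discusses. Severity labels and the sAMAccountName heuristic are assumptions.
"""
import re
from urllib.parse import urlsplit

# Only the configuration lines; prompts such as "root@nwserver:~/#:" do not match.
KV_RE = re.compile(r"^(Config [A-Za-z ]+?|Is Active Directory)\s*:\s*(.*)$")

# Constructed from the article's AD_over_SSL listing.
SAMPLE_CONFIG = """\
Config Id : 3
Config Tenant Id : 1
Config Name : AD_over_SSL
Config Domain : emclab.local
Config Server Address : ldaps://winsrvr2k16.emclab.local:636/dc=emclab,dc=local
Config User DN : cn=Administrator,cn=users,dc=emclab,dc=local
Config User Group Attribute : memberOf
Config User ID Attribute : sAMAccountName
Config User Object Class : user
Config User Search Filter :
Config Group Member Attribute: member
Config Group Name Attribute : cn
Config Group Object Class : group
Is Active Directory : true
Config Search Subtree : true
"""


def parse_find_config(text):
    """Map each 'Key : value' line to a dict; blank values stay as empty strings."""
    cfg = {}
    for line in text.splitlines():
        m = KV_RE.match(line.strip())
        if m:
            cfg[m.group(1).strip()] = m.group(2).strip()
    return cfg


def check_config(cfg):
    """Return 'LEVEL: message' findings; an empty list means nothing to report."""
    findings = []

    url = urlsplit(cfg.get("Config Server Address", ""))
    if url.scheme == "ldap":
        findings.append("WARN: ldap:// in use; the bind password and directory "
                        "traffic cross the network in clear text")
    elif url.scheme == "ldaps":
        if url.port not in (None, 636):
            findings.append(f"INFO: ldaps on non-default port {url.port}")
    else:
        findings.append("ERROR: server address is not an ldap:// or ldaps:// URL")

    # Heuristic (assumption): sAMAccountName only exists in the AD schema, so an
    # AD-looking config with the flag off is the LDAP-over-SSL issue the article describes.
    is_ad = cfg.get("Is Active Directory", "").lower() == "true"
    if cfg.get("Config User ID Attribute") == "sAMAccountName" and not is_ad:
        findings.append("ERROR: AD schema attributes but 'Is Active Directory' is false; "
                        "AD logins will fail")

    # Least privilege: the bind account only needs read access to the directory.
    if re.match(r"^cn=administrator,", cfg.get("Config User DN", ""), re.IGNORECASE):
        findings.append("INFO: bind account is Administrator; a read-only service "
                        "account is sufficient")
    return findings


if __name__ == "__main__":
    cfg = parse_find_config(SAMPLE_CONFIG)
    for finding in check_config(cfg) or ["OK: no findings"]:
        print(finding)
```

Run it against the captured output of the `authc_config -e find-config -D config-id=N` command from the article; an `ERROR` finding for the `Is Active Directory` flag is the signature of the known issue and means the configuration has to be recreated using the script method rather than the NMC wizard.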
authc_mgmt -u Administrator -p NetWorker_Admin_Pass -e query-ldap-users -D query-tenant=tenant_name -D query-domain=domain_name
authc_mgmt -u Administrator -p NetWorker_Admin_Pass -e query-ldap-groups -D query-tenant=tenant_name -D query-domain=domain_name
authc_mgmt -u Administrator -p NetWorker_Admin_Pass -e query-ldap-groups-for-user -D query-tenant=tenant_name -D query-domain=domain_name -D user-name=ad/ldap_username
e.g.:
authc_mgmt -u Administrator -p Pa$$w0rd01 -e query-ldap-users -D query-tenant=default -D query-domain=emclab.local
The query returns 21 records.
User Name Full Dn Name
Administrator cn=Administrator,cn=Users,dc=emclab,dc=local
Guest cn=Guest,cn=Users,dc=emclab,dc=local
...
...
authc_mgmt -u Administrator -p Pa$$w0rd01 -e query-ldap-groups -D query-tenant=default -D query-domain=emclab.local
The query returns 55 records.
Group Name Full Dn Name
Administrators cn=Administrators,cn=Builtin,dc=emclab,dc=local
NetWorker_Admins cn=NetWorker_Admins,cn=Users,dc=emclab,dc=local
...
...
authc_mgmt -u Administrator -p Pa$$w0rd01 -e query-ldap-groups-for-user -D query-tenant=default -D query-domain=emclab.local -D user-name=bkupadmin
The query returns 5 records.
Group Name Full Dn Name
Domain Admins cn=Domain Admins,cn=Users,dc=emclab,dc=local
NetWorker_Admins cn=NetWorker_Admins,cn=Users,dc=emclab,dc=local
...
...
authc_config -u Administrator -p NetWorker_Admin_Pass -e add-permission -D permission-name=FULL_CONTROL -D permission-group-dn="AD/LDAP_group_dn"
e.g.:
authc_config -u Administrator -p Pa$$w0rd01 -e add-permission -D permission-name=FULL_CONTROL -D permission-group-dn="cn=NetWorker_Admins,cn=Users,dc=emclab,dc=local"
Permission FULL_CONTROL is created successfully.
authc_config -u Administrator -p Pa$$w0rd01 -e find-all-permissions
The query returns 2 records.
Permission Id Permission Name Group DN Pattern Group DN
1 FULL_CONTROL ^cn=Administrators,cn=Groups.*$
2 FULL_CONTROL cn=NetWorker_Admins,cn=Users,dc=emclab..
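The `find-all-permissions` listing shows two ways a permission can be bound to a group: a Group DN Pattern (the built-in `^cn=Administrators,cn=Groups.*$`) or a literal Group DN (the `NetWorker_Admins` entry just created). The following added example (not code from the article or from Dell) works out which permissions a user ends up with by combining the groups that `query-ldap-groups-for-user` returned for `bkupadmin` with those two permission entries. It assumes that a Group DN Pattern is evaluated as a regular expression and a Group DN as an exact match, and that DN comparison is case-insensitive with whitespace after commas ignored; the `helpdesk` user and its group are constructed to show a user who is not granted anything.

```python
"""Work out which authc permissions a user's AD/LDAP groups satisfy.

Added example, not Dell code. Assumptions: a Group DN Pattern is a regular
expression, a Group DN is a literal DN, a user holds the permission when any
of their group DNs matches, and DNs compare case-insensitively with
whitespace after commas ignored.
"""
import re
from dataclasses import dataclass


@dataclass
class Permission:
    permission_id: int
    name: str
    group_dn_pattern: str = ""   # regex, the "Group DN Pattern" column
    group_dn: str = ""           # literal DN, the "Group DN" column


def normalize_dn(dn):
    """Lower-case the DN and drop spaces after the separating commas."""
    return re.sub(r",\s+", ",", dn.strip()).lower()


def permission_matches(perm, group_dn):
    """True if this permission entry applies to the given group DN."""
    dn = normalize_dn(group_dn)
    if perm.group_dn_pattern:
        return re.search(perm.group_dn_pattern, dn, re.IGNORECASE) is not None
    return bool(perm.group_dn) and normalize_dn(perm.group_dn) == dn


def granted_permissions(perms, user_group_dns):
    """Names of the permissions satisfied by at least one of the user's groups."""
    return sorted({p.name for p in perms for g in user_group_dns if permission_matches(p, g)})


def explain(perms, user, user_group_dns):
    """Granted permissions plus the (permission id, group DN) pairs that produced them."""
    via = [(p.permission_id, g) for p in perms for g in user_group_dns if permission_matches(p, g)]
    return {"user": user, "granted": granted_permissions(perms, user_group_dns), "via": via}


# Constructed from the article's find-all-permissions output.
PERMISSIONS = [
    Permission(1, "FULL_CONTROL", group_dn_pattern=r"^cn=Administrators,cn=Groups.*$"),
    Permission(2, "FULL_CONTROL", group_dn="cn=NetWorker_Admins,cn=Users,dc=emclab,dc=local"),
]
# Constructed from the article's query-ldap-groups-for-user output for bkupadmin.
BKUPADMIN_GROUPS = [
    "cn=Domain Admins,cn=Users,dc=emclab,dc=local",
    "cn=NetWorker_Admins,cn=Users,dc=emclab,dc=local",
]
# Constructed: a user who is in the directory but in no NetWorker-mapped group.
HELPDESK_GROUPS = ["cn=Domain Users,cn=Users,dc=emclab,dc=local"]


if __name__ == "__main__":
    print(explain(PERMISSIONS, "bkupadmin", BKUPADMIN_GROUPS))
    print(explain(PERMISSIONS, "helpdesk", HELPDESK_GROUPS))
```

Note that the built-in pattern only covers the local `cn=Groups` container, so an AD user whose only privileged group is `cn=Administrators,cn=Builtin,...` is not granted anything by it; access for AD users comes from the explicit `add-permission` entry, which is why reviewing `find-all-permissions` is the right place to audit who holds FULL_CONTROL.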
| Field | Description |
|---|---|
| Server Type | Select LDAP if the authentication server is a Linux/UNIX LDAP server, or Active Directory if you are using a Microsoft Active Directory server. |
| Authority Name | A name for this external authentication authority. It can be anything you like; it only distinguishes this authority from others when several are configured. |
| Provider Server Name | The Fully Qualified Domain Name (FQDN) of your AD or LDAP server. |
| Tenant | Tenants can be used in environments where more than one authentication method is used and/or multiple authorities must be configured. By default, the "default" tenant is selected. The tenant changes the log-in format: with the default tenant you log in to the NMC as "domain\user"; with any other tenant you must log in as "tenant\domain\user". |
| Domain | Your full domain name (excluding any hostname). Typically this is your base DN, which consists of the Domain Component (DC) values of your domain. |
| Port Number | Use port 389 for LDAP and AD; use port 636 for LDAP over SSL. These are the directory server's default ports on the AD/LDAP server, not NetWorker ports. |
| User DN | The Distinguished Name (DN) of a user account that has full read access to the LDAP or AD directory. Specify the DN relative to the domain, or the full DN if overriding the value set in the Domain field. |
| User DN Password | The password of the user account specified in User DN. |
| Group Object Class | The object class that identifies groups in the LDAP or AD hierarchy. |
| Group Search Path | Can be left blank, in which case authc queries the full domain. Permissions must still be granted for NMC/NetWorker server access before these users/groups can log in to the NMC and manage the NetWorker server. Specify the path relative to the domain rather than a full DN. |
| Group Name Attribute | The attribute that identifies the group name. For example, cn. |
| Group Member Attribute | The attribute that records a user's membership in a group. |
| User Object Class | The object class that identifies users in the LDAP or AD hierarchy. For example, inetOrgPerson or user. |
| User Search Path | Like Group Search Path, this can be left blank, in which case authc queries the full domain. Specify the path relative to the domain rather than a full DN. |
| User ID Attribute | The user ID attribute associated with the user object in the LDAP or AD hierarchy. |