Skip to main content
Sign Out

Welcome to Dell

My Account
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.
Sign In Create an Account Premier Sign In Partner Program Sign In
Contact Us
Some article numbers may have changed. If this isn't what you're looking for, try searching all articles. Search articles

Article Number: 000203005

NetWorker: How to configure "AD over SSL" (LDAPS) from The NetWorker Web User Interface (NWUI)

Summary: This KB details the process that is required for configuring "AD over SSL" (LDAPS) from the NetWorker Web User Interface (NWUI). The option to configure external authority repositories from NWUI was made available in NetWorker 19.6.x and later. ...

This article may have been automatically translated. If you have any feedback regarding its quality, please let us know using the form at the bottom of this page.

Article Content

Instructions

In order to configure an SSL connection for authentication the root CA (or CA chain when used) must be imported into the cacerts file that is used by NetWorker's authc process.

Configuring AUTHC to use SSL

1. Open an administrative PowerShell prompt or root SSH session on the NetWorker server and cd to NetWorker's Java directory.
  • If you are using NetWorker Runtime Environment (NRE) for the AUTHC server's Java instance, the location is:
    • Linux: /opt/nre/java/latest/bin/
    • Windows: C:\Program Files\NRE\java\jrex.x.x_xxx\bin
  • If you are using Oracle Java the file path may differ depending on the location that is installed and the Java version used. 
2. Display a list of current trusted certificates in the trust store. 
nve:/opt/nre/java/latest/bin # keytool -list -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit
  • The default password for the storepass is changeit.
  • On Windows servers the keytool command would be run from the Java bin directory but would look something like: 
keytool -list -keystore ..\lib\security\cacerts -storepass changeit
 
3. Review the list for an alias that matches your LDAPS server (this may not exist). You can use operating system grep or findstr commands with the above command to narrow the search. If there is an outdated or existing CA certificate from your LDAPS server, delete it with the following command: 
keytool -delete -alias ALIAS_NAME -keystore ../lib/security/cacerts -storepass changeit
  • Replace ALIAS_NAME with the alias name of the LDAPS server collected from the output in 2.
4, a. Use the OpenSSL tool to obtain a copy of the CA certificate from the LDAPS server. 
openssl s_client -showcerts -connect LDAPS_SERVER:636
  • Replace LDAPS_SERVER with the hostname or IP address of your LDAPS server.
  • By default, Windows hosts do not include the openssl program. If it is not possible to install OpenSSL on the NetWorker server, the certificates can be exported directly from the LDAPS server; however, it is highly recommended to use the OpenSSL utility. The following options are available when the NetWorker server is Windows and if you cannot install OpenSSL.
    • Have your AD admin provide one or more certificates by exporting them as Base-64 encoded x.509 format.
    • If a Linux system exists in the environment, use it to collect the openssl output. This command does not need to be run on the NetWorker server, we just need it to collect the PEM certificate output.
4, b. The above command outputs the CA certificate or a chain of certificates in PEM format, e.g: 
-----BEGIN CERTIFICATE-----
MIIGQDCCBSigAwIBAgITbgAAAAiwkngyAQWDwwACAAAACDANBgkqhkiG9w0BAQsF
ADBPMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFjAUBgoJkiaJk/IsZAEZFgZlbWNs
...
7NZfi9DiEBhpFmbF8xP96qB/kTJC+29t/0VE8Fvlg87fRhs5BceIoX8nUnetNCdm
m4mGyefXz4TBTwD06opJf4NQIDo=
-----END CERTIFICATE-----
NOTE: If there is a chain of certificates the last certificate is the CA certificate. You must import each certificate in the chain in order (top down) ending with the CA certificate.
 
5. Copy the certificate starting from ---BEGIN CERTIFICATE--- and ending with ---END CERTIFICATE--- and paste it into a new file. If there is a chain of certificates, you must do this with each certificate.

6. Import the certificate or certificate file(s) created in the above step: 
keytool -import -alias ALIAS_NAME -keystore ../lib/security/cacerts -storepass changeit -file PATH_TO\CERT_FILE
  • Replace ALIAS_NAME with an alias for the imported certificate (for example: ldaps). When importing multiple certificates for a certificate chain, each certificate must have a different ALIAS name and be imported separately. The certificate chain must also be imported in order from step 4, b (top down).
  • Replace PATH_TO\CERT_FILE with the location of the cert file that you created in step 5.
You are prompted to import the certificate, type yes and press enter. 
nve:/opt/nre/java/latest/bin # keytool -import -alias ldaps -keystore ../lib/security/cacerts -storepass changeit -file ~/ca.cer
Owner: 
Issuer: CN=AMER-DC-CA, DC=dc, DC=lan
Serial number: 4900000004501b5e1c46b7c875000000000004
Valid from: Wed Feb 13 16:39:37 EST 2024 until: Sat Feb 13 16:49:37 EST 2026
Certificate fingerprints:
         SHA1: CD:C5:E0:7B:52:68:4D:85:2D:08:FC:73:49:2F:53:08:4B:CC:DE:03
         SHA256: 4B:B6:E9:B4:63:34:9B:55:52:A2:23:D1:57:5D:98:92:EB:B8:C3:31:CD:55:CD:53:B8:F0:D6:BB:64:A6:D6:61
...
...
...

Trust this certificate? [no]:  yes
Certificate was added to keystore
NOTE: Pipe (|) the operating system grep or findstr command to the above to narrow the result.  
nve:/opt/nre/java/latest/bin # keytool -list -keystore ../lib/security/cacerts -storepass changeit | grep ldaps
ldaps, Feb 13, 2024, trustedCertEntry, 
7. Restart the NetWorker server services. 
 
Linux: systemctl restart networker
Windows: net stop nsrd ; net start nsrd
 
NOTE: If the NetWorker server services are not restarted, authc does not read the cacerts file, and it will not detect the imported certificates that are required for establishing SSL communication with the LDAP server.

Creating "AD over SSL" external authority resource from NWUI

1. From a web browser, access the NWUI server: https://nwui-server-name:9090/nwui
2. Log in using the NetWorker Administrator account.
3. From the menu, expand Authentication Server and click External Authorities.
4. From External Authorities, click Add+.
5. Populate the configuration fields:

Basic Configuration:
Field
Value
Name
A descriptive name, without spaces for the LDAP or AD configuration. The maximum number of characters is 256. Specify ASCII characters in the configuration name only.
Server Type
AD over SSL
Provider Server Name 
Specifies the hostname or IP address of the Active Directory Server.
Port
Port 636 is used for SSL, this field should populate automatically if "AD over SSL" is selected.
Tenant
Select the tenant if configured. If no tenant is configured or required, you can use the "default." 
Configuring a tenant requires the following login syntax "tenant_name\domain_name\user_name." If the default tenant is used (common), then the login syntax is "domain_name\user_name." 

Tenant—Top-level organizational container for the NetWorker Authentication Service. Each external authentication authority in the local database is assigned to a tenant. A Tenant can contain one or more Domains, but the domain names must be unique within the tenant. NetWorker Authentication Service creates one integrated tenant name Default, which contains the Default domain. Creating multiple tenants helps you to manage complex configurations. For example, service providers with restricted datazones (RDZ) can create multiple tenants to provide isolated data protection services to tenant users.
Domain
The full domain name including all DC values; e.g: example.com
User DN
Specifies the full distinguished name (DN) of a user account that has full read access to the AD directory.
User DN Password
Specifies the password of the user account that is used to access and read the AD direct.
 
Advanced Configuration:
Group Object Class
Required. The object class that identifies groups in the LDAP or AD hierarchy.
● For LDAP, use groupOfUniqueNames or
groupOfNames.
● For AD, use group.
Group Search Path (optional)
A DN that specifies the search path that the authentication service should use when searching for groups in the LDAP or AD hierarchy.
Group Name Attribute
The attribute that identifies the group name. For example, cn.
Group Member Attribute
The group membership of the user within a group.
● For LDAP:
○ When the Group Object Class is groupOfNames the attribute is commonly member.
○ When the Group Object Class is groupOfUniqueNames the attribute is commonly uniquemember.
● For AD, the value is commonly member.
User Object Class
The object class that identifies the users in the LDAP or AD hierarchy. For example, person.
User Search Path (optional)
The DN that specifies the search path that the authentication service should use when searching for users in the LDAP or AD hierarchy. Specify a search path that is relative to the base DN that you specified in the configserver-address option. For example, for AD, specify cn=users.
User ID Attribute
The user ID that is associated with the user object in the LDAP or AD hierarchy.
For LDAP, this attribute is commonly uid.
For AD, this attribute is commonly sAMAccountName.
NOTE: Consult with your AD/LDAP admin to confirm which AD/LDAP specific fields are needed for your environment.

6. When done click save.
7. A summary of the configured external authority resource should now appear:

Configuration Example

8. From the Server->User Groups menu Edit the User Groups that contain the rights that you want to delegate to AD/LDAP Groups or Users. For example to grant full Admin rights the AD group/user DN should be specified in the External Roles field of the Application Administrators and Security Administrators roles.

e.g: CN=NetWorker_Admins,DC=amer,DC=lan

image.png

This can also be done from command line:

nsraddadmin -e "AD_DN"
Example: 
nve:~ # nsraddadmin -e "CN=NetWorker_Admins,DC=amer,DC=lan"
134751:nsraddadmin: Added role 'CN=NetWorker_Admins,DC=amer,DC=lan' to the 'Security Administrators' user group.
134751:nsraddadmin: Added role 'CN=NetWorker_Admins,DC=amer,DC=lan' to the 'Application Administrators' user group.


9. Once the AD group and/or user DNs have been specified click Save. 
10. Log out of the NWUI interface and log back in using the AD account:

image.png

11. The user icon in the upper-right corner indicates which user account is signed in.

Additional Information

You can use the authc_mgmt command on your NetWorker server to confirm that the AD/LDAP groups/users are visible: 
authc_mgmt -u Administrator -p NetWorker_Admin_Pass -e query-ldap-users -D query-tenant=tenant_name -D query-domain=domain_name
authc_mgmt -u Administrator -p NetWorker_Admin_Pass -e query-ldap-groups -D query-tenant=tenant_name -D query-domain=domain_name
authc_mgmt -u Administrator -p NetWorker_Admin_Pass -e query-ldap-groups-for-user -D query-tenant=tenant_name -D query-domain=domain_name -D user-name=ldap_username
e.g:

authc_mgmt -u Administrator -p Pa$$w0rd01 -e query-ldap-users -D query-tenant=default -D query-domain=lab.emc.com
The query returns 21 records.
User Name      Full Dn Name
Administrator  cn=Administrator,cn=Users,dc=lab,dc=emc,dc=com
Guest          cn=Guest,cn=Users,dc=lab,dc=emc,dc=com
...
...

authc_mgmt -u Administrator -p Pa$$w0rd01 -e query-ldap-groups -D query-tenant=default -D query-domain=lab.emc.com
The query returns 55 records.
Group Name                              Full Dn Name
Administrators                          cn=Administrators,cn=Builtin,dc=lab,dc=emc,dc=com
NetWorker_Admins                        cn=NetWorker_Admins,cn=Users,dc=lab,dc=emc,dc=com
...
...

authc_mgmt -u Administrator -p Pa$$w0rd01 -e query-ldap-groups-for-user -D query-tenant=default -D query-domain=lab.emc.com -D user-name=bkupadmin
The query returns 5 records.
Group Name              Full Dn Name
Domain Admins           cn=Domain Admins,cn=Users,dc=lab,dc=emc,dc=com
NetWorker_Admins        cn=NetWorker_Admins,cn=Users,dc=lab,dc=emc,dc=com
...
...
 
NOTE: On some systems, the authc commands may fail with an "incorrect password" error even when the correct password is given. This is due to the password being specified as visible text with the "-p" option. If you encounter this, remove "-p password" from the commands. You will be prompted to enter the password hidden after running the command.


Additional Resources:

Article Properties

Affected Product

NetWorker

Product

NetWorker Family, NetWorker Series

Last Published Date

20 Jun 2024

Version

6

Article Type

How To

Back to Top