This KB primarily focuses on what is needed to configure LDAPS, for a broader explanation of what is needed to integrate AD/LDAP with NetWorker see:
NetWorker: How To Set up AD/LDAP Authentication
NOTE: External Authority can be configured from the NetWorker Management Console and NetWorker Web User Interface (NWUI); however, Configuring Active Directory over LDAPS is generally recommended to use the authc_config script or NWUI (19.7 and later). The NMC configuration option only offers "LDAP over SSL"; if this option is used it will set "Active Directory: false" . This option expects that the authentication server is LDAP instead of Microsoft Active Directory. This will result in failed logins. The process outlined in this KB details how to configure LDAPS using the authc_configure script. NWUI (19.7 and later) offers an "AD over SSL" option.
NetWorker: How to configure "AD over SSL" (LDAPS) from The NetWorker Web User Interface (NWUI)
It is recommended to get the AD/LDAP configuration working over LDAP first, then convert it to LDAPS as to rule out any potential configuration issues.
To use LDAPS you must import the CA certificate (or certificate chain) from the LDAPS server into the JAVA trust keystore. This can be done with the following procedure:
1) Open an administrative/root command prompt.
2,a) Display a list of current trusted certificates in the trust store.
keytool -list -keystore JAVA_PATH/jre/lib/security/cacerts -storepass PASSWORD
- Typically the JAVA binary location is a part of the OS PATH environmental variable so "keytool" can be run from anywhere. If the OS fails to find the keytool binary. Run the keytool commands from the JAVA \bin directory on your NetWorker server.
- Replace JAVA_PATH with the path to your JAVA installation, the path name varies based on the JAVA version installed.
- On systems with NetWorker Runtime Environment (NRE) installed this is typically:
- Linux: /opt/nre/java/latest/
- Windows: C:\Program Files\NRE\java\jre-###
- Replace password with the JAVA storepass. The default value is changeit.
[root@rhel7 /]# keytool -list -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/security/cacerts -storepass changeit
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 156 entries
emcauthctomcat, 9-Jul-2018, trustedCertEntry,
Certificate fingerprint (SHA1): 01:9B:AF:A4:0D:DA:33:6D:AE:7A:76:8D:84:D5:EB:E2:63:13:0A:0A
...
...
2,b) Review the list for an alias that matches your LDAPS server (this may not exist). You can use OS grep/findstr commands with the above command to narrow the search. If there is an outdated/existing CA certificate from your LDAPS server, delete it with the following command:
keytool -delete -alias ALIAS_NAME -keystore JAVA_PATH/jre/lib/security/cacerts -storepass PASSWORD
- Replace ALIAS_NAME with the alias name of the LDAPS server collected from the output in 2,a.
3,a) Use the OpenSSL tool to obtain a copy of the CA certificate from the LDAPS server.
openssl s_client -showcerts -connect LDAPS_SERVER:636
- By default, Windows hosts do not include the openssl program. If it is not possible to install OpenSSL on the NetWorker server, the certificates can be exported directly from the LDAPS server; however, it is highly recommended to use the OpenSSL utility.
- Unless the path to the OpenSSL binaries directory is a part of the OS PATH environmental variable you will need to run the OpenSSL commands from their binary location.
- If you do not have OpenSSL and it cannot be installed have your AD admin provide the certificate(s) by exporting them as Base-64 encoded x.509 format.
- Replace LDAPS_SERVER with the hostname or IP address of your LDAPS server.
3,b) The above command will output the CA certificate or a chain of certificates in PEM format, e.g:
-----BEGIN CERTIFICATE-----
MIIGQDCCBSigAwIBAgITbgAAAAiwkngyAQWDwwACAAAACDANBgkqhkiG9w0BAQsF
ADBPMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFjAUBgoJkiaJk/IsZAEZFgZlbWNs
...
7NZfi9DiEBhpFmbF8xP96qB/kTJC+29t/0VE8Fvlg87fRhs5BceIoX8nUnetNCdm
m4mGyefXz4TBTwD06opJf4NQIDo=
-----END CERTIFICATE-----
NOTE: If there is a chain of certificates the last certificate is the CA certificate. You will need to import each certificate in the chain in order (top down) ending with the CA certificate.
3,c) Copy the certificate starting from
---BEGIN CERTIFICATE--- and ending with
---END CERTIFICATE--- and paste it into a new file. If there is a chain of certificates you will need to do this with each certificate.
4) Import the certificate(s) created in 3,c into the JAVA trust keystore:
keytool -import -alias ALIAS_NAME -keystore JAVA_PATH/jre/lib/security/cacerts -storepass PASSWORD -file PATH_TO\CERT_FILE
- Replace ALIAS_NAME with an alias for the imported certificate. Typically this is the LDAPS server name. If you need to import multiple certificates for a certificate chain, each certificate must have a different ALIAS name and be imported seperately. The certificate chain must also be imported in order from how it was presented in step 3,a (top down).
- Replace JAVA_PATH with the path to your JAVA installation, the path name varies based on the JAVA version installed.
- Replace password with the JAVA storepass. The default value is changeit.
- Replace PATH_TO\CERT_FILE with the location of the cert file you created in step 3,c.
- You will be prompted to import the certificate, type yes and hit enter.
[root@rhel7 /]# keytool -import -alias winsrvr2k16-ca -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/security/cacerts -storepass changeit -file /certificates/ca.cer
Owner: CN=WINSRVR2K16.emclab.local
Issuer: CN=emclab-WINSRVR2K16-CA, DC=emclab, DC=local
Serial number: 6e00000008b0927832010583c3000200000008
Valid from: Wed Sep 12 10:02:47 EDT 2018 until: Thu Sep 12 10:02:47 EDT 2019
Certificate fingerprints:
MD5: 08:FB:DE:58:7B:FC:62:C7:31:5D:37:28:2C:54:6D:68
SHA1: 06:72:D0:E9:19:31:8E:F6:2A:3A:47:60:52:91:0F:4F:2B:EB:10:9D
SHA256: AD:0B:2B:2F:FC:B8:9E:ED:48:16:38:04:A7:CA:6B:55:D9:92:88:CD:54:BB:84:C6:4D:5A:28:E2:35:04:B5:C7
...
...
...
Trust this certificate? [no]: yes
Certificate was added to keystore
5) Confirm that the certificate is shown in the keystore:
keytool -list -keystore JAVA_PATH/jre/lib/security/cacerts -storepass PASSWORD
NOTE: Pipe (|) the operating system grep or findstr command to the above to narrow the results.
[root@rhel7 /]# keytool -list -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/security/cacerts -storepass changeit | grep -i -A1 "winsrvr2k16*"
winsrvr2k16-ca, 12-Sep-2018, trustedCertEntry,
Certificate fingerprint (SHA1): 06:72:D0:E9:19:31:8E:F6:2A:3A:47:60:52:91:0F:4F:2B:EB:10:9D
6) Restart the NetWorker server services.
Linux:
nsr_shutdown
service networker start
Windows: net stop nsrd
net start nsrd
NOTE: If the NetWorker server services are not restarted, authc will not read the cacerts file and it will not detect the imported certificates required for establishing SSL communication with the LDAP server.
7,a) Update your authc-create-ad-config (Active Directory) OR authc-create-ldap-config (LDAP) script to use LDAPS:
Location:
| Linux |
/opt/nsr/authc-server/scripts/ |
| Windows |
[INSTALL DRIVE]:\Program Files\EMC NetWorker\nsr\authc-server\scripts\ |
authc_config -u administrator -e update-config \
-D "config-tenant-id=1" \
-D "config-active-directory=y" \
-D "config-name=ad" \
-D "config-domain=emclab" \
-D "config-server-address=ldaps://winsrvr2k16.emclab.local:636/DC=emclab,DC=local" \
-D "config-user-dn=cn=Administrator,cn=Users,dc=emclab,dc=local" \
-D "config-user-dn-password=Pa$$w0rd01" \
-D "config-user-search-path=" \
-D "config-user-id-attr=sAMAccountName" \
-D "config-user-object-class=user" \
-D "config-group-search-path=" \
-D "config-group-name-attr=cn" \
-D "config-group-object-class=group" \
-D "config-group-member-attr=member" \
-D "config-user-search-filter=" \
-D "config-group-search-filter=" \
-D "config-search-subtree=y" \
-D "config-user-group-attr=memberOf" \
-D "config-object-class=objectClass
NOTE: If you are adding a new config "-e add-config" should be used, if you are updating an existing config "-e update-config" should be used. In the config-server-address address line specify protocol "ldaps" (must be lower case) and port "636".
7,b) Run the script, from command line. It should report that the configuration has been updated/added successfully.
8) Confirm that the configuration has been updated:
authc_config -u Administrator -e find-all-configs
authc_config -u Administrator -e find-config -D config-id=CONFIG_ID
- You will be prompted to enter the NetWorker Administrator password with each command. The command can be run with the "-p password" flag but this can fail on some OS due to clear text password being used.
- Replace CONFIG_ID with the config id collected with the first command:
[root@rhel7 /]# authc_config -u Administrator -e find-config -D config-id=1
Enter password:
Config Id : 1
Config Tenant Id : 1
Config Name : ad
Config Domain : emclab
Config Server Address : ldaps://winsrvr2k16.emclab.local:636/DC=emclab,DC=local
Config User DN : cn=Administrator,cn=Users,dc=emclab,dc=local
Config User Group Attribute : memberOf
Config User ID Attribute : sAMAccountName
Config User Object Class : user
Config User Search Filter :
Config User Search Path :
Config Group Member Attribute: member
Config Group Name Attribute : cn
Config Group Object Class : group
Config Group Search Filter :
Config Group Search Path :
Config Object Class : objectClass
Is Active Directory : true
Config Search Subtree : true
The server is now authenticating with AD/LDAP over LDAPS.
If any errors or issues are encountered when following this procedure please check with your CA admin to ensure that the correct certificates are being used/pulled.
Whether you are using Windows Active Directory or Linux LDAP (e.g: OpenLDAP) the LDAP protocol is used for authentication. LDAP (Lightweight Directory Application Protocol) and Secure LDAP (LDAPS) are the connection protocols used between application and the Network Directory or Domain Controller within the infrastructure.
LDAP transmits communications in Clear Text, and LDAPS communication is encrypted and secure.