How do you set up SSL server authentication with CA LDAP SERVER?

Document ID : KB000021867
Last Modified Date : 14/02/2018

Description:

The CA LDAP Server LDAPTEST script is intended for use with non-SSL connections; there is no CA LDAP Server test script for SSL ports. The best approach is to test with an LDAP application or one of the many LDAP browsers available, such as JXplorer, Softerra LDAP Browser or Symlabs LDAP Browser. JXplorer is an open source LDAP browser that can be used with CA LDAP Server; it is not distributed by CA Technologies.

This document covers the SSL setup for server authentication between the CA LDAP Server and JXplorer (the client): the client verifies the server's certificate against the local CA certificate exported from z/OS, and the user then authenticates with a userid and password over the encrypted connection.

Solution:

LDAP Server SSL Setup and Configuration with JXplorer

The first two sections describe the CA ACF2 (external security manager) setup and the CA LDAP Server setup. The third section describes the JXplorer installation and configuration for an SSL connection to CA LDAP Server. In this example JXplorer is the client and CA LDAP Server is the server.

*********************************************************************
**                          Section 1                              **
**                  CA ACF2 Certificate/KEYRING Setup Steps        **
*********************************************************************
 
** Create the CERTAUTH local CA certificate
** (digital certificate subcommands run under the CERTDATA profile division)
 
ACF
SET PROFILE(USER) DIV(CERTDATA)
GENCERT CERTAUTH.LPARA SUBJ(CN='MVSLPARA' -
OU='Auditing Department' O='CA' C=US) -
LABEL(MVSLPARA CA) 
 
** Create the LDAP Server server certificate, signed by the local CA above.
** The label in SIGNWITH must match the LABEL given to the CERTAUTH certificate.
 
GENCERT LDAPR15.CERT SUBJ(CN='CALDAPSERVER' OU='CA' C=US) -
LABEL(LDAPServer) SIGNWITH(CERTAUTH LABEL(MVSLPARA CA))     
 
 
** Create a KEYRING for CA LDAP Server STC logonid
** Connect the CERTAUTH and PERSONAL certificate to the KEYRING
 
SET PROFILE(USER) DIV(KEYRING)     
INSERT LDAPR15.RING RINGNAME(LDAPR15Ring)
 
** Connect the signing CERTAUTH certificate and the LDAP Server certificate
** to the LDAP Server keyring. The server certificate is marked DEFAULT, so
** the LDAP Server presents it without a TLSCertificateLabel in slapd.conf.
   
CONNECT CERTDATA(CERTAUTH.LPARA) KEYRING(LDAPR15.RING) USAGE(CERTAUTH)
CONNECT CERTDATA(LDAPR15.CERT) KEYRING(LDAPR15.RING) USAGE(PERSONAL) -
DEFAULT
 
** Create the Resource Class FACILITY rules for access to the keyring.
** READ on IRR.DIGTCERT.LISTRING is sufficient here because the keyring is
** owned by the LDAP Server logonid itself; listing another logonid's
** keyring would require UPDATE.
 
ACF
SET RESOURCE(FAC)
COMPILE * STORE   
$KEY(IRR) TYPE(FAC)                           
DIGTCERT.LIST     UID(UID for LDAP Server logonid) SERVICE(READ) ALLOW
DIGTCERT.LISTRING UID(UID for LDAP Server logonid) SERVICE(READ) ALLOW
 
** Export the CERTAUTH certificate from z/OS to a dataset, which can be
** FTP'd in BINary format to the PC running JXplorer as a .der file.
** FORMAT(CERTDER) exports only the CA's public certificate (no private
** key), which is all the client needs to verify the server's certificate.
 
ACF                                                                 
SET PROFILE(USER) DIV(CERTDATA)                                      
EXPORT CERTAUTH.LPARA DSN('secmf.certauth.LPARA') FORMAT(CERTDER)
*********************************************************************
**                            Section 2                            **
** LDAP Server Configuration Changes for SSL Server Authentication **
*********************************************************************
 
Make the following two changes to slapd.conf to enable SSL:
 
 1) Add ldaps://:2389 to the hosturls statement. This is the SSL listener; 2389 is the port used in this example (the registered LDAPS port is 636).
 2) Uncomment the TLSKeyringName statement and set it to the RINGNAME of the z/OS keyring created in Section 1 (LDAPR15Ring). TLSCertificateLabel can stay commented out because the server certificate was connected to the keyring as the DEFAULT certificate.
 
Excerpt of /ldapr15/slapd.conf after the changes:
 
 ..  ..
 
############################################################### 
#       What port(s) is LDAP to listen on                       
############################################################### 
hosturls ldap://:389 ldaps://:2389                              
 
 ..  ..
 
###############################################################    
#       These values are used *if* you are using certs             
#       stored on a keyring                                        
###############################################################    
TLSKeyringName       LDAPR15Ring                                   
# TLSCertificateLabel  Name_Here   
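With the server side configured, the ldaps port can be checked for server authentication without a GUI client. The following Python script is an added example written for this article; it is not a CA LDAP Server or JXplorer tool and uses only the Python standard library. It trusts nothing but the exported CERTAUTH .der file, so the TLS handshake only succeeds if the LDAP Server presents a certificate signed by that local CA (otherwise ssl raises SSLCertVerificationError), and it then performs an LDAP v3 simple bind as the given userid and reports the resultCode. The script name ldaps_check.py, the function names and the sample response bytes are assumptions for illustration; the host name, port and bind DN defaults shown in the usage text are the article's own example values.

```python
"""Check SSL server authentication on a CA LDAP Server ldaps port (added example)."""
import getpass
import socket
import ssl
import sys

# ---- minimal BER / LDAP (RFC 4511) encoding, enough for a simple bind ----

def ber_len(n):
    """Encode a BER definite length (short form, or long form above 127)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value):
    """Non-negative INTEGER, minimal length with the sign bit kept clear."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def build_bind_request(msg_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = tlv(0x60, ber_int(3)                           # BindRequest is [APPLICATION 0]
               + tlv(0x04, bind_dn.encode("utf-8"))
               + tlv(0x80, password.encode("utf-8")))     # simple authentication is [0]
    return tlv(0x30, ber_int(msg_id) + bind)

def build_unbind_request(msg_id):
    return tlv(0x30, ber_int(msg_id) + b"\x42\x00")       # UnbindRequest [APPLICATION 2] NULL

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, body, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    tag, mid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("messageID missing")
    tag, resp, _ = read_tlv(body, pos)
    if tag != 0x61:                                       # BindResponse is [APPLICATION 1]
        raise ValueError("unexpected protocolOp 0x%02x" % tag)
    tag, rc, pos = read_tlv(resp, 0)
    if tag != 0x0A:                                       # resultCode is ENUMERATED
        raise ValueError("resultCode missing")
    _, _matched_dn, pos = read_tlv(resp, pos)
    _, diag, _ = read_tlv(resp, pos)
    return (int.from_bytes(mid, "big"), int.from_bytes(rc, "big"),
            diag.decode("utf-8", "replace"))

# Constructed sample (not captured from a real server): BindResponse, resultCode 0.
SAMPLE_BIND_RESPONSE_OK = bytes.fromhex("300c02010161070a010004000400")

# ---- network side: TLS with the exported CERTAUTH as the only trust anchor ----

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf

def recv_ldap_message(sock):
    """Read one complete BER-framed LDAPMessage from the socket."""
    head = recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + recv_exact(sock, length)

def check_ldaps_server_auth(host, port, ca_der_path, bind_dn, password, check_hostname=False):
    """TLS handshake trusting only the exported CA .der, then an LDAP simple bind."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)        # verify_mode is CERT_REQUIRED
    ctx.check_hostname = check_hostname                  # the example server cert has CN=CALDAPSERVER,
    with open(ca_der_path, "rb") as f:                   # not the host name, so this is off by default
        ctx.load_verify_locations(cadata=f.read())       # cadata accepts DER bytes directly
    with socket.create_connection((host, port), timeout=15) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            peer = tls.getpeercert()                     # only reached if the chain verified
            tls.sendall(build_bind_request(1, bind_dn, password))
            _, rc, diag = parse_bind_response(recv_ldap_message(tls))
            tls.sendall(build_unbind_request(2))
    return peer.get("subject"), rc, diag

if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: ldaps_check.py HOST PORT CA_DER_FILE BIND_DN\n"
                 "  e.g. ldaps_check.py CALDAPA.CA.com 2389 LPARA.der cn=USER002")
    host, port, ca_file, dn = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    try:
        subject, rc, diag = check_ldaps_server_auth(host, port, ca_file, dn, getpass.getpass("Password: "))
    except ssl.SSLCertVerificationError as e:
        sys.exit("server authentication FAILED (certificate not signed by the exported CERTAUTH): %s" % e)
    print("server certificate subject:", subject)
    print("bind resultCode:", rc, "(0 = success, 49 = invalidCredentials)", diag)
```

A resultCode of 49 (invalidCredentials) after a successful handshake still proves the server side of the SSL setup: the certificate chain to the local CA verified before any LDAP data was exchanged. Only the bind DN and password remain to be fixed in that case.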
*********************************************************************
**                             Section 3                           **
**            Connecting to CA LDAP Server with JXplorer           **
*********************************************************************

The following example demonstrates how to set up the JXplorer LDAP Browser for use with CA LDAP Server r15.0, and then uses it to display CA ACF2 logonid attributes.

  1. Download JXplorer: http://jxplorer.org/

  2. Follow the installation instructions.

Add the Signing CERTAUTH certificate to the JXplorer Keystore

From JXplorer click on the "Security" tab, then click on "Trusted Servers and CAs"

Figure 1

Next click on the "Add Certificate" button.

Figure 2

Next find and select the certificate(.der) that was FTP'd to your PC.

Figure 3

** Note that when adding the certificate you will be prompted
** for the password of the keystore; the JXplorer default keystore
** password is 'changeit'.

After selecting the certificate to add the new certificate will be shown in the list of Trusted Server Certificates.

Figure 4

Connect to CA LDAP Server over SSL with JXplorer and browse a LOGONID.

Click on CONNECT, Figure 5
Enter the LDAP Server host name, CALDAPA.CA.com in this example.
Enter the LDAP Server port, 2389 in this example (the ldaps port from the hosturls statement).
Select Level: SSL + User + Password.
In User DN enter cn=userid; in this example cn=USER002.
In Password, enter a valid password for the USER002 logonid.
Then click on the OK button to connect.

** Note that the server certificate created in Section 1 has CN=CALDAPSERVER.
** A client that enforces host name verification will only accept the connection
** if the host name entered matches the certificate's CN or subject alternative name.

Figure 6

After connecting, the tree shown below is displayed. Click on CALDAPA.CA.COM.

Figure 7

From the list of CA ACF2 records, Click on 'lids' in the tree to display a list of CA ACF2 logonids.

Figure 8

Click on a logonid to display the attributes.

Figure 9

Display of logonid AAAUSERS:

Figure 10