How to configure CA Business Intelligence's (CABI) LDAP Authentication to use LDAP over SSL layer

Document ID : KB000048383
Last Modified Date : 14/02/2018

Description:

This document provides information and instructions for setting up Lightweight Directory Access Protocol (LDAP) authentication in CABI 3.x using Secure Socket Layer (SSL).

This guide follows the typical chronological order of setting up an SSL LDAP configuration. However, if some of the steps are already done, they can be skipped.

This document assumes that LDAP over non-SSL already works correctly (meaning all the bind, base DN, group-mapping and search parameters work when LDAP is used without SSL).

With LDAP over non-SSL working, the only other change is to implement SSL over LDAP following the steps in this document.

Solution:

Obtain certutil and setup environment:

Certutil is a utility provided by Mozilla (previously it was obtained as part of the Netscape web browser). Mozilla provides an FTP site from which Certutil can be downloaded; it uses binaries and libraries from NSS and NSPR.

  1. Navigate to the below URL:

    ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_11_RTM/

  2. The above link shows platform-specific NSS binaries (version 3.11). Click on the "WINNT5.0_OPT.OBJ" folder.

  3. Download the file "nss-3.11.zip" and extract the zip file to a directory (e.g. C:\Temp).

  4. You should see the below structure (e.g. C:\Temp\nss-3.11):

    Figure 1

  5. Navigate to the below URL:

    ftp://ftp.mozilla.org/pub/nspr/releases/v4.4.1/

  6. The above link shows platform-specific NSPR binaries (version 4.4.1). Click on the "WINNT5.0_OPT.OBJ" folder.

  7. Download the file "nspr-4.4.1.zip" and extract the zip file to a directory (e.g. C:\Temp).

  8. You should see the below structure (e.g. C:\Temp\nspr-4.4.1):

    Figure 2

  9. Open a command prompt and navigate to the C:\Temp\nss-3.11\bin folder.

  10. On this command prompt, set the JAVA_HOME and PATH environment variables as below (the NSS and NSPR lib folders must be on the PATH so certutil.exe can load its DLLs):

    SET JAVA_HOME=E:\Progra~2\CA\SC\Common~1\javasdk\jre6
    SET PATH=%JAVA_HOME%\bin;c:\temp\nss-3.11\lib;c:\temp\nspr-4.4.1\lib;%PATH%

  11. Running the certutil.exe command should display the various options supported by the certutil executable.

Create the cert database

Cert8.db and Key3.db files

The cert8.db and key3.db files are created and managed using Certutil.

From the command line, you create a new cert8/key3 set using the following command:

certutil -N -d .

The command will prompt you for a password (its strength is not critical here, so you can type something simple like "password"). Remember to use the same password for all of your keystores.

This command creates a cert8.db, key3.db, and secmod.db file. You will only need the first two. Once the keystore is created, you can add your CA certificate to it:

Figure 3

certutil.exe -A -n cert-name -t trustargs [-d certdir] [-i File]

certutil -A -n "MyCA" -t "CT" -d . -i cacert.cer

The "MyCA" nickname is arbitrary and does not need to be customized. The C and T trust attributes are explained in the output below.

C:\>certutil -A -n "MyCA" -t "CT" -d . -i cacert.cer 
C:\>certutil -L -d . 
Certificate Name Trust Attributes 
MyCA CT,, 
p Valid peer 
P Trusted peer (implies p) 
c Valid CA 
T Trusted CA to issue client certs (implies c) 
C Trusted CA to certs(only server certs for ssl)(implies c) 
u User cert 
w Send warning >

Once the CA certificate is added as a trusted CA, this keystore is finished.

Cacerts keystore file

Note: Ensure that the cert8.db, key3.db and cacerts files are in the same directory after the below steps are followed. If they are not in the same directory, the LDAP bind usually fails.

Creating the cacerts keystore using Keytool, which is required by the CABI InfoView application, is described below.

The creation of the keystore (called "cacerts") and importing of the CA certificate is performed with one command:

keytool -import -v -alias MyCA -file certnew.cer -trustcacerts -keystore cacerts

Figure 4

You can verify that the import was successful using the following command:

keytool -list -v -keystore cacerts

Figure 5
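An added pre-flight check, written for this article and not part of CABI or the original KB, that covers the two points above: that cert8.db, key3.db and cacerts sit in one directory, and that the LDAPS endpoint's certificate actually chains to the CA you imported, which is the same trust decision the CABI plugin has to make. It assumes the CA certificate is available in PEM form; the host name and file names in the comments are placeholders.

```python
import os
import socket
import ssl

# Files the CABI LDAP plugin expects side by side (see the note above).
REQUIRED_FILES = ("cert8.db", "key3.db", "cacerts")


def missing_keystore_files(keystore_dir):
    """Return the names from REQUIRED_FILES that are absent from keystore_dir.

    An empty list means the directory is laid out the way the CMC expects;
    anything else is the usual cause of a failing LDAP bind.
    """
    return [name for name in REQUIRED_FILES
            if not os.path.isfile(os.path.join(keystore_dir, name))]


def ldaps_trusted_by_ca(host, port, ca_cert_file, timeout=5.0):
    """Open a TLS connection to host:port (LDAPS, usually 636) trusting only
    ca_cert_file (PEM-encoded CA certificate; a DER .cer must be converted).

    Returns (True, server_common_name) when the server certificate chains to
    that CA and its name matches the host, or (False, reason) otherwise.
    No LDAP operations are performed; only the handshake is checked.
    """
    try:
        ctx = ssl.create_default_context(cafile=ca_cert_file)
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = True
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = dict(x[0] for x in cert["subject"])
                return True, subject.get("commonName", "")
    except (ssl.SSLError, OSError) as exc:
        # Untrusted issuer, name mismatch, unreadable CA file or no listener.
        return False, str(exc)


if __name__ == "__main__":
    # Placeholder values; replace with your keystore folder and AD host.
    keystore_dir = r"C:\CABI\ldapssl"
    print("missing files:", missing_keystore_files(keystore_dir))
    print(ldaps_trusted_by_ca("ldap.example.local", 636,
                              os.path.join(keystore_dir, "cacert.pem")))
```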

Configuring LDAP in the CMC

A client certificate is required only for mutual authentication. If you need one, obtain it at the same time as you retrieve the CA certificate.

Connecting to LDAP

  1. Type the host name and SSL port (usually 636) of your LDAP server and click on Add. Click Next.

    Figure 6

  2. Select the appropriate LDAP server type or specify custom attribute mappings.

    Figure 7

  3. Type the base DN for your LDAP server (e.g. 'dc=itg,dc=local'). You need to know the exact syntax of the LDAP Distinguished Name within the AD server. You can use the dsquery command (e.g. dsquery user) on the AD server to obtain this information.

    Figure 8

  4. Type the Distinguished Name and password for the AD Admin account.

    Figure 9

  5. Select Server Authentication from the Type of SSL authentication dropdown list.

    Figure 10

  6. Select the appropriate option for server-side SSL strength.

    Figure 11

  7. Clear the "Use default value" checkbox for "Path to the certificate and key database files" and provide the path to the certificate and key database files.

    Figure 12

  8. Type the path to the cert8.db, key3.db, and cacerts files in the first field.

  9. Select whether or not to use SiteMinder SSO. If selected, configure the SiteMinder settings. This configuration is outside the scope of this document.

  10. On the LDAP users and aliases configuration page, you can specify how new aliases are added and how new users are created.

  11. Click Finish to apply the plugin configuration:

    Figure 13

Mapping users and groups

  1. In the LDAP tab of the authentication page, add the mappings in the "Add LDAP group (by cn or dn)" field (e.g. CN=CABIUsers,CN=Users,DC=itg,DC=local).

    Figure 14

    Figure 15

  2. Click Update at the bottom of the page. Enterprise will map in the LDAP objects that you have specified.

    You can log in to CABI InfoView and the CMC to verify the LDAP authentication.