How to set up SSL Between the SSO Server and Microsoft Active Directory Datastore?

Document ID : KB000054243
Last Modified Date : 14/02/2018

Description:

This document describes how to set up an encrypted communication channel between the CA Single Sign-On Policy Server and the Domain Controller hosting the Active Directory (AD) that is to be integrated as the SSO user data store.

This is accomplished by using the LDAPS (LDAP over SSL) interface provided by the DC (Domain Controller), with SSL as the communication protocol. The required X.509 certificates are issued with the embedded CA Directory's DXCertGen utility.

It is assumed that Microsoft Certificate Services are installed and operational on one of the Domain Controllers.

The OpenSSL libraries are attached for convenience (openSSL.zip).

Solution:

AD is integrated into the SSO Server by means of the embedded CA Directory's DXlink, also referred to as the LDAP router.

By default, payload data transferred via LDAP is not encrypted, so sensitive data such as user and application passwords is exposed in an unacceptable manner.

To mitigate this risk, DXlink can be configured to encrypt all data sent and received by using the Active Directory's LDAPS interface and communicating over SSL.

To set up SSL between the SSO Server and the AD datastore, complete the following steps:

  1. Download MS-CA Root Certificate

    • On the SSO Server machine, download OpenSSL (openSSL.zip, attached to this document for convenience, or from its community site) and unzip the archive to disk.

      With Internet Explorer, navigate to the Certificate Server web page running on the Domain Controller:
      http://hostname_DomainController/certsrv

    • Once connected to the Certificate Server web page, click the "Download a CA certificate, certificate chain, or CRL" option.

    • Click the "Base 64" radio button, and click the "Download CA certificate" link.

    • Save the CA certificate in the ..\certs folder, e.g. ..\certs\MS-Root_cert.cer.

  2. Convert the MS-CA Root Certificate into PEM format

    • Open a cmd prompt, cd to the OpenSSL folder and run the following command to convert the downloaded certificate into a PEM file:

      openssl x509 -in ..\certs\MS-Root_cert.cer -outform PEM -out ..\certs\CAcert.pem

  3. Establish the Trust between the SSO Server and the Domain Controller

    • On the SSO Server, map a network drive to the Domain Controller and copy the MS-CA Root Certificate to the embedded CA Directory's trusted root certificates store:

      copy ..\certs\CAcert.pem "%DXHOME%\config\ssld\CAcert.pem"

    • Import the MS-CA Root Certificate into the CA Directory's trusted root certificates store: open a cmd prompt and run the following command:

      DXCERTGEN -n "%DXHOME%\config\ssld\CAcert.pem" importca

  4. Create the CA Directory Server DSA Certificates

    • Open a cmd prompt and enter the following command:

      DXCERTGEN certs

  5. Install the CA Directory ssld service

    • To create the CA Directory's SSL online keystore, run the following command from a cmd prompt:

      ssld install caDIRssld -certfiles "%DXHOME%\config\ssld\personalities" -ca "%DXHOME%\config\ssld\trusted.pem"

    • Start the ssld service:

      net start ssld_caDIRssld
      (You can also accomplish this by starting the "eTrust Directory SSL daemon - caDIRssld" service from the Services control panel.)

  6. Configure DXlink to utilize the LDAPs interface of AD

    • Open the %dxhome%\config\knowledge\ad_name_router.dxc file and make sure it contains the following:

      address = tcp "ADServer1" port 636
      auth-levels = anonymous, clear-password, ssl-auth
      link-flags = dsp-ldap, ssl-encryption, ms-ad

    • Edit the %dxhome%\config\knowledge\PS_<servername>.dxc file and make sure it contains the following:

      auth-levels = anonymous, clear-password, ssl-auth

  7. Configure the SSO Server to use SSL when communicating with the AD_userDIR

    • From the Policy Manager, edit the ps-ldap and AD user data store and ensure the "SSL Connection" check box is enabled.

      Figure 1

      (Note that the SSO Server and Policy Manager do not exchange any X.509 keys and hence do not need a keystore themselves; instead they symmetrically encrypt their communication with a random number agreed upon with the destination at session initiation.)

  8. Testing and Verification

    • Shut down the SSO Server service and the PS and PSTD services, then restart them:

      net stop ssod
      dxserver stop all
      dxserver start all
      net start ssod

    • Start DXconsole and connect to the Router DSA:

      telnet localhost 13379
      set trace=x500;

    • Open the Policy Manager and start browsing the AD_userDIR.

    • In PS_<servername>.trace you should find essentially the following sequence:

      ... > <- #4 (SSL) LDAP BIND-REQ ...
      > (Remote) -> #5 (SSL) [Router_AD] DXLINK BIND-REQ ...
      > (Remote) <- #5 (SSL) [Router_AD] DXLINK BIND-CONFIRM ...
      > (Remote) <- #5 (SSL) [Router_AD] DXLINK COMPARE-CONFIRM ...
      > -> #4 (SSL) LDAP BIND-CONFIRM ...
      > <- #4 (SSL) LDAP SEARCH-REQ ...
      > (Remote) -> #5 (SSL) [Router_AD] DXLINK SEARCH-REQ ...

      Alternatively, you can use a network sniffer such as Wireshark to verify that all communication is handled via SSL.

  9. Test an SSL-encrypted LDAP connection to Microsoft Active Directory using JXplorer (optional)

    • On the SSO Server, make a backup of the current DXserver's offline trusted root CA store:
      copy "%DXHOME%\config\ssld\trusted.pem" "%DXHOME%\config\ssld\trusted.pem.backup"

    • List the DXserver's trusted root CAs:
      DXCERTGEN listca

    • Remove all trusted root CAs except DXCertGenPKI:
      DXCERTGEN -r 1 removeca
      (repeat until only DXCertGenPKI is listed)

    • Copy the resulting "%DXHOME%\config\ssld\trusted.pem" (CA Directory CA root certificate) and the ..\certs\MS-Root_cert.pfx
      (MS-CA root certificate) to a temporary location on the JXplorer host.

    • Restore the DXserver's offline trusted root CA store:
      copy "%DXHOME%\config\ssld\trusted.pem.backup" "%DXHOME%\config\ssld\trusted.pem"

    • On the JXplorer host, enable the Certificates MMC snap-in:
      Start Menu -> Run -> mmc -> Console -> Add/Remove Snap-in -> Add -> Certificates -> Add -> Computer Account -> Local Computer -> Finish -> Close -> OK

    • Import the copied trusted.pem file and MS-Root_cert.pfx using the Certificates MMC into the local computer's "Trusted Root Certification Authorities" and "Personal" certificate stores.

    • In JXplorer, open "Advanced Keystore Options" from the main menu bar's "Security" menu.

    • Set CA/Server Keystore Type: Windows-ROOT

    • Set Client Keystore Type: Windows-MY

    • The other options are irrelevant but must not be blank. Click OK to exit.

    • Set up and establish a new connection pointing to the DC on port 636 with Security Level "SSL + User + Password".

      Figure 2

    • Set up and establish a new connection pointing to the SSO Server on port 13389 with Security Level "SSL + User + Password" and Base DN o=PS.

    • Set up and establish a new connection pointing to the SSO Server on port 13389 with Security Level "SSL + User + Password" and Base DN pointing to a DN in the AD (as in the first test).

      If there are any issues, ensure the time is in sync on all machines involved.
      For SSO r12.0, ensure that at least CA Single Sign-On r12.0 CR4 is in place.
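The two things a defender most wants to confirm after this procedure are that the router knowledge file from step 6 really forces LDAPS (port 636, ssl-encryption, ssl-auth) and that the PS trace from step 8 shows no BIND or SEARCH operation without the (SSL) marker. The following script is an added example and is not part of this document or of CA Directory itself: it lints a .dxc file's key = value lines and scans trace lines in the format shown in step 8. The sample file contents and trace lines are constructed for the example, and it assumes that '#' starts a comment in .dxc files.

```python
"""Post-configuration checks for the DXlink-to-AD LDAPS setup (added example).

Verifies two outputs of the KB procedure:
  * the router knowledge (.dxc) file enforces port 636, ssl-encryption and ssl-auth
  * the PS_<servername>.trace shows every LDAP/DXLINK operation with the (SSL) marker
"""
import re

# Settings the procedure requires in the router knowledge file (step 6).
REQUIRED_LINK_FLAGS = {"dsp-ldap", "ssl-encryption", "ms-ad"}
REQUIRED_AUTH_LEVEL = "ssl-auth"
LDAPS_PORT = 636

_KV = re.compile(r"^\s*([a-z-]+)\s*=\s*(.+?)\s*$")

# Trace line shape from step 8, e.g. "> (Remote) -> #5 (SSL) [Router_AD] DXLINK BIND-REQ"
_TRACE = re.compile(
    r"^>\s*(?:\(Remote\)\s*)?(?P<dir><-|->)\s*#(?P<assoc>\d+)\s*"
    r"(?P<ssl>\(SSL\)\s*)?(?:\[(?P<link>[^\]]+)\]\s*)?"
    r"(?P<proto>LDAP|DXLINK)\s+(?P<op>[A-Z-]+)"
)


def parse_dxc(text):
    """Return {key: value} for the 'key = value' lines of a .dxc file.

    Assumption for this example: '#' starts a comment.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        m = _KV.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def _csv_set(value):
    return {item.strip() for item in value.split(",") if item.strip()}


def check_router_knowledge(text):
    """Return a list of findings; an empty list means the file enforces LDAPS."""
    settings = parse_dxc(text)
    findings = []
    address = settings.get("address", "")
    port = re.search(r"port\s+(\d+)", address)
    if not port or int(port.group(1)) != LDAPS_PORT:
        findings.append(f"address does not use port {LDAPS_PORT}: {address!r}")
    missing = REQUIRED_LINK_FLAGS - _csv_set(settings.get("link-flags", ""))
    if missing:
        findings.append("link-flags missing: " + ", ".join(sorted(missing)))
    if REQUIRED_AUTH_LEVEL not in _csv_set(settings.get("auth-levels", "")):
        findings.append(f"auth-levels lacks {REQUIRED_AUTH_LEVEL}")
    return findings


def check_trace_ssl(lines):
    """Return the LDAP/DXLINK trace lines that carry no (SSL) marker (clear-text hops)."""
    clear = []
    for line in lines:
        m = _TRACE.match(line.strip())
        if m and not m.group("ssl"):
            clear.append(line.strip())
    return clear


# Constructed samples: a correct router file, a weak one, and a trace with two clear-text hops.
SAMPLE_DXC_OK = """\
# ad_name_router.dxc (constructed sample)
address = tcp "ADServer1" port 636
auth-levels = anonymous, clear-password, ssl-auth
link-flags = dsp-ldap, ssl-encryption, ms-ad
"""

SAMPLE_DXC_BAD = """\
address = tcp "ADServer1" port 389
auth-levels = anonymous, clear-password
link-flags = dsp-ldap, ms-ad
"""

SAMPLE_TRACE = [
    "> <- #4 (SSL) LDAP BIND-REQ",
    "> (Remote) -> #5 (SSL) [Router_AD] DXLINK BIND-REQ",
    "> (Remote) <- #5 (SSL) [Router_AD] DXLINK BIND-CONFIRM",
    "> -> #4 (SSL) LDAP BIND-CONFIRM",
    "> <- #4 LDAP SEARCH-REQ",                        # constructed: no (SSL) marker
    "> (Remote) -> #5 [Router_AD] DXLINK SEARCH-REQ", # constructed: no (SSL) marker
]

if __name__ == "__main__":
    print("router ok  :", check_router_knowledge(SAMPLE_DXC_OK) or "no findings")
    print("router weak:", check_router_knowledge(SAMPLE_DXC_BAD))
    print("clear hops :", check_trace_ssl(SAMPLE_TRACE))
```

Run the script as-is to see the checks against the constructed samples; to check a real deployment, pass the contents of ad_name_router.dxc to check_router_knowledge and the lines of PS_<servername>.trace to check_trace_ssl. Any line returned by check_trace_ssl is an LDAP or DXLINK operation that passed without SSL and deserves the same scrutiny the article suggests with Wireshark.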
File Attachments:
TEC465307.zip