This document describes how to set up an encrypted communication channel between the CA Single Sign-On Policy Server and the Domain Controller hosting the Active Directory (AD) that is to be integrated as the SSO User Data Store.
This is accomplished by using the LDAPS (LDAP over SSL) interface provided by the Domain Controller (DC) and SSL as the transport protocol. The required X.509 certificates are issued with the DXcertgen utility of the embedded CA Directory.
It is assumed that Microsoft Certificate Services is installed and operational on one of the Domain Controllers.
The OpenSSL binaries are attached for convenience (openSSL.zip).
AD is integrated into the SSO Server by means of the embedded CA Directory's DXlink, also referred to as the LDAP router.
By default, payload data transferred via LDAP is not encrypted, which exposes sensitive data such as user and application passwords in an unacceptable manner.
To mitigate this risk, DXlink can be configured to encrypt all data it sends and receives by using the Active Directory's LDAPS interface and communicating over SSL.
To set up SSL between the SSO Server and the embedded CA Directory with its AD data store, complete the following steps:

Download the MS-CA Root Certificate
- On the SSO Server machine, download OpenSSL (openSSL.zip is attached to this document for convenience, or get it from the OpenSSL community site) and unzip the archive to disk.
- With Internet Explorer, navigate to the Certificate Server web page running on the Domain Controller.
- Once connected to the Certificate Server web page, click the "Download a CA certificate, certificate chain, or CRL" option.
- Click the "Base 64" radio button, then click the "Download CA certificate" link.
- Save the CA certificate in the ..\certs folder, e.g. ..\certs\MS-Root_cert.cer

Convert the MS-CA Root Certificate into PEM format
- Open a cmd prompt, cd to the openSSL folder and run the following command to convert the downloaded certificate file into a PEM file:
openssl x509 -in ..\certs\MS-Root_cert.cer -outform PEM -out ..\certs\CAcert.pem

Establish the Trust between the SSO Server and the Domain Controller
- On the SSO Server, map a network drive to the Domain Controller and copy the MS-CA Root Certificate to the embedded CA Directory's Trusted Root Certificates store folder (%DXHOME%\config\ssld).
- Import the MS-CA Root Certificate into the CA Directory's Trusted Root Certificates store: open a cmd prompt and run the following command:
DXCERTGEN -n "%DXHOME%\config\ssld\CAcert.pem" importca

Create the CA Directory Server DSA Certificates
- Open a cmd prompt and enter the following command:

Install the CA Directory ssld service
- To create the CA Directory's SSL online keystore and install the ssld service, run the following command from a cmd prompt:
ssld install caDIRssld -certfiles "%DXHOME%\config\ssld\personalities" -ca "%DXHOME%\config\ssld\trusted.pem"
- Start the ssld service:
net start ssld_caDIRssld
(you can also accomplish this by starting the "eTrust Directory SSL daemon - caDIRssld" service from the Services control panel)

Configure DXlink to utilize the LDAPS interface of AD
- Open the %dxhome%\config\knowledge\ad_name_router.dxc file and make sure it contains the following:
address = tcp "ADServer1" port 636
auth-levels = anonymous, clear-password, ssl-auth
link-flags = dsp-ldap, ssl-encryption, ms-ad

Configure the SSO Server to utilize SSL while communicating with the AD_userDIR
- Edit the %dxhome%\config\knowledge\PS_<servername>.dxc file and make sure it contains:
auth-levels = anonymous, clear-password, ssl-auth
- From the Policy Manager, edit the ps-ldap and AD user data stores and ensure the "SSL Connection" check box is enabled.
(Note that the SSO Server and Policy Manager do not exchange any X.509 keys and therefore need no keystore of their own; they encrypt their communication symmetrically with a random number agreed upon with the destination at session initiation.)

Testing and Verification
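The knowledge-file settings above are easy to get subtly wrong (port 636 without ssl-encryption, or the reverse). As an added example that is not part of this document or of CA's tooling, here is a small lint that parses a DXlink .dxc entry and reports a cleartext AD link; it assumes the "key = value" line format shown above, and the two sample files are constructed:

```python
# Added example (not from the document or CA's tooling): lint a DXlink knowledge
# (.dxc) file for a cleartext AD link. Assumes the "key = value" line format shown
# in the document; the sample files are constructed, "ADServer1" is its placeholder.
import re

WEAK_DXC = """\
address = tcp "ADServer1" port 389
auth-levels = anonymous, clear-password
link-flags = dsp-ldap, ms-ad
"""

HARDENED_DXC = """\
address = tcp "ADServer1" port 636
auth-levels = anonymous, clear-password, ssl-auth
link-flags = dsp-ldap, ssl-encryption, ms-ad
"""

def parse_dxc(text):
    """Return {key: value} for each 'key = value' line; '#' lines are comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                settings[key.strip()] = value.strip()
    return settings

def flag_set(settings, key):
    return {f.strip() for f in settings.get(key, "").split(",")}

def check_ad_link(text):
    """Return findings for an AD router entry; an empty list means it is encrypted."""
    s = parse_dxc(text)
    findings = []
    m = re.search(r"port\s+(\d+)", s.get("address", ""))
    port = int(m.group(1)) if m else None
    if port != 636:
        findings.append("address: expected LDAPS port 636, found %s" % port)
    if "ssl-encryption" not in flag_set(s, "link-flags"):
        findings.append("link-flags: ssl-encryption missing, payload sent in clear")
    if "ssl-auth" not in flag_set(s, "auth-levels"):
        findings.append("auth-levels: ssl-auth missing")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_DXC), ("hardened", HARDENED_DXC)):
        print(name, check_ad_link(text) or "ok")
```

Run it against the real ad_name_router.dxc by reading the file into `check_ad_link`; an empty result means the entry matches the settings the document requires.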
Test an SSL-encrypted LDAP connection to Microsoft Active Directory using JXplorer (this is an optional step)
- On the SSO Server:
make a backup of the current DXserver's offline trusted root CA store:
copy "%DXHOME%\config\ssld\trusted.pem" "%DXHOME%\config\ssld\trusted.pem.backup"
- List the DXserver's trusted root CAs
- Remove all trusted root CAs except DXCertGenPKI:
DXCERTGEN -r 1 removeca
(repeat until only DXCertGenPKI is listed)
- Copy the resulting "%DXHOME%\config\ssld\trusted.pem" (the CA Directory CA Root Certificate) and the ..\certs\MS-Root_cert.pfx (the MS-CA Root Certificate) to a temporary location on the JXplorer host
- Restore the DXserver's offline trusted root CA store:
copy "%DXHOME%\config\ssld\trusted.pem.backup" "%DXHOME%\config\ssld\trusted.pem"
- On the JXplorer host:
enable the Certificates MMC snap-in:
Start Menu -> Run -> mmc -> Console -> Add/Remove Snap-in -> Add -> Certificates -> Add -> Computer Account -> Local Computer -> Finish -> Close -> OK
- Import the copied trusted.pem file and the MS-Root_cert.pfx by means of the above Certificates MMC into the local computer's "Trusted Root Certification Authorities" and "Personal" certificate stores.
- In JXplorer, open "Advanced Keystore Options" from the main menu bar's "Security" menu
- Set CA/Server Keystore Type: Windows-ROOT
- Set Client Keystore Type: Windows-MY
- The other options are irrelevant but must not be blank. Click OK to exit
- Set up and establish a new connection pointing to the DC on port 636 with Security Level "SSL + User + Password"
- Set up and establish a new connection pointing to the SSO Server on port 13389 with Security Level "SSL + User + Password" and Base DN o=PS
- Set up and establish a new connection pointing to the SSO Server on port 13389 with Security Level "SSL + User + Password" and a Base DN pointing to a DN in the AD (as in the first test)
If there are any issues, ensure that the time is in sync on all boxes involved.
For SSO r12.0, ensure that you have at least CA Single Sign-On r12.0 CR4 in place.