This is an updated version of TEC465307 describing how to set up an encrypted communication channel between the CA Single Sign On - Policy Server and the Domain Controller hosting the Active Directory (AD) that is to be integrated as the SSO User Data Store.
This is accomplished by using the LDAPS (LDAP-Secure) interface provided by the DC (Domain Controller) and SSL as the communication protocol. The required x509 certificates are issued with the embedded CA Directory's DXCertGen utility.
It is assumed that the Microsoft Certificate Services are installed and operational on any of the Domain Controllers.
OpenSSL libraries attached for convenience (openSSL.zip).
This document is valid only for CA SSO versions with embedded CA DIR r12 SP2 (r12.0.4076) and newer.
To find out the exact version you have in place, run the following command from a cmd prompt on your SSO Server:
For versions prior to CA DIR r12 SP2 please use TEC465307.
AD is integrated into the SSO Server by means of the embedded CA Directory's DXlink, also referred to as LDAP-Router.
By default, payload data transferred via LDAP is not encrypted. This causes sensitive data such as user and application passwords to be exposed in an unacceptable manner.
To mitigate this risk, DXlink can be configured to encrypt all data sent and received by using the Active Directory's LDAPS interface and communicating over SSL.
To set up SSL between the SSO Server and the Directory and AD datastore, you need to complete the following steps:
- Download MS-CA Root Certificate
- On the SSO Server machine download OpenSSL, (openSSL.zip) for your convenience, attached to this document, or from its community site and unzip the archive to disk.
- With Internet Explorer navigate to the Certificate Server web page running on the Domain Controller
- Once connected to the Certificate Server web page, please click the "Download a CA certificate, certificate chain, or CRL" option.
- Click the "Base 64" radio button, and click the "Download CA certificate" link.
- Save the CA certificate in the ..\certs folder, e.g. ..\certs\MS-Root_cert.cer
- Convert the MS-CA Root Certificate into PEM format
Establish the Trust between the SSO Server and the Domain Controller
- Open a cmd prompt, cd to the openSSL folder and run the following command to convert the downloaded certificate file into a PEM file:
openssl x509 -in ..\certs\MS-Root_cert.cer -outform PEM -out ..\certs\CAcert.pem
Create the CA Directory Server DSA Certificates
- On the SSO Server, map a network drive to the Domain Controller and copy the MS-CA Root Certificate to the embedded CA Directory's Trusted Root Certificates store:
copy ..\certs\CAcert.pem "%DXHOME%\config\ssld\CAcert.pem"
- Import the MS-CA Root Certificate into the CA Directory's Trusted Root Certificates store: open a cmd prompt and run the following command:
DXCERTGEN -n "%DXHOME%\config\ssld\CAcert.pem" importca
Configure DXlink to utilize the LDAPs interface of AD
- Open a cmd prompt and enter the following command:
Configure the SSO Server to utilize SSL while communicating with the AD_userDIR
- Open the %dxhome%\config\knowledge\ad_name_router.dxc file and make sure it contains the following:
address = tcp "ADServer1" port 636
auth-levels = anonymous, clear-password, ssl-auth
link-flags = dsp-ldap, ssl-encryption, ms-ad
- Edit the %dxhome%\config\knowledge\PS_<servername>.dxc file so that it contains:
auth-levels = anonymous, clear-password, ssl-auth
- Append the following line to the %dxhome%\config\servers\PS_<servername>.dxi file:
# sslsource "../ssld/default.dxc";
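The three settings above are what turn the AD link into an SSL link. As an added example (not part of the original document or of CA Directory itself), the following Python script extracts them from a DXlink knowledge fragment and reports any deviation, comparing a constructed cleartext configuration with the hardened one shown above.

```python
import re

# Constructed examples of the three settings this document requires in
# %dxhome%\config\knowledge\ad_name_router.dxc (not files from a real system).
WEAK_DXC = """\
address = tcp "ADServer1" port 389
auth-levels = anonymous, clear-password
link-flags = dsp-ldap, ms-ad
"""

HARDENED_DXC = """\
address = tcp "ADServer1" port 636
auth-levels = anonymous, clear-password, ssl-auth
link-flags = dsp-ldap, ssl-encryption, ms-ad
"""

ADDRESS_RE = re.compile(r'^address\s*=\s*tcp\s+"(?P<host>[^"]+)"\s+port\s+(?P<port>\d+)$')
LIST_RE = re.compile(r"^(?P<key>auth-levels|link-flags)\s*=\s*(?P<vals>.+)$")

def parse_dxc(text):
    """Extract host, port, auth-levels and link-flags from a DXlink knowledge fragment."""
    cfg = {"host": None, "port": None, "auth-levels": set(), "link-flags": set()}
    for raw in text.splitlines():
        line = raw.strip().rstrip(";")
        m = ADDRESS_RE.match(line)
        if m:
            cfg["host"], cfg["port"] = m.group("host"), int(m.group("port"))
            continue
        m = LIST_RE.match(line)
        if m:
            cfg[m.group("key")] = {v.strip() for v in m.group("vals").split(",")}
    return cfg

def check_ad_link(text):
    """Return the deviations from the SSL settings described above (empty list = OK)."""
    cfg = parse_dxc(text)
    findings = []
    if cfg["port"] != 636:
        findings.append("address: expected LDAPS port 636, found %s" % cfg["port"])
    if "ssl-encryption" not in cfg["link-flags"]:
        findings.append("link-flags: ssl-encryption missing, LDAP payload would be sent in clear")
    if "ms-ad" not in cfg["link-flags"]:
        findings.append("link-flags: ms-ad missing")
    if "ssl-auth" not in cfg["auth-levels"]:
        findings.append("auth-levels: ssl-auth missing")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_DXC), ("hardened", HARDENED_DXC)):
        print(name, check_ad_link(text) or ["OK"])
```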
Testing and Verification
- From the Policy Manager edit the ps-ldap and AD user data store and ensure the "SSL Connection" check box is enabled.
(Please note that the SSO Server and Policy Manager do not exchange any x509 keys, and hence do not need a keystore of their own; instead they symmetrically encrypt communication with a random number agreed upon with the destination at session initiation.)
Test an SSL encrypted LDAP connection to Microsoft Active Directory using JXplorer (this is an optional step)
- Shutdown the SSO Server service and the PS and PSTD services and restart accordingly
net stop ssod
dxserver stop all
dxserver start all
net start ssod
- Start DXconsole and connect to the Router DSA
telnet localhost 13379
set trace=x500;
- Open the Policy Manager and start browsing the AD_userDIR
- In the PS_<servername>.trace you should find essentially the following sequence:
...
> <- #4 (SSL) LDAP BIND-REQ
...
> (Remote) -> #5 (SSL) [Router_AD] DXLINK BIND-REQ
...
> (Remote) <- #5 (SSL) [Router_AD] DXLINK BIND-CONFIRM
...
> (Remote) <- #5 (SSL) [Router_AD] DXLINK COMPARE-CONFIRM
...
> -> #4 (SSL) LDAP BIND-CONFIRM
...
> <- #4 (SSL) LDAP SEARCH-REQ
...
> (Remote) -> #5 (SSL) [Router_AD] DXLINK SEARCH-REQ
...
Alternatively, you may also use a network sniffer like Wireshark to verify that all communication is handled via SSL.
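The point of the trace check is that every LDAP association and every DXLINK operation over the AD link carries the (SSL) marker. As an added example (not part of the original document), the following Python script parses trace lines in the format shown above and reports any association that ran in the clear; the sample lines are constructed and include one deliberately unencrypted DXLINK bind.

```python
import re

# Constructed sample modelled on the PS_<servername>.trace excerpt above; the
# last line (association #6 without "(SSL)") is a deliberate cleartext link.
SAMPLE_TRACE = """\
> <- #4 (SSL) LDAP BIND-REQ
> (Remote) -> #5 (SSL) [Router_AD] DXLINK BIND-REQ
> (Remote) <- #5 (SSL) [Router_AD] DXLINK BIND-CONFIRM
> -> #4 (SSL) LDAP BIND-CONFIRM
> <- #4 (SSL) LDAP SEARCH-REQ
> (Remote) -> #5 (SSL) [Router_AD] DXLINK SEARCH-REQ
> (Remote) -> #6 [Router_AD] DXLINK BIND-REQ
"""

# One trace line: optional "(Remote)", direction arrow, association number,
# optional "(SSL)" marker, optional [link name], protocol and operation.
LINE_RE = re.compile(
    r"^>\s*(?:\(Remote\)\s*)?(?P<dir><-|->)\s*#(?P<assoc>\d+)\s*"
    r"(?P<ssl>\(SSL\))?\s*(?:\[(?P<link>[^\]]+)\]\s*)?"
    r"(?P<proto>LDAP|DXLINK)\s+(?P<op>\S+)"
)

def parse_trace(text):
    """Return one dict per recognised trace line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["assoc"] = int(d["assoc"])
            d["ssl"] = d["ssl"] is not None
            events.append(d)
    return events

def cleartext_associations(text):
    """Association numbers on which any LDAP/DXLINK operation ran without (SSL)."""
    return sorted({e["assoc"] for e in parse_trace(text) if not e["ssl"]})

def ad_link_encrypted(text, link="Router_AD"):
    """True only if every DXLINK operation over the named link is marked (SSL)."""
    ops = [e for e in parse_trace(text) if e["proto"] == "DXLINK" and e["link"] == link]
    return bool(ops) and all(e["ssl"] for e in ops)

if __name__ == "__main__":
    print("cleartext associations:", cleartext_associations(SAMPLE_TRACE))
    print("Router_AD fully encrypted:", ad_link_encrypted(SAMPLE_TRACE))
```

Run it against the real PS_<servername>.trace by reading the file into a string; an empty cleartext list and a True result are what a correct setup produces.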
- On the SSO Server, make a backup of the current DXserver's offline trusted root CA store:
copy "%DXHOME%\config\ssld\trusted.pem" "%DXHOME%\config\ssld\trusted.pem.backup"
- List the DXserver's trusted root CAs
- Remove all trusted root CAs except the DXCertGenPKI
DXCERTGEN -r 1 removeca
(repeat until only DXCertGenPKI is listed)
- Copy the resulting "%DXHOME%\config\ssld\trusted.pem" CA Directory-CA Root Certificate and the ..\certs\MS-Root_cert.pfx MS-CA Root Certificate to a temporary location on the JXplorer host
- Restore the DXserver's offline trusted root CA store
copy "%DXHOME%\config\ssld\trusted.pem.backup" "%DXHOME%\config\ssld\trusted.pem"
- On the JXplorer host, enable the Certificates MMC snap-in:
Start Menu -> Run -> mmc -> Console -> Add/Remove Snap-in -> Add -> Certificates -> Add -> Computer Account -> Local Computer -> Finish -> Close -> OK
- Import the copied trusted.pem file and the MS-Root_cert.pfx using the Certificates MMC described above into the local computer's "Trusted Root Certification Authorities" and "Personal" certificate stores.
- In JXplorer open "Advanced Keystore Options" from the main menu bar's "Security" option
- Set CA/Server Keystore Type: Windows-ROOT
- Set Client Keystore Type: Windows-MY
- The other options are irrelevant, but must not be blank. Click OK to exit.
- Setup and establish a new connection pointing to the DC on port 636 with Security Level "SSL + User + Password"
- Setup and establish a new connection pointing to the SSO Server on port 13389 with Security Level "SSL + User + Password" and Base DN o=PS
- Setup and establish a new connection pointing to the SSO Server on port 13389 with Security Level "SSL + User + Password" and Base DN pointing to a DN in the AD (as in the first test)
If there are any issues, ensure time is in sync on all boxes involved.
Sometimes it may be necessary to reinstall the PKI or even the complete Domain Controller box.