
Securing connections to LDAP directory servers

The LDAP login authority and the LDAP identity mapping search methods for web server/third party authentication require connections to an LDAP directory server. You can use the Sun Secure Global Desktop Security Pack to secure these connections with SSL/TLS. To do this, you must:

  1. Install the Security Pack on each array member and enable security services.
  2. Configure the URLs of the LDAP directory servers in Array Manager.
  3. Import the root certificate for the LDAP directory server.
  4. For Microsoft Active Directory, create and install client certificates for each Secure Global Desktop server in the array.
  5. Restart each Secure Global Desktop server in the array, using tarantella restart.

Note You do not need this configuration for the Active Directory login authority because this login authority uses the Kerberos protocol.

The configuration required for steps 2 to 4 is described below. The configuration uses the Java™ keytool application; see the Java 2 SDK Tools and Utilities documentation (http://java.sun.com/j2se/docs) for more details.

Configuring the URLs of the LDAP directory servers in Array Manager

In Array Manager, Secure Global Desktop Login properties, make sure that each LDAP directory server that requires a secure connection has a URL that begins with ldaps://

The standard port used for secure connections to an LDAP directory server is 636/tcp. If your LDAP directory server uses a different port, you must specify the port number as part of the URL, for example ldaps://melbourne.indigo-insurance.com:5678.
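The following script is an added example and is not part of the Secure Global Desktop documentation. It parses a list of LDAP directory server URLs of the kind entered in Array Manager, reports which servers will be contacted over SSL/TLS and on which port (the explicit port if one is given, otherwise 636 for ldaps://, or 389 for plain ldap://), and exits non-zero if any URL would still use an unencrypted connection. The URL list is constructed sample input; the host names are taken from the manual's own example domain.

```shell
#!/bin/sh
# Added example, not from the Secure Global Desktop documentation.
# Checks LDAP directory server URLs as configured in Array Manager and
# reports which connections are secured with SSL/TLS and on which port.

# Constructed sample input: one URL per line, as they would appear in
# the Secure Global Desktop Login properties.
LDAP_URLS="ldaps://melbourne.indigo-insurance.com:5678
ldaps://sydney.indigo-insurance.com
ldap://perth.indigo-insurance.com"

# url_scheme URL -> prints ldaps, ldap or unknown
url_scheme() {
    case "$1" in
        ldaps://*) echo ldaps ;;
        ldap://*)  echo ldap ;;
        *)         echo unknown ;;
    esac
}

# url_host URL -> host name without scheme, port or path
url_host() {
    h=${1#*://}      # strip the scheme
    h=${h%%/*}       # strip any path component
    echo "${h%%:*}"  # strip the port
}

# url_port URL -> the explicit port, or the standard port for the scheme
# (636 for ldaps://, 389 for ldap://)
url_port() {
    h=${1#*://}
    h=${h%%/*}
    case "$h" in
        *:*) echo "${h##*:}" ;;
        *)   if [ "$(url_scheme "$1")" = ldaps ]; then echo 636; else echo 389; fi ;;
    esac
}

# check_urls "URL-LIST" -> prints one line per server; returns 1 if any
# server would be contacted without SSL/TLS
check_urls() {
    rc=0
    for u in $1; do
        if [ "$(url_scheme "$u")" = ldaps ]; then
            echo "OK       $(url_host "$u") port $(url_port "$u") (SSL/TLS)"
        else
            echo "WARNING  $(url_host "$u") port $(url_port "$u") is not secured; change the URL to ldaps://"
            rc=1
        fi
    done
    return $rc
}

if check_urls "$LDAP_URLS"; then
    echo "all LDAP directory server connections are secured"
else
    echo "one or more LDAP directory server connections are not secured"
fi
```

Run the script on an array member before restarting the servers; any WARNING line identifies a URL that still needs to be changed in Array Manager.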

Importing root certificates

To be able to use secure connections, Secure Global Desktop must be able to validate the certificate presented by an LDAP directory server. To do this you must import the root certificate (the Certificate Authority's certificate) into the keystore (the cacerts file) for the Java Runtime Environment (JRE) used by the Secure Global Desktop server. Run the following command:

/opt/tarantella/bin/jre/bin/keytool -import \
  -keystore /opt/tarantella/bin/jre/lib/security/cacerts \
  -file root_certificate_path \
  -alias alias

We recommend you use the -alias option to uniquely identify the certificate. The standard password for the cacerts file is changeit.

You must import the root certificate for every LDAP directory server you are using with Secure Global Desktop. You must import the certificates into the cacerts file on every member of the array.

Creating client certificates for use with Microsoft Active Directory

Microsoft Active Directory will only accept secure connections from servers that have a valid client certificate that has been signed using the Certificate Services on a Windows 2000/2003 Server. You must do this in addition to importing the root certificate, as described above. You must create and install a client certificate for each member of the array. To do this, you have to:

  1. Generate the key pair for the client certificate.
  2. Generate a Certificate Signing Request for the client certificate.
  3. Create the client certificate.
  4. Install the client certificate.

Generating the key pair for the client certificate

Run the following command to generate the key pair for the client certificate:

/opt/tarantella/bin/jre/bin/keytool -genkey \
  -keyalg rsa \
  -keystore /opt/tarantella/var/info/certs/sslkeystore \
  -storepass 123456 \
  -alias alias \
  -keypass 123456

Generating the Certificate Signing Request for the client certificate

Run the following command to generate the Certificate Signing Request (CSR) for the client certificate:

/opt/tarantella/bin/jre/bin/keytool -certreq \
  -keystore /opt/tarantella/var/info/certs/sslkeystore \
  -storepass 123456 \
  -alias alias \
  -keypass 123456 \
  -file path_to_CSR

The alias must be the same as the alias used when generating the key pair. Aliases are case-insensitive.

Creating the client certificate

  1. Using Internet Explorer, go to http://Windows_server/certsrv.
  2. Log in.
  3. On the Microsoft Certificate Services page, click Request a certificate.
  4. On the Request a Certificate page, click advanced certificate request.
  5. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
  6. On the Submit a Certificate Request or Renewal Request page, paste the contents of the CSR into the Saved Request text box or browse to the CSR file.
  7. Select an appropriate template from the Certificate Templates list.
  8. Click Submit.
  9. On the Certificate Issued page, ensure DER is selected and click Download certificate chain.
  10. Save the certificate file.

Installing the client certificate

Run the following command to install the client certificate for a Secure Global Desktop server:

/opt/tarantella/bin/jre/bin/keytool -import \
  -file certificate_path \
  -keystore /opt/tarantella/var/info/certs/sslkeystore \
  -storepass 123456 \
  -alias alias \
  -keypass 123456
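
The script below is an added example and is not part of the Secure Global Desktop documentation. It runs the three keytool steps for one array member's client certificate (key pair, CSR, import of the signed certificate) in sequence, using the keystore path and options given above, and adds the checks the procedure relies on: the CSR and the import must use the same alias as the key pair (compared case-insensitively, since keytool aliases are case-insensitive), the key pair is not regenerated if the alias already exists, and the import refuses to run until the certificate file downloaded from Certificate Services is present. The alias sgd-client, the CSR and certificate file names, and the KEYTOOL variable are assumptions to adjust for your installation.

```shell
#!/bin/sh
# Added example, not from the Secure Global Desktop documentation.
# Runs the keytool steps for one array member's Active Directory client
# certificate. Paths follow the manual; ALIAS, CSR_FILE, CERT_FILE and the
# KEYTOOL override are assumptions.

KEYTOOL=${KEYTOOL:-/opt/tarantella/bin/jre/bin/keytool}
KEYSTORE=${KEYSTORE:-/opt/tarantella/var/info/certs/sslkeystore}
STOREPASS=${STOREPASS:-123456}
KEYPASS=${KEYPASS:-123456}
ALIAS=${ALIAS:-sgd-client}                    # assumed alias; reused in every step
CSR_FILE=${CSR_FILE:-/tmp/sgd-client.csr}     # path_to_CSR in the manual
CERT_FILE=${CERT_FILE:-/tmp/sgd-client.p7b}   # certificate chain saved from certsrv

# same_alias A B -> true if the two aliases match ignoring case,
# which is how keytool treats them
same_alias() {
    a=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    b=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$a" = "$b" ]
}

# keystore_has_alias KEYSTORE ALIAS -> true if keytool already lists that alias
keystore_has_alias() {
    "$KEYTOOL" -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" >/dev/null 2>&1
}

# Step 1: generate the RSA key pair, skipped if the alias already exists so
# that re-running the script does not fail halfway through.
gen_key() {
    if keystore_has_alias "$KEYSTORE" "$ALIAS"; then
        echo "key pair '$ALIAS' already present in $KEYSTORE"
        return 0
    fi
    "$KEYTOOL" -genkey -keyalg rsa -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -alias "$ALIAS" -keypass "$KEYPASS"
}

# Step 2: write the CSR that is pasted into the Certificate Services page.
# CSR_ALIAS is the alias the operator intends to use; it must match ALIAS.
gen_csr() {
    csr_alias=$1
    same_alias "$ALIAS" "$csr_alias" || {
        echo "CSR alias '$csr_alias' differs from key pair alias '$ALIAS'" >&2
        return 1
    }
    "$KEYTOOL" -certreq -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -alias "$ALIAS" -keypass "$KEYPASS" -file "$CSR_FILE"
    echo "CSR written to $CSR_FILE; submit it at http://<Windows_server>/certsrv"
}

# Step 4: import the signed certificate chain under the same alias.
import_cert() {
    [ -r "$CERT_FILE" ] || {
        echo "certificate file $CERT_FILE not found; download it from certsrv first" >&2
        return 1
    }
    "$KEYTOOL" -import -file "$CERT_FILE" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -alias "$ALIAS" -keypass "$KEYPASS"
}

if [ -x "$KEYTOOL" ]; then
    case "${1:-}" in
        key)    gen_key ;;
        csr)    gen_csr "${2:-$ALIAS}" ;;
        import) import_cert ;;
        *)      echo "usage: $0 key|csr [alias]|import" >&2 ;;
    esac
else
    echo "keytool not found at $KEYTOOL; set KEYTOOL to the JRE's keytool path" >&2
fi
```

Run it as `sh client-cert.sh key`, then `sh client-cert.sh csr`, create the certificate in Certificate Services as described above, save the downloaded chain to the CERT_FILE path, and finish with `sh client-cert.sh import`; repeat on every member of the array, then restart each server with tarantella restart.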