
Securing connections to Active Directory and LDAP directory servers

You can use Secure Global Desktop security services to secure the connections to an LDAP directory server, including Microsoft Active Directory. LDAP connections are used with the Active Directory login authority, the LDAP login authority, and web server/third party authentication.

To secure these connections:

  1. Enable Secure Global Desktop security services.
  2. In Array Manager, configure secure connections to LDAP or Active Directory.
  3. Import the root certificates for your directory servers.
  4. For Microsoft Active Directory, create and install client certificates for each Secure Global Desktop server in the array.
  5. For the Active Directory login authority, enable LDAP signing requirements for the domain.
  6. Restart each Secure Global Desktop server in the array, using tarantella restart.

The configuration required for steps 2 to 5 is described below.

Configuring secure connections to LDAP and Active Directory in Array Manager

The configuration needed depends on the authentication mechanisms that have been enabled in Array Manager.

Active Directory login authority

  1. In Array Manager, select Secure Global Desktop Login properties.
  2. In the URL field, type the name of an Active Directory domain, for example ad://east.indigo-insurance.com.
    Only enter one URL. The URL must start with ad://.
  3. Check the Use Certificates box.
  4. Click Apply.

LDAP login authority and web server/third party authentication

  1. In Array Manager, select Secure Global Desktop Login properties.
  2. In the URL field, type the URL of one or more LDAP directory servers, for example ldaps://melbourne.indigo-insurance.com.
  3. Click Apply.

Importing root certificates

To be able to use secure connections, Secure Global Desktop must be able to validate the certificate presented by an LDAP directory server or Active Directory. To do this you must import the root certificate (the Certificate Authority's certificate) into the keystore (the cacerts file) for the Java™ 2 Runtime Environment (JRE) used by the Secure Global Desktop server.

Run the following command:

/opt/tarantella/bin/jre/bin/keytool -import \
  -keystore /opt/tarantella/bin/jre/lib/security/cacerts \
  -storepass changeit \
  -file root_certificate_path \
  -alias alias

Notes:

Creating client certificates for use with Microsoft Active Directory

Microsoft Active Directory will only accept secure connections from servers that have a valid client certificate that has been signed using the Certificate Services on a Windows 2000/2003 Server. You must create and install a client certificate for each member of the array.

You create and install server client certificates with the keytool application, see the Java 2 SDK Tools and Utilities documentation for details.

Server client certificates are stored in the Secure Global Desktop certificate store /opt/tarantella/var/info/certs/sslkeystore.

You must provide a password when adding or removing certificates from the certificate store. The password for the sslkeystore is unique to each Secure Global Desktop server and can be found in the /opt/tarantella/var/info/key file. Use this password for both the -storepass and -keypass options.

To create and install client certificates:

  1. Generate the key pair for the client certificate.
  2. Generate a Certificate Signing Request for the client certificate.
  3. Create the client certificate.
  4. Install the client certificate.

Generating the key pair for the client certificate

Run the following command to generate the key pair for the client certificate:

/opt/tarantella/bin/jre/bin/keytool -genkey \
  -keyalg rsa \
  -keystore /opt/tarantella/var/info/certs/sslkeystore \
  -storepass server_password \
  -alias alias \
  -keypass server_password

Generating the Certificate Signing Request for the client certificate

Run the following command to generate the Certificate Signing Request (CSR) for the client certificate:

/opt/tarantella/bin/jre/bin/keytool -certreq \
  -keystore /opt/tarantella/var/info/certs/sslkeystore \
  -storepass server_password \
  -alias alias \
  -keypass server_password \
  -file path_to_CSR

The alias must be the same as the alias used when generating the key pair. Aliases are case-insensitive.

Creating the client certificate

  1. Using Internet Explorer, go to http://Windows_server/certsrv.
  2. Log in.
  3. On the Microsoft Certificate Services page, click Request a certificate.
  4. On the Request a Certificate page, click advanced certificate request.
  5. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
  6. On the Submit a Certificate Request or Renewal Request page, paste the contents of the CSR into the Saved Request text box or browse to the CSR file.
  7. Select an appropriate template from the Certificate Templates list.
  8. Click Submit.
  9. On the Certificate Issued page, ensure DER is selected and click Download certificate chain.
  10. Save the certificate file.

Installing the client certificate

Run the following command to install the client certificate for a Secure Global Desktop server:

/opt/tarantella/bin/jre/bin/keytool -import \
  -file certificate_path \
  -keystore /opt/tarantella/var/info/certs/sslkeystore \
  -storepass server_password \
  -alias alias \
  -keypass server_password
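The following script is an added example, not part of the Secure Global Desktop documentation: it strings together the keytool commands from "Importing root certificates" and "Creating client certificates" for one array member, reads the per-server sslkeystore password from the key file instead of retyping it, skips steps whose alias already exists, and confirms the issued certificate landed in the store. It assumes the key file holds the password on its first line, that the CA certificate and the certificate issued by Microsoft Certificate Services have already been copied to the server, and the KEYTOOL, CACERTS, SSLKEYSTORE and KEYFILE overrides exist only so it can be exercised outside a Secure Global Desktop host; -noprompt and -dname are standard keytool options not shown in the commands above.

```shell
#!/bin/sh
# Added example, not part of the Secure Global Desktop documentation.
# Wraps the keytool steps on this page for one array member and checks
# the result. Paths are the guide's; the KEYFILE format (password on the
# first line) and the environment overrides are assumptions.
set -eu

KEYTOOL="${KEYTOOL:-/opt/tarantella/bin/jre/bin/keytool}"
CACERTS="${CACERTS:-/opt/tarantella/bin/jre/lib/security/cacerts}"
SSLKEYSTORE="${SSLKEYSTORE:-/opt/tarantella/var/info/certs/sslkeystore}"
KEYFILE="${KEYFILE:-/opt/tarantella/var/info/key}"

# Per-server sslkeystore password, read from the key file (assumed: first line).
read_store_password() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    head -n 1 "$1" | tr -d '\r\n'
}

# Returns 0 when the alias is already in the keystore (keytool -list fails otherwise).
alias_present() {  # $1 keystore  $2 storepass  $3 alias
    "$KEYTOOL" -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# "Importing root certificates": trust the directory server's CA in the JRE cacerts.
import_root_ca() {  # $1 CA certificate file  $2 alias
    alias_present "$CACERTS" changeit "$2" && return 0
    "$KEYTOOL" -import -noprompt -keystore "$CACERTS" -storepass changeit \
        -file "$1" -alias "$2"
}

# Steps 1-2 of "Creating client certificates": key pair (once), then the CSR.
gen_client_csr() {  # $1 alias  $2 CSR output path  $3 subject DN
    pw=$(read_store_password "$KEYFILE")
    alias_present "$SSLKEYSTORE" "$pw" "$1" || \
        "$KEYTOOL" -genkey -keyalg rsa -keystore "$SSLKEYSTORE" \
            -storepass "$pw" -alias "$1" -keypass "$pw" -dname "$3"
    "$KEYTOOL" -certreq -keystore "$SSLKEYSTORE" -storepass "$pw" \
        -alias "$1" -keypass "$pw" -file "$2"
}

# Step 4: install the issued certificate under the key pair's alias, then
# verify that the alias resolves in the store before tarantella restart.
import_client_cert() {  # $1 alias  $2 issued certificate (DER chain)
    pw=$(read_store_password "$KEYFILE")
    "$KEYTOOL" -import -noprompt -keystore "$SSLKEYSTORE" -storepass "$pw" \
        -alias "$1" -keypass "$pw" -file "$2"
    alias_present "$SSLKEYSTORE" "$pw" "$1"
}
```

Typical order on each array member is import_root_ca, gen_client_csr, the Certificate Services steps above, then import_client_cert; the alias passed to gen_client_csr and import_client_cert must match, as the guide requires.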

Enabling LDAP signing for the domain

For the Active Directory login authority, you must enable LDAP signing on your domain controllers. For example:

  1. Log in to the domain controller as a user with administrative privileges.
  2. In Group Policy Object Editor, select Domain Security Policy\Local Policies\Security options.
  3. Edit the Domain controller: LDAP server signing requirements policy, select Require signing.
  4. Edit the Network security: LDAP client signing requirements policy, select Require signing.