How to enable SSL for Teaming LDAP Synchronization and Authentication

  • 3176104
  • 25-Feb-2008
  • 27-Apr-2012

Environment

Products:
Novell Teaming 1.0
Novell Teaming 1.0 Support Pack 1
Novell Teaming 1.0 Support Pack 2
Novell Teaming 1.0 Support Pack 3
Novell Teaming 2.0
Configuration:
Novell Teaming is installed and working correctly.
Novell Teaming has been configured to synchronize and authenticate with eDirectory through LDAP.
Novell Teaming LDAP communication to eDirectory is currently clear text or unencrypted.

Situation

How to configure Teaming to use LDAP over SSL when synchronizing or authenticating against eDirectory.

Resolution

There are three major steps to adding SSL to the LDAP communication Teaming uses for synchronization and authentication against eDirectory. The first step is to export the needed certificate from eDirectory. The second step is to import that certificate into the Java keystore on the Linux server that Teaming runs on. The last step is to configure Teaming to communicate over the secure LDAP port. This document assumes that the following is already in place: Teaming is installed, you can log in as the admin user, the administration portlets have been added, and Teaming is configured to synchronize and authenticate using LDAP against an eDirectory tree over clear text. If not, these need to be done first. See the current Teaming documentation at https://www.novell.com/documentation/team_plus_conf/index.html.

Step 1: Exporting Certificates from eDirectory

There is one certificate that needs to be exported from eDirectory: the Self Signed Certificate of your tree's Certificate Authority (the "<Tree Name> CA" object in the Security container). This is the CA's public certificate only; its private key stays in eDirectory. Once Java trusts this certificate, it can validate any server certificate the tree CA has issued, including the one the eDirectory LDAP server presents on port 636.

There are two tools for exporting certificates from eDirectory. The older method is ConsoleOne and the newer method is iManager. ConsoleOne has the advantage of being familiar but has older snap-ins for certificate management. iManager has newer certificate management plug-ins but is less familiar. Either method produces the same certificate file.

Method 1: ConsoleOne

  1. Launch ConsoleOne and authenticate to your eDirectory tree.

  2. Click on the Security container in your eDirectory Tree

  3. Right-click the object labeled "<Tree Name> CA" and select Properties

  4. Click on the Certificates tab | Self Signed Certificate

  5. If a Validate option is available, use it to confirm that the certificate is valid before exporting it

  6. Click Export

  7. Select either "File in binary DER format" or "File in Base64 format" (keytool accepts both)

  8. Change the filename to something that identifies the file later (example: SelfSignedCert.der)

  9. Click Export

  10. Click Cancel to exit out of the Properties of the Certificate Authority object

Close ConsoleOne if desired; the certificate needed to add SSL to the LDAP communication of Teaming has now been exported. Copy the certificate file to a location on the Teaming server, then move on to Step Two.

Method 2: iManager

For this to work, iManager must have the latest Novell Certificate Server and Novell Certificate Access plug-ins installed. If it does not, update the plug-ins first.

  1. Launch and log into iManager for your Tree

  2. Select Directory Administration

  3. Select Modify object

  4. Click on the magnifying glass to browse to the "<Tree Name> CA" object in the Security container of the eDirectory tree and click on it

  5. Click on OK

  6. Click on the Certificates tab

  7. Check the box for the Self Signed Certificate and click on Validate

  8. Check the box for the Self Signed Certificate and click on Export

  9. Uncheck "Export private key". Only the public certificate is needed to trust the CA; the CA private key should never leave eDirectory, and a file containing it must not be copied to the Teaming server.

  10. Click on Next

  11. Click on "Save the exported certificate". Select either "File in binary DER format" or "File in Base64 format" (keytool accepts both).

  12. Save the file somewhere it can be accessed later, with a filename that identifies what it is (example: SelfSignedCert.der)

  13. Click on Close

  14. Click on OK

Close iManager if desired; the certificate needed to add SSL to the LDAP communication of Teaming has now been exported. Copy the certificate file from where it was saved to a location on the Teaming server, then move on to Step Two.

Step Two: Importing the certificate into Teaming

This step is done on the Linux server where the Teaming server software is running. The certificate file that was just exported needs to be readable on this server, either through a mapped/mounted drive or by copying the file locally. Then open a terminal and switch to the root user (hint: su command).

  1. At the terminal prompt type keytool and press Enter

    With no arguments keytool prints its usage (the list of commands and options). This confirms that the keytool application is in the path. If it is not, either add the Java bin directory to the path or change to that directory and run keytool from there.

  2. Import the exported certificate file (SelfSignedCert.der or SelfSignedCert.b64 in the examples) into the Java CA keystore.

    The Java CA keystore is found in the <java sdk/jdk>/jre/lib/security directory and is usually named cacerts. Note: when Java is updated, this file (cacerts) can be backed up and replaced with a new copy that no longer contains the manually imported certificate. LDAP authentication and synchronization in Teaming will then stop working until the certificate is imported again, so re-check the keystore after any Java update.
  3. The command is:

    keytool -import -alias <ldap server dns name> -keystore <path to Java CA keystore> -file <certificate file>

    Example:

    keytool -import -alias ldap.allnet.com -keystore /etc/alternatives/java_sdk/jre/lib/security/cacerts -file /home/admin/SelfSignedCert.b64

  4. When prompted for the keystore password, enter changeit (the default password of the Java cacerts file)
  5. keytool displays the certificate's owner, issuer, validity period and fingerprints and asks whether to trust it. Compare the fingerprint with the one shown for the Self Signed Certificate in iManager or ConsoleOne (or computed from the exported file) and answer yes only if they match.
  6. Close the terminal window

The certificate is now in the keystore, so Teaming can use SSL for its LDAP communication. Use keytool with the -list command to confirm that the certificate was imported.

Example: keytool -list -keystore <keystore filename>

When prompted for the password, enter changeit.
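The trust prompt in step 5 is the only point at which a wrong or substituted certificate can be caught, so it helps to have the fingerprint of the exported file independently of keytool. The following Python 3 script is an added example, not part of this TID or of the Teaming product; it uses only the standard library. It reads the exported certificate in either format allowed above (binary DER, or Base64 with or without the BEGIN/END lines), decodes it to DER, and prints the SHA-1 and SHA-256 fingerprints in the colon-separated form keytool uses, so they can be compared with the keytool prompt and with what iManager or ConsoleOne shows for the Self Signed Certificate. The certificate bytes embedded in the script are a small constructed ASN.1 sample for exercising the format handling, not a real certificate; the file name in the usage comment is the one used in the examples above.

```python
"""Fingerprint an exported eDirectory CA certificate before trusting it.

Added example, not from the TID or from Novell. keytool -import prints the
certificate's fingerprints and asks "Trust this certificate?"; compare them
with the fingerprint shown for the tree CA's Self Signed Certificate in
iManager/ConsoleOne before answering yes. Handles both export formats the
TID allows: binary DER and Base64 (with or without PEM BEGIN/END lines).
Standard library only.
"""
import base64
import hashlib
import pathlib
import re
import sys

_PEM_BODY = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _der_sequence_length(data: bytes):
    """Total encoded length of a DER SEQUENCE starting at data[0], else None.

    A certificate is a SEQUENCE (tag 0x30); its length field is either one
    byte (< 0x80) or 0x80|n followed by n big-endian length bytes.
    """
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def to_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate file exported as DER or Base64."""
    if _der_sequence_length(data) == len(data):
        return data                      # already binary DER
    match = _PEM_BODY.search(data)
    body = match.group(1) if match else data   # bare Base64 has no armour
    try:
        der = base64.b64decode(b"".join(body.split()), validate=True)
    except ValueError as exc:            # binascii.Error is a ValueError
        raise ValueError("file is neither DER nor Base64 certificate data") from exc
    if _der_sequence_length(der) != len(der):
        raise ValueError("decoded data is not a single DER SEQUENCE")
    return der


def fingerprint(data: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER bytes (keytool style)."""
    digest = hashlib.new(algo, to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches(shown: str, data: bytes, algo: str = "sha1") -> bool:
    """True if a fingerprint copied from the admin tool equals the file's.

    Separators and case vary between tools, so both sides are normalised to
    bare upper-case hex before comparing.
    """
    wanted = re.sub(r"[^0-9A-Fa-f]", "", shown).upper()
    return wanted == fingerprint(data, algo).replace(":", "")


# Constructed sample: a small DER SEQUENCE (INTEGER 1, PrintableString
# "allnet CA"). NOT a real certificate; it only exercises the format handling.
SAMPLE_DER = bytes.fromhex("300e020101") + b"\x13\x09allnet CA"
SAMPLE_B64 = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Usage: python fingerprint.py /home/admin/SelfSignedCert.b64
    raw = pathlib.Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_B64
    for algo in ("sha1", "sha256"):
        print(f"{algo.upper():7} {fingerprint(raw, algo)}")
```

Which fingerprint algorithms keytool prints at the prompt depends on the Java version (older releases show MD5 and SHA1, newer ones SHA1 and SHA256); the script prints both SHA-1 and SHA-256 so one of them can always be compared.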

Step Three: Modify the Teaming LDAP Configuration

 
For Teaming 1.x
 
First, restart the Teaming server so Tomcat re-reads the changed keystore file. (Hint: /etc/init.d/icecore restart)
 
For this step launch an Internet browser and log in to the Teaming server as the administrator (admin). The Enterprise Administration portlet and the Teaming Administration portlet need to be added to the admin's portal page if they are not already.

Start by modifying the LDAP configuration under the Enterprise Administration portlet. This LDAP configuration handles the LDAP authentication portion of Teaming.

  1. Click on the Users tab

  2. Click on the Settings tab

  3. Under the Settings tab click on the Authentication tab

  4. Under the Authentication tab click on the LDAP tab

  5. Change the URL scheme from ldap to ldaps and the port from 389 to 636

    Example:

    From – ldap://ldap.allnet.com:389

    To – ldaps://ldap.allnet.com:636

  6. Click on Save

    After a moment a green bar should appear across the top saying the configuration was saved successfully.

  7. Click on the word Portal in the top right corner to close the portlet

  8. Click on Configure LDAP in the Teaming Administration portlet

  9. Expand the Connection option

  10. Change the URL scheme from ldap to ldaps and the port from 389 to 636

    Example:

    From – ldap://ldap.allnet.com:389/o=allnet

    To – ldaps://ldap.allnet.com:636/o=allnet

    Do not change the search base DN at the end of the line.

  11. Check Run Immediately; this causes Teaming to run a synchronization, which tests the new configuration

  12. Click on Apply

    There will be a pause before the page starts responding again. If it returns without errors, the synchronization over LDAPS worked.

  13. Click on the word Portal in the top right corner to close the portlet

For Teaming 2.x

First, restart the Teaming server so Tomcat re-reads the changed keystore file. (Hint: /etc/init.d/teaming restart)
 
For this step launch an Internet browser and log in to the Teaming server as the administrator (admin).

Modify the LDAP configuration under the "Manage" menu option under the "Site Administration" section.

  1. Click on Configure LDAP
  2. Change the LDAP Server URL scheme from ldap to ldaps and the port from 389 to 636
    Example:
    From – ldap://ldap.allnet.com:389
    To – ldaps://ldap.allnet.com:636
  3. Do not change any other fields.

  4. Check Run Immediately; this causes Teaming to run a synchronization, which tests the new configuration

  5. Click on Apply

    An LDAP dialog appears showing whether the synchronization succeeded or failed.

  6. Click Close to close the LDAP configuration dialog.

Additional Information

The Teaming server is now configured to use SSL/TLS for its LDAP communication when synchronizing and authenticating against eDirectory. DSTRACE on the eDirectory server, with the LDAP trace option enabled, can be used to verify that the connection from Teaming is using TLS during a Teaming login. Once this is confirmed, consider configuring the eDirectory LDAP server to require TLS for simple binds, so that passwords can no longer be sent over the clear-text port 389 by any client.
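The URL change in Step Three and the TLS verification above can both be checked from the Teaming server before touching the portlets. The following Python 3 script is an added example, not part of this TID or of the Teaming product; it uses only the standard library. to_ldaps() rewrites an LDAP URL the way Step Three describes (ldap to ldaps, 389 to 636) while leaving the search base DN at the end of the line untouched; check_ldaps() then makes a TLS connection to the host in the new URL, validating the server certificate against the exported CA file and checking that the certificate matches the hostname, and returns the negotiated protocol version and the server certificate's subject. The host and base DN are the examples used above (ldap.allnet.com, o=allnet); the CA file path is an assumption, and must be the exported certificate in either DER or Base64-with-BEGIN/END form.

```python
"""Switch a Teaming LDAP URL to LDAPS and check the server's certificate.

Added example, not from the TID or from the Teaming product. Two helpers:
  to_ldaps()    rewrites ldap://host:389[/baseDN] to ldaps://host:636[/baseDN]
                and leaves the search base DN at the end untouched, as the
                Step Three instructions require;
  check_ldaps() makes a TLS connection to the host in the URL, validating the
                chain against the exported CA file and the hostname, and
                returns the negotiated protocol and the server cert's subject.
Host and base DN are the TID's examples; the CA file path is an assumption.
Standard library only.
"""
import pathlib
import socket
import ssl
from urllib.parse import urlsplit, urlunsplit

LDAP_PORT = 389
LDAPS_PORT = 636


def to_ldaps(url: str) -> str:
    """Return the LDAPS form of an LDAP URL (scheme and default port only)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    if not parts.hostname:
        raise ValueError(f"no host in URL: {url!r}")
    port = parts.port
    if port is None:
        port = LDAPS_PORT if parts.scheme == "ldaps" else LDAP_PORT
    if port == LDAP_PORT:
        port = LDAPS_PORT            # 389 -> 636; any other port is kept as given
    # The path (search base, e.g. /o=allnet) and any ?attrs?scope?filter part
    # are passed through unchanged.
    return urlunsplit(("ldaps", f"{parts.hostname}:{port}", parts.path,
                       parts.query, parts.fragment))


def check_ldaps(url: str, cafile: str, timeout: float = 5.0) -> dict:
    """TLS handshake with the LDAPS server named in url; verify chain and name.

    Raises ssl.SSLCertVerificationError if the server certificate does not
    chain to the CA in cafile or its subject/SAN does not match the hostname.
    Chain validation is what the cacerts import gives Java; the hostname check
    here makes sure the URL uses the DNS name the server certificate was
    issued for rather than an IP address.
    """
    parts = urlsplit(url)
    if parts.scheme != "ldaps":
        raise ValueError("check_ldaps expects an ldaps:// URL")
    host, port = parts.hostname, parts.port or LDAPS_PORT
    raw = pathlib.Path(cafile).read_bytes()
    # ssl accepts DER as bytes and PEM as text via cadata, so either export works.
    cadata = raw if raw[:1] == b"\x30" else raw.decode("ascii")
    ctx = ssl.create_default_context(cadata=cadata)   # CERT_REQUIRED + hostname check
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"protocol": tls.version(),
                    "subject": cert.get("subject"),
                    "not_after": cert.get("notAfter")}


if __name__ == "__main__":
    import sys
    # Usage: python ldaps_check.py ldap://ldap.allnet.com:389/o=allnet /home/admin/SelfSignedCert.b64
    new_url = to_ldaps(sys.argv[1])
    print("use this URL in Teaming:", new_url)
    if len(sys.argv) > 2:
        print(check_ldaps(new_url, sys.argv[2]))
```

If the handshake fails with a certificate verification error, the server is presenting a certificate not issued by the CA you exported, or one issued for a different name than the one in the URL; the Java side will fail in the same way once the URL is changed. If it fails with a protocol version error, the eDirectory server only offers TLS versions or ciphers that a current client refuses; update the server's TLS configuration rather than lowering the client's minimum version.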