How to Configure DualShield to Connect to AD via LDAPS?
To connect DualShield to Active Directory via LDAP over SSL (LDAPS), you must tell your DualShield server to trust your AD server. In other words, you must import the CA certificate that was used to sign the server certificate of your AD server into the keystore of your DualShield server as a trusted root certificate.
First of all, make sure that your AD server is fully configured to accept SSL connection. To verify that your AD server is enabled with LDAPS connection, you can run a Microsoft support tool LDP.EXE on your AD server. You should see the following output:
The article below has detailed instructions of how to Configure Active Directory Authentication with LDAP over SSL:Configure Active Directory Authentication with LDAP over SSL
You can also look at MS TechNet LDAP over SSL (LDAPS) Certificate for enabling LDAPS for domain controllers using a single-tier or multi-tier CA hierarchy.
It is also worth reading "How to enable LDAP over SSL with a third-party certification authority".
Now that your AD server is configured to accept LDAPS connection, you need to export the CA certificate from your AD server.
The CA used to sign the LDAPS certificate is not necessary to be the one of your Certification Authority, so the safe way to check the CA is,
- Open Local Computer Certificate Console on your DC,
- Locate the LDAPS certificate, which should include the Server Authentication (126.96.36.199.188.8.131.52.1) object identifier.
Normally it has "DomainController" as its Certificate Template Name,
The most important is, the Active Directory fully qualified domain name of the domain controller (for example, povm2k3svr.parkoffice.com) must appear in one of the following places: The Common Name (CN) in the Subject field.
- Double click the certificate, go to the tab "Cetification Path",
In our example, the CA to sign the LDAPS certificate is the highlighted one "ca".
Select the CA certificate, click View Certificate.
The Certificate dialog box appears.
- Select the Details tab.
Click Copy to file.
The Certificate Export Wizard appears.
The Export File Format page appears.
Select the Base-64 encoded X.509 (CER) file format.
The File to Export page appears.
To save the certificate file to the default location, in the File Name text box, type a name for the certificate.
To select a different location to save the file, click Browse. Select the location and type a file name for the certificate.
For example, cacert.cer.
The Completing the Certificate Export Wizard page appears.
- Review the certificate information. Click Finish.
You can double check the output ca by running LDP.exe on another machine which is not DC. if the ca is not in your Trusted Root Certification Authorities (either Current User or Local Computer), you are bound to get
Next, you need to import the CA certificate into your DualShield's keystore. DualShield's keystore is a JAVA keystore and there is a tool included in the DualShield that can be used to import certificates. Follow the steps below:
you should now see the Portecle's user interface:
- Select "File | Open CA Certs Keystore"
- Enter the default password: "changeit"
- Select "Tools | Import Trusted Certificate" and import your CA certificate
Mind you, if you can double click the file portecle.jar to run this utility, then it is very likely that you have JRE installed on this machine. Generally this JRE is NOT the one we used in DualShield. In that case, please choose the menu "Open Keystore File..." instead, then locate the file "cacerts" under DualShield installation folder.
Alternatively, you can import a root or intermediate CA certificate to an existing Java keystore with following command
C:\Program Files\Deepnet DualShield\jre\bin\keytool -import -trustcacerts -alias root -file yourca.crt -keystore C:\Program Files\Deepnet DualShield\jre\lib\security\cacerts
Once you have successfully import your AD's CA certificate into your DualShield's keystore, restart the DualShield server.
Finally, in DualShield, modify the LDAP connection of your Identity Source that's connected to your AD server.