

Encrypt the Connection to the LDAP Server Using GSSAPI

CA Single Sign-On supports encrypted (SASL-protected) connections to the directory server using the DIGEST-MD5 or GSSAPI mechanism. Because the bind is then authenticated by the mechanism itself (for GSSAPI, by a Kerberos ticket), you do not have to use a service account to bind to the LDAP server (the UserBind parameter that you set in the Single Sign-On Configuration Tool).

To use GSSAPI, you must describe your Kerberos realm and KDC in the Kerberos client configuration file (krb5.conf) that CA Single Sign-On reads.

Follow these steps:

  1. Log in to the server where CA Performance Center or a CA data source product is installed.

    Log in as root or with the 'sudo' command.

  2. Change to the following directory:
    [Installation Dir]/webapps/sso/Configuration/
    
  3. Open the krb5.conf file in that directory for editing.
  4. Set the following required parameters (the closing brace belongs only to the realm stanza inside [realms]; [domain_realm] has no braces):
    [libdefaults]
            default_realm = CA.COM
    [realms]
            CA.COM = {
                    kdc = EXAMPLE.CA.COM
                    default_domain = CA.COM
            }
    [domain_realm]
            .CA.COM = CA.COM
    

    where:

    [libdefaults]

    Contains default values for the Kerberos V5 library.

    default_realm

    Is the Kerberos realm that the library uses when a principal name does not specify one. It must match a stanza in [realms]. In this example, the default realm is CA.COM.

    [realms]

    Contains one stanza per Kerberos realm, describing the location of that realm's Kerberos servers and other realm-specific information.

    kdc

    Is the host name (optionally host:port) of the key distribution center that issues tickets for the realm. The name must resolve from the CA Performance Center or data source server. For example, EXAMPLE.CA.COM.

    default_domain

    Is the DNS domain that is appended to unqualified host names when service principals for this realm are built. For example, CA.COM.

    [domain_realm]

    Maps DNS domain names to Kerberos realm names, so that the library can determine the realm for a host from its fully qualified domain name. A leading period matches every host in that domain. In this example, hosts under CA.COM belong to the realm CA.COM.

    Note: Your Active Directory or LDAP Administrator can usually provide you with a krb5.conf file, or help you to create one, because the realm name, KDC host and domain mapping must match the directory's Kerberos deployment.

  5. Save your changes.
  6. Now follow the steps in Enable LDAP Authentication Using an Encryption Mechanism to configure LDAP authentication with CA Single Sign-On.
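The following script is an added example, not part of the CA documentation or product: a small checker that parses a krb5.conf fragment like the one in step 4 and reports the mistakes that most often break a GSSAPI bind before you reach the LDAP configuration step (an unbalanced brace, a default_realm with no [realms] stanza, a stanza without a kdc, and a missing [domain_realm] mapping). The sample configurations embedded below are constructed for the example; the realm CA.COM and KDC EXAMPLE.CA.COM are the page's own placeholders.

```python
"""Sanity-check a krb5.conf fragment before using it for GSSAPI.

Added example; not CA Single Sign-On code. It understands the subset of
krb5.conf syntax used on this page: [section] headers, key = value lines,
and one level of  name = { ... }  stanzas inside [realms].
"""
import re

SECTION_RE = re.compile(r"^\[(\w+)\]$")
ASSIGN_RE = re.compile(r"^(\S+)\s*=\s*(.*)$")

# Constructed sample: the corrected configuration from step 4.
GOOD_CONF = """\
[libdefaults]
        default_realm = CA.COM
[realms]
        CA.COM = {
                kdc = EXAMPLE.CA.COM
                default_domain = CA.COM
        }
[domain_realm]
        .CA.COM = CA.COM
"""

# Constructed sample: the same file with a stray closing brace after
# [domain_realm], the kind of typo that makes the Kerberos library reject the file.
BROKEN_CONF = GOOD_CONF + "}\n"

# Constructed sample: realm stanza present but no kdc line.
NO_KDC_CONF = GOOD_CONF.replace("                kdc = EXAMPLE.CA.COM\n", "")


def parse_krb5_conf(text):
    """Return {section: {key: value}}; realm stanzas become nested dicts.

    Raises ValueError on unbalanced braces or unparsable lines.
    Repeated keys keep the last value (a real krb5.conf may list several kdc
    lines; this checker only needs to know that at least one exists).
    """
    sections = {}
    section = None
    stanza = None  # name of the realm whose { ... } block we are inside
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if stanza is not None:
                raise ValueError(f"line {lineno}: section header inside unclosed '{{' block")
            section = m.group(1)
            sections.setdefault(section, {})
            continue
        if section is None:
            raise ValueError(f"line {lineno}: assignment before any [section]")
        if line == "}":
            if stanza is None:
                raise ValueError(f"line {lineno}: stray '}}'")
            stanza = None
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            if stanza is not None:
                raise ValueError(f"line {lineno}: nested '{{' blocks are not supported")
            stanza = key
            sections[section][key] = {}
        elif stanza is not None:
            sections[section][stanza][key] = value
        else:
            sections[section][key] = value
    if stanza is not None:
        raise ValueError("unterminated '{' block at end of file")
    return sections


def check_gssapi_ready(sections):
    """Return a list of problems; an empty list means the fragment is usable."""
    problems = []
    realm = sections.get("libdefaults", {}).get("default_realm")
    if not realm:
        return ["no default_realm in [libdefaults]"]
    stanza = sections.get("realms", {}).get(realm)
    if not isinstance(stanza, dict):
        problems.append(f"no [realms] stanza for {realm}")
    elif "kdc" not in stanza:
        problems.append(f"[realms] stanza for {realm} has no kdc")
    if realm not in sections.get("domain_realm", {}).values():
        problems.append(f"no [domain_realm] entry maps a domain to {realm}")
    return problems


def lint(text):
    """Parse and check; syntax errors are reported as a single problem."""
    try:
        return check_gssapi_ready(parse_krb5_conf(text))
    except ValueError as exc:
        return [str(exc)]


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("broken", BROKEN_CONF), ("no_kdc", NO_KDC_CONF)):
        print(name, lint(conf) or "OK")
```

Run it against the real file with `python3 check_krb5.py < [Installation Dir]/webapps/sso/Configuration/krb5.conf` after adapting the `__main__` block to read stdin; a clean result only proves the file is well-formed and internally consistent, so still confirm that the kdc host name resolves and that port 88 on it is reachable from the CA server before enabling GSSAPI.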