An LDAP user directory connection over SSL requires configuring your certificate database files.
Follow these steps:
Review the following points before configuring an LDAP user directory connection over SSL:
Important! Do not use Microsoft Internet Explorer to install certificates into your cert8.db database file.
To create the certificate database files, use the Mozilla Network Security Services (NSS) certutil application that is included with the Policy Server
Note: The following procedure details the specific options and arguments to complete the task. For a complete list of the NSS utility options and arguments, refer to the Mozilla documentation on the NSS project page.
Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command-line window with administrator permissions. Open the command-line window this way, even if your account has administrator privileges.
Follow these steps:
Example: C:\Program Files\CA\SiteMinder\bin
Note: Windows has a native certutil utility. Verify that you are working from the Policy Server bin directory, or you can inadvertently run the Windows certutil utility.
certutil -N -d certificate_database_directory
Creates the cert8.db, key3.db, and secmod.db certificate database files.
Specifies the directory in which the certutil tool is to create the certificate database files.
Note: If the file path contains spaces, bracket the path in quotes.
The utility prompts for a password to encrypt the database key.
NSS creates the required certificate database files:
Example: Create the Certificate Database Files
certutil -N -d C:\certdatabase
To add the root Certificate Authority (CA), use the Mozilla Network Security Services (NSS) certutil application, which is in the Policy Server.
Note: The following procedure details the specific options and arguments to complete the task. For a complete list of the NSS utility options and arguments, refer to the Mozilla documentation on the NSS project page.
Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command-line window with administrator permissions. Open the command-line window this way, even if your account has administrator privileges.
Follow these steps:
Example: C:\Program Files\CA\SiteMinder\bin
Note: Windows has a native certutil utility. Verify that you are working from the bin directory of the NSS utility, or you can inadvertently run the Windows certutil utility.
certutil -A -n alias -t trust_arguments -i root_CA_path -d certificate_database_directory
Adds a certificate to the certificate database.
Specifies an alias for the certificate.
Note: If the alias contains spaces, bracket the alias with quotes.
Specifies the trust attributes to apply to the certificate. The three available trust categories are expressed in this order: "SSL, email, object signing". In each category position, you can use zero or more of the following attribute arguments.
p
Valid peer.
P
Trusted peer. This argument implies p.
c
Valid CA.
T
Trusted CA to issue client certificates. This argument implies c.
C
Trusted CA to issue server certificates (SSL only). This argument implies c.
Important! This argument is required for the SSL trust category.
u
Certificate can be used for authentication or signing.
Specifies the path to the root CA file. The path includes the certificate name. The valid extensions for a certificate include cert, .cer, and .pem.
Note: If the file path contains spaces, bracket the path in quotes.
Specifies the path to the directory that contains the certificate database.
Note: If the file path contains spaces, bracket the path in quotes.
Example: Adding a Root CA to the Certificate Database
certutil -A -n "My Root CA" -t "C,," -i C:\certificates\cacert.cer -d C:\certdatabase
To enable communication over SSL, add the server certificate to the certificate. Use the Mozilla Network Security Services (NSS) certutil application, which is available with the Policy Server.
Note: The following procedure details the specific options and arguments to complete the task. For a complete list of the NSS utility options and arguments, refer to the Mozilla documentation on the NSS project page.
Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command-line window with administrator permissions. Open the command-line window this way, even if your account has administrator privileges.
Follow these steps:
Example: C:\Program Files\CA\SiteMinder\bin
Note: Windows has a native certutil utility. Verify that you are working from the bin directory of the NSS utility, or you can inadvertently run the Windows certutil utility.
certutil -A -n alias -t trust_arguments -i server_certificate_path -d certificate_database_directory
Adds a certificate to the certificate database.
Specifies an alias for the certificate.
Note: If the alias contains spaces, bracket the alias with quotes.
Specifies the trust argument. The three available trust categories for each certificate are expressed in this order: "SSL, email, object signing". In each category position, you can use zero or more of the following attribute arguments:
p
Valid peer.
P
Trusted peer. This argument implies p.
Important! This argument is required for the SSL trust category.
Specifies the path to the server certificate. The path includes the certificate name. The valid extensions for a certificate include.cert, .cer, and .pem.
Note: If the file path contains spaces, bracket the path in quotes.
Specifies the path to the directory that contains the certificate database.
Note: If the file path contains spaces, bracket the path in quotes.
NSS adds the server certificate to the certificate database.
Example: Adding a Server Certificate to the Certificate Database
certutil -A -n "My Server Certificate" -t "P,," -i C:\certificates\servercert.cer -d C:\certdatabase
To verify that the certificates are in the certificate database, use the Mozilla Network Security Services (NSS) certutil application. Policy Server includes this tool.
Note: The following procedure details the specific options and arguments to complete the task. For a complete list of the NSS utility options and arguments, refer to the Mozilla documentation on the NSS project page.
Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command-line window with administrator permissions. Open the command-line window this way, even if your account has administrator privileges.
Follow these steps:
Example: C:\Program Files\CA\SiteMinder\bin
Note: Windows has a native certutil utility. Verify that you are working from the bin directory of the NSS utility, or you can inadvertently run the Windows certutil utility.
certutil -L -d certificate_database_directory
Lists all of the certificates in the certificate database.
Specifies the path to the directory that contains the certificate database.
Note: If the file path contains spaces, bracket the path in quotes.
This command displays the root CA alias, the server certificate alias, and the trust attributes you specified when adding the certificates to the certificate database.
Example: List the Certificates in the Certificate Database
certutil -L -d C:\certdatabase
You configure an SSL connection to the user store help ensure that the Policy Server and user store communicate properly.
Follow these steps:
The user directory connection can communicate over SSL.
To communicate with the user directory over SSL, point the Policy Server to the certificate database.
Follow these steps:
Important! If you are accessing this graphical user interface on Windows Server 2008, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your CA SiteMinder® component.
Example: C:\certdatabase\cert8.db
Note: The key3.db file must be in the same directory as the cert8.db file.
The Policy Server can communicate with the user directory over SSL.
To determine whether the user directory and the Policy Server are communicating properly, be sure to verify the SSL connection
Follow these steps:
When SSL is properly configured, the Directory Content screen appears and lists the contents of the user directory.
Copyright © 2014 CA.
All rights reserved.
|
|