

How to Configure an LDAP User Directory Connection over SSL

Configuring an LDAP user directory connection over SSL requires that you configure CA SiteMinder® to use your certificate database files.

Complete the following steps to configure the connection over SSL:

  1. Perform steps required before you configure a connection over SSL.
  2. Create the certificate database files
  3. Add the root Certificate Authority (CA) to the certificate database
  4. Add the server certificate to the certificate database
  5. List the certifications in the certificate database
  6. Configure the user directory connection for SSL
  7. Point the Policy Server to the certificate database
  8. Verify the SSL connection

Before You Configure a Connection over SSL

Review the following points before configuring an LDAP user directory connection over SSL:

Create the Certificate Database Files

The certificate database files must be in the Netscape database file format (cert8.db). Use the Mozilla Network Security Services (NSS) certutil application that is installed with the Policy Server to create the certificate database files.

Note: The following procedure details the specific options and arguments to complete the task. For a complete list of the NSS utility options and arguments, refer to the Mozilla documentation on the NSS project page.

Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.

Follow these steps:

  1. From a command prompt, navigate to the installation bin directory.

    Example: C:\Program Files\CA\SiteMinder\bin

    Note: Windows has a native certutil utility. Verify that you are working from the Policy Server bin directory; otherwise you may inadvertently run the Windows certutil utility.

  2. Enter the following command:
    certutil -N -d certificate_database_directory
    
    -N

    Creates the cert8.db, key3.db, and secmod.db certificate database files.

    -d certificate_database_directory

    Specifies the directory in which the certutil tool is to create the certificate database files.

    Note: If the file path contains spaces, bracket the path in quotes.

    The utility prompts for a password to encrypt the database key.

  3. Enter and confirm the password.

    NSS creates the required certificate database files.

Example: Create the Certificate Database Files

certutil -N -d C:\certdatabase

Add the Root Certificate Authority to the Certificate Database

Add the root Certificate Authority (CA) to make it available for communication over SSL. Use the Mozilla Network Security Services (NSS) certutil application installed with the Policy Server to add the root CA.

Note: The following procedure details the specific options and arguments to complete the task. For a complete list of the NSS utility options and arguments, refer to the Mozilla documentation on the NSS project page.

Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.

Follow these steps:

  1. From a command prompt, navigate to the Policy Server installation bin directory.

    Example: C:\Program Files\CA\SiteMinder\bin

    Note: Windows has a native certutil utility. Verify that you are working from the bin directory of the NSS utility; otherwise you may inadvertently run the Windows certutil utility.

  2. Run the following command to add the root CA to the database file:
    certutil -A -n alias -t trust_arguments -i root_CA_path -d certificate_database_directory
    
    -A

    Adds a certificate to the certificate database.

    -n alias

    Specifies an alias for the certificate.

    Note: If the alias contains spaces, bracket the alias with quotes.

    -t trust_arguments

    Specify the trust attributes to apply to the certificate when adding it to the certificate database. There are three available trust categories for each certificate, which are expressed in this order: "SSL, email, object signing". Specify the appropriate trust arguments so that the root CA is trusted to issue SSL certificates. In each category position, you may use zero or more of the following attribute arguments.

    p

    Valid peer.

    P

    Trusted peer. This argument implies p.

    c

    Valid CA.

    T

    Trusted CA to issue client certificates. This argument implies c.

    C

    Trusted CA to issue server certificates (SSL only). This argument implies c.

    Important! This is a required argument for the SSL trust category.

    u

    Certificate can be used for authentication or signing.

    -i root_CA_path

    Specifies the path to the root CA file. Consider the following:

    • The path must include the certificate name.
    • Valid extensions for a certificate include .cert, .cer, and .pem.

    Note: If the file path contains spaces, bracket the path in quotes.

    -d certificate_database_directory

    Specifies the path to the directory that contains the certificate database.

    Note: If the file path contains spaces, bracket the path in quotes.

    NSS adds the root CA to the certificate database.

Example: Adding a Root CA to the Certificate Database

certutil -A -n "My Root CA"  -t "C,," -i C:\certificates\cacert.cer -d C:\certdatabase

Add the Server Certificate to the Certificate Database

Add the server certificate to the certificate database to make it available for communication over SSL. Use the Mozilla Network Security Services (NSS) certutil application installed with the Policy Server to add the server certificate.

Note: The following procedure details the specific options and arguments to complete the task. For a complete list of the NSS utility options and arguments, refer to the Mozilla documentation on the NSS project page.

Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.

To add the server certificate to the certificate database

  1. From a command prompt, navigate to the Policy Server installation bin directory.

    Example: C:\Program Files\CA\SiteMinder\bin

    Note: Windows has a native certutil utility. Verify that you are working from the bin directory of the NSS utility; otherwise you may inadvertently run the Windows certutil utility.

  2. Run the following command to add the server certificate to the database file:
    certutil -A -n alias -t trust_arguments -i server_certificate_path -d certificate_database_directory
    
    -A

    Adds a certificate to the certificate database.

    -n alias

    Specifies an alias for the certificate.

    Note: If the alias contains spaces, bracket the alias with quotes.

    -t trust_arguments

    Specify the trust attributes to apply to the certificate when adding it to the certificate database. There are three available trust categories for each certificate, which are expressed in this order: "SSL, email, object signing". Specify the appropriate trust arguments so that the certificate is trusted. In each category position, you may use zero or more of the following attribute arguments:

    p

    Valid peer.

    P

    Trusted peer. This argument implies p.

    Important! This is a required argument for the SSL trust category.

    -i server_certificate_path

    Specifies the path to the server certificate. Consider the following:

    • The path must include the certificate name.
    • Valid extensions for a certificate include .cert, .cer, and .pem.

    Note: If the file path contains spaces, bracket the path in quotes.

    -d certificate_database_directory

    Specifies the path to the directory that contains the certificate database.

    Note: If the file path contains spaces, bracket the path in quotes.

    NSS adds the server certificate to the certificate database.

Example: Adding a Server Certificate to the Certificate Database

certutil -A -n "My Server Certificate" -t "P,," -i C:\certificates\servercert.cer -d C:\certdatabase

List the Certificates in the Certificate Database

List the certificates to verify that they were added to the certificate database. Use the Mozilla Network Security Services (NSS) certutil application that is installed with the Policy Server to list the certificates.

Note: The following procedure details the specific options and arguments to complete the task. For a complete list of the NSS utility options and arguments, refer to the Mozilla documentation on the NSS project page.

Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.

Follow these steps:

  1. From a command prompt, navigate to the Policy Server installation bin directory.

    Example: C:\Program Files\CA\SiteMinder\bin

    Note: Windows has a native certutil utility. Verify that you are working from the bin directory of the NSS utility; otherwise you may inadvertently run the Windows certutil utility.

  2. Run the following command:
    certutil -L -d certificate_database_directory
    
    -L

    Lists all of the certificates in the certificate database.

    -d certificate_database_directory

    Specifies the path to the directory that contains the certificate database.

    Note: If the file path contains spaces, bracket the path in quotes.

    The utility displays the root CA alias, the server certificate alias, and the trust attributes you specified when adding the certificates to the certificate database.

Example: List the Certificates in the Certificate Database

certutil -L -d C:\certdatabase
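
The listing above is the point at which a misconfigured database is easiest to catch. The following script is an added example, not part of the CA SiteMinder documentation or the NSS project: it parses the text that certutil -L prints and checks the two requirements this procedure states, that the root CA carries C in the SSL trust position and the server certificate carries P in the SSL trust position. The nicknames "My Root CA" and "My Server Certificate" are the ones used in the examples on this page; the listing text embedded in the script is a constructed sample in the column layout NSS certutil prints, and the certutil path passed to list_database is whatever the caller supplies.

```python
#!/usr/bin/env python3
"""Check trust flags in an NSS certificate database listing.

Added example (not code from the CA SiteMinder documentation). It parses the
output of `certutil -L -d <dir>` and checks that the root CA has C in the SSL
trust position and the server certificate has P in the SSL trust position.
"""
import re
import subprocess
from typing import Dict, List, Tuple

# Three comma-separated positions (SSL, email, object signing), each holding
# zero or more of the attribute letters the documentation lists.
TRUST_RE = re.compile(r"^([pPcCTu]*),([pPcCTu]*),([pPcCTu]*)$")

# Constructed sample of a correct database: root CA trusted to issue server
# certificates (C), server certificate a trusted peer (P).
GOOD_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

My Root CA                                                   C,,
My Server Certificate                                        P,,
"""

# Constructed sample of a common mistake: the root CA was imported with the
# peer flag instead of the CA flag, and the server certificate was never added.
BAD_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

My Root CA                                                   P,,
"""


def parse_listing(text: str) -> Dict[str, Tuple[str, str, str]]:
    """Map each nickname in a certutil -L listing to its (ssl, email, objsign) flags.

    Nicknames may contain spaces, so only the last whitespace-delimited token
    is taken as the trust string, and it must match TRUST_RE. Both header lines
    fail that test ("Attributes" and "SSL,S/MIME,JAR/XPI") and are skipped.
    """
    certs: Dict[str, Tuple[str, str, str]] = {}
    for line in text.splitlines():
        parts = line.rsplit(None, 1)
        if len(parts) != 2:
            continue
        nickname, trust = parts
        match = TRUST_RE.match(trust)
        if match:
            certs[nickname] = (match.group(1), match.group(2), match.group(3))
    return certs


def check_ssl_trust(certs: Dict[str, Tuple[str, str, str]],
                    root_ca: str, server: str) -> List[str]:
    """Return the problems found; an empty list means the database holds what
    the SSL user directory connection needs."""
    problems: List[str] = []
    root_flags = certs.get(root_ca)
    if root_flags is None:
        problems.append(f"root CA '{root_ca}' is not in the database")
    elif "C" not in root_flags[0]:
        problems.append(
            f"root CA '{root_ca}' has SSL trust '{root_flags[0]}', expected C "
            "(trusted CA to issue server certificates)")
    server_flags = certs.get(server)
    if server_flags is None:
        problems.append(f"server certificate '{server}' is not in the database")
    elif "P" not in server_flags[0]:
        problems.append(
            f"server certificate '{server}' has SSL trust '{server_flags[0]}', "
            "expected P (trusted peer)")
    return problems


def list_database(certutil: str, db_dir: str) -> Dict[str, Tuple[str, str, str]]:
    """Run the NSS certutil (pass its full path so the Windows certutil is not
    picked up by mistake) against a real database directory and parse the result."""
    result = subprocess.run([certutil, "-L", "-d", db_dir],
                            capture_output=True, text=True, check=True)
    return parse_listing(result.stdout)


if __name__ == "__main__":
    for label, listing in (("good", GOOD_LISTING), ("bad", BAD_LISTING)):
        found = check_ssl_trust(parse_listing(listing),
                                "My Root CA", "My Server Certificate")
        print(f"{label}: {'OK' if not found else '; '.join(found)}")
```

Against a real database, call list_database with the full path of the Policy Server's certutil and the certificate database directory, then pass the result to check_ssl_trust with the aliases you used in the -n arguments. The script only reads the listing; it does not modify the database.
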

Configure the User Directory Connection for SSL

You configure the user store connection to be sure that an SSL connection is used when the Policy Server and user store communicate.

To configure the user store connection for SSL

  1. Log in to the Administrative UI.
  2. Click Infrastructure, Directory.

    Objects related to user directories appear on the left.

  3. Click User Directories.

    The User Directories screen appears. The table lists the names of existing user directory connections.

  4. Click the name of the user directory connection you want.

    The user directory settings appear as read-only.

  5. Scroll down and click Modify.

    The settings become active.

  6. Select the Secure Connection option in the Directory Setup area and click Submit.

    The user directory connection is configured to communicate over SSL.

Point the Policy Server to the Certificate Database

Point the Policy Server to the certificate database to configure CA SiteMinder® to communicate with the user directory over SSL.

To point the Policy Server to the certificate database

  1. Start the Policy Server Management Console.

    Important! If you are accessing this graphical user interface on Windows Server 2008, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your CA SiteMinder® component.

  2. Click the Data tab.
  3. Enter the path to the certificate database file in the Netscape Certificate Database File field.

    Example: C:\certdatabase\cert8.db

    Note: The key3.db file must be in the same directory as the cert8.db file.

  4. Restart the Policy Server.

    The Policy Server is configured to communicate with the user directory over SSL.

Verify the SSL Connection

You verify the SSL connection to be sure that the user directory and the Policy Server are communicating over SSL.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Click Infrastructure, Directory.

    Objects related to user directories appear on the left.

  3. Click User Directories.

    The User Directories screen appears. The table lists the names of existing user directory connections.

  4. Click the name of the user directory connection you want.

    The user directory settings appear as read-only.

  5. Click View contents.

    If SSL is properly configured, the Directory Content screen appears and lists the contents of the user directory.