Configuring an LDAP user directory connection over SSL requires that you configure CA SiteMinder® to use your certificate database files.
Complete the following steps to configure the connection over SSL:
Review the following points before configuring an LDAP user directory connection over SSL:
Note: For more information about configuring your directory server to communicate over SSL, refer to the vendor-specific documentation.
Important! Do not use Microsoft Internet Explorer to install certificates into your cert8.db database file.
Note: For more information about configuring Active Directory to communicate over SSL, refer to the Microsoft documentation.
The certificate database files must be in the Netscape database file format (cert8.db). Use the Mozilla Network Security Services (NSS) certutil application that is installed with the Policy Server to create the certificate database files.
Note: The following procedure details the specific options and arguments to complete the task. For a complete list of the NSS utility options and arguments, refer to the Mozilla documentation on the NSS project page.
Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.
Follow these steps:
Example: C:\Program Files\CA\SiteMinder\bin
Note: Windows has a native certutil utility. Verify that you are working from the Policy Server bin directory, or you can inadvertently run the Windows certutil utility.
certutil -N -d certificate_database_directory
-N
Creates the cert8.db, key3.db, and secmod.db certificate database files.
-d certificate_database_directory
Specifies the directory in which the certutil tool is to create the certificate database files.
Note: If the file path contains spaces, bracket the path in quotes.
The utility prompts for a password to encrypt the database key.
NSS creates the required certificate database files:
Example: Create the Certificate Database Files
certutil -N -d C:\certdatabase
Add the root Certificate Authority (CA) to make it available for communication over SSL. Use the Mozilla Network Security Services (NSS) certutil application installed with the Policy Server to add the root CA.
Note: The following procedure details the specific options and arguments to complete the task. For a complete list of the NSS utility options and arguments, refer to the Mozilla documentation on the NSS project page.
Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.
Follow these steps:
Example: C:\Program Files\CA\SiteMinder\bin
Note: Windows has a native certutil utility. Verify that you are working from the bin directory of the NSS utility, or you can inadvertently run the Windows certutil utility.
certutil -A -n alias -t trust_arguments -i root_CA_path -d certificate_database_directory
-A
Adds a certificate to the certificate database.
-n alias
Specifies an alias for the certificate.
Note: If the alias contains spaces, bracket the alias with quotes.
-t trust_arguments
Specifies the trust attributes to apply to the certificate when adding it to the certificate database. There are three trust categories for each certificate, expressed in this order: "SSL, email, object signing". Specify the appropriate trust arguments so that the root CA is trusted to issue SSL certificates. In each category position, you may use zero or more of the following attribute arguments:
p
Valid peer.
P
Trusted peer. This argument implies p.
c
Valid CA.
T
Trusted CA to issue client certificates. This argument implies c.
C
Trusted CA to issue server certificates (SSL only). This argument implies c.
Important! This is a required argument for the SSL trust category.
u
Certificate can be used for authentication or signing.
-i root_CA_path
Specifies the path to the root CA file. Consider the following:
Note: If the file path contains spaces, bracket the path in quotes.
-d certificate_database_directory
Specifies the path to the directory that contains the certificate database.
Note: If the file path contains spaces, bracket the path in quotes.
NSS adds the root CA to the certificate database.
Example: Adding a Root CA to the Certificate Database
certutil -A -n "My Root CA" -t "C,," -i C:\certificates\cacert.cer -d C:\certdatabase
Add the server certificate to the certificate database to make it available for communication over SSL. Use the Mozilla Network Security Services (NSS) certutil application installed with the Policy Server to add the server certificate.
Note: The following procedure details the specific options and arguments to complete the task. For a complete list of the NSS utility options and arguments, refer to the Mozilla documentation on the NSS project page.
Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.
To add the server certificate to the certificate database
Example: C:\Program Files\CA\SiteMinder\bin
Note: Windows has a native certutil utility. Verify that you are working from the bin directory of the NSS utility, or you can inadvertently run the Windows certutil utility.
certutil -A -n alias -t trust_arguments -i server_certificate_path -d certificate_database_directory
-A
Adds a certificate to the certificate database.
-n alias
Specifies an alias for the certificate.
Note: If the alias contains spaces, bracket the alias with quotes.
-t trust_arguments
Specifies the trust attributes to apply to the certificate when adding it to the certificate database. There are three trust categories for each certificate, expressed in this order: "SSL, email, object signing". Specify the appropriate trust arguments so that the certificate is trusted. In each category position, you may use zero or more of the following attribute arguments:
p
Valid peer.
P
Trusted peer. This argument implies p.
Important! This is a required argument for the SSL trust category.
-i server_certificate_path
Specifies the path to the server certificate. Consider the following:
Note: If the file path contains spaces, bracket the path in quotes.
-d certificate_database_directory
Specifies the path to the directory that contains the certificate database.
Note: If the file path contains spaces, bracket the path in quotes.
NSS adds the server certificate to the certificate database.
Example: Adding a Server Certificate to the Certificate Database
certutil -A -n "My Server Certificate" -t "P,," -i C:\certificates\servercert.cer -d C:\certdatabase
List the certificates to verify that they were added to the certificate database. Use the Mozilla Network Security Services (NSS) certutil application that is installed with the Policy Server to list the certificates.
Note: The following procedure details the specific options and arguments to complete the task. For a complete list of the NSS utility options and arguments, refer to the Mozilla documentation on the NSS project page.
Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.
Follow these steps:
Example: C:\Program Files\CA\SiteMinder\bin
Note: Windows has a native certutil utility. Verify that you are working from the bin directory of the NSS utility, or you can inadvertently run the Windows certutil utility.
certutil -L -d certificate_database_directory
-L
Lists all of the certificates in the certificate database.
-d certificate_database_directory
Specifies the path to the directory that contains the certificate database.
Note: If the file path contains spaces, bracket the path in quotes.
The utility displays the root CA alias, the server certificate alias, and the trust attributes you specified when adding the certificates to the certificate database.
Example: List the Certificates in the Certificate Database
certutil -L -d C:\certdatabase
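The listing is the only point in the procedure where you can confirm that the trust arguments from the earlier steps ("C,," on the root CA and "P,," on the server certificate) actually landed in cert8.db. The following script is an added example, not part of the CA SiteMinder documentation: it parses certutil -L output (a constructed sample is embedded; the aliases match the examples above) and reports whether the SSL trust category is set as the procedure requires. The list_database helper assumes the NSS certutil is on the path or that you pass its full path, so the Windows certutil is not run by mistake.

```python
import re
import subprocess

# Constructed sample of `certutil -L -d C:\certdatabase` output in the column
# layout NSS certutil prints; it was not captured from a real system.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

My Root CA                                                   C,,
My Server Certificate                                        P,,
"""

# One listing line: nickname, two or more spaces, then the three comma-separated
# trust categories in certutil's order (SSL, email, object signing).
LINE_RE = re.compile(r"^(\S.*?)\s{2,}([pPcCTu]*),([pPcCTu]*),([pPcCTu]*)\s*$")


def parse_listing(text):
    """Map each nickname in a `certutil -L` listing to its (ssl, email, signing) flags."""
    certs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # header lines never carry the x,y,z trust triplet, so they are skipped
            certs[m.group(1).strip()] = (m.group(2), m.group(3), m.group(4))
    return certs


def check_ssl_trust(certs, root_alias, server_alias):
    """Return the problems found against the procedure's requirements: the root CA
    needs C in the SSL category and the server certificate needs P. An empty list
    means the database is ready for the SSL user directory connection."""
    problems = []
    root = certs.get(root_alias)
    if root is None:
        problems.append(f"root CA {root_alias!r} is not in the database")
    elif "C" not in root[0]:
        problems.append(f"root CA {root_alias!r} lacks C in the SSL category (has {root[0]!r})")
    server = certs.get(server_alias)
    if server is None:
        problems.append(f"server certificate {server_alias!r} is not in the database")
    elif "P" not in server[0]:
        problems.append(f"server certificate {server_alias!r} lacks P in the SSL category (has {server[0]!r})")
    return problems


def list_database(db_dir, certutil="certutil"):
    """Run the NSS certutil against a database directory and parse its listing (assumed path)."""
    result = subprocess.run([certutil, "-L", "-d", db_dir], capture_output=True, text=True, check=True)
    return parse_listing(result.stdout)
```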
You configure the user store connection to be sure that an SSL connection is used when the Policy Server and user store communicate.
To configure the user store connection for SSL
Objects related to user directories appear on the left.
The User Directories screen appears. The table lists the names of existing user directory connections.
The user directory settings appear as read-only.
The settings become active.
The user directory connection is configured to communicate over SSL.
Point the Policy Server to the certificate database to configure CA SiteMinder® to communicate with the user directory over SSL.
To point the Policy Server to the certificate database
Important! If you are accessing this graphical user interface on Windows Server 2008, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your CA SiteMinder® component.
Example: C:\certdatabase\cert8.db
Note: The key3.db file must be in the same directory as the cert8.db file.
The Policy Server is configured to communicate with the user directory over SSL.
You verify the SSL connection to be sure that the user directory and the Policy Server are communicating over SSL.
Follow these steps:
Objects related to user directories appear on the left.
The User Directories screen appears. The table lists the names of existing user directory connections.
The user directory settings appear as read-only.
If SSL is properly configured, the Directory Content screen appears and lists the contents of the user directory.
Copyright © 2013 CA.
All rights reserved.