Before You Configure an LDAP Connection over SSL

CA SiteMinder® Federation Standalone Guide › User Directory Connections for Authentication › How to Connect to an LDAP User Directory Over SSL › Before You Configure an LDAP Connection over SSL

Before You Configure an LDAP Connection over SSL

Review the following points before configuring an LDAP user directory connection over SSL:

Verify that your directory server is SSL-enabled.
Note: For more information about configuring your directory server to communicate over SSL, refer to the vendor-specific documentation.
The Policy Server uses a Mozilla LDAP SDK to communicate with LDAP directories. As a result, the database files must be in the Netscape database version file format (cert8.db).
Important! Do not use Microsoft Internet Explorer to install certificates into your cert8.db database file.
(Active Directory) Considering the following points:
- If the user directory connection is configured with the AD namespace, the SSL process that is documented in the subsequent topics does not apply. The AD namespace uses the native Windows certificate repository when establishing an SSL connection. When configuring the AD namespace to communicate over SSL:
  - Verify that the user directory connection is configured for a secure connection. For more information, refer to Configure the User Directory Connection for SSL.
  - On the computer hosting the Active Directory instance, verify that the root CA certificate and the server certificate are added to the service certificate store.
  Note: For more information about configuring Active Directory to communicate over SSL, refer to the Microsoft documentation.

If the user directory connection was configured with the LDAP namespace, complete the process to configure the connection over SSL.

Create the Certificate Database Files

Thecertificate database files must be in the Netscape database file format (cert8.db). Use the Mozilla Network Security Services (NSS) certutil application that is installed with the Policy Server to create the certificate database files.

Note: The following procedure details the specific options and arguments to complete the task. For a complete list of the NSS utility options and arguments, refer to the Mozilla documentation on the NSS project page.

Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.

Follow these steps:

From a command prompt, navigate to the installation bin directory.
Example: C:\Program Files\CA\SiteMinder\bin

Note: Windows has a native certutil utility. Verify that you are working from the Policy Server bin directory, or you can inadvertently run the Windows certutil utility.
Enter the following command:
```
certutil -N -d certificate_database_directory
```
-N

Creates the cert8.db, key3.db, and secmod.db certificate database files.

-d certificate_database_directory

Specifies the directory in which the certutil tool is to create the certificate database files.

Note: If the file path contains spaces, bracket the path in quotes.

The utility prompts for a password to encrypt the database key.
Enter and confirm the password.
NSS creates the required certificate database files:
- cert8.db
- key3.db
- secmod.db

Example: Create the Certificate Database Files

certutil -N -d C:\certdatabase

Add the Root Certificate Authority to the Certificate Database

Add the root Certificate Authority (CA) to make it available for communication over SSL. Use the Mozilla Network Security Services (NSS) certutil application installed with the Policy Server to add the root CA.

Follow these steps:

From a command prompt, navigate to the Policy Server installation bin directory.
Example: C:\Program Files\CA\SiteMinder\bin

Note: Windows has a native certutil utility. Verify that you are working from the bin directory of the NSS utility, or you can inadvertently run the Windows certutil utility.
Run the following command to add the root CA to the database file:
```
certutil -A -n alias -t trust_arguments -i root_CA_path -d certificate_database_directory
```
-A

Adds a certificate to the certificate database.

-n alias

Specifies an alias for the certificate.

Note: If the alias contains spaces, bracket the alias with quotes.

-t trust_arguments

Specify the trust attributes to apply to the certificate when adding it to the certificate database. There are three available trust categories for each certificate, which are expressed in this order: "SSL, email, object signing". Specify the appropriate trust arguments so that the root CA is trusted to issue SSL certificates. In each category position, you may use zero or more of the following attribute arguments.

p

Valid peer.

P

Trusted peer. This argument implies p.

c

Valid CA.

T

Trusted CA to issue client certificates. This argument implies c.

C

Trusted CA to issue server certificates (SSL only). This argument implies c.

Important! This is a required argument for the SSL trust category.

u

Certificate can be used for authentication or signing.

-i root_CA_path
Specifies the path to the root CA file. Consider the following:
- The path must include the certificate name.
- Valid extensions for a certificate include .cert, .cer, and .pem.
Note: If the file path contains spaces, bracket the path in quotes.
-d certificate_database_directory

Specifies the path to the directory that contains the certificate database.

Note: If the file path contains spaces, bracket the path in quotes.
NSS adds the root CA to the certificate database.

Example: Adding a Root CA to the Certificate Database

certutil -A -n "My Root CA"  -t "C,," -i C:\certificates\cacert.cer -d C:\certdatabase

Add the Server Certificate to the Certificate Database

Add the server certificate to the certificate database to make it available for communication over SSL. Use the Mozilla Network Security Services (NSS) certutil application installed with the Policy Server to add the server certificate.

To add the server certificate to the certificate database

From a command prompt, navigate to the Policy Server installation bin directory.
Example: C:\Program Files\CA\SiteMinder\bin

Note: Windows has a native certutil utility. Verify that you are working from the bin directory of the NSS utility, or you can inadvertently run the Windows certutil utility.
Run the following command to add the root certificate to the database file:
```
certutil -A -n alias -t trust_arguments -i server_certificate_path -d certificate_database_directory
```
-A

Adds a certificate to the certificate database.

-n alias

Specifies an alias for the certificate.

Note: If the alias contains spaces, bracket the alias with quotes.

-t trust_arguments

Specify the trust attributes to apply to the certificate when adding it to the certificate database. There are three available trust categories for each certificate, which are expressed in this order: "SSL, email, object signing". Specify the appropriate trust arguments so that the certificate is trusted. In each category position, you may use zero or more of the following attribute arguments:

p

Valid peer.

P

Trusted peer. This argument implies p.

Important! This is a required argument for the SSL trust category.

-i server_certificate_path
Specifies the path to the server certificate. Consider the following:
- The path must include the certificate name.
- Valid extensions for a certificate include .cert, .cer, and .pem.
Note: If the file path contains spaces, bracket the path in quotes.
-d certificate_database_directory

Specifies the path to the directory that contains the certificate database.

Note: If the file path contains spaces, bracket the path in quotes.
NSS adds the server certificate to the certificate database.

Example: Adding a Server Certificate to the Certificate Database

certutil -A -n "My Server Certificate" -t "P,," -i C:\certificates\servercert.cer -d C:\certdatabase