Symantec™ VIP Enterprise Gateway - How to configure LDAP over SSL

Article ID: 178854

Products

VIP Enterprise Gateway

Issue/Introduction

 Symantec™ VIP Enterprise Gateway - How to configure LDAP over SSL

Resolution

This article walks you through how to configure a secure connection between your VIP Enterprise Gateway and your Windows Active Directory server.

After installing the VIP Enterprise Gateway, setting up a user store is required to authenticate users to Active Directory for first-factor authentications. Symantec recommends using LDAPS as a best practice to encrypt communications between the VIP Enterprise Gateway and AD. (See the VIP Enterprise Gateway Installation & Configuration guide for information on adding a user store).

If you are using a private Certificate Authority (i.e. Enterprise Root CA) in your environment, install the Root CA and Intermediate CA certificates in the “Trusted CA Store” on each VIP Enterprise Gateway instance. 

If you do not have a private CA in your environment, export the Active Directory certificate, then install the certificate in the “Trusted CA Store” within VIP Enterprise Gateway. 

Verify the Root CA exists in the Root CA store and the Intermediate CA exists in the Intermediate CA store on the operating system.

Note: An Active Directory certificate is automatically created when you install and configure AD DS on your Windows server. The certificate is created even if you do not have a private CA in your environment.  

The AD Certificate to be used for LDAPS must satisfy the following 3 requirements (source: Microsoft MSDN):

• The Certificate must be valid for the purpose of Server Authentication. This means that it must also contain the Server Authentication object identifier (OID): 1.3.6.1.5.5.7.3.1
• The Subject name or the first name in the Subject Alternative Name (SAN) must match the Fully Qualified Domain Name (FQDN) of the host machine or CA server.
• The host machine account must have access to the private key.
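The following PowerShell script is an added example, not part of the Symantec article, that checks the three requirements above against every certificate in the Domain Controller's computer Personal store. It assumes it is run in an elevated session on the DC itself, that the LDAPS name clients will use is the DC's own DNS name, and that the server key is RSA; the function name `Test-LdapsCertificate` and the SAN parsing (which relies on the way Windows formats the extension text) are this example's own choices.

```powershell
# Added example (not from the Symantec article). Run in an elevated PowerShell
# session on the Domain Controller. Lists every certificate in the computer's
# Personal store and reports which of the three LDAPS requirements each one meets.

function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)]
        [string]$Fqdn
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, as stated in the article

    # Requirement 1: Enhanced Key Usage must contain Server Authentication.
    $ekuList = @($Certificate.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $hasServerAuth = $ekuList -contains $serverAuthOid

    # Requirement 2: Subject CN, or the first DNS name in the SAN, must equal the FQDN.
    $subjectCn = if ($Certificate.Subject -match '(?:^|,\s*)CN=([^,]+)') { $Matches[1] } else { '' }
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    $firstSanDns = ''
    if ($sanExt) {
        # Windows formats the extension as "DNS Name=dc01.example.com, DNS Name=..."
        $dnsNames = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
        if ($dnsNames) { $firstSanDns = @($dnsNames)[0] }
    }
    $nameMatches = ($subjectCn -ieq $Fqdn) -or ($firstSanDns -ieq $Fqdn)

    # Requirement 3: a private key exists and the current context can open it (RSA assumed).
    # Opening the key is a proxy for "the machine account has access"; the definitive check is
    # the ACL on the key container, which this example does not inspect.
    $keyUsable = $false
    if ($Certificate.HasPrivateKey) {
        try {
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
            $keyUsable = ($null -ne $key)
        } catch { $keyUsable = $false }
    }

    [pscustomobject]@{
        Thumbprint        = $Certificate.Thumbprint
        Subject           = $Certificate.Subject
        NotAfter          = $Certificate.NotAfter
        ServerAuthEku     = $hasServerAuth
        NameMatchesFqdn   = $nameMatches
        PrivateKeyUsable  = $keyUsable
        MeetsRequirements = $hasServerAuth -and $nameMatches -and $keyUsable
    }
}

# Assumption: the FQDN clients will use for LDAPS is this host's own DNS name.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-LdapsCertificate -Certificate $_ -Fqdn $fqdn } |
    Format-Table Thumbprint, NotAfter, ServerAuthEku, NameMatchesFqdn, PrivateKeyUsable, MeetsRequirements -AutoSize
```

A certificate whose row shows `MeetsRequirements` as True is the one the DC will present on port 636. If more than one row qualifies, Windows picks among them by its own rules, so check the one actually presented (an LDAPS connection test from the gateway side shows which thumbprint is served). For the export in the "Without a private CA" procedure, `Export-Certificate -Cert <certificate> -FilePath <path>.cer -Type CERT` writes the same DER-encoded file as the MMC wizard.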

With a private CA

  1. Export your Root CA and Intermediate CA certificates from your private CA and save them to a network share.
  2. Log in to your VIP Enterprise Gateway server(s) and click on the “Settings” tab.
  3. Click on the “Trusted CA Certificate” link on the left-hand side of your screen.
  4. Click on the “Add Certificate” button.
  5. Click on "Browse" to locate and install your Root CA certificate first.
  6. Click on "Browse" to locate and install your Intermediate CA certificate second.
  7. Click on the “Submit” button to complete the certificate import process.
  8. Click on “Save Changes” at the bottom to save your changes.
  9. Restart your VIP Enterprise Gateway services.
  10. Done!

 

Without a private CA

  1. Open a Microsoft Management Console (MMC) window from your Domain Controller.
     • Click on the “Start” button
     • Click on “Run…”
     • Type “mmc” and click “OK”
  2. Click on “File” and select “Add/Remove Snap-in…”
  3. Click on “Certificates” in the list of available Snap-ins and then click “Add.”
  4. Select “Computer account” and then click on “Next.”
  5. Do not make any changes to this screen and click on “Finish.”
  6. Click “OK”
  7. Click on the arrow next to “Certificates (Local Computer)” to expand the list.
  8. Click on the arrow next to “Personal” to expand the list and then select the “Certificates” folder.
  9. Find and export the Domain Controller certificate from the certificate store.
     • Right-click on the Domain Controller certificate, go to “All Tasks” and select “Export”
     • Click on “Next”
     • Leave the selection at “DER encoded binary” and then click on “Next”
     • Browse to the desired directory, type a name for the certificate, and then click on “Save”
     • Click “Next”
     • Click on “Finish”
     • Wait for the notification that says, “The export was successful.” and click “OK”
  10. Log in to your VIP Enterprise Gateway server(s) and click on the “Settings” tab.
  11. Click on the “Trusted CA Certificate” link on the left-hand side of your screen.
  12. Click on the “Add Certificate” button.
  13. Click on the “Browse” button and locate your Root CA certificate first, and then add your Intermediate CA certificate. Be sure to give each CA certificate an alias to differentiate between the two certificates.
  14. Click on the “Submit” button to complete the certificate import process.
  15. Click on “Save Changes” at the bottom to save your changes.
  16. Restart your VIP Enterprise Gateway services.
  17. Done!
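Before (or after) importing the certificates into the Trusted CA Store, it is worth confirming that the files you exported actually anchor the chain the Domain Controller presents on port 636. The script below is an added example, not part of the Symantec article or the VIP Enterprise Gateway product; it runs on any Windows host that can reach the DC on TCP 636 (a Windows gateway server, for instance), performs the TLS handshake, and checks the served certificate against the exported Root/Intermediate files (private CA case) or the exported DC certificate itself (no private CA case). The function name `Test-LdapsTrustChain`, the host name `dc01.example.local` and the file names `RootCA.cer` and `IntermediateCA.cer` are placeholders.

```powershell
# Added example (not from the Symantec article). Run from a Windows host that can reach the
# Domain Controller on TCP 636. Performs the TLS handshake, then checks that the server
# certificate chains to one of the exported CA files and that its name matches the FQDN.

function Test-LdapsTrustChain {
    param(
        [Parameter(Mandatory)] [string]   $DomainController,   # FQDN the gateway user store will point at
        [Parameter(Mandatory)] [string[]] $TrustedCaFiles,     # exported Root/Intermediate (or DC) certs, DER or PEM
        [int] $Port = 636
    )

    $trusted = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    foreach ($file in $TrustedCaFiles) { $trusted.Import((Resolve-Path $file).Path) }

    $state  = @{ SslErrors = $null }   # filled in by the validation callback
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($DomainController, $Port)
        # Accept during the handshake so the certificate can be inspected afterwards; the trust
        # decision is made below against the exported files, not the Windows root store.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $state.SslErrors = $errors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($DomainController)
        $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }

    # Build the chain with the exported CAs as extra candidates. AllowUnknownCertificateAuthority
    # lets the build finish even though a private root is not in the Windows store; the check
    # that matters is that the chain's top element is one of the exported files.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    $chain.ChainPolicy.ExtraStore.AddRange($trusted)
    $null = $chain.Build($serverCert)

    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    # Without a private CA the DC certificate is its own root, so $top is the DC certificate
    # itself and must be the file exported via MMC.
    $anchoredOnExportedCa = [bool]($trusted | Where-Object { $_.Thumbprint -eq $top.Thumbprint })

    # UntrustedRoot is expected for a private CA; anything else (PartialChain, NotTimeValid, ...) is a real problem.
    $otherErrors  = @($chain.ChainStatus | Where-Object { $_.Status -ne 'UntrustedRoot' } | ForEach-Object { $_.Status })
    $nameMismatch = ($state.SslErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) -ne 0

    [pscustomobject]@{
        Server               = "$DomainController`:$Port"
        Subject              = $serverCert.Subject
        Thumbprint           = $serverCert.Thumbprint
        NotAfter             = $serverCert.NotAfter
        ChainDepth           = $chain.ChainElements.Count
        AnchoredOnExportedCa = $anchoredOnExportedCa
        NameMatchesFqdn      = -not $nameMismatch
        OtherChainErrors     = ($otherErrors -join ', ')
        Ok                   = $anchoredOnExportedCa -and -not $nameMismatch -and ($otherErrors.Count -eq 0)
    }
}

# Placeholder host and file names; substitute the ones from your environment.
Test-LdapsTrustChain -DomainController 'dc01.example.local' -TrustedCaFiles '.\RootCA.cer', '.\IntermediateCA.cer'
```

`Ok` is True only when the served certificate chains to a file you exported, the name the gateway will connect with matches the certificate, and the chain has no other errors. Passing only the Root CA file for a DC certificate issued by an Intermediate CA typically produces `PartialChain` in `OtherChainErrors`, which is the failure the article's "install the Root CA first, then the Intermediate CA" steps are meant to prevent; connecting by IP address instead of FQDN produces a name mismatch for the same reason the second requirement above exists.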