
How to configure Spectrum to authenticate with Secure LDAP (LDAPS)


Article ID: 189496


Products

CA Spectrum DX NetOps

Issue/Introduction

How to configure Spectrum to authenticate with Secure LDAP (LDAPS)

Environment

Release : 10.3.x, 10.4.x

Component : SPCOCK: Spectrum OneClick

Resolution

1.  Import the Signed Active Directory Server Certificate into the OneClick Server. 

(You can verify which keystore OneClick uses for LDAP configuration by viewing the SPECROOT\tomcat\bin\OneClickService.conf file.)



IMPORTANT: Before saving any LDAP/LDAPS configuration settings, ensure you have an account that is a Spectrum SuperUser and that you have validated the internal Spectrum password for this account. This account type will bypass LDAP authentication if the LDAP server is unavailable.

Once the LDAPS settings have been configured, test the connection before saving it:



If the connection test succeeds, you can save the configuration:



Steps to Enable LDAPS:

1.  Change the LDAP Configuration to use the LDAPS host name and port (the well-known port is 636) and enable SSL. When using SSL you cannot specify an IP address.

NOTE: If SSL is enabled for LDAP and the test connection fails after importing the certificate, it is possible the port is other than 636. Check with your LDAP/AD team to verify the correct SSL port number.

2.  Add the LDAP Signed Certificate to the OneClick Keystore. (This can be done via the OneClick UI, Keytool.exe or an SSL management tool such as Portecle.)







Additional Information

Example Keytool Command to import the LDAP certificate:

./keytool -import -alias ldaps -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file certificate_filename
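
The certificate file can be checked against the LDAPS listener before it is imported and before the OneClick test connection is run. The following is an added example, not Broadcom's code: it assumes the certificate file is PEM-encoded, and the function names are hypothetical. It trusts only that file, requires the server name to match the certificate, and rejects IP addresses in line with step 1 above.

```python
import ipaddress
import socket
import ssl
import sys


def is_ip_literal(host):
    """True if host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_ldaps(host, ca_file, port=636, timeout=5.0):
    """Return (ok, detail) for a TLS handshake that trusts only ca_file."""
    if is_ip_literal(host):
        return False, "use the LDAP server's host name, not an IP address"
    try:
        # With cafile set, system CAs are not loaded: only ca_file is trusted.
        # The default context requires a valid chain and a matching host name.
        ctx = ssl.create_default_context(cafile=ca_file)
    except OSError as exc:  # missing file, or not PEM (ssl.SSLError)
        return False, f"cannot load CA file: {exc}"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert, proto = tls.getpeercert(), tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate rejected: {exc.verify_message}"
    except OSError as exc:  # refused, timeout, DNS failure, non-TLS port
        return False, f"connection failed: {exc}"
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return True, f"{proto}; SAN={names}; expires {cert['notAfter']}"


if __name__ == "__main__":
    # Usage: python check_ldaps.py <ldap-host-name> <ca-file.pem> [port]
    if len(sys.argv) < 3:
        sys.exit("usage: check_ldaps.py HOST CA_FILE [PORT]")
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 636
    ok, detail = check_ldaps(sys.argv[1], sys.argv[2], port)
    print(("OK: " if ok else "FAIL: ") + detail)
    sys.exit(0 if ok else 1)
```

A "certificate rejected" result points at the trust chain or the host name, while "connection failed" points at the port or network path, which matches the NOTE about a non-636 port.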

LDAP transmits communications in clear text, whereas LDAPS communication is encrypted and secure.

Lightweight Directory Access Protocol
http://msdn.microsoft.com/en-us/library/windows/desktop/aa367008(v=vs.85).aspx

Implementing LDAPS (LDAP over SSL)
http://blogs.technet.com/b/pki/archive/2011/06/02/implementing-ldaps-ldap-over-ssl.aspx
