How do you set up SSL server authentication with CA LDAP SERVER?
Article ID: 21867

Products

ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC Top Secret Top Secret - LDAP LDAP SERVER FOR Z/OS

Issue/Introduction

The CA LDAP Server LDAPTEST script is intended for use with non-SSL connections. There is no CA LDAP Server test script available to test SSL ports. The best approach is to test with an LDAP application or one of the many LDAP browsers available, such as JXplorer, Softerra LDAP Browser or Symlabs LDAP Browser. JXplorer is an open source LDAP browser that can be used with CA LDAP Server. It is not distributed by Broadcom.

This document covers the SSL setup for server authentication between the CA LDAP Server and JXplorer (the client).

Environment

Release:
Component: ACFLDP

Resolution

Step 1: ACF2 Certificate/KEYRING Setup Steps

  1. Create the CERTAUTH local CA certificate (GENCERT is issued under the CERTDATA division)

    ACF
    SET PROFILE(USER) DIV(CERTDATA)
    GENCERT CERTAUTH.LPARA SUBJ(CN='MVSLPARA' OU='Auditing Department' O='CA' C=US) -
    LABEL(MVSLPARA CA)

  2. Create the LDAP Server server certificate, signed with the local CA certificate from step 1

    GENCERT LDAPR15.CERT SUBJ(CN='CALDAPSERVER' OU='CA' C=US) -
    LABEL(LDAPServer) SIGNWITH(CERTAUTH LABEL(MVSLPARA CA))

  3. Create a KEYRING for the CA LDAP Server STC logonid

    SET PROFILE(USER) DIV(KEYRING)
    INSERT LDAPR15.RING RINGNAME(LDAPR15Ring)

  4. Connect the CERTAUTH and PERSONAL certificates to the KEYRING (the server certificate is the ring's DEFAULT certificate)

    CONNECT CERTDATA(CERTAUTH.LPARA) KEYRING(LDAPR15.RING) USAGE(CERTAUTH)
    CONNECT CERTDATA(LDAPR15.CERT) KEYRING(LDAPR15.RING) USAGE(PERSONAL) -
    DEFAULT

  5. Create the Resource Class FACILITY rule that lets the LDAP Server logonid read the keyring (IRR.DIGTCERT.LISTRING)

    ACF
    SET R(FAC)
    COMPILE * STORE
    $KEY(IRR) TYPE(FAC)
     DIGTCERT.LISTRING UID(UID for LDAP Server logonid) SERVICE(READ) ALLOW

  6. Export the CERTAUTH certificate from z/OS to a dataset, then FTP it in binary mode to the PC running JXplorer as a .der file

    ACF
    SET P(USER) DIV(CERTDATA)
    EXPORT CERTAUTH.LPARA DSN('secmf.certauth.LPARA') FORMAT(CERTDER)

Step 2: LDAP Server Configuration Changes for SSL Server Authentication

  1. Make the following two changes to slapd.conf for SSL:

    1. Add ldaps://:2389 to the hosturls statement for the SSL port
    2. Uncomment the TLSKeyringName statement and specify the ringname of the z/OS KEYRING created in Step 1

    Relevant excerpt from /ldapr15/slapd.conf after the changes:

    ###############################################################
    #       What port(s) is LDAP to listen on
    ###############################################################
    hosturls ldap://:389 ldaps://:2389

    ...

    ###############################################################
    #       These values are used *if* you are using certs
    #       stored on a keyring
    ###############################################################
    TLSKeyringName       LDAPR15Ring
    # TLSCertificateLabel  Name_Here

Step 3: Connecting to CA LDAP Server with JXplorer

The following example demonstrates how to set up the JXplorer LDAP Browser for use with CA LDAP Server r15.0, and then uses it to display ACF2 logonid attributes.

  1. Download JXplorer from jxplorer.org and follow the installation instructions.

  2. Add the signing CERTAUTH certificate to the JXplorer keystore:

    1. From JXplorer click on the "Security" tab, then click on "Trusted Servers and CAs".
    2. Click on the "Add Certificate" button.
    3. Find and select the certificate (.der) that was FTP'd to your PC.
       Note that when adding the certificate you will be prompted for the password of the keystore; the JXplorer default keystore password is: changeit
    4. After selecting the certificate to add, the new certificate will be shown in the list of Trusted Server Certificates.

  3. Connect to CA LDAP Server over SSL with JXplorer and browse a LOGONID:
    1. Click on CONNECT.
    2. Enter the LDAP Server host name, for example CALDAPA.CA.com.
    3. Enter the LDAP Server port that was configured in slapd.conf, 2389 in this example.
    4. Select Level: SSL + User + Password.
    5. In User DN enter cn=userid, in this example cn=USER002.
    6. In Password, enter a valid password for the userid specified.
    7. Click on the OK button to connect.
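Because the article notes there is no CA LDAP Server script for testing the SSL port, the following added example (not part of the Broadcom article or of JXplorer) performs the same server authentication check from a command line: it reads the ldaps port from slapd.conf, converts the exported CERTAUTH .der file to PEM, verifies that the server certificate chains to that CA, and then does a simple bind over ldaps. It assumes OpenSSL and the OpenLDAP ldapsearch client are installed on the PC; the host name, port and userid are the article's examples.

```shell
#!/bin/sh
# Added example, not the article's own script. Assumes OpenSSL and the
# OpenLDAP ldapsearch client are available, and that the CERTAUTH
# certificate exported in Step 1.6 was transferred in binary as a .der file.
set -e

# Extract the ldaps port from the hosturls statement in slapd.conf (Step 2).
# For the line "hosturls ldap://:389 ldaps://:2389" this prints 2389.
ldaps_port_from_conf() {
    conf="$1"
    sed -n 's/^hosturls[[:space:]].*ldaps:\/\/[^:]*:\([0-9]*\).*/\1/p' "$conf" | head -n 1
}

# Convert the exported CERTAUTH certificate from DER to PEM, the CA file
# format that openssl s_client and ldapsearch expect.
der_to_pem() {
    openssl x509 -inform DER -in "$1" -out "$2"
}

# Server authentication only: the TLS handshake succeeds only if the server
# certificate (LDAPServer, signed by the local CA) chains to the exported CA.
# -verify_return_error makes a chain verification failure a non-zero exit.
check_server_auth() {
    host="$1"; port="$2"; cafile="$3"
    openssl s_client -connect "$host:$port" -CAfile "$cafile" -verify_return_error \
        < /dev/null > /dev/null 2>&1
}

# Simple bind over ldaps with the same credentials JXplorer uses in Step 3.3,
# trusting only the exported CA. -W prompts for the userid's password.
ldaps_bind_test() {
    host="$1"; port="$2"; cafile="$3"; userid="$4"
    LDAPTLS_CACERT="$cafile" ldapsearch -H "ldaps://$host:$port" \
        -D "cn=$userid" -W -b "" -s base "(objectclass=*)"
}

# Usage with the article's example host, port and userid:
#   der_to_pem certauth.der certauth.pem
#   check_server_auth CALDAPA.CA.com "$(ldaps_port_from_conf slapd.conf)" certauth.pem
#   ldaps_bind_test CALDAPA.CA.com 2389 certauth.pem USER002
```

If check_server_auth fails while a plain ldap connection on port 389 works, the usual causes are a CA file that is not the CERTAUTH certificate that signed LDAPServer, or a keyring the LDAP Server logonid cannot read (Step 1.5).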