Description:
The CA LDAP Server LDAPTEST script is intended for use with non-SSL connections. There is no CA LDAP Server test script available to test SSL ports. The best approach is to test with an LDAP application or one of the many LDAP browsers available, such as JXplorer, Softerra LDAP Browser or Symlabs LDAP Browser. JXplorer is an open source LDAP browser that can be used with CA LDAP Server. It is not distributed by CA Technologies.
This document covers the SSL setup for server authentication between the CA LDAP Server and JXplorer (the client).
Solution:
LDAP Server SSL Setup and Configuration with JXplorer
The first two sections describe the CA ACF2 (external security) and the CA LDAP Server setup. The third section describes the JXplorer installation and configuration for an SSL connection to CA LDAP Server. In this example JXplorer is the client and CA LDAP Server is the server.
*********************************************************************
** Section 1
** CA ACF2 Certificate/KEYRING Setup Steps
*********************************************************************

** Create the CERTAUTH local CA certificate
** (the LABEL must match the label named in SIGNWITH below)
ACF
GENCERT CERTAUTH.LPARA SUBJ(CN='MVSLPARA' -
   OU='Auditing Department' O='CA' C=US) -
   LABEL(MVSLPARA CA)

** Create the LDAP Server server certificate, signed by the CERTAUTH certificate
GENCERT LDAPR15.CERT SUBJ(CN='CALDAPSERVER' OU='CA' C=US) -
   LABEL(LDAPServer) SIGNWITH(CERTAUTH LABEL(MVSLPARA CA))

** Create a KEYRING for the CA LDAP Server STC logonid
** Connect the CERTAUTH and PERSONAL certificates to the KEYRING
SET PROFILE(USER) DIV(KEYRING)
INSERT LDAPR15.RING RINGNAME(LDAPR15Ring)

** Connect the LDAP Server certificate and the signing CERTAUTH certificate
** to the LDAP Server keyring
CONNECT CERTDATA(CERTAUTH.LPARA) KEYRING(LDAPR15.RING) USAGE(CERTAUTH)
CONNECT CERTDATA(LDAPR15.CERT) KEYRING(LDAPR15.RING) USAGE(PERSONAL) -
   DEFAULT

** Create the resource class FACILITY rules for access to the keyring
ACF
SET RESOURCE(FAC)
COMPILE * STORE
$KEY(IRR) TYPE(FAC)
DIGTCERT.LIST UID(UID for LDAP Server logonid) SERVICE(READ) ALLOW
DIGTCERT.LISTRING UID(UID for LDAP Server logonid) SERVICE(READ) ALLOW

** Export the CERTAUTH certificate from z/OS to a dataset which can be
** FTP'd in BINARY format to the PC running JXplorer as a .der file
ACF
set profile(user) div(certdata)
export CERTAUTH.LPARA dsn('secmf.certauth.LPARA') format(certder)
*********************************************************************
** Section 2
** LDAP Server Configuration Changes for SSL Server Authentication
*********************************************************************

Make the following two changes to slapd.conf for SSL:
1) Add ldaps://:2389 to the hosturls statement for the SSL port
2) Uncomment the TLSKeyringName statement and specify the ringname of the z/OS KEYRING

EDIT /ldapr15/slapd.conf
****** ***************************** Top of Data *****************************
..
..
###############################################################
# What port(s) is LDAP to listen on
###############################################################
hosturls ldap://:389 ldaps://:2389
..
..
###############################################################
# These values are used *if* you are using certs
# stored on a keyring
###############################################################
TLSKeyringName LDAPR15Ring
# TLSCertificateLabel Name_Here
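Because the LDAPTEST script cannot exercise the SSL port, the following added Python script (not CA-supplied code) checks that the two slapd.conf changes above are in place and, optionally, opens a TLS session to the ldaps port trusting only the exported CERTAUTH .der file, which is the same trust JXplorer relies on after Section 3. The script name ldaps_check.py, the embedded sample slapd.conf fragment and the command-line arguments are assumptions; the port 2389, the ringname LDAPR15Ring and the server certificate CN CALDAPSERVER are taken from Sections 1 and 2.

```python
"""Added example (not CA-supplied code): verify the slapd.conf SSL settings and,
optionally, test the ldaps port with a TLS handshake that trusts the exported
CERTAUTH .der file.

Assumptions: slapd.conf uses the hosturls and TLSKeyringName keywords shown in
Section 2, and the CERTAUTH certificate was exported with format(certder).
"""
import base64
import socket
import ssl
import sys
from urllib.parse import urlsplit

# Constructed sample mirroring the Section 2 edit of /ldapr15/slapd.conf.
SAMPLE_SLAPD_CONF = """\
###############################################################
# What port(s) is LDAP to listen on
###############################################################
hosturls ldap://:389 ldaps://:2389

###############################################################
# These values are used *if* you are using certs
# stored on a keyring
###############################################################
TLSKeyringName LDAPR15Ring
# TLSCertificateLabel Name_Here
"""


def parse_slapd_conf(text):
    """Return {'ldap': [ports], 'ldaps': [ports], 'keyring': name or None}.

    Lines starting with '#' are skipped, so a TLSKeyringName that is still
    commented out is reported as missing rather than as set.
    """
    conf = {"ldap": [], "ldaps": [], "keyring": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if keyword == "hosturls":
            for url in value.split():
                u = urlsplit(url)
                if u.scheme in ("ldap", "ldaps") and u.port:
                    conf[u.scheme].append(u.port)
        elif keyword == "tlskeyringname":
            conf["keyring"] = value.strip() or None
    return conf


def ssl_config_problems(conf):
    """List the Section 2 settings that are missing from a parsed slapd.conf."""
    problems = []
    if not conf["ldaps"]:
        problems.append("hosturls has no ldaps:// entry, so no SSL port is listened on")
    if not conf["keyring"]:
        problems.append("TLSKeyringName is commented out or empty")
    return problems


def der_to_pem(der_bytes):
    """Wrap a binary DER certificate (the format(certder) export) in PEM armor,
    which is what ssl.SSLContext.load_verify_locations(cadata=...) expects."""
    b64 = base64.b64encode(der_bytes).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def trusted_context(ca_der):
    """Client context that trusts only the CERTAUTH certificate, not the system
    CA bundle, so the handshake succeeds only if the server certificate really
    chains to the exported z/OS CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cadata=der_to_pem(ca_der))
    return ctx


def tls_handshake(host, port, ca_der, cert_name, timeout=10):
    """Open a TLS session on the ldaps port and return the verified peer
    certificate.  cert_name is the subject CN of the server certificate
    (CALDAPSERVER in Section 1); OpenSSL matches it against the certificate
    subject when the certificate carries no subjectAltName."""
    ctx = trusted_context(ca_der)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=cert_name) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Usage: ldaps_check.py [slapd.conf] [host ca.der cert_name]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SLAPD_CONF
    conf = parse_slapd_conf(text)
    for problem in ssl_config_problems(conf) or ["SSL settings present"]:
        print(problem)
    if len(sys.argv) > 4 and conf["ldaps"]:
        host, der_path, cert_name = sys.argv[2:5]
        with open(der_path, "rb") as f:
            cert = tls_handshake(host, conf["ldaps"][0], f.read(), cert_name)
        print("verified server certificate subject:", cert.get("subject"))
```

Run with no arguments to check the embedded sample, with the path of your own slapd.conf to check the real file, and with the host name, the FTP'd .der file and the server certificate CN added to perform the handshake. A successful handshake means the certificate presented on port 2389 chains to the exported CERTAUTH certificate; a verification error points at the keyring connections in Section 1 or the TLSKeyringName value rather than at the client.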
*********************************************************************
** Section 3
** Connecting to CA LDAP Server with JXplorer
*********************************************************************
The following example demonstrates how to set up the JXplorer LDAP browser for use with CA LDAP Server r15.0. This example shows how to display CA ACF2 logonid attributes using JXplorer.
Add the Signing CERTAUTH certificate to the JXplorer Keystore
From JXplorer click on the "Security" tab, then click on "Trusted Servers and CAs".
<Please see attached file for image>
Next click on the "Add Certificate" button.
<Please see attached file for image>
Next find and select the certificate (.der) that was FTP'd to your PC.
<Please see attached file for image>
** Note that when adding the certificate you will be prompted
** for the password of the keystore; the JXplorer default keystore
** password is 'changeit'.
After selecting the certificate to add, the new certificate will be shown in the list of Trusted Server Certificates.
<Please see attached file for image>
Connect to CA LDAP Server with SSL from JXplorer and browse a LOGONID.
Click on CONNECT.
<Please see attached file for image>
<Please see attached file for image>
After connecting, the following will be displayed. Click on CALDAPA.CA.COM.
<Please see attached file for image>
From the list of CA ACF2 records, click on 'lids' in the tree to display a list of CA ACF2 logonids.
<Please see attached file for image>
Click on a logonid to display the attributes.
<Please see attached file for image>
Display of logonid AAAUSERS:
<Please see attached file for image>