How do you set up SSL server authentication with CA LDAP SERVER?

Article ID: 21867

Products

ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC 24X7 High-Availability Manager for DB2 for z/OS Batch Processor Compile QQF Data Compressor for DB2 for z/OS CA Unicenter NSM RC/Update for DB2 for z/OS DB2 TOOLS- DATABASE MISC PanApt PanAudit Top Secret Top Secret - LDAP

Issue/Introduction

Description:

The CA LDAP Server LDAPTEST script is intended for non-SSL connections; there is no CA LDAP Server test script for SSL ports. The best approach is to test with an LDAP application or one of the many LDAP browsers available, such as JXplorer, Softerra LDAP Browser or Symlabs LDAP Browser. JXplorer is an open source LDAP browser that can be used with CA LDAP Server; it is not distributed by CA Technologies.

This document covers the SSL setup for server authentication between the CA LDAP Server and JXplorer (the client). Server authentication means the client verifies the server's certificate against a CA certificate it trusts; the user is still authenticated with a userid and password, sent over the encrypted connection rather than with a client certificate.

Solution:

LDAP Server SSL Setup and Configuration with JXplorer

The first two sections describe the CA ACF2 (external security) and the CA LDAP Server setup. The third section describes the JXplorer installation and configuration for an SSL connection to CA LDAP Server. In this example JXplorer is the client and CA LDAP Server is the server.

*********************************************************************
**                          Section 1                              **
**                  CA ACF2 Certificate/KEYRING Setup Steps        **
*********************************************************************
 
** Create the CERTAUTH local CA Certificate (self-signed; it will sign the server certificate)
 
ACF
GENCERT CERTAUTH.LPARA SUBJ(CN='MVSLPARA' -
OU='Auditing Department' O='CA' C=US) -
LABEL(MVSLPARA CA) 
 
** Create the LDAP Server server certificate, signed with the local CA.
** The label in SIGNWITH must be the LABEL given to the CERTAUTH certificate above.
** Clients that enforce host name checking expect the CN (or a subject alternative
** name) to match the host name they connect to (CALDAPA.CA.com in Section 3).
 
GENCERT LDAPR15.CERT SUBJ(CN='CALDAPSERVER' OU='CA' C=US) -
LABEL(LDAPServer) SIGNWITH(CERTAUTH LABEL(MVSLPARA CA))     
 
 
** Create a KEYRING for CA LDAP Server STC logonid
** Connect the CERTAUTH and PERSONAL certificate to the KEYRING
 
SET PROFILE(USER) DIV(KEYRING)     
INSERT LDAPR15.RING RINGNAME(LDAPR15Ring)
 
** Connect the LDAP Server certificate and the signing CERTAUTH certificate
      to the LDAP Server Keyring.
   
CONNECT CERTDATA(CERTAUTH.LPARA) KEYRING(LDAPR15.RING) USAGE(CERTAUTH)
CONNECT CERTDATA(LDAPR15.CERT) KEYRING(LDAPR15.RING) USAGE(PERSONAL) -
DEFAULT
 
** Create the Resource Class FACILITY rules for access to the Keyring.
** READ on IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING lets the LDAP Server STC logonid
** read its own keyring; no other logonid is given access.
 
ACF
SET RESOURCE(FAC)
COMPILE * STORE   
$KEY(IRR) TYPE(FAC)                           
DIGTCERT.LIST     UID(UID for LDAP Server logonid) SERVICE(READ) ALLOW
DIGTCERT.LISTRING UID(UID for LDAP Server logonid) SERVICE(READ) ALLOW
 
** If FAC rules are resident, rebuild the directory so the new rule takes effect:
** F ACF2,REBUILD(FAC)
 
** Export the CERTAUTH certificate from z/OS to a dataset which can be FTP'd in
** BINARY format to the PC running JXplorer as a .der file. Only the CA's public
** certificate is exported; the private keys stay in the z/OS security database.
 
ACF                                                                 
SET PROFILE(USER) DIV(CERTDATA)                                      
EXPORT CERTAUTH.LPARA DSN('secmf.certauth.LPARA') FORMAT(CERTDER)
*********************************************************************
**                            Section 2                            **
** LDAP Server Configuration Changes for SSL Server Authentication **
*********************************************************************
 
Make the following two changes to the slapd.conf for SSL, then restart CA LDAP Server:
 
 1) Add ldaps://:2389 to the hosturls statement for the SSL port. 2389 is the port used in this example; the registered LDAPS port is 636. The ldap://:389 entry keeps the non-SSL port open as well; remove it if only SSL connections should be accepted.
 2) Uncomment the TLSKeyringName statement and specify the ringname of the z/OS KEYRING. TLSCertificateLabel is left commented out in this example because the server certificate was connected to the ring as DEFAULT; if a label is specified, it must match the LABEL given on GENCERT.
 
Excerpt of /ldapr15/slapd.conf after the change:
 
 ..  ..
 
############################################################### 
#       What port(s) is LDAP to listen on                       
############################################################### 
hosturls ldap://:389 ldaps://:2389                              
 
 ..  ..
 
###############################################################    
#       These values are used *if* you are using certs             
#       stored on a keyring                                        
###############################################################    
TLSKeyringName       LDAPR15Ring                                   
# TLSCertificateLabel  Name_Here   
 
 ..  ..
*********************************************************************
**                             Section 3                           **
**            Connecting to CA LDAP Server with JXplorer           **
*********************************************************************

The following example demonstrates how to set up the JXplorer LDAP Browser for use with CA LDAP Server r15.0, and shows how to display CA ACF2 logonid attributes using JXplorer.

  1. Download JXplorer: http://jxplorer.org/

  2. Follow the installation instructions.

Add the Signing CERTAUTH certificate to the JXplorer Keystore

From JXplorer click on the "Security" tab, then click on "Trusted Servers and CAs"

<Please see attached file for image>

Figure 1

Next click on the "Add Certificate" button.

<Please see attached file for image>

Figure 2

Next find and select the certificate(.der) that was FTP'd to your PC.

<Please see attached file for image>

Figure 3

** Note that when adding the certificate you will be prompted
** for the password of the Keystore. The JXplorer default Keystore
** password is 'changeit' (the Java default; change it if the keystore is kept).

After selecting the certificate to add, the new certificate is shown in the list of Trusted Server Certificates.

<Please see attached file for image>

Figure 4

Connect to CA LDAP Server over SSL with JXplorer and browse a LOGONID.

Click on CONNECT,

<Please see attached file for image>

Figure 5
Enter the LDAP Server host name, CALDAPA.CA.com in this example.
Enter the LDAP Server port, 2389 in this example (the ldaps port from hosturls).
Select Level: SSL + User + Password. The server is authenticated by its certificate; the user is authenticated by userid and password sent over the encrypted connection.
In User DN enter cn=userid, in this example cn=USER002.
In Password, enter a valid password for the USER002 userid specified.
Then click on the OK button to connect.

<Please see attached file for image>

Figure 6
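The article notes that there is no CA LDAP Server test script for the SSL port. The following script is an added example (not from the article or from CA) that does from the command line what the JXplorer connection above does interactively: it trusts only the exported CERTAUTH .der file, checks the server certificate chain and host name, and then performs an LDAP v3 simple bind so the result code is visible. The host CALDAPA.CA.com, port 2389, the file name secmf.certauth.LPARA.der and the DN cn=USER002 are assumptions taken from the walkthrough; only the Python standard library is used, and the BindRequest/BindResponse PDUs are BER-encoded by hand (RFC 4511) so the exchange itself can be read.

```python
"""Added example, not part of the CA article: verify a CA LDAP Server LDAPS port
against the exported CERTAUTH certificate and perform an LDAP v3 simple bind.
Assumed values: host CALDAPA.CA.com, port 2389, CA file secmf.certauth.LPARA.der,
bind DN cn=USER002. Standard library only; LDAP PDUs are BER-encoded by hand."""
import getpass
import socket
import ssl
import sys


# ---- minimal BER (X.690) helpers for the two LDAP PDUs used here ----

def ber_len(n: int) -> bytes:
    """Definite-form length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value with a single-byte tag."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(v: int) -> bytes:
    """INTEGER, minimal two's-complement encoding (v >= 0 for message IDs and versions)."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def ber_read(buf: bytes, pos: int = 0):
    """Decode one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long form: first byte gives the length-byte count
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


# ---- LDAP v3 simple bind, RFC 4511 section 4.2 ----

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage{ messageID, BindRequest{ version 3, name, authentication simple } }."""
    auth = tlv(0x80, password.encode())                           # [0] simple, context tag
    bind = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + auth)  # [APPLICATION 0] BindRequest
    return tlv(0x30, ber_int(msg_id) + bind)                      # SEQUENCE


def parse_bind_response(msg: bytes) -> dict:
    """Extract messageID, resultCode, matchedDN and diagnosticMessage from a BindResponse."""
    tag, body, _ = ber_read(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, p = ber_read(body)
    tag, resp, _ = ber_read(body, p)
    if tag != 0x61:                                               # [APPLICATION 1] BindResponse
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    _, code, p = ber_read(resp)                                   # ENUMERATED resultCode
    _, matched, p = ber_read(resp, p)                             # LDAPDN matchedDN
    _, diag, _ = ber_read(resp, p)                                # LDAPString diagnosticMessage
    return {"messageID": int.from_bytes(mid, "big"),
            "resultCode": int.from_bytes(code, "big"),            # 0 success, 49 invalidCredentials
            "matchedDN": matched.decode(errors="replace"),
            "diagnosticMessage": diag.decode(errors="replace")}


# ---- TLS side: the exported CERTAUTH certificate is the only trust anchor ----

def tls_context(ca_der_path: str, check_hostname: bool = True) -> ssl.SSLContext:
    """Server authentication: the chain must end at the exported CA; nothing else is trusted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = check_hostname       # False only if the CN/SAN is known not to match
    with open(ca_der_path, "rb") as f:
        ctx.load_verify_locations(cadata=f.read())                # cadata accepts DER bytes
    return ctx


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def recv_ldap_message(sock) -> bytes:
    """Read exactly one LDAPMessage TLV, handling short and long length forms."""
    head = recv_exact(sock, 2)
    if head[1] & 0x80:
        head += recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + recv_exact(sock, length)


def ldaps_bind(host: str, port: int, ca_der_path: str, dn: str, password: str,
               check_hostname: bool = True) -> dict:
    """Connect over TLS, verify the server against the CA file, simple-bind, return the result."""
    ctx = tls_context(ca_der_path, check_hostname)
    with socket.create_connection((host, port), timeout=10) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
        tls.sendall(bind_request(1, dn, password))
        result = parse_bind_response(recv_ldap_message(tls))
    result["serverCN"] = subject.get("commonName")
    return result


if __name__ == "__main__":
    host, port, dn = "CALDAPA.CA.com", 2389, "cn=USER002"   # assumed, from the walkthrough
    ca_file = sys.argv[1] if len(sys.argv) > 1 else "secmf.certauth.LPARA.der"
    try:
        r = ldaps_bind(host, port, ca_file, dn, getpass.getpass("Password for %s: " % dn))
    except ssl.SSLCertVerificationError as e:
        sys.exit("server authentication FAILED (CA not trusted, or CN/SAN != %s): %s" % (host, e))
    print("server certificate CN:", r["serverCN"])
    print("bind resultCode:", r["resultCode"], r["diagnosticMessage"])
```

Run it with the path of the FTP'd .der file as the first argument. A certificate verification error means the client trusts the wrong CA or the server certificate's CN/SAN does not match the host name used (the example's CN 'CALDAPSERVER' will not match CALDAPA.CA.com unless the name check is relaxed); a resultCode of 49 means the TLS handshake and server authentication succeeded and only the userid or password was rejected.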

After connecting, the following will be displayed. Click on CALDAPA.CA.COM.

<Please see attached file for image>

Figure 7

From the list of CA ACF2 record types, click on 'lids' in the tree to display a list of CA ACF2 logonids.

<Please see attached file for image>

Figure 8

Click on a logonid to display the attributes.

<Please see attached file for image>

Figure 9

Display of logonid AAAUSERS:

<Please see attached file for image>

Figure 10

Environment

Release:
Component: ACFLDP

Attachments

1558709175060000021867_sktwi1f5rjvs16rdr.gif
1558709172828000021867_sktwi1f5rjvs16rdq.gif
1558709170956000021867_sktwi1f5rjvs16rdp.gif
1558709169205000021867_sktwi1f5rjvs16rdo.gif
1558709167325000021867_sktwi1f5rjvs16rdn.gif
1558709165490000021867_sktwi1f5rjvs16rdm.gif
1558709161457000021867_sktwi1f5rjvs16rdl.gif
1558709159633000021867_sktwi1f5rjvs16rdk.gif
1558709158008000021867_sktwi1f5rjvs16rdj.gif
1558709156124000021867_sktwi1f5rjvs16rdi.gif