Description:

This is an updated version of TEC465307 describing how to setup an encrypted communication channel between the CA Single Sign On - Policy Server and the Domain Controller hosting the Active Directory (AD) to be integrated as SSO User Data Store.

This is accomplished by featuring the LDAPs (LDAP-Secure) interface provided by the DC (Domain Controller) and utilizing SSL as communication protocol. Issuing the needed x509-certificates will be accomplished by the embedded CA Directory's DXCertGen utility.

It is assumed that the Microsoft Certificate Services are installed and operational on any of the Domain Controllers.

OpenSSL libraries attached for convenience (openSSL.zip).

Note:

This document is valid only for CA SSO versions with embedded CA DIR r12 SP2 (r12.0.4076) and newer.

To find out the exact version you have in place please run this command from a cmd on your SSO Server:

dxserver version

For versions prior CA DIR r12 SP2 please use TEC465307.

Solution:

AD is integrated into the SSO Server by means of the embedded CA Directory's DXlink, also referred to as LDAP-Router.

By default, payload data transferred via LDAP is not encrypted. This causes sensitive data like user and application passwords being exposed in an unacceptable manner.

Mitigating this risk, DXlink can be configured accordingly to encrypt all data sent and received by utilizing the Active Directory's LDAPs interface and communicating over SSL.

To set up SSL between the SSO Server and the Directory and AD datastore, you need to complete the following steps:

1. Download MS-CA Root Certificate
   
   
   • On the SSO Server machine download OpenSSL, (openSSL.zip) for your convenience, attached to this document, or from its community site and unzip the archive to disk.
     
     With Internet Explorer navigate to the Certificate Server web page running on the Domain Controller
     
     http://hostname_DomainController/certsrv
     
     Once connected to the Certificate Server web page, please click the "Download a CA certificate, certificate chain, or CRL" option.
     
     
   • Click the "Base 64" radio button, and click the "Download CA certificate" link.
     
     
   • Save the CA certificate in the ..\certs folder, e.g. ..\certs\MS-Root_cert.cer
     
     
2. Convert the MS-CA Root Certificate into PEM format
   
   
• Open a cmd-prompt, cd to the openSSL folder and run the following command to convert this pfx file into a pem file:
  
  openssl x509 -in ..\certs\MS-Root_cert.cer -outform PEM -out ..\certs\CAcert.pem
  
  
3. Establish the Trust between the SSO Server and the Domain Controller
   
   
   • On the SSO Server map a network drive to the Domain Controller and copy the MS-CA Root Certificate to the embedded CA Directory's Trusted Root Certificates store
     
     copy ..\certs\CAcert.pem "%DXHOME%\config\ssld\CAcert.pem"
     
     
   • Import the MS-CA Root Certificate into the CA Directory's Trusted Root Certificates store open a cmd-prompt and run the following command
     
     DXCERTGEN -n "%DXHOME%\config\ssld\CAcert.pem" importca
     
     
4. Create the CA Directory Server DSA Certificates
   
   
• Open a cmd prompt and enter the following command:
  
  DXCERTGEN certs
  
  
5. Configure DXlink to utilize the LDAPs interface of AD
   
   

• Open the %dxhome%\config\knowledge\ad_name_router.dxc file and make sure it contains the following:

  address = tcp "ADServer1" port 636 auth-levels = anonymous, clear-password, ssl-auth link-flags = dsp-ldap, ssl-encryption, ms-ad

• Edit the %dxhome%\config\knowledge\PS_<servername>.dxc file

  auth-levels = anonymous, clear-password, ssl-auth

• Append to %dxhome%\config\servers\PS_<servername>.dxi file

  # sslsource "../ssld/default.dxc";

6. Configure the SSO Server to utilize SSL while communicating with the AD_userDIR
   
   
• From the Policy Manager edit the ps-ldap and AD user data store and ensure the "SSL Connection" check box is enabled.
  
  

  <Please see attached file for image>

  
  
  (Please note that the SSO Server and Policy Manager do not exchange any x509-keys, hence do not need any keystore by themself, but symmetrically encrypt communication with a random number agreed upon session initiation with the destination)
  
  
7. Testing and Verification
   
   
   • Shutdown the SSO Server service and the PS and PSTD services and restart accordingly

     net stop ssod dxserver stop all dxserver start all net start ssod

   • Start DXconsole and connect to the Router DSA

     telnet localhost 13379 set trace=x500;

   • Open the Policy Manager and start browsing the AD_userDIR
     
     
   • In the PS_<servername>.trace you should basically find the following sequence:

     ... > <- #4 (SSL) LDAP BIND-REQ ... > (Remote) -> #5 (SSL) [Router_AD] DXLINK BIND-REQ ... > (Remote) <- #5 (SSL) [Router_AD] DXLINK BIND-CONFIRM ... > (Remote) <- #5 (SSL) [Router_AD] DXLINK COMPARE-CONFIRM ... > -> #4 (SSL) LDAP BIND-CONFIRM ... > <- #4 (SSL) LDAP SEARCH-REQ ... > (Remote) -> #5 (SSL) [Router_AD] DXLINK SEARCH-REQ ...

     Alternatively you may also use a network sniffer like Wireshark to verify all communication is handled via SSL.
     
     
8. Test an SSL encrypted LDAP connection to Microsoft Active Directory using JXplorer (this is an optional step)
   
   
   • On the SSO Server
     
     make a backup of the current DXserver's offline trusted root CA store
     copy "%DXHOME%\config\ssld\trusted.pem" "%DXHOME%\config\ssld\trusted.pem.backup"
     
     
   • List the DXserver's trusted root CAs
     
     DXCERTGEN listca
     
     
   • Remove all trusted root CAs except the DXCertGenPKI
     
     DXCERTGEN -r 1 removeca
     (repeat until only DXCertGenPKI is listed)
     
     
   • Copy the resulting "%DXHOME%\config\ssld\trusted.pem" CA Directory-CA Root Certificate and the ..\certs\MS-Root_cert.pfx
     
     MS-CA Root Certificate to a temprorary location on the JXplorer host
     
     
   • Restore the DXserver's offline trusted root CA store
     
     copy "%DXHOME%\config\ssld\trusted.pem.backup" "%DXHOME%\config\ssld\trusted.pem"
     
     
   • On the JXplorer host
     
     enable the Certificates MMC Snap In Control:
     Start Menu -> Run -> mmc -> Console -> Add/Remove Snap-in -> Add -> Certificates -> Add -> Computer Account -> Local Computer -> Finish -> Close -> OK
     
     
   • Import the copied trusted.pem file and the MS-Root_cert.pfx by means of above Certificates-MMC into the local computer's "Trusted Root Certification Authorities" and "Personal" Certificate Store.
     
     
   • In JXplorer open "Advanced Keystore Options" from the main menu bar's "Security" option
     
     
   • Set CA/Server Keystore Type: Windows-ROOT
     
     
   • Set Client Keystore Type: Windows-MY
     
     
   • The other options are irrelevant, but must not be blank. OK to exit
     
     
   • Setup and establish a new connection pointing to the DC on port 636 with Security Level "SSL + User + Password"
     
     

     <Please see attached file for image>

     
     
     
   • Setup and establish a new connection pointing to the SSO Server on port 13389 with Security Level "SSL + User + Password" and Base DN o=PS
     
     
   • Setup and establish a new connection pointing to the SSO Server on port 13389 with Security Level "SSL + User + Password" and Base DN pointing to a DN in the AD (alike in the first test)
     
     If there are any issues, ensure time is in sync on all boxes involved.
     
     Sometimes it may be necessary to reinstall the PKI or even the complete Domain Controller box.