Description:
This is an updated version of TEC465307 describing how to set up an encrypted communication channel between the CA Single Sign On - Policy Server and the Domain Controller hosting the Active Directory (AD) that is to be integrated as the SSO User Data Store.
This is accomplished by using the LDAPS (LDAP-Secure) interface provided by the DC (Domain Controller) and SSL as the communication protocol. The required X.509 certificates are issued with the embedded CA Directory's DXCertGen utility.
It is assumed that the Microsoft Certificate Services are installed and operational on any of the Domain Controllers.
OpenSSL libraries attached for convenience (openSSL.zip).
Note:
This document is valid only for CA SSO versions with embedded CA DIR r12 SP2 (r12.0.4076) and newer.
To find out the exact version you have in place, run this command from a command prompt on your SSO Server:
dxserver version
For versions prior to CA DIR r12 SP2, please use TEC465307.
Solution:
AD is integrated into the SSO Server by means of the embedded CA Directory's DXlink, also referred to as LDAP-Router.
By default, payload data transferred via LDAP is not encrypted. This exposes sensitive data such as user and application passwords on the network, which is unacceptable.
To mitigate this risk, DXlink can be configured to encrypt all data it sends and receives by using the Active Directory's LDAPS interface and communicating over SSL.
To set up SSL between the SSO Server and the Directory and AD datastore, you need to complete the following steps:
address = tcp "ADServer1" port 636
auth-levels = anonymous, clear-password, ssl-auth
link-flags = dsp-ldap, ssl-encryption, ms-ad
auth-levels = anonymous, clear-password, ssl-auth
# sslsource "../ssld/default.dxc";
<Please see attached file for image>
net stop ssod
dxserver stop all
dxserver start all
net start ssod
telnet localhost 13379
set trace=x500;
...
> <- #4 (SSL) LDAP BIND-REQ
...
> (Remote) -> #5 (SSL) [Router_AD] DXLINK BIND-REQ
...
> (Remote) <- #5 (SSL) [Router_AD] DXLINK BIND-CONFIRM
...
> (Remote) <- #5 (SSL) [Router_AD] DXLINK COMPARE-CONFIRM
...
> -> #4 (SSL) LDAP BIND-CONFIRM
...
> <- #4 (SSL) LDAP SEARCH-REQ
...
> (Remote) -> #5 (SSL) [Router_AD] DXLINK SEARCH-REQ
...
Alternatively, you may also use a network sniffer such as Wireshark to verify that all communication is handled via SSL.
<Please see attached file for image>
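As an added example (not part of this article and not CA Directory's own tooling), the following Python check audits a DXlink link entry for the three LDAPS settings described above (port 636, ssl-auth, ssl-encryption) and scans x500 trace output for hops that are not marked (SSL). The link entries and the trace excerpt are constructed samples; the clear-text trace line is there only to show what the check flags.

```python
import re

# Constructed DXlink link entries (settings only, not a full 'set dsa' block).
# WEAK: plain LDAP on 389 with no SSL flags; HARDENED: what the article prescribes.
WEAK_LINK = """
address = tcp "ADServer1" port 389
auth-levels = anonymous, clear-password
link-flags = dsp-ldap, ms-ad
"""
HARDENED_LINK = """
address = tcp "ADServer1" port 636
auth-levels = anonymous, clear-password, ssl-auth
link-flags = dsp-ldap, ssl-encryption, ms-ad
"""

# Constructed excerpt in the shape of the 'set trace=x500;' output; the second
# line simulates a hop that is still clear-text (no "(SSL)" marker).
TRACE = """
> <- #4 (SSL) LDAP BIND-REQ
> (Remote) -> #5 [Router_AD] DXLINK BIND-REQ
> (Remote) <- #5 (SSL) [Router_AD] DXLINK BIND-CONFIRM
"""

def parse_link(text):
    """Map each 'key = value' line to a list of lowercase, comma-separated tokens."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([a-z-]+)\s*=\s*(.+?)\s*$", line)
        if m:
            settings[m.group(1)] = [v.strip().lower() for v in m.group(2).split(",")]
    return settings

def audit_link(text):
    """Return findings for a link entry; an empty list means LDAPS is fully configured."""
    s = parse_link(text)
    findings = []
    port = re.search(r"port\s+(\d+)", " ".join(s.get("address", [])))
    if port is None or port.group(1) != "636":
        findings.append("address does not use the LDAPS port 636")
    if "ssl-encryption" not in s.get("link-flags", []):
        findings.append("link-flags is missing ssl-encryption")
    if "ssl-auth" not in s.get("auth-levels", []):
        findings.append("auth-levels is missing ssl-auth")
    return findings

def cleartext_trace_lines(trace):
    """Return LDAP/DXLINK trace lines that are not marked (SSL)."""
    return [l for l in trace.splitlines()
            if ("LDAP" in l or "DXLINK" in l) and "(SSL)" not in l]
```

Running audit_link on the hardened entry returns no findings, while the weak entry yields all three; any line returned by cleartext_trace_lines indicates a hop still worth investigating.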