How can I configure a DXLINK connection within r12.0SP1 DXmanager?

Article ID: 52590

Products

DIRECTORY SECURITY MISC CODES SINGLE SIGN ON - LEGACY CA Data Protection (DataMinder) CA User Activity Reporting

Issue/Introduction

Description

This document explains how to add a DXlink (connection to a third party LDAP server) connection using r12.0SP1 DXmanager.

The items required for a successful DXlink connection are:

  1. A new namespace to be configured.
  2. Hostname or IP address details and TCP port of the third party LDAP server - This host will need to be created within DXmanager.
  3. A set of credentials that exist within the third party LDAP server.

Once you have the above information, please find the configuration procedure below.

Solution

Step 1: Start DXmanager

Start an Internet Explorer browser and type in your DXmanager URL. For Windows, the URL is:

https://hostname:8443/dxmanager

Once the DXmanager login screen is displayed, log in using the "DXmanager" set of credentials.

When the DXmanager UI has loaded, click the "Maps" tab and select the "namespace" map. This will present you with the currently configured DXmanager configuration.

<Please see attached file for image>

Figure 1

In the existing DXmanager configuration, there is a null prefix router and a data DSA known as "o=Democorp,c=au" configured. We will be adding to this existing configuration.

Step 2: Edit the configuration

Left click the arrow of the "Configuration" button which is in the top right corner of the screen and select the "Edit" option.

<Please see attached file for image>

Figure 2

Once DXmanager has entered edit mode, you will see a confirmation message displayed at the top of the DXmanager UI that reads:

<Please see attached file for image>

Figure 3

Step 3: Create a new namespace

In order for the DIT structure from the third party LDAP server to be displayed within the CA Directory DIT structure, a new namespace has to be created for it. This namespace serves as an anchor point within the CA Directory DIT for the third party LDAP server.

To create a new namespace follow the steps below:

  1. Switch the map to namespace mode (if it's not already).
  2. Move the mouse over the "c=AU" namespace and then click the right mouse button. Select the "Add a new partition" option.
  3. The "New Namespace Partition" configuration screen is displayed.

Please fill out the configuration options as per the table below:

General Tab:

Setting                 Value
Name                    ActiveDirectory1
                        (this is an example placeholder name)
Prefix                  o=AD1,c=AU
                        (this is the level in the DIT where your third party LDAP server is going to be anchored)
Data Store Size (MB)    0
                        (override the default data store size and define the size as 0)


<Please see attached file for image>

Figure 4

Connections Tab:

Setting                 Value
Port                    389
                        (this is the TCP port that the third party LDAP directory server is listening on)


<Please see attached file for image>

Figure 5

Console Tab:

Setting                 Value
Console Port            Null
Remote Console Port     Null


<Please see attached file for image>

Figure 6

Monitoring Tab:

Setting                 Value
SNMP Port               389


<Please see attached file for image>

Figure 7

Once you have configured the details of your third party LDAP server, please click the OK button to update the configuration. When the configuration has been successfully updated, the following confirmation message will be displayed.

<Please see attached file for image>

Figure 8

Once the configuration is updated, you will see the following namespace design:

<Please see attached file for image>

Figure 9

Please note: The reason why the "o=AD1,c=au" namespace is greyed out is due to the namespace not being instantiated on any host machine.

Step 4: Create the host LDAP server

The next step is to create the host server within the DXmanager "Topology" map. This provides the physical host details where the LDAP server is running.

To create the host LDAP server, follow the steps below:

  1. Switch to the "Topology" map.
  2. Please note: for this techdoc, the assumption is that the LDAP server is housed within the "DataCentre" site. If the LDAP server is housed in a location that is not yet part of the DXmanager map, a new site may need to be created first.
  3. Right click on the "DataCentre" site and select the "Add a new host to the site" option. This will present you with the "New Host" configuration screen.

<Please see attached file for image>

Figure 10

Configure the options as per the table below:

General Tab:

Setting                 Value
Name                    thirdPartyLDAPHost
                        (this is an example placeholder name)
Data Store Location     data
                        (this is not actively used for a third party LDAP server, so this value can be anything)


<Please see attached file for image>

Figure 11

Connections Tab:

Setting                 Value
Network Address         aaa.bbb.ccc.ddd
                        (this is the IP address where your third party LDAP server is running)


Type in the IP address of the third party LDAP server into the Network Address field, and click the "Add" button. Once you have configured this screen, click the "OK" button to update the configuration. Once the configuration has been updated, you will see that the DSA Topology screen will be updated with the new configuration:



<Please see attached file for image>

Figure 12

Step 5: Instantiate the DXlink DSA upon the LDAP server host

The last step in the configuration process is to instantiate a DXlink DSA. This DXlink DSA is a CA Directory reference to the third party LDAP server instance running on the host created in step 4.

To instantiate the DXlink DSA follow the steps below:

  1. Right click the host "ThirdPartyLDAPHost" and select the "Instantiate a new partition on this host", then "LDAP", and then "MS Active Directory Server" options. If your LDAP server is not an Active Directory server, then choose the most suitable third party LDAP server definition available.


<Please see attached file for image>

Figure 13

  2. The configuration screen titled "New DSA" will be displayed. This screen contains a pulldown list of the available namespaces for you to choose from. Click the pull down list and select "ActiveDirectory1".


<Please see attached file for image>

Figure 14

  3. Click the "Next" button.
  4. Please fill out the details as per the following table:

General Tab:

Setting                 Value
Display Name            AD1
                        (this is a placeholder value which can be anything, but make it descriptive)
Native Prefix           O=CA, c=AU
                        (this is the level in the third party LDAP server's DIT structure which CA Directory is going to map to)


<Please see attached file for image>

Figure 15

Connections Tab:

Setting                 Value
LDAP Proxy Name         cn=test,ou=Users,o=CA,c=AU
                        (this is the DN of an entry that exists in the third party LDAP server that can be used to bind with)
LDAP Proxy Password     password
                        (this is the password of the DN supplied above, used to authenticate that DN)


<Please see attached file for image>

Figure 16

  5. Click the "Finish" button.
  6. The LDAP proxy credentials are only used under the following circumstances:

     1. when a user's credentials are outside the LDAP server, or
     2. when requests make multiple hops before reaching the LDAP server.

Even though you've provided a set of credentials in the above screen, we will be using "pass-through" authentication in order to perform our bind in the following test. Click "Finish" to conclude the configuration process. Once the configuration is updated, a confirmation message is displayed that reads:

<Please see attached file for image>

Figure 17

Also, the Topology map will be updated to reflect that the third party LDAP server DSA has been instantiated.

<Please see attached file for image>

Figure 18

Step 6: Deploying the new DXmanager configuration

Now that the new DXmanager configuration has been created, it is time to deploy it. The process of deploying the configuration updates all CA Directory hosts with the new configuration.

Follow the steps below to deploy the new configuration:

  1. With your mouse, left click the arrow of the "Configuration" button which is in the top right corner of the screen and select the "Deploy" option.


<Please see attached file for image>

Figure 19

  2. The deployment of a DXmanager configuration is performed in two parts. Firstly DXmanager saves the whole configuration. The "Save Configuration" dialogue requires you to type in a specific comment that is used to describe this version of the configuration being saved.


<Please see attached file for image>

Figure 20

Once you've typed in a suitable comment, click the "OK" button to save the configuration.

  3. The deployment of the DXmanager configuration is then automatic. Once the configuration has been deployed you will see a confirmation message displayed at the top of the GUI that reads:


<Please see attached file for image>

Figure 21

Also, the Topology will be updated with the runtime monitoring icons which indicate that you have exited "edit" mode and entered "monitoring" mode.

<Please see attached file for image>

Figure 22

The icons for the third party LDAP server will indicate that it is unknown (question marks), as the status of the third party LDAP server cannot be determined by DXmanager: there is no process running on it capable of reporting its status to DXmanager.

Step 7: Testing connectivity to the LDAP server

Now that the configuration has been deployed, a connectivity test to the LDAP server should be performed in order to confirm that the DXmanager configuration has been defined and deployed correctly.

To test connectivity, please follow the steps below:

  1. Launch the JXweb web browser or other LDAP browser and use the connection details below to bind to the directory.

Setting                 Value
Host                    Hostname / IP address
                        (this is the host where the router DSA in the DXmanager configuration is located)
Port                    TCP port
                        (this is the TCP port of the router DSA)
Base DN                 O=AD1,c=AU
                        (this is the subtree/namespace of the DXlink DSA)
User DN                 A set of credentials that exist within the third party LDAP server
                        (take care to adjust the AD credentials so that they can be used to connect)

                        e.g. Native LDAP DN:
                        cn=Chris Hanlen,ou=Staff,ou=R&D,o=CA,c=AU

                        Prefix-mapped CA Directory DN:
                        cn=Chris Hanlen,ou=Staff,ou=R&D,o=AD1,c=AU



The reason why you need to change the beginning of the bind DN is that CA Directory can only reference the AD DIT structure through the anchor point configured for it in its own DIT. In this example the native prefix is "o=CA,c=AU" and the CA Directory namespace is "o=AD1,c=AU".

When binding to the CA Directory as a bind DN that exists in the LDAP server, use the following process:

In this example the set of bind credentials that exist within the Active Directory server is: cn=Chris Hanlen,ou=Staff,ou=R&D,o=CA,c=AU. In order to bind as this user to the CA Directory, you need to replace the native prefix (o=CA,c=AU) with the CA Directory prefix (o=AD1,c=AU). This means that the bind DN that should be used to bind to the CA Directory is: cn=Chris Hanlen,ou=Staff,ou=R&D,o=AD1,c=AU.
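As an added example that is not part of this article or of CA Directory itself, the following Python helper performs that prefix substitution on any DN under the native prefix, in both directions, while tolerating the case and spacing differences that appear in the tables above ("O=CA, c=AU" versus "o=CA,c=AU") and escaped commas inside an RDN value; the two prefixes are the ones assumed in this article's example.

```python
import re

# Prefix values from this article (assumed for the example).
NATIVE_PREFIX = "o=CA,c=AU"    # native prefix of the third party LDAP server
CA_DIR_PREFIX = "o=AD1,c=AU"   # namespace prefix configured in DXmanager

# Split a DN on commas that are not escaped with a backslash (RFC 4514).
_RDN_SPLIT = re.compile(r"(?<!\\),")

def split_dn(dn):
    """Return the DN's RDNs, stripped of the spaces that GUIs tend to add."""
    return [rdn.strip() for rdn in _RDN_SPLIT.split(dn) if rdn.strip()]

def _norm(rdn):
    """Comparison form of one RDN: type and value lower-cased, '=' unpadded."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()

def has_prefix(dn, prefix):
    """True when dn sits under prefix, ignoring case and spacing differences."""
    rdns, pre = split_dn(dn), split_dn(prefix)
    return len(rdns) >= len(pre) and \
        [_norm(r) for r in rdns[-len(pre):]] == [_norm(r) for r in pre]

def remap_dn(dn, old_prefix, new_prefix):
    """Replace the trailing old_prefix of dn with new_prefix.

    A DN outside old_prefix is rejected rather than rewritten: such an entry
    is not reachable through the DXlink namespace at all.
    """
    if not has_prefix(dn, old_prefix):
        raise ValueError("%s is not under prefix %s" % (dn, old_prefix))
    keep = split_dn(dn)[:-len(split_dn(old_prefix))]
    return ",".join(keep + split_dn(new_prefix))

def to_ca_directory_dn(native_dn):
    """Native LDAP DN -> bind DN to present to the CA Directory router DSA."""
    return remap_dn(native_dn, NATIVE_PREFIX, CA_DIR_PREFIX)

def to_native_dn(ca_dir_dn):
    """CA Directory DN -> DN as the DXlink DSA forwards it to the third party server."""
    return remap_dn(ca_dir_dn, CA_DIR_PREFIX, NATIVE_PREFIX)

if __name__ == "__main__":
    # Sample DN from the article; prints cn=Chris Hanlen,ou=Staff,ou=R&D,o=AD1,c=AU
    print(to_ca_directory_dn("cn=Chris Hanlen,ou=Staff,ou=R&D,o=CA,c=AU"))
```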

Below is an example connection dialogue using the above settings:

<Please see attached file for image>

Figure 23

When the connection dialogue has been completed, click the "Connect" button to establish connection with the CA Directory.
To confirm that the CA Directory DXlink DSA is accessing the third party LDAP server, open up a browser to the third party LDAP server directly, and one to CA Directory.

Please note that the native prefix of the LDAP server (o=CA,c=AU) has been "prefix mapped" to the CA Directory namespace of "o=AD1,c=AU".

Native LDAP Server DIT Example

<Please see attached file for image>

Figure 24

CA Directory DIT Example

<Please see attached file for image>

Figure 25

Environment

Release:
Component: ETRDIR

Attachments
