
Info

The TLS certificate used for LDAPS must be created using Active Directory Certificate Services.

Export Root CA from Active Directory Server

  1. Log on to the Active Directory domain server as a Domain Administrator:

    1. Open the CA Microsoft Management Console (MMC) GUI from Start 🢂 Windows Administrative Tools 🢂 Certificate Authority.

    2. Right-click on the CA server and select Properties.

    3. Select View Certificate from the General tab.

    4. Select the Details tab, followed by Copy to File….

    5. Use the Certificate Export Wizard to save the CA certificate file.

    6. Select Next, followed by Base-64 encoded X.509 (.CER).

    7. Select Browse to select the path where the root CA is saved.

    8. Select Next, then Finish.

Install the Root CA on Swarm Content Gateway

  1. Copy the root CA (acme-ca-bundle.crt) to the following location on all Swarm Content Gateway servers:

    /etc/pki/ca-trust/source/anchors/acme-ca-bundle.crt

  2. Run the following command on each Swarm Content Gateway server so the CA is added to the system trust store:

    update-ca-trust

  3. Restart the Swarm Content Gateway service on each Swarm Content Gateway so it picks up the updated trust store:

    systemctl restart cloudgateway

Test LDAPS connection from Swarm Content Gateway

  1. Download the acert certificate verification utility to each Swarm Content Gateway server and verify the file against the SHA-256 checksums listed on the Duo Certificate Verification Utility website:

    cd /root/datacore
    curl -fLO https://dl.duosecurity.com/acert-linux
    chmod +x acert-linux

  2. Verify all Swarm Content Gateway servers can reach the Active Directory server (using tools such as ping, traceroute, or equivalent).

  3. Run the following command to verify the LDAPS certificate:

    ./acert-linux -host ad.acme.local -port 636

Alternatively, test with curl. A successful result reports "Connected" and shows the server certificate; confirm that the issuer line matches the root CA exported above:

curl "ldaps://acme.local:636/dc=acme,dc=local" -u "CN=ldapuser,CN=Users,DC=acme,DC=local" -vvv

Output:

Enter host password for user 'CN=ldapuser,CN=Users,DC=acme,DC=local':
* About to connect() to acme.local port 636 (#0)
*   Trying 172.16.30.88...
* Connected to acme.local (172.16.30.88) port 636 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: (nil)
*       start date: Jul 16 12:37:51 2023 GMT
*       expire date: Jul 16 12:47:51 2025 GMT
*       common name: (nil)
*       issuer: CN=acme-CA,DC=acme,DC=local
* LDAP local: ldaps://acme.local:636/dc=acme,dc=local
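The same check can be scripted so every gateway node reports the issuer and expiry of the certificate it sees, and distinguishes a trust-store problem from a plain connectivity failure. The following is an added example written for this page; it is not part of the Swarm or Caringo product. The host name, port and CA bundle path are taken from the page's curl output and are assumptions for your environment.

```python
"""Fetch and summarize the certificate presented by an LDAPS endpoint.

Added example for this page, not part of the Swarm/Caringo documentation.
It mirrors what the acert-linux and curl -vvv checks report: whether the
chain validates against the OS trust store and who issued the server
certificate. Host, port and CA bundle path are assumptions from the page.
"""
import socket
import ssl
import time

# Short names used in the curl output for the X.509 attribute types that
# ssl.getpeercert() returns in long form.
_RDN_SHORT = {
    "commonName": "CN",
    "domainComponent": "DC",
    "organizationName": "O",
    "organizationalUnitName": "OU",
    "countryName": "C",
    "stateOrProvinceName": "ST",
    "localityName": "L",
}


def rdn_to_string(name):
    """Render a getpeercert() name tuple as 'CN=acme-CA,DC=acme,DC=local'."""
    parts = []
    for rdn in name:
        for attr_type, value in rdn:
            parts.append(f"{_RDN_SHORT.get(attr_type, attr_type)}={value}")
    return ",".join(parts)


def summarize_cert(cert):
    """Turn a getpeercert() dict into the fields an operator compares by hand."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "subject": rdn_to_string(cert.get("subject", ())),
        "issuer": rdn_to_string(cert.get("issuer", ())),
        "not_after": cert["notAfter"],
        "days_left": int((expires - time.time()) // 86400),
    }


def check_ldaps(host, port=636, cafile="/etc/pki/tls/certs/ca-bundle.crt"):
    """Open a verified TLS connection to host:port using the given CA bundle.

    Returns (ok, detail). ok=False with a certificate verification detail is
    the Python-side equivalent of the gateway's 'PKIX path building failed'
    error: the issuing CA is not in the trust store this process is using.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, summarize_cert(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate verification failed: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    # Host name taken from the page's curl example; an assumption here.
    ok, detail = check_ldaps("acme.local")
    print("OK" if ok else "FAILED", detail)
```

Run it on a gateway node after update-ca-trust; a verification failure here while acert or curl succeed usually means the process is reading a different CA bundle than the one the page installs.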

Configure LDAPS on Swarm Content Gateway

  1. Create a user account that can log in to Active Directory with read-only access to LDAP/LDAPS.

  2. Refer to LDAP Configuration https://perifery.atlassian.net/wiki/spaces/public/pages/2443816826/IDSYS+Document+Format#LDAP-and-AD-Fields to configure gateway authentication with Active Directory LDAP.

  3. Change the protocol and port in the LDAP configuration:

    1. protocol: ldaps

    2. ldapport: 636

  4. The Swarm Content Gateway should now authenticate with Active Directory using LDAPS. Use the LDAPS/AD credentials to log in to the Content Gateway portal (UIC).

  5. Example IDSYS LDAP configuration:

    {
      "ldap": {
        "name": "ad-ldap",
        "description": "This is acme.local Active Directory LDAP configuration",
        "protocol": "ldaps",
        "ldaphost": "acme.local",
        "ldapport": "636",
        "adminDN": "CN=ldapuser,CN=Users,DC=acme,DC=local",
        "adminPassword": "P@ssw0rd",
        "userBase": "CN=Users,DC=acme,DC=local",
        "groupBase": "CN=Domain Admins,CN=Users,DC=acme,DC=local",
        "uidAttribute": "sAMAccountName",
        "userFilter": "objectclass=*",
        "groupMemberDNAttr": "",
        "groupMemberUidAttr": "member",
        "cookieName": "token",
        "tokenPath": "/.TOKEN/",
        "s3SecretKeyAttr": "dcadmin@"
      }
    }
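A small lint pass over the IDSYS JSON catches the edits that most often go wrong when switching from ldap to ldaps (port left at 389, protocol left at ldap, a bind field emptied). The following is an added example for this page, not part of the Swarm or Caringo product; the key names follow the sample above, and the list of required keys is this example's own assumption rather than the product's schema.

```python
"""Sanity-check an IDSYS LDAP block before deploying it to the gateway.

Added example for this page, not part of the Swarm/Caringo product. It reads
the JSON shape shown above and flags the mistakes that later surface as bind
failures: protocol/port mismatch, cleartext ldap left in place, and required
bind fields left empty. REQUIRED is an assumption, not the product's schema.
"""
import json

REQUIRED = ("protocol", "ldaphost", "ldapport", "adminDN", "adminPassword",
            "userBase", "uidAttribute")
EXPECTED_PORT = {"ldaps": "636", "ldap": "389"}


def lint_idsys(doc):
    """Return a list of findings ('ERROR: ...' / 'WARN: ...') for one IDSYS dict."""
    findings = []
    ldap = doc.get("ldap")
    if not isinstance(ldap, dict):
        return ["ERROR: top-level 'ldap' object is missing"]
    for key in REQUIRED:
        if not str(ldap.get(key, "")).strip():
            findings.append(f"ERROR: '{key}' is missing or empty")
    proto = ldap.get("protocol", "")
    port = str(ldap.get("ldapport", ""))
    if proto not in EXPECTED_PORT:
        findings.append(f"ERROR: protocol must be 'ldap' or 'ldaps', got {proto!r}")
    elif port != EXPECTED_PORT[proto]:
        findings.append(
            f"WARN: protocol {proto} normally uses port {EXPECTED_PORT[proto]}, got {port}")
    if proto == "ldap":
        findings.append("WARN: protocol 'ldap' sends the bind password in cleartext; use ldaps")
    return findings


def lint_idsys_text(text):
    """Same as lint_idsys, but for the raw JSON text of the configuration file."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"ERROR: invalid JSON: {exc}"]
    return lint_idsys(doc)


# Constructed sample following the shape of the page's example; the password
# is a placeholder, not a real credential.
SAMPLE = """{
  "ldap": {
    "name": "ad-ldap",
    "protocol": "ldaps",
    "ldaphost": "acme.local",
    "ldapport": "636",
    "adminDN": "CN=ldapuser,CN=Users,DC=acme,DC=local",
    "adminPassword": "REPLACE_ME",
    "userBase": "CN=Users,DC=acme,DC=local",
    "uidAttribute": "sAMAccountName"
  }
}"""

if __name__ == "__main__":
    for line in lint_idsys_text(SAMPLE) or ["OK: no findings"]:
        print(line)
```

Point `lint_idsys_text` at the file you are about to upload; an empty list means the protocol, port and bind fields are consistent with each other, not that the bind itself will succeed.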
  6. If the test login to the Swarm Content Gateway UI fails, verify errors by Request ID in /var/log/caringo/cloudgateway_server.log and follow the troubleshooting steps in LDAP Configuration:

    grep 'request_id' /var/log/caringo/cloudgateway_server.log

    Sample certificate error:
    2023-04-07 09:39:18,309 ERROR [qtp1357686726-9493|BC005B3EB68626F8] LDAPIdsys: Unable to connect to identity system ldaps://ad01.acme.internal:636 as ldapUser@acme.internal: javax.naming.CommunicationException: simple bind failed: ad01.acme.internal:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
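The grep above returns raw lines; parsing them turns the Java exception text into a probable cause an operator can act on. The following is an added example for this page, not part of the Swarm or Caringo product. The line format and the sample entry come from the page; the mapping from exception text to cause is this example's own assumption, not an official troubleshooting table.

```python
"""Classify LDAP bind failures in cloudgateway_server.log by request ID.

Added example for this page, not part of the Swarm/Caringo product. The line
format and the single sample entry are taken from the page; the mapping from
Java exception text to a probable cause is this example's own assumption.
"""
import re

# Matches the "LDAPIdsys: Unable to connect" line shown on the page.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>\w+) \[(?P<thread>[^|\]]+)\|(?P<request_id>[0-9A-F]+)\] "
    r"LDAPIdsys: Unable to connect to identity system (?P<url>\S+) as (?P<bind_user>\S+): "
    r"(?P<exception>.*)$"
)

# Ordered (needle, probable cause); the first match wins.
CAUSES = [
    ("PKIX path building failed",
     "server certificate not trusted by the gateway JVM: install the root CA under "
     "/etc/pki/ca-trust/source/anchors/, run update-ca-trust, restart cloudgateway"),
    ("Connection refused", "LDAPS port not reachable; check port 636 and the firewall"),
    ("UnknownHostException", "LDAP host name does not resolve; check DNS / ldaphost"),
    ("error code 49", "bind rejected (LDAP result code 49); check adminDN / adminPassword"),
]


def parse_line(line):
    """Return the fields of a gateway LDAP error line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def probable_cause(exception_text):
    """Map the Java exception text to a short, actionable cause."""
    for needle, cause in CAUSES:
        if needle in exception_text:
            return cause
    return "unclassified; read the full exception text"


def find_request(lines, request_id):
    """Like grep on the request ID, but returns parsed entries with a probable cause."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and entry["request_id"] == request_id:
            entry["cause"] = probable_cause(entry["exception"])
            hits.append(entry)
    return hits


# Constructed sample: the page's error line plus an unrelated INFO line.
SAMPLE_LOG = [
    "2023-04-07 09:39:18,309 ERROR [qtp1357686726-9493|BC005B3EB68626F8] LDAPIdsys: Unable to connect to identity system ldaps://ad01.acme.internal:636 as ldapUser@acme.internal: javax.naming.CommunicationException: simple bind failed: ad01.acme.internal:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]",
    "2023-04-07 09:39:18,310 INFO  [qtp1357686726-9493|BC005B3EB68626F8] request complete",
]

if __name__ == "__main__":
    for hit in find_request(SAMPLE_LOG, "BC005B3EB68626F8"):
        print(hit["ts"], hit["url"], "->", hit["cause"])
```

Feed it the lines from the grep command with the Request ID shown in the UI error; the PKIX case is the one the root CA steps earlier on this page resolve.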

The configuration for LDAPS/AD integration should be complete if no errors occur.