Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 9 Next »

NOTE: The TLS certificate used for LDAPS must be created using Active Directory Certificate Services!

Export Root CA from Active Directory Server

  1. Log into the Active Directory domain server as domain administrator:

    1. Click StartWindows Administrative ToolsCertificate Authority to open the CA Microsoft Management Console (MMC) GUI.

    2. Highlight the CA server and right-click to select CA Properties:

    3. From General menu, click View Certificate:

    4. Select the Details view and click Copy to File on the lower-right corner of the window:

    5. Use the Certificate Export Wizard to save the CA certificate file:

    6. Click Next, then select Base-64 encoded X.509 (.CER):

    7. Click Browse to select path to save the root-CA:

    8. Click Finish.

Install Root CA on Swarm Gateway

  1. Copy the root-CA (acme-ca-bundle.crt) to all Swarm Gateway servers:
    /etc/pki/ca-trust/source/anchors/acme-ca-bundle.crt

  2. Run the following command on each Gateway server:
    update-ca-trust

  3. Restart Gateway Services on each Gateway:
    systemctl restart cloudgateway

Test LDAPS connection from Swarm Gateway

  1. Download the Duo Certification Verification Utility to each Swarm Gateway:
    cd /root/datacore
    curl -fLO https://dl.duosecurity.com/acert-linux
    chmod +x acert-linux

  2. Make sure each Gateway server can reach the Active Directory server (e.g. ping / traceroute or equivalent).

  3. Run the following command to verify the LDAPS certificate:
    ./acert-linux -host ad.acme.local -port 636

Configure LDAPS on Swarm Gateway

  1. Create a User account that can log in to Active Directory with read only access to LDAP/LDAPS.

  2. Refer to LDAP Configuration to configure gateway authenticate with Active Directory LDAP.

  3. Change protocol

    1. ldap ➔ ldaps

    2. Port 389 ➔ 636

  4. Now, test if you are able log in to the UIC (content) Gateway portal using LDAPS/AD credentials.

  5. In case the test login to Swarm Gateway UI failed:

  6. Verify errors by Request ID in /var/log/caringo/cloudgateway_server.log and follow the troubleshooting steps in LDAP Configuration .
    grep 'request_id' /var/log/caringo/cloudgateway_server.log
    Sample certificate error:
    2023-04-07 09:39:18,309 ERROR [qtp1357686726-9493|BC005B3EB68626F8] LDAPIdsys: Unable to connect to identity system ldaps://ad01.acme.internal:636 as ldapUser@acme.internal: javax.naming.CommunicationException: simple bind failed: ad01.acme.internal:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

Otherwise, your configuration for LDAPS/AD integration should be complete!

  • No labels