Secure Global Desktop 4.31 Administration Guide > Security > Securing connections to Active Directory and LDAP directory servers

Securing connections to Active Directory and LDAP directory servers

You can use Secure Global Desktop security services to secure the connections to an LDAP directory server, including Microsoft Active Directory. LDAP connections are used with the following authentication mechanisms:

• Active Directory login authority.
• LDAP login authority.
• Web server/third party authentication, only if the LDAP user identity mapping search methods are used.

To secure these connections:

1. Enable Secure Global Desktop security services.
2. In Array Manager, configure secure connections to LDAP or Active Directory.
3. Import the root certificates for your directory servers.
4. For Microsoft Active Directory, create and install client certificates for each Secure Global Desktop server in the array.
5. For the Active Directory login authority, enable LDAP signing requirements for the domain.
6. Restart each Secure Global Desktop server in the array, using tarantella restart.

The configuration required for steps 2 to 5 is described below.

Configuring secure connections to LDAP and Active Directory in Array Manager

The configuration needed depends on the authentication mechanisms that have been enabled in Array Manager

Active Directory login authority

1. In Array Manager, select Secure Global Desktop Login properties
2. In the URL field, type the name of an Active Directory domain, for example ad://east.indigo-insurance.com.
   Only enter one URL. The URL must start with ad://.
3. Check the Use Certicates box.
4. Click Apply.

LDAP login authority and web server/third party authentication

1. In Array Manager, select Secure Global Desktop Login properties
2. In the URL field, type the URL of one or more LDAP directory servers, for example ldaps://melbourne.indigo-insurance.com.
   • The URLs must start with ldaps://.
   • Separate each URL with a semicolon.
   • If you enter more than one URL, the URLs are used in the order they are listed. If the first LDAP directory server listed is unavailable, Secure Global Desktop tries the next one in the list.
   • The standard port used for secure connections to an LDAP directory server is 636/tcp. If an LDAP directory server uses a different port, you must specify the port number as part of the URL, for example ldaps://melbourne.indigo-insurance.com:5678.
   • Normally, the LDAP login authority searches the entire LDAP directory. You can restrict the search to part of the LDAP directory by adding a search root to the end of the URL, for example ldaps://melbourne.indigo-insurance.com/dc=indigo-insurance,dc=com
3. Click Apply.

Importing root certificates

To be able to use secure connections, Secure Global Desktop must be able to validate the certificate presented by an LDAP directory server or Active Directory. To do this you must import the root certificate (the Certificate Authority's certificate) into the keystore (the cacerts file) for the Java™ 2 Runtime Environment (JRE) used by the Secure Global Desktop server.

Run the following command:

/opt/tarantella/bin/jre/bin/keytool -import \
  -keystore /opt/tarantella/bin/jre/lib/security/cacerts \ 
  -storepass changeit
  -file root_certificate_path \
  -alias alias

Notes:

• See the Java 2 SDK Tools and Utilities documentation for details on how to use the keytool application.
• Use the -alias option to uniquely identify the certificate.
• Import the root certificate for every Active Directory or LDAP directory server you are using with Secure Global Desktop.
• Import the root certificates into the cacerts file on every member of the array.

Creating client certificates for use with Microsoft Active Directory

Microsoft Active Directory will only accept secure connections from servers that have a valid client certificate that has been signed using the Certificate Services on a Windows 2000/2003 Server. You must create and install a client certificate for each member of the array.

You create and install server client certificates with the keytool application, see the Java 2 SDK Tools and Utilities documentation for details.

Server client certificates are stored in the Secure Global Desktop certificate store /opt/tarantella/var/info/certs/sslkeystore.

You must provide a password when adding or removing certificates from the certifcate store. The password for the sslkeystore is unique to each Secure Global Desktop server and can be found in the /opt/tarantella/var/info/key file. Use this password for both the -storepass and -keypass options.

To create and install client certificates:

1. Generate the key pair for the client certificate.
2. Generate a Certificate Signing Request for the client certificate.
3. Create the client certificate.
4. Install the client certificate.

Generating the key pair for the client certificate

Run the following command to generate the key pair for the client certificate:

/opt/tarantella/bin/jre/bin/keytool -genkey \
  -keyalg rsa \ 
  -keystore /opt/tarantella/var/info/certs/sslkeystore \ 
  -storepass password \
  -alias alias \
  -keypass  password

Generating the Certificate Signing Request for the client certificate

Run the following command to generate the Certificate Signing Request (CSR) for the client certificate:

/opt/tarantella/bin/jre/bin/keytool -certreq \
  -keystore /opt/tarantella/var/info/certs/sslkeystore \ 
  -storepass server_password \
  -alias alias \
  -keypass  server_password
  -file path_to_CSR

The alias must be the same as the alias used when generating the key pair. Aliases are case-insensitive.

Creating the client certificate

1. Using Internet Explorer, go to http://Windows_server/certsrv.
2. Log in.
3. On the Microsoft Certificate Services page, click Request a certificate.
4. On the Request a Certificate page, click advanced certificate request.
5. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
6. On the Submit a Certificate Request or Renewal Request page, paste the contents of the CSR into the Saved Request text box or browse to the CSR file.
7. Select an appropriate template from the Certificate Templates list.
8. Click Submit.
9. On the Certificate Issued page, ensure Base 64 encoded is selected and click Download certificate chain.
10. Save the certificate file.

Installing the client certificate

Run the following command to install the client certificate for a Secure Global Desktop server:

/opt/tarantella/bin/jre/bin/keytool -import \
  -file certificate_path \
  -keystore /opt/tarantella/var/info/certs/sslkeystore \ 
  -storepass server_password \
  -alias alias \
  -keypass  server_password

Enabling LDAP signing for the domain

For the Active Directory login authority, you must enable LDAP signing on your domain controllers. For example:

1. Log in to the domain controller as a user with administrative privileges.
2. In Group Policy Object Editor, select Domain Security Policy\Local Policies\Security options.
3. Edit the Domain controller: LDAP server signing requirements policy, select Require signing.
4. Edit the Network security: LDAP client signing requirements policy, select Require signing.

Copyright © 1997-2007 Sun Microsystems, Inc. All rights reserved.