Secure Global Desktop Administration Guide > Security > Securing connections to LDAP directory servers
The LDAP login authority and the LDAP identity mapping search methods for web server/third party authentication require connections to an LDAP directory server. You can use the Sun Secure Global Desktop Security Pack to secure these connections with SSL/TLS. To do this, you must:
tarantella restart
Note: You do not need this configuration for the Active Directory login authority, because that login authority uses the Kerberos protocol.
The configuration required for steps 2 to 4 is described below. The configuration uses the Java™ keytool application; see the Java 2 SDK Tools and Utilities documentation (http://java.sun.com/j2se/docs) for more details.
In Array Manager, Secure Global Desktop Login properties, make sure that each LDAP directory server that requires a secure connection has a URL that begins with ldaps://
The standard port used for secure connections to an LDAP directory server is 636/tcp. If your LDAP directory server uses a different port, you must specify the port number as part of the URL, for example ldaps://melbourne.indigo-insurance.com:5678.
To be able to use secure connections, Secure Global Desktop must be able to validate the certificate presented by an LDAP directory server. To do this you must import the root certificate (the Certificate Authority's certificate) into the keystore (the cacerts file) for the Java Runtime Environment (JRE) used by the Secure Global Desktop server. Run the following command:
/opt/tarantella/bin/jre/bin/keytool -import \
    -keystore /opt/tarantella/bin/jre/lib/security/cacerts \
    -file root_certificate_path \
    -alias alias
Before it adds the certificate, keytool displays the certificate's fingerprints and asks you to confirm that you trust it. Compare the fingerprint with the one your Certificate Authority publishes before you answer yes: a root certificate imported into cacerts is trusted by the JRE for all subsequent connections, not just for this LDAP directory server.
We recommend you use the -alias option to uniquely identify the certificate. The standard password for the cacerts file is changeit; if the password has been changed on your system, use that password instead. Installing a new JRE replaces the cacerts file, so you must repeat the import after a JRE upgrade.
You must import the root certificate for every LDAP directory server you are using with Secure Global Desktop. You must import the certificates into the cacerts file on every member of the array.
Microsoft Active Directory will only accept secure connections from servers that have a valid client certificate that has been signed using the Certificate Services on a Windows 2000/2003 Server. You must do this in addition to importing the root certificate, as described above. You must create and install a client certificate for each member of the array. To do this, you have to:
Run the following command to generate the key pair for the client certificate:
/opt/tarantella/bin/jre/bin/keytool -genkey \
    -keyalg rsa \
    -keystore /opt/tarantella/var/info/certs/sslkeystore \
    -storepass 123456 \
    -alias alias \
    -keypass 123456
keytool prompts you for the distinguished name (the name, organization and location fields) to place in the certificate. If your security policy requires a larger key than the JRE's default RSA key size, add the -keysize option, for example -keysize 2048.
Run the following command to generate the Certificate Signing Request (CSR) for the client certificate:
/opt/tarantella/bin/jre/bin/keytool -certreq \
    -keystore /opt/tarantella/var/info/certs/sslkeystore \
    -storepass 123456 \
    -alias alias \
    -keypass 123456 \
    -file path_to_CSR
The alias must be the same as the alias used when generating the key pair. Aliases are case-insensitive.
Submit the CSR to Certificate Services, using the web enrollment pages at http://Windows_server/certsrv, and download the signed client certificate.
Run the following command to install the client certificate for a Secure Global Desktop server:
/opt/tarantella/bin/jre/bin/keytool -import \
    -file certificate_path \
    -keystore /opt/tarantella/var/info/certs/sslkeystore \
    -storepass 123456 \
    -alias alias \
    -keypass 123456
The alias must be the same as the alias used when generating the key pair, so that keytool installs the reply from Certificate Services on that key entry rather than as a separate trusted certificate. keytool only installs the reply if it can build a chain of trust for it; add the -trustcacerts option if you want keytool to use the root certificates in the cacerts file, such as the one you imported above, when it verifies the reply.
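The following script is an added example, not part of the Secure Global Desktop documentation or product. It wraps steps 2 to 4 above for one member of the array: it checks that an LDAP URL uses ldaps:// and works out the host and port (636 when none is given), imports a root certificate into cacerts only after comparing its fingerprint with one you supply, and generates, requests and installs the Active Directory client certificate in the sslkeystore. The expected CA fingerprint is an assumption you must obtain from your own Certificate Authority; -keysize 2048 and -dname are practitioner choices, and the hostnames and file names in the usage text are placeholders.

```shell
#!/bin/sh
# Added example (not from the Secure Global Desktop documentation): wraps the
# keytool steps 2 to 4 of this page for one member of the array.
# Assumptions not on the page: the expected CA fingerprint comes from your CA's
# own documentation, -keysize 2048 and -dname are practitioner choices, and the
# hostnames and file names in usage() are placeholders.

JRE=/opt/tarantella/bin/jre
KEYTOOL="$JRE/bin/keytool"
CACERTS="$JRE/lib/security/cacerts"
CACERTS_PASS=changeit             # standard cacerts password; change if yours differs
SSLKEYSTORE=/opt/tarantella/var/info/certs/sslkeystore
SSLKEYSTORE_PASS=123456           # sslkeystore password used in this page's commands

# Step 2 check: a secure LDAP URL must begin with ldaps://.
ldaps_url_ok() {
    case "$1" in
        ldaps://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Print "host port" for an ldaps:// URL; 636 is assumed when no port is given.
ldaps_host_port() {
    hp=${1#ldaps://}
    hp=${hp%%/*}
    case "$hp" in
        *:*) printf '%s %s\n' "${hp%%:*}" "${hp#*:}" ;;
        *)   printf '%s 636\n' "$hp" ;;
    esac
}

# True when an entry with this alias already exists in the keystore.
alias_exists() {   # alias keystore storepass
    "$KEYTOOL" -list -keystore "$2" -storepass "$3" -alias "$1" >/dev/null 2>&1
}

# SHA1 fingerprint of a certificate file, as keytool computes it.
cert_sha1() {
    "$KEYTOOL" -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA1:[[:space:]]*//p'
}

# Step 3: import a CA root certificate into cacerts, but only if its fingerprint
# matches the one the CA published; aliases already present are skipped.
import_root_cert() {   # alias root_cert_path expected_sha1
    if alias_exists "$1" "$CACERTS" "$CACERTS_PASS"; then
        echo "alias $1 already in $CACERTS, nothing to do" >&2
        return 0
    fi
    actual=$(cert_sha1 "$2")
    if [ "$actual" != "$3" ]; then
        echo "refusing to trust $2: fingerprint $actual, expected $3" >&2
        return 1
    fi
    "$KEYTOOL" -import -noprompt -keystore "$CACERTS" -storepass "$CACERTS_PASS" \
        -file "$2" -alias "$1"
}

# Step 4, first half: key pair and CSR for the Active Directory client certificate.
gen_client_csr() {   # alias csr_path dname
    "$KEYTOOL" -genkey -keyalg rsa -keysize 2048 -dname "$3" \
        -keystore "$SSLKEYSTORE" -storepass "$SSLKEYSTORE_PASS" \
        -alias "$1" -keypass "$SSLKEYSTORE_PASS"
    "$KEYTOOL" -certreq -keystore "$SSLKEYSTORE" -storepass "$SSLKEYSTORE_PASS" \
        -alias "$1" -keypass "$SSLKEYSTORE_PASS" -file "$2"
}

# Step 4, second half: install the certificate returned by Certificate Services
# under the same alias as the key pair. -trustcacerts lets keytool chain the
# reply to the root imported by import_root_cert.
install_client_cert() {   # alias cert_path
    "$KEYTOOL" -import -trustcacerts -file "$2" -keystore "$SSLKEYSTORE" \
        -storepass "$SSLKEYSTORE_PASS" -alias "$1" -keypass "$SSLKEYSTORE_PASS"
}

usage() {
    cat <<EOF >&2
usage: $0 check-url ldaps://melbourne.indigo-insurance.com:5678
       $0 import-root indigo-ca /tmp/indigo-ca.cer <expected SHA1 fingerprint>
       $0 gen-csr sgd-client /tmp/sgd-client.csr "CN=sgd1.indigo-insurance.com"
       $0 install-client sgd-client /tmp/sgd-client.cer
EOF
}

# Only act when given a subcommand, so the functions can also be sourced.
case "${1:-}" in
    check-url)      shift; ldaps_url_ok "$1" && ldaps_host_port "$1" ;;
    import-root)    shift; import_root_cert "$@" ;;
    gen-csr)        shift; gen_client_csr "$@" ;;
    install-client) shift; install_client_cert "$@" ;;
    "")             ;;
    *)              usage; exit 2 ;;
esac
```

Run the import-root, gen-csr and install-client subcommands on every member of the array in turn; the check-url subcommand exits non-zero for a plain ldap:// URL, so it can be used to audit the URLs configured in Array Manager before you restart the servers.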
Copyright © 1997-2005 Sun Microsystems, Inc. All rights reserved.