Using Secure LDAP (LDAPS) for Configuration Center authentication

Affects version(s): 
7.x
6.x
5.x

This article describes how to configure the Airlock Configuration Center authentication to use Secure LDAP (ldaps) instead of clear-text LDAP. It shows which additional steps, on top of Customizing the Airlock Configuration Center Authentication, are needed so that the authentication against the backend LDAP directory is encrypted.

Before you begin, you need the CA certificate of the Windows domain as a file. If an IIS server with SSL enabled is running in the domain, connect to it with Internet Explorer, import the CA certificate and then export it from Internet Explorer. Otherwise, ask the Windows domain administrator to generate and export this CA certificate. You do not need the private key of the certificate; only the public CA certificate is required.

Please be aware that these settings are lost when Airlock is updated. Therefore you have to repeat the steps in this article after the official Airlock update process.

Import CA certificate

On Airlock WAF 7.1 and newer use the following procedure:

  1. Copy the CA certificate with SCP to the /etc/pki/ca-trust/source/anchors/ directory on the Airlock system.
  2. Login on your Airlock system using SSH as user "root".
  3. Run the following command to import all certificates within the above directory:
    # update-ca-trust extract

On Airlock WAF 7.0 or older use the following procedure:

  1. Copy the CA certificate with SCP to the /tmp directory on the Airlock system.
  2. Login on your Airlock system using SSH as user "root".
  3. Add the bundled JRE to your PATH and change to its security directory, which contains the cacerts keystore:
    # PATH=/opt/airlock/java/jre/bin:$PATH
    # cd /opt/airlock/java/jre/lib/security
  4. Enter this command to import the CA certificate:
    # keytool -import -file <your-ca-file> -keystore cacerts -alias <windows-domain>-ca
  5. The keytool asks for a password. The default password for the keystore is "changeit".
  6. To check that the import worked, list the entry with this command:
    # keytool -list -keystore cacerts -alias <windows-domain>-ca

Modify Authentication Service configuration

  1. Change to the following directory:
    # cd /opt/airlock/custom-settings/mgt-auth
  2. Change the LDAP entry in the Configuration Center config file authenticator.properties:
    ldap.0.url=ldaps://<LDAP server name or IP>:636/DC=<your 1. domain part>,DC=<your 2. domain part>
  3. Save your changes.

Backend SSL verification is turned off by default, so the certificate presented by the LDAP server is not verified unless you enable it explicitly. To enable verification of the backend SSL certificate, add the following line to the configuration: "ldap.0.backendSSLVerifyHost=true".
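The following shell functions are an added example, not part of this article or of Airlock's own tooling. They rewrite the ldap.0.url entry of an authenticator.properties file from clear-text LDAP to ldaps on port 636, make sure ldap.0.backendSSLVerifyHost=true is set exactly once, and offer a check that the server's certificate chain validates against the CA file you imported. The property names and the port come from this article; the host name dc01.example.test and the sample file contents are constructed for the demonstration, and the URL rewrite assumes a host name or IPv4 address (no bracketed IPv6 literal).

```shell
#!/bin/sh
# Added example: harden the Configuration Center LDAP settings.
# Assumes the ldap.0.url and ldap.0.backendSSLVerifyHost keys shown in the article.

# Rewrite ldap.0.url in file $1 to ldaps://<host>:636/<base DN>, keeping the
# existing host and base DN, and force ldap.0.backendSSLVerifyHost=true.
# Running it twice leaves the file unchanged (safe to re-run after an update).
harden_ldap_config() {
  file="$1"
  # ldap://host[:port]/base  ->  ldaps://host:636/base  (host: name or IPv4)
  sed -i.bak -E 's#^(ldap\.0\.url=)ldaps?://([^:/]+)(:[0-9]+)?/#\1ldaps://\2:636/#' "$file"
  if grep -q '^ldap\.0\.backendSSLVerifyHost=' "$file"; then
    # Key present (possibly =false): set it to true in place.
    sed -i.bak -E 's#^ldap\.0\.backendSSLVerifyHost=.*#ldap.0.backendSSLVerifyHost=true#' "$file"
  else
    printf 'ldap.0.backendSSLVerifyHost=true\n' >> "$file"
  fi
  rm -f "$file.bak"
}

# Return 0 when file $1 uses ldaps on port 636 with verification enabled, else 1.
check_ldap_config() {
  file="$1"
  grep -q '^ldap\.0\.url=ldaps://[^/]*:636/' "$file" &&
  grep -q '^ldap\.0\.backendSSLVerifyHost=true$' "$file"
}

# Live check (needs network access to the LDAP server; not run by the test):
# let openssl build and verify the server's chain against the CA file only.
# $1 = LDAP server name, $2 = path to the CA certificate in PEM format.
verify_ldaps_server() {
  host="$1"; cafile="$2"
  openssl s_client -connect "$host:636" -CAfile "$cafile" \
    -verify_return_error </dev/null >/dev/null 2>&1
}

# Constructed sample authenticator.properties for the demonstration.
make_sample_config() {
  cat > "$1" <<'EOF'
# constructed sample, not a real Airlock configuration
ldap.0.url=ldap://dc01.example.test:389/DC=example,DC=test
EOF
}
```

Usage: `make_sample_config /tmp/auth.properties; harden_ldap_config /tmp/auth.properties; check_ldap_config /tmp/auth.properties && echo ok`. If `verify_ldaps_server dc01.example.test /tmp/ca.pem` fails while the keystore import looked fine, the imported CA does not sign the certificate the LDAP server actually presents, and enabling ldap.0.backendSSLVerifyHost=true will break the login until that is fixed.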

Restart Configuration Center Authentication Service to activate your changes

  1. Now restart the Configuration Center Authentication Service. To do so, execute this command:
    # service airlock-mgt-tomcat restart
  2. To check if the service is running, execute the following command:
    # service airlock-mgt-tomcat status
  3. The restart needs some time. If the service reports the status "offline" instead of "online", wait about 5-10 seconds before repeating step 2.
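As an added example (not part of this article), the following POSIX shell function automates step 2 and 3: it polls a status command until the output reports "online" or the attempts run out. Note that a naive `grep online` would also match the word "offline", so the function inspects the output with a case statement instead. The status line format "airlock-mgt-tomcat: offline" used by the sample command is constructed for the demonstration; the real `service airlock-mgt-tomcat status` output may look different.

```shell
#!/bin/sh
# Added example: wait for the Configuration Center Authentication Service.

# Poll a status command until it reports "online".
# $1 = maximum number of attempts, $2 = seconds to wait between attempts,
# remaining arguments = the status command to run.
# Returns 0 as soon as the output reports online, 1 when attempts are exhausted.
wait_until_online() {
  max="$1"; delay="$2"; shift 2
  attempt=0
  while [ "$attempt" -lt "$max" ]; do
    out=$("$@" 2>/dev/null)
    case "$out" in
      *offline*) ;;            # "offline" contains "online": must be checked first
      *online*)  return 0 ;;
    esac
    attempt=$((attempt + 1))
    sleep "$delay"
  done
  return 1
}

# Constructed stand-in for "service airlock-mgt-tomcat status": reports offline
# for the first two calls and online from the third call on. The call counter
# lives in the file named by $FAKE_STATE so it survives the $(...) subshell.
fake_status() {
  n=$(cat "$FAKE_STATE")
  n=$((n + 1))
  echo "$n" > "$FAKE_STATE"
  if [ "$n" -ge 3 ]; then
    echo "airlock-mgt-tomcat: online"
  else
    echo "airlock-mgt-tomcat: offline"
  fi
}
```

On the Airlock system the call would be `service airlock-mgt-tomcat restart && wait_until_online 12 5 service airlock-mgt-tomcat status`, which gives the restart up to one minute before reporting failure.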

Once the new LDAP connection works, clean up your /tmp directory and any other location on Airlock where you stored temporary files for this task, such as the CA certificate.