
Using Secure LDAP (LDAPS) in the Airlock Authentication Service

This article describes how to configure authentication with Secure LDAP (LDAPS). It explains which additional steps are needed to implement secure authentication with backend systems.

The steps below are only necessary when using a version of Airlock Authentication Service older than 2.5.8, or when backend SSL certificate verification is enabled explicitly. The default setting in Airlock Authentication Service 2.5.8 is "ldap.0.backendSSLVerifyHost=false". Because this setting was introduced in Authentication Service 2.5.8, it cannot be changed in older versions, so the steps below are necessary there.

The following example is for a connection to a Windows Active Directory Server. It works with Windows Server 2003, 2008 and 2012.

Before you begin, it's necessary to get the CA Windows Domain Certificate as a file. If an IIS with active SSL is running, connect with Internet Explorer, import the CA certificate and then export the certificate from Internet Explorer. If this is not the case, ask the Windows Domain Administrator to generate and export this CA certificate. You don't need the private key of the certificate. Only the public CA certificate is needed.

Please be aware that these settings are lost when Airlock is updated. You therefore have to repeat the actions described in this article after the official Airlock update process.

Import CA certificate

  1. Copy the CA certificate to the /tmp directory on the Airlock system.
  2. Login on the Airlock system as user "root".
  3. Change to the following directory:
    # cd /opt/airlock/java/jre/lib/security

    For Airlock 4.2 use the following command instead:
    # cd /opt/slt/ses/AuthApp/java/jre/lib/security
  4. Enter this command to import the CA certificate:
    # /opt/airlock/java/jre/bin/keytool -import -file /tmp/<your-ca-file> -keystore cacerts -alias <windows-domain>-ca

    If you use Airlock 4.2, you don't need to write the path (# keytool -import ...).
    Example:
    # /opt/airlock/java/jre/bin/keytool -import -file /tmp/mydomain.cert -keystore cacerts -alias mydomain-ca
  5. The keytool asks for a password. The default password for the keystore is "changeit".
  6. To check that the import succeeded, type this command:
    # /opt/airlock/java/jre/bin/keytool -list -v -keystore cacerts -alias <windows-domain>-ca

    Example:
    # /opt/airlock/java/jre/bin/keytool -list -v -keystore cacerts -alias mydomain-ca
  7. Now restart the Authentication Service:
    # service airlock-addon-tomcat restart

    For Airlock 4.2 use the following command instead:
    # /etc/init.d/slt.authApp restart

Modify Authentication Service configuration

  1. Using WinRAR on your PC, open the Authentication Service WAR file.
  2. Change the LDAP entry in the file WEB-INF\classes\authenticator.properties like this:
    ldap.0.url=ldaps://<LDAP server name or IP>:636/DC=<your 1. domain part>,DC=<your 2. domain part>
  3. Deploy the modified Authentication Service WAR file to your Airlock.

Make sure that the old version is overwritten by the new one. The best solution is to remove the old Authentication Service from Tomcat and then install the new one.
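A check that can be run on the modified WAR file before deploying it, as an added example that is not part of the original article or of Airlock itself: it opens the WAR as a zip archive, reads WEB-INF/classes/authenticator.properties and reports LDAP entries that are not ldaps:// URLs or for which backend SSL certificate verification is not enabled. It assumes Authentication Service 2.5.8 or later (where an absent backendSSLVerifyHost defaults to false) and that further LDAP entries follow the same ldap.<n>. naming as ldap.0; the function names and the sample host are constructed for illustration.

```python
import io
import re
import zipfile

# Path inside the WAR, as named in the article (zip entries use forward slashes).
PROPS = "WEB-INF/classes/authenticator.properties"

def parse_properties(text):
    """Minimal key=value reader: skips blank lines and #/! comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_war(war):
    """Return a list of findings for the LDAP settings in a WAR (path or file object)."""
    with zipfile.ZipFile(war) as zf:
        if PROPS not in zf.namelist():
            return [f"{PROPS} not found in WAR"]
        props = parse_properties(zf.read(PROPS).decode("iso-8859-1"))
    # Assumption: additional LDAP backends are numbered ldap.1., ldap.2., ...
    urls = {k: v for k, v in props.items() if re.fullmatch(r"ldap\.\d+\.url", k)}
    findings = [] if urls else ["no ldap.<n>.url entry found"]
    for key, url in sorted(urls.items()):
        prefix = key[:-len("url")]  # e.g. "ldap.0."
        if not url.lower().startswith("ldaps://"):
            findings.append(f"{key}: not an ldaps:// URL")
        # An absent setting is treated as the 2.5.8 default stated in the article (false).
        if props.get(prefix + "backendSSLVerifyHost", "false").lower() != "true":
            findings.append(f"{prefix}backendSSLVerifyHost is not true: "
                            "backend SSL certificate verification is off")
    return findings

def build_sample_war(properties_text):
    """Constructed sample input: an in-memory WAR holding only the properties file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(PROPS, properties_text)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Constructed sample: plain LDAP URL and verification explicitly disabled.
    sample = ("ldap.0.url=ldap://dc1.example.test:389/DC=example,DC=test\n"
              "ldap.0.backendSSLVerifyHost=false\n")
    for finding in check_war(build_sample_war(sample)):
        print("FINDING:", finding)
```

An empty result means every LDAP entry uses LDAPS and has verification enabled, which is the configuration in which the imported CA certificate is actually needed.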

Once the new LDAP connection works, clean up the /tmp directory and any other location on Airlock where you saved temporary files for this task, such as CA certificates.
