LDAP SSL Configuration

The following procedures describe how to configure SSL in an LDAP environment:

BMC does not enforce the strength of the certificate cryptography algorithm used for this connection. BMC recommends that you use a strong certificate cryptography algorithm.

Configuring SSL with LDAP or Active Directory Servers

This procedure describes how to configure SSL between Control-M/EM and LDAP or Active Directory servers.

Begin

  1. Obtain a *.pem format certificate file from the directory server.

    The export process for certificate files differs for each LDAP server vendor. Ask your LDAP server administrator for the correct certificate file. For an example of how to obtain a certificate from Windows Active Directory, see Obtaining a Certificate File from the Windows Active Directory Server.

  2. Rename the file to em_ldap_ssl.pem and copy it into the <Control-M/EM_home>/etc/keystore directory.

  3. Do one of the following:

    • UNIX/Linux:

      1. Verify that a randomness device is installed on the Control-M/EM computer by locating either the random or urandom file in the /dev directory.

        If you find the random file, verify that its path is part of the search path.

      2. If neither of these files exists, do the following:

        • Open the <Control-M/EM_home>/etc/ldap.conf file in a text editor.

        • Locate the #TLS_RANDFILE <Control-M/EM_home>/ini/ssl/rnd.bin line and remove the # character.

        • Save the modified file.

      3. Set an environment variable named LDAPCONF that points to the ldap.conf file. The variable is set by the EM UNIX account profile.

        setenv LDAPCONF <Control-M/EM_home>/etc/ldap.conf

      4. Configure ciphers, as described in Configuring Ciphers for LDAP Connections.

        To change the location and name of the certificate (*.pem) file, set the TLS_CACERT parameter in the <Control-M/EM_directory>/etc/ldap.conf file to the new pathname.

    • Windows: Do the following:

      1. Use the Microsoft MMC utility to install the certificate on your computer.

      2. Limit the SSL connections to the LDAP server by using specific ciphers, as described in Microsoft documentation.

  4. Restart all Control-M/EM components by running the stop_all and start_all commands.
  5. Define an LDAP server that can communicate with Control-M/EM in SSL mode, as described in Defining System Settings.

    If you do not apply all of the above steps, LDAP authentication in SSL mode fails.

    See the following example: Obtaining a Certificate File from the Windows Active Directory Server.

  6. To test the SSL connection from Control-M/EM to the LDAP server, run the following command:

    openssl s_client -connect <LDAP Server hostname>:<port> -CAfile <Control-M/EM Home>/etc/keystore/em_ldap_ssl.pem

    The default port for SSL connections to the LDAP server is 636.

    If you are working in a High Availability environment, save the file to the same location in both installations.
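
Added example (not part of the BMC procedure): the test in step 6 completes the connection and prints session details even when the server certificate does not chain to em_ldap_ssl.pem, so the result has to be read from the Verify return code line. The function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example, not BMC code. s_client prints the negotiated session even
# when the server certificate does not chain to -CAfile, so the verdict is
# the "Verify return code" line, not the fact that a connection was made.

# summarize_s_client: read s_client output on stdin and print
# "<TRUSTED|UNTRUSTED> <verify code> <protocol> <cipher>".
# Status: 0 trusted, 1 verification failed, 2 no TLS handshake seen.
summarize_s_client() {
    awk '
        /^New, .*Cipher is /  { proto = $2; sub(/,$/, "", proto); cipher = $NF }
        /Verify return code:/ { code = $4 }
        END {
            if (code == "" || cipher == "" || cipher == "(NONE)") {
                print "NO-HANDSHAKE"; exit 2
            }
            verdict = (code == 0) ? "TRUSTED" : "UNTRUSTED"
            print verdict, code, proto, cipher
            exit (code == 0 ? 0 : 1)
        }'
}

# check_ldaps HOST PORT CAFILE: run the test from step 6 and summarize it.
check_ldaps() {
    # stdin from /dev/null makes s_client exit once the handshake is done.
    openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>&1 |
        summarize_s_client
}

# Constructed s_client output for a server whose issuer is missing from the
# CA file (host name and values are illustrative).
sample_untrusted() {
cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = dc01.example.test
verify error:num=20:unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}

# Demo on the sample; on a real host: check_ldaps <hostname> 636 <pem file>
sample_untrusted | summarize_s_client || echo "certificate chain is not trusted"
```

A non-zero verify code usually means em_ldap_ssl.pem does not contain the CA that issued the directory server's certificate.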

Configuring Ciphers for LDAP Connections

This procedure describes how to configure ciphers for Control-M/EM on UNIX/Linux that connect to an LDAP server.

Begin

  1. View the supported ciphers by running the following command:

    openssl ciphers -V TLSv1.2

    You can also filter the ciphers according to a specific protocol by passing the protocol name as a parameter to this openssl command.

  2. Limit the ciphers used by this SSL connection by adding a parameter named TLS_CIPHER_SUITE to the <Control-M/EM Home>/etc/ldap.conf file.

    The value of this parameter specifies the group of allowed ciphers.

    You can specify a single cipher or a group of ciphers as the value for this option.

  3. Use the following syntax between the ciphers and cipher groups:

    • : (colon): Includes

    • :! : Excludes

    • + : Moves to last in the cipher list.

    For example:

      TLSv1.2+RSA:!EXPORT:!NULL

    This value includes all TLSv1.2 ciphers, with the RSA ciphers at the bottom of the list, and excludes all export ciphers and null ciphers.
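
Added example (not BMC code) for checking what a TLS_CIPHER_SUITE value actually allows before restarting Control-M/EM. It assumes the value is interpreted as an OpenSSL cipher list; because OpenSSL also defines a + between two names as a logical AND of the two groups, expanding the value is the reliable way to see what it selects. The function names and sample lines are constructed.

```sh
#!/bin/sh
# Added example, not BMC code. Assumes TLS_CIPHER_SUITE is read as an OpenSSL
# cipher list, as the procedure's use of `openssl ciphers` implies.

# conf_value FILE KEY: print the value of the last uncommented KEY line.
conf_value() {
    awk -v key="$2" '$1 == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); val = $0 }
                     END { print val }' "$1"
}

# weak_suites: read `openssl ciphers -V` lines on stdin and print
# "<suite> <reasons>" for every suite that should not be offered.
weak_suites() {
    awk '$2 == "-" {
        why = ""
        if ($0 ~ /Enc=None/)                 why = why ",no-encryption"
        if ($0 ~ /Au=None/)                  why = why ",anonymous"
        if ($0 ~ /Enc=(RC4|RC2|DES|3DES)\(/) why = why ",legacy-cipher"
        if ($0 ~ /Mac=MD5/)                  why = why ",md5-mac"
        if ($NF == "export")                 why = why ",export-grade"
        if (why != "") print $3, substr(why, 2)
    }'
}

# audit_conf FILE: expand the configured list with the local openssl binary
# and fail (status 1) if the list is unset or still contains weak suites.
audit_conf() {
    suite=$(conf_value "$1" TLS_CIPHER_SUITE)
    [ -n "$suite" ] || { echo "TLS_CIPHER_SUITE is not set in $1"; return 1; }
    found=$(openssl ciphers -V "$suite" | weak_suites)
    [ -z "$found" ] || { echo "$found"; return 1; }
}

# Constructed sample of `openssl ciphers -V` output (not from a real host).
sample_ciphers() {
cat <<'EOF'
 0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
 0x00,0x3B - NULL-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=None Mac=SHA256
 0x00,0x0A - DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
 0x00,0x03 - EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
 0x00,0x6C - ADH-AES128-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(128) Mac=SHA256
EOF
}

# Demo on the sample; on a Control-M/EM host run: audit_conf "$LDAPCONF"
sample_ciphers | weak_suites
```

An empty result from audit_conf means the expanded list contains none of the flagged suite types; it does not confirm which suite the LDAP server will negotiate.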

Obtaining a Certificate File from the Windows Active Directory Server

This procedure describes how to obtain a certificate file from the Windows Active Directory server. The *.pem format certificate filename must be renamed em_ldap_ssl.pem.

Begin

  1. Select Programs > Administrative Tools > Certification Authority to open the Certification Authority application.

  2. Right-click Certification Authority, and select Properties.

  3. Click View Certificate to view the certificate’s page.

  4. In the Details tab, click Copy to file to start the Certificate Export Wizard.

  5. In the Export File Format page, select the Base-64 Encoded X.509 (*.cer) format and click Next.

  6. Enter a filename with a *.cer extension that includes the Active Directory server name.

  7. Complete the steps in the wizard to create an exported copy of the Certification Authority for the Active Directory server.

  8. Convert the certificate from *.cer format to *.pem format as follows:

    1. Using FTP or another file copying application, copy the Active Directory server certificate file you just created to a system on which the Active Directory client runs.

    2. Log in to the system where you copied the certificate and run the following command:

      openssl x509 -in <AD certificate name> -out em_ldap_ssl.pem

      where <AD certificate name> represents the filename given above.