This procedure describes how to configure SSL between Control-M/EM and LDAP or Active Directory servers.
To configure SSL:
The export process of certificate files is different for each LDAP server vendor. Refer to your LDAP server administrator to obtain the correct certificate file. For an example of how to obtain a certificate from the Windows Active Directory, see Obtaining a certificate file from the Windows Active Directory server.
If you find the random file, verify that its path is part of the search path.
1. Open the <Control-M/EM_directory>/etc/ldap.conf file in a text editor.
2. Locate the #TLS_RANDFILE <Control-M/EM_directory>/ini/ssl/rnd.bin line and remove the leading # character to uncomment it.
3. Save the modified file.
EXAMPLE: setenv LDAPCONF <Control-M/EM_directory>/etc/ldap.conf
NOTE: The location and name of the certificate (.pem) file can be changed by setting the TLS_CACERT parameter in the <Control-M/EM_directory>/etc/ldap.conf file to the new path and name.
a. Use the Microsoft MMC utility to install the certificate on your computer.
b. Limit the SSL connections to the LDAP server by using specific ciphers, as described in Microsoft documentation.
If you do not apply all of the above steps, LDAP authentication in SSL mode fails.
See the following example: Obtaining a certificate file from the Windows Active Directory server.
openssl s_client -connect <LDAP Server hostname>:<port> -CAfile <Control-M/EM Home Directory>/etc/keystore/em_ldap_ssl.pem
The default port for SSL connections to the LDAP server is 636.
NOTE: If you are working in a high availability environment, place the file in the same location in both installations.
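The following script is an added example, not part of the Control-M/EM documentation: it checks the ldap.conf settings this procedure edits (TLS_CACERT and TLS_RANDFILE) and wraps the openssl s_client verification above so that a connection only counts as good when the server's chain verifies against the CA file. It assumes OpenLDAP-style ldap.conf syntax ("KEY value", '#' comments) and that openssl is on the PATH.

```shell
#!/bin/sh
# Added example, not part of the Control-M/EM documentation: sanity-check the
# ldap.conf settings this procedure edits, then verify the LDAPS connection the
# same way the openssl s_client command above does. Assumes OpenLDAP-style
# ldap.conf syntax ("KEY value", lines starting with '#' are comments).

# conf_value FILE KEY: print the value of the first uncommented KEY line
# (a line such as "#TLS_RANDFILE ..." does not match, so nothing is printed).
conf_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# check_ldap_ssl_conf FILE: return 0 when TLS_CACERT names a readable PEM
# certificate and TLS_RANDFILE has been uncommented (steps 1-3 above);
# otherwise report each missing item and return 1.
check_ldap_ssl_conf() {
    conf="$1"; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }

    cacert=$(conf_value "$conf" TLS_CACERT)
    if [ -z "$cacert" ]; then
        echo "TLS_CACERT is not set in $conf"; rc=1
    elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cacert" 2>/dev/null; then
        echo "TLS_CACERT $cacert is missing or not a PEM certificate"; rc=1
    fi

    randfile=$(conf_value "$conf" TLS_RANDFILE)
    if [ -z "$randfile" ]; then
        echo "TLS_RANDFILE is still commented out in $conf"; rc=1
    fi
    return $rc
}

# ldaps_verify HOST [PORT] [CAFILE]: return 0 only when the server's certificate
# chain verifies against CAFILE (openssl reports "Verify return code: 0 (ok)").
# PORT defaults to 636; CAFILE defaults to TLS_CACERT from the file in $LDAPCONF.
ldaps_verify() {
    host="$1"; port="${2:-636}"; cafile="$3"
    if [ -z "$cafile" ] && [ -n "$LDAPCONF" ]; then
        cafile=$(conf_value "$LDAPCONF" TLS_CACERT)
    fi
    [ -n "$cafile" ] || { echo "no CA file given and LDAPCONF is not set"; return 2; }
    openssl s_client -connect "$host:$port" -CAfile "$cafile" </dev/null 2>&1 \
        | grep -q 'Verify return code: 0 (ok)'
}
```

Run check_ldap_ssl_conf against the ldap.conf named in LDAPCONF after step 3, then ldaps_verify <LDAP Server hostname> to confirm the chain verifies rather than only that the port answers.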