Configuring SSL with LDAP or Active Directory servers

This procedure describes how to configure SSL between Control-M/EM and LDAP or Active Directory servers.

To configure SSL:

1. Obtain a .pem format certificate file from the directory server.

   The export process of certificate files is different for each LDAP server vendor. Refer to your LDAP server administrator to obtain the correct certificate file. For an example on how to obtain a certificate from the Windows Active Directory, see Obtaining a certificate file from the Windows Active Directory server.

2. Rename the file to em_ldap_ssl.pem. and copy it into the <Control-M/EM_directory>\etc\keystore directory.
3. Do one of the following:
   • UNIX:
     1. Verify that a randomness device is installed on the Control-M/EM computer by locating either the random or urandom file in the /dev directory.

        If you find the random file, verify that its path is part of the search path.

     2. If neither of these files exist, do the following:

        1. Open the <Control-M/EM_directory>/etc/ldap.conf file in a text editor.

        2. Locate the #TLS_RANDFILE <Control-M/EM_directory>/ini/ssl/rnd.bin line and remove the # character.

        3. Save the modified file.

     3. Set an environment variable named LDAPCONF with a value pointing to the ldap.conf file, which gets set by the EM UNIX account profile.

        EXAMPLE: setenv LDAPCONF <Control-M/EM_directory>/etc/ldap.conf

     4. Configure ciphers, as described in Configuring ciphers for LDAP connections.

   NOTE: The location and name of the certificate (.pem) file can be changed by configuring the TLS_CACERT parameter value in the <Control-M/EM_directory>/etc/ldap.conf file for the new path and name.

   • Windows: Do the following:

     a. Use the Microsoft MMC utility to install the certificate on your computer.

     b. Limit the SSL connections to the LDAP server by using specific ciphers, as described in Microsoft documentation.

4. Restart all Control-M/EM components by applying stop_all and start_all commands.
5. Define an LDAP server that can communicate with Control-M/EM in SSL mode, as described in Defining LDAP system parameters.

   If you do not apply all of the above steps, LDAP authentication in SSL mode fails.

   See the following example: Obtaining a certificate file from the Windows Active Directory server.

6. To test the SSL connection Control-M/EM to the LDAP server, run the following:

   openssl s_client -connect <LDAP Server hostname>:<port> -CAfile <Control-M/EM Home Directory>/etc/keystore/em_ldap_ssl.pem

   The default port for SSL connections to the LDAP server is 636.

   NOTE: If you are working in a high availability environment, place the file in the same location in both installations.