When you install Moab HPC Suite, you will need to configure an LDAP or Active Directory connection for user authentication.
If you do not yet use LDAP or Active Directory, Setting up OpenLDAP on CentOS 6 contains detailed instructions to help you get started.
Before you set up the LDAP/Active Directory SSL connection, you must first get Viewpoint to trust the LDAP server's X.509 certificate. These instructions explain how to do this.
To configure Viewpoint to trust the LDAP/Active Directory server certificate
If the LDAP server's X.509 certificate was signed by a commercial certificate authority (CA), such as Verisign, then Viewpoint should trust the certificate automatically. However, if the certificate was not signed by a commercial CA, then you will need to configure Viewpoint to trust this certificate. To do so, you will add the certificate to the keystore of your Java Runtime Environment (JRE). A keystore is a repository of trusted certificates. The keystore to which you will add the certificate is stored in a file named cacerts.
$ locate cacerts | grep jre
/usr/java/jre1.6.0_32/lib/security/cacerts
$ file /usr/java/jre1.6.0_32/lib/security/cacerts
/usr/java/jre1.6.0_32/lib/security/cacerts: Java KeyStore
If your LDAP server certificate was named, for example, "myLdapServer.pem," the return should look something like this:
$ head -c 200 ~/myLdapServer.pem
-----BEGIN CERTIFICATE-----
MIICmDCCAgGgAwIBAgIJAKT87UQ6OzxZMA0GCSqGSIb3DQEBBQUAMGQxCzAJBgNV
BAYTAlVTMQswCQYDVQQIDAJVVDEOMAwGA1UEBwwFUHJvdm8xEjAQBgNVBAoMCUFj
$ locate keytool | grep jre | grep bin
/usr/java/jre1.6.0_32/bin/keytool
$ export PATH=$PATH:/usr/java/jre1.6.0_32/bin
$ which keytool
/usr/java/jre1.6.0_32/bin/keytool
If you have multiple JREs on your system, you will need to configure the keystore for the JRE that Tomcat uses.
$ keytool -import -trustcacerts -file ~/myLdapServer.pem -alias myLdapServer -keystore /usr/java/jre1.6.0_32/lib/security/cacerts
Enter keystore password: changeit
...
Trust this certificate? [no]: yes
Certificate was added to keystore
$ keytool -list -v -keystore /usr/java/jre1.6.0_32/lib/security/cacerts | grep myLdapServer
Enter keystore password: changeit
Alias name: myLdapServer
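A certificate added to cacerts becomes a trust anchor for every TLS connection made from that JRE, so it is worth confirming the file's fingerprint against a value obtained from the LDAP administrator out of band before answering "yes" to keytool. The script below is an added example, not part of the original instructions; the function names and the EXPECTED_FP placeholder are assumptions, and it relies on GNU base64 and sha256sum.

```shell
#!/bin/sh
# Added example: pre-import check for the certificate file used above.
# Function names are hypothetical; requires grep, sed, tr, base64, sha256sum.

# Print the SHA-256 of the DER bytes inside the PEM armor (lowercase hex).
pem_sha256() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" |
        grep -v -- '-----' | tr -d ' \r\n' | base64 -d | sha256sum | cut -d' ' -f1
}

# Accept "AB:CD:..." (as printed by `openssl x509 -fingerprint -sha256`)
# or plain hex, and reduce either form to lowercase hex without separators.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# Succeeds (and prints the fingerprint) only if the file holds exactly one
# certificate whose fingerprint equals the value supplied out of band.
check_ldap_cert() {
    pem=$1
    expected=$2
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" 2>/dev/null || true)
    if [ "${count:-0}" != "1" ]; then
        echo "refusing: expected exactly 1 certificate, found ${count:-0}" >&2
        return 1
    fi
    actual=$(pem_sha256 "$pem")
    if [ "$actual" != "$(normalize_fp "$expected")" ]; then
        echo "refusing: fingerprint mismatch (file has $actual)" >&2
        return 1
    fi
    echo "$actual"
}

# Usage (EXPECTED_FP is a placeholder for the administrator-supplied value):
#   check_ldap_cert ~/myLdapServer.pem "$EXPECTED_FP" &&
#       keytool -import -trustcacerts -file ~/myLdapServer.pem \
#           -alias myLdapServer -keystore /usr/java/jre1.6.0_32/lib/security/cacerts
```

The single-certificate check ensures the fingerprint covers exactly one certificate rather than a bundle whose other entries were never verified.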