
Securing a Viewpoint-LDAP/Active Directory connection

When you install Viewpoint, you will need to configure an LDAP or Active Directory connection for user authentication. This is a two-part process. First, you need to configure Viewpoint to trust the LDAP/Active Directory server certificate. Next, you must authenticate the Viewpoint-LDAP/Active Directory connection in the Viewpoint Configuration interface (for details, see Setting the LDAP configuration).

If you do not yet use LDAP or Active Directory, Setting up OpenLDAP on CentOS 6 contains detailed instructions to help you get started.

Before you set up the LDAP/Active Directory SSL connection, you must first get Viewpoint to trust the LDAP server's X.509 certificate. These instructions explain how to do this.

To configure Viewpoint to trust the LDAP/Active Directory server certificate

If the LDAP server's X.509 certificate was signed by a commercial certificate authority (CA), such as VeriSign, then Viewpoint should trust the certificate automatically. However, if the certificate was not signed by a commercial CA, then you will need to configure Viewpoint to trust this certificate. To do so, you will add the certificate to the keystore of your Java Runtime Environment (JRE). A keystore is a repository of trusted certificates. The keystore you will want to add the certificate to is stored in a file named cacerts.

  1. To find cacerts, run the following:

     $ locate cacerts | grep jre
     /usr/java/jre1.6.0_32/lib/security/cacerts

  2. Verify that cacerts is a valid keystore by running the following:

     $ file /usr/java/jre1.6.0_32/lib/security/cacerts
     /usr/java/jre1.6.0_32/lib/security/cacerts: Java KeyStore

  3. Check that the LDAP server certificate is a PEM-encoded file. If your LDAP server certificate was named, for example, "myLdapServer.pem", the output should look something like this:

     $ head -c 200 ~/myLdapServer.pem
     -----BEGIN CERTIFICATE-----
     MIICmDCCAgGgAwIBAgIJAKT87UQ6OzxZMA0GCSqGSIb3DQEBBQUAMGQxCzAJBgNV
     BAYTAlVTMQswCQYDVQQIDAJVVDEOMAwGA1UEBwwFUHJvdm8xEjAQBgNVBAoMCUFj

  4. The keytool utility that is bundled with the JRE can be used to add the certificate to the cacerts keystore. If keytool is not already in your path, locate it with the locate command and add the folder that contains keytool to your PATH environment variable. For example:

     $ locate keytool | grep jre | grep bin
     /usr/java/jre1.6.0_32/bin/keytool

     $ export PATH=$PATH:/usr/java/jre1.6.0_32/bin
     $ which keytool
     /usr/java/jre1.6.0_32/bin/keytool

     If you have multiple JREs on your system, you will need to configure the keystore for the JRE that Tomcat uses.

  5. Import the LDAP server .pem file (in this example, "myLdapServer.pem") into the cacerts keystore by running the following:

     $ keytool -import -trustcacerts -file ~/myLdapServer.pem -alias myLdapServer -keystore /usr/java/jre1.6.0_32/lib/security/cacerts
     Enter keystore password: changeit
     ...
     Trust this certificate? [no]:  yes
     Certificate was added to keystore

     The default keystore password is "changeit".

  6. To verify that your certificate was added, use keytool to list all certificates and make sure your newly added certificate is returned. For example:

     $ keytool -list -v -keystore /usr/java/jre1.6.0_32/lib/security/cacerts | grep myLdapServer
     Enter keystore password:  changeit
     Alias name: myLdapServer
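As an added example (not from the Viewpoint documentation), the following POSIX shell script wraps the import above in the checks a practitioner would want: that the file really is a PEM certificate, that cacerts really is a Java KeyStore, and that the certificate's SHA-256 fingerprint is displayed so it can be compared with the value the LDAP administrator supplied before answering "yes" to keytool's prompt. The JRE path and the "changeit" password come from the page; the CACERTS, KEYSTORE_PASS and RUN_IMPORT variables and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Viewpoint's own code. CACERTS defaults to the JRE path used
# on this page; the variable and function names are assumptions.
CACERTS="${CACERTS:-/usr/java/jre1.6.0_32/lib/security/cacerts}"
KEYSTORE_PASS="${KEYSTORE_PASS:-changeit}"   # the JRE default shown on the page

# Return 0 if the file contains a PEM-encoded certificate (the head -c 200 check, made strict).
pem_has_cert() {
  grep -q '^-----BEGIN CERTIFICATE-----' "$1" && grep -q '^-----END CERTIFICATE-----' "$1"
}

# Return 0 if the file starts with the JKS magic 0xFEEDFEED, which is what
# `file` reports as "Java KeyStore" for the JRE 1.6 cacerts file.
is_java_keystore() {
  [ "$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')" = "feedfeed" ]
}

# Print the certificate's SHA-256 fingerprint so the operator can compare it with
# the value obtained out of band from the LDAP administrator.
show_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Check inputs, import the certificate, then confirm the alias is present.
import_and_verify() {
  cert=$1; alias=$2
  pem_has_cert "$cert" || { echo "$cert is not a PEM certificate" >&2; return 1; }
  is_java_keystore "$CACERTS" || { echo "$CACERTS is not a Java KeyStore" >&2; return 1; }
  show_fingerprint "$cert" || return 1
  # No -noprompt: keytool prints the certificate and asks "Trust this certificate?",
  # which is the moment to compare the fingerprint printed above.
  keytool -import -trustcacerts -file "$cert" -alias "$alias" \
    -keystore "$CACERTS" -storepass "$KEYSTORE_PASS" || return 1
  # keytool -list exits non-zero when the alias does not exist in the keystore.
  keytool -list -keystore "$CACERTS" -storepass "$KEYSTORE_PASS" -alias "$alias"
}

# Usage (runs only when explicitly requested, because it modifies the JRE keystore):
#   RUN_IMPORT=1 sh import-ldap-cert.sh ~/myLdapServer.pem myLdapServer
if [ -n "$RUN_IMPORT" ]; then
  import_and_verify "$1" "$2"
fi
```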

Now you are ready to configure the LDAP connection in Viewpoint. For more information, see Setting the LDAP configuration.

© 2013 Adaptive Computing