When you install Viewpoint, you will need to configure an LDAP or Active Directory connection for user authentication. This is a two-part process. First, you need to configure Viewpoint to trust the LDAP/Active Directory server certificate. Next, you must authenticate the Viewpoint-LDAP/Active Directory connection in the Viewpoint Configuration interface (for details, see Setting the LDAP configuration).
If you do not yet use LDAP or Active Directory, Setting up OpenLDAP on CentOS 6 contains detailed instructions to help you get started.
Before you set up the LDAP/Active Directory SSL connection, you must first get Viewpoint to trust the LDAP server's X.509 certificate. These instructions explain how to do this.
To configure Viewpoint to trust the LDAP/Active Directory server certificate
If the LDAP server's X.509 certificate was signed by a commercial certificate authority (CA), such as VeriSign, then Viewpoint should trust the certificate automatically. However, if the certificate was not signed by a commercial CA, then you will need to configure Viewpoint to trust this certificate. To do so, you will add the certificate to the keystore of your Java Runtime Environment (JRE). A keystore is a repository of trusted certificates. The keystore you will want to add the certificate to is stored in a file named cacerts.
$ locate cacerts | grep jre
/usr/java/jre1.6.0_32/lib/security/cacerts

$ file /usr/java/jre1.6.0_32/lib/security/cacerts
/usr/java/jre1.6.0_32/lib/security/cacerts: Java KeyStore
If your LDAP server certificate is named, for example, "myLdapServer.pem", the output should look something like this:
$ head -c 200 ~/myLdapServer.pem
-----BEGIN CERTIFICATE-----
MIICmDCCAgGgAwIBAgIJAKT87UQ6OzxZMA0GCSqGSIb3DQEBBQUAMGQxCzAJBgNV
BAYTAlVTMQswCQYDVQQIDAJVVDEOMAwGA1UEBwwFUHJvdm8xEjAQBgNVBAoMCUFj

$ locate keytool | grep jre | grep bin
/usr/java/jre1.6.0_32/bin/keytool
$ export PATH=$PATH:/usr/java/jre1.6.0_32/bin
$ which keytool
/usr/java/jre1.6.0_32/bin/keytool
If you have multiple JREs on your system, you will need to configure the keystore for the JRE that Tomcat uses.
$ keytool -import -trustcacerts -file ~/myLdapServer.pem -alias myLdapServer -keystore /usr/java/jre1.6.0_32/lib/security/cacerts
Enter keystore password: changeit
...
Trust this certificate? [no]: yes
Certificate was added to keystore

$ keytool -list -v -keystore /usr/java/jre1.6.0_32/lib/security/cacerts | grep myLdapServer
Enter keystore password: changeit
Alias name: myLdapServer
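Answering "yes" at the "Trust this certificate?" prompt makes the JRE trust whatever file was supplied, so the file should be checked first. The script below is an added example, not part of the original Viewpoint documentation: it compares the certificate's SHA-256 fingerprint with one obtained out of band from the LDAP administrator, rejects a certificate that is about to expire, backs up cacerts, and only then runs keytool. The function names and the four-argument usage are assumptions, and it requires the openssl command-line tool.

```bash
# Added example: verify an LDAP server certificate before importing it
# into a JRE cacerts keystore. All function names are hypothetical.

# Print the SHA-256 fingerprint of a PEM certificate as lowercase hex.
cert_fingerprint() {
    local out
    out=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    printf '%s' "${out#*=}" | tr -d ':' | tr 'A-F' 'a-f'
}

# Normalize a fingerprint received out of band (colons, spaces, mixed case).
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Return 0 only if the file parses as X.509, matches the expected
# fingerprint, and does not expire within the next 24 hours.
verify_cert() {
    local pem="$1" expected actual
    expected=$(normalize_fp "$2")
    actual=$(cert_fingerprint "$pem") ||
        { echo "not a valid PEM certificate: $pem" >&2; return 2; }
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: got $actual" >&2
        return 3
    fi
    openssl x509 -in "$pem" -noout -checkend 86400 >/dev/null ||
        { echo "certificate expired or expires within 24h" >&2; return 4; }
}

# Verify, back up the keystore, then import. -noprompt skips the
# "Trust this certificate?" question because the check was done above;
# keytool still asks for the keystore password interactively.
import_ldap_cert() {
    local pem="$1" fp="$2" alias="$3" keystore="$4"
    verify_cert "$pem" "$fp" || return
    cp -p "$keystore" "$keystore.bak.$(date +%Y%m%d%H%M%S)" || return
    keytool -import -noprompt -trustcacerts -file "$pem" \
        -alias "$alias" -keystore "$keystore"
}

# Usage: SCRIPT CERT.pem EXPECTED_SHA256 ALIAS KEYSTORE
if [ "$#" -eq 4 ]; then
    import_ldap_cert "$@"
fi
```

Run it with the same JRE keystore path that Tomcat uses, for example the cacerts file located in the earlier step.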
Now you are ready to configure the LDAP connection in Viewpoint. For more information, see Setting the LDAP configuration.