This article describes how to configure RiskVision to connect to Active Directory for user authentication using Secure LDAP and certificates.
In order to leverage this functionality, the AD server (or servers if a DNS alias is to be used) must be configured to accept secure LDAP requests and must have a certificate (X.509 format preferably) available for RiskVision’s use.
- The first step is to create a keystore for the AD certificate(s). The keystore holds the private key that the RiskVision server will use to authenticate itself to the remote AD server. Execute this command within a command shell (the dashes are part of the keytool options):
- %AGILIANCE_HOME%\java\bin\keytool -genkey -keyalg RSA -keystore path\to\keystore.jks
- The user will be prompted for the name and organizational details for the keystore, as well as a password that will be needed later.
- After obtaining the AD server’s certificate, import it into the newly created keystore using this command and the password that was specified earlier:
- %AGILIANCE_HOME%\java\bin\keytool -import -alias ldapCert -file path\to\cert.cer -keystore path\to\keystore.jks
- NOTE: Microsoft's Certificate Manager has an option to export a certificate to pkcs12 format. If that is used, the following commands, which require the Win32 OpenSSL binaries to be installed, convert the exported cert.p7b file to X.509 (PEM) format:
- openssl pkcs7 -in cert.p7b -print_certs -out out.pem
- openssl x509 -in out.pem -out server.cer
- A truststore will need to be created for trusted certificates, such as the one used by the remote AD server or those of the certificate authorities used to verify other identities:
- %AGILIANCE_HOME%\java\bin\keytool -genkey -keyalg RSA -keystore \path\to\truststore.jks
- As with the keystore, the user will be prompted to supply a password and organizational details for the truststore
- Import the trusted public key into the truststore with this command:
- %AGILIANCE_HOME%\java\bin\keytool -import -v -trustcacerts -alias CAcert -file \path\to\ca_cert.cer -keystore \path\to\truststore.jks
- Stop Apache Tomcat
- Open the Windows Registry by running regedit and locate the following registry key:
- 32-bit installation: HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Procrun 2.0\Tomcat5\Parameters\Java
- 64-bit installation: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software
- Add the following entries to the Options value (one per line, no spaces inside a property name):
- -Djavax.net.ssl.keyStore=\path\to\keystore.jks
- -Djavax.net.ssl.keyStoreType=JKS
- -Djavax.net.ssl.algorithm=SHA1withRSA
- -Djavax.net.ssl.keyStorePassword=<keystore password>
- -Djavax.net.ssl.trustStore=\path\to\truststore.jks
- -Djavax.net.ssl.trustStoreType=JKS
- -Djavax.net.ssl.trustStorePassword=<truststore password>
- Close the registry and restart the Apache Tomcat service
- Log in as administrator, go to Administration > Connectors and click the Authentication Connector link
- In the Configuration view, provide the IP address or hostname of the AD server and select Secure LDAP from the protocol drop-down list. Also provide the top-level domain for the directory (e.g., company.com, which resolves automatically to dc=company,dc=com). If the customer needs to search AD for user accounts, an account with read access to the directory must also be supplied.
- After the configuration has been saved, the user can click the Commands tab to test the authentication connector setup.
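The keystore and truststore built above are easy to get subtly wrong (wrong password, AD certificate imported into the keystore instead of the truststore, an expired certificate, a certificate issued to a name other than the host configured in the connector), and the only feedback after the Tomcat restart is a failed login. The following Java program is an added example, not part of this article or of RiskVision: it loads both JKS files with the same javax.net.ssl settings Tomcat will use, lists every entry with its expiry, checks that the keystore really holds a private key, and optionally performs a TLS handshake (no LDAP bind) against the AD server with hostname verification enabled. The class name, the argument order and the assumption that the key password equals the keystore password (keytool's default when Enter is pressed at the key-password prompt) are all hypothetical choices made for this example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/*
 * Pre-flight check for the keystore/truststore pair before they are wired into
 * Tomcat's javax.net.ssl.* options. Hypothetical helper for this article, not
 * RiskVision code.
 *
 *   java LdapsStoreCheck keystore.jks <ksPass> truststore.jks <tsPass> [ad-host 636]
 *
 * Without host/port only the stores are inspected. With them, a TLS handshake is
 * attempted using exactly these stores, so a failure here is the same failure
 * Tomcat would hit after the restart.
 */
public class LdapsStoreCheck {

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);   // a wrong store password throws IOException here
        }
        return ks;
    }

    /* Print every entry with its type and expiry, so an expired AD certificate or a
       truststore that still holds only the -genkey placeholder stands out. */
    static void describe(String label, KeyStore ks) throws Exception {
        Date now = new Date();
        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(alias) ? "private key" : "trusted cert";
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate cert = (X509Certificate) c;
            String status = cert.getNotAfter().before(now)
                    ? "EXPIRED " + cert.getNotAfter()
                    : "valid until " + cert.getNotAfter();
            System.out.printf("%-10s %-12s %-12s %s [%s]%n", label, alias, kind,
                    cert.getSubjectX500Principal().getName(), status);
        }
    }

    static boolean hasPrivateKey(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) return true;
        }
        return false;
    }

    static void handshake(KeyStore keyStore, char[] keyPass, KeyStore trustStore,
                          String host, int port) throws Exception {
        // Assumption: key password == keystore password (keytool's default).
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            // Verify the server certificate's name against the host we dialled, as an
            // LDAPS client should; a certificate issued to another name fails here.
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("LDAPS");
            sock.setSSLParameters(params);
            sock.startHandshake();
            X509Certificate peer = (X509Certificate) sock.getSession().getPeerCertificates()[0];
            System.out.printf("handshake ok: %s, server cert %s, issued by %s%n",
                    sock.getSession().getProtocol(),
                    peer.getSubjectX500Principal().getName(),
                    peer.getIssuerX500Principal().getName());
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4 && args.length != 6) {
            System.err.println("usage: LdapsStoreCheck keystore.jks ksPass truststore.jks tsPass [host port]");
            System.exit(2);
        }
        char[] ksPass = args[1].toCharArray();
        KeyStore keyStore = load(args[0], ksPass);
        KeyStore trustStore = load(args[2], args[3].toCharArray());
        describe("keystore", keyStore);
        describe("truststore", trustStore);
        if (!hasPrivateKey(keyStore)) {
            System.err.println("keystore has no private key entry; rerun keytool -genkey");
            System.exit(1);
        }
        if (args.length == 6) {
            handshake(keyStore, ksPass, trustStore, args[4], Integer.parseInt(args[5]));
        }
    }
}
```

Run it with the same JRE Tomcat uses (%AGILIANCE_HOME%\java\bin\java) so that the JKS handling and the default trust-manager algorithm match what the service will see. A handshake that fails with a "unable to find valid certification path" message means the CA or server certificate was not imported into the truststore given to -Djavax.net.ssl.trustStore; a hostname mismatch means the connector should be configured with the name that appears in the AD server's certificate rather than an IP address or an unlisted alias.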