
Setting up VMTurbo to communicate to Secure LDAP (LDAPS)

Blog Post created by andrea.meyer on May 18, 2014

I’d like to connect to our Active Directory Server using the ‘Secure’ option in VMTurbo, how do I achieve this?

 

First, the domain itself has to be configured to use LDAPS. Please refer to Microsoft documentation on how to configure LDAPS.

In this document we will be using a Windows 2008 R2 domain with the Enterprise CA role installed on the domain controller. This configuration enables LDAPS automatically.

 

Please note: If you are using a subordinate CA tied to the root CA, you will need to add both certificates separately to the secure.jks file inside VMTurbo OpsMan. *** If you are using a single SSL certificate, please ignore the instructions marked *** below.

 

1. Save the SSL certificate information from your LDAPS server to a .CER file (one way to accomplish this is by viewing the certificate properties and using Save As.. or Export to get a .CER file).

    *** Save the subordinate SSL certificate information from your LDAPS server to another .CER file with a different name.

2. Now SCP (secure copy) this .CER file from the PC/Mac/etc. on which you saved it to the /tmp directory on the VMTurbo appliance, using the credentials root/vmturbo.

    *** If using a subordinate cert, please repeat the step above for the second .CER file.

 

3. Next, open an ssh session to the VMTurbo appliance using root/vmturbo.

4. cd /tmp

5. Run the following command: keytool -import -alias secure -file secure.cer -keystore secure.jks (where secure.cer is your root SSL certificate)

    • The above example assumes you’ve saved the .CER file with the name ‘secure.cer’; replace all instances of ‘secure’ with your file name.
    • Create a keystore password if asked to do so.
    • The ‘secure.jks’ file has been saved to /tmp.

    *** Run the following command for the subordinate .CER file: keytool -import -file secure2.cer -keystore secure.jks (where secure2.cer is your subordinate SSL certificate). Create a keystore password if asked to do so.

 

6. Copy the .jks file to /etc/ssl/certs by running the following command from the ssh session:

    • cp secure.jks /etc/ssl/certs

7. Next we have to tell Tomcat to use this keystore and .jks file by editing the Tomcat config file:

    • vi /etc/tomcat/tomcat.conf (or vi /etc/tomcat6/tomcat6.conf for pre-4.0 releases)
    • Now append the following to the CATALINA_OPTS variable at the end of the file: "-Djavax.net.ssl.trustStore=/etc/ssl/certs/secure.jks"
    • Such that the whole CATALINA_OPTS= line looks like:

          CATALINA_OPTS="-Djavax.net.ssl.trustStore=/etc/ssl/certs/secure.jks"

 

8. Next we have to restart Tomcat so it picks up the new keystore:

9. From the ssh session run: service tomcat restart (for versions of VMTurbo greater than 4.x)

    Note: For versions of VMTurbo below v4.x use: service tomcat6 restart

 

10. Now go to your web browser and log in to VMTurbo.

11. Go to the Admin tab >> User Authentication.

12. Add the Active Directory server name and check the ‘Secure’ checkbox, then click the ‘Apply’ button.

    • Note: If you already had the Active Directory server entered, simply check ‘Secure’ and click ‘Apply’.
    • You can also specify a domain controller under "Active Directory Server", but this is not required.

13. Now add an AD user or an AD group (case sensitive) from this domain, selecting ‘Type’ as ‘Active Directory’.

14. Log out of the VMTurbo web interface.

15. Log in with the new or existing domain user using domain\username.

Once logged in using your AD credentials, you are now connected to AD!

    *** Note: With AD group creation you are still required to use domain\user or UPN to log in using Secure LDAP.
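The appliance-side part of the procedure (steps 5 to 9) as one shell script; this is an added example, not code from the original post or from VMTurbo. It assumes the paths used above (.CER files in /tmp, /etc/tomcat/tomcat.conf, /etc/ssl/certs/secure.jks), gives the root and subordinate CAs distinct keystore aliases, and adds the trust-store property to CATALINA_OPTS without overwriting options already set there or adding it twice on a re-run.

```shell
#!/bin/sh
# Added example, not code from the original post or from VMTurbo.
# Assumes the layout the post describes: .cer files in /tmp, Tomcat config at
# /etc/tomcat/tomcat.conf and the keystore copied to /etc/ssl/certs/secure.jks.
set -eu

KEYSTORE=${KEYSTORE:-/tmp/secure.jks}
TOMCAT_CONF=${TOMCAT_CONF:-/etc/tomcat/tomcat.conf}
TRUST_PROP='-Djavax.net.ssl.trustStore=/etc/ssl/certs/secure.jks'

# Import one CA certificate under its own alias. Without -alias keytool uses
# "mykey", so a second import (the subordinate CA) would be refused. keytool
# prompts for the store password and prints the fingerprint; compare it with
# the certificate on the domain controller before answering "yes".
import_ca() {  # $1 = alias, $2 = .cer file
  keytool -import -trustcacerts -alias "$1" -file "$2" -keystore "$KEYSTORE"
}

# Number of trusted CA entries, to confirm both certificates were imported.
count_trusted() {
  keytool -list -keystore "$KEYSTORE" | grep -c 'trustedCertEntry'
}

# Add the trust-store property to CATALINA_OPTS without discarding options
# already there, and without adding it a second time when re-run.
set_truststore_opt() {  # $1 = tomcat conf file
  if grep -qF -- "$TRUST_PROP" "$1"; then
    return 0                                  # already configured
  fi
  if grep -q '^CATALINA_OPTS=' "$1"; then
    # Keep the current value and insert the property before its closing quote.
    sed "s|^CATALINA_OPTS=\"\(.*\)\"|CATALINA_OPTS=\"\1 $TRUST_PROP\"|" "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
  else
    printf 'CATALINA_OPTS="%s"\n' "$TRUST_PROP" >> "$1"
  fi
}

main() {  # usage: sh ldaps_truststore.sh run root.cer [subordinate.cer]
  import_ca secure "$1"
  if [ $# -ge 2 ]; then
    import_ca secure-sub "$2"
  fi
  echo "trusted CA entries in $KEYSTORE: $(count_trusted)"
  cp "$KEYSTORE" /etc/ssl/certs/secure.jks
  set_truststore_opt "$TOMCAT_CONF"
  service tomcat restart           # use 'service tomcat6 restart' before 4.0
}

case "${1:-}" in run) shift; main "$@" ;; esac
```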

 

Post updated on 12/17 to include additional instructions on how to add multiple SSL CAs for PKI infrastructures and organizations using a separate CA for issuing and authentication.
