
Strengthening the LDAP Communication

By default, Active Directory authentication uses the LDAP protocol with the simple authentication method. You can change this to LDAPS, with or without GSSAPI (Kerberos v5) authentication.

To change the authentication protocol to LDAPS, GSSAPI, or both:

  1. Open the $UEPMDIR/engine/conf/ldap.utils.properties file.
  2. Configure the protocol or protocols to use.
    • To configure LDAPS - Change use.ssl=false to use.ssl=true
    • To configure GSSAPI - Change use.gssapi=false to use.gssapi=true

    Both LDAPS and GSSAPI can be set to true.

  3. Save.

For GSSAPI, no additional configuration is necessary.

Additional steps for LDAPS:

To import a certificate to the Endpoint Security Management Servers (Primary and Secondary in High Availability):

  1. Find the index of the SSL certificate: on a domain controller that is configured to support LDAPS, run:

    certutil -store -v MY

    The output of this command is a list of certificates. The certificates are separated by a header line like this:

    ================ Certificate 0 ================

    where 0 is the index number of the certificate.

  2. Find a certificate that has:
    • Subject: the DC FQDN
    • One of its certificate extensions is Server Authentication (OID 1.3.6.1.5.5.7.3.1).
  3. Get that certificate's index number. This is the number in the header before each certificate (in this example it is 0).

    ================ Certificate 0 ================

    X509 Certificate:
    Version: 3
    Serial Number: 610206fb000000000002
    Signature Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
        Algorithm Parameters:
        05 00
    Issuer:
        CN=mulberry-DC-CA
        DC=mulberry
        DC=com
    NotBefore: 23/06/2014 13:12
    NotAfter: 23/06/2015 13:12
    Subject:
        CN=DC.mulberry.com
    Public Key Algorithm:

    Certificate Extensions: 9
        1.3.6.1.4.1.311.20.2: Flags = 0, Length = 22
        Certificate Template Name (Certificate Type)
            DomainController
        2.5.29.37: Flags = 0, Length = 16
        Enhanced Key Usage
            Client Authentication (1.3.6.1.5.5.7.3.2)
            Server Authentication (1.3.6.1.5.5.7.3.1)

  4. Download a certificate from the domain controller:

    certutil -store MY <certificate index> <file name>

    For example: certutil -store MY 0 C:\certificates\DCCert.cer

  5. Import a certificate to Endpoint Security servers. Copy the file to the Endpoint Security servers (primary and secondary) and run:

    cd $UEPMDIR/engine/jre

    ./bin/keytool -import -keystore ./lib/security/cacert -file <cert file name> -alias <alias>

    For example: ./bin/keytool -import -keystore ./lib/security/cacert -file /certif/DCCert.cer -alias DCSSLCert

  6. Restart the Endpoint Security servers: run uepm_stop, and then uepm_start.
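The selection in steps 1 to 3 (the right Subject CN plus the Server Authentication EKU) is easy to get wrong by eye when a domain controller's MY store holds several certificates. The following is an added example, not code from the Check Point page or product: it parses saved `certutil -store -v MY` output, splits it on the `================ Certificate N ================` headers, and returns the index numbers of the certificates that satisfy both checks. It goes one step beyond the procedure by also discarding certificates whose NotAfter has already passed, because an expired certificate still matches the two checks on the page but is useless in the Endpoint Security trust store. The sample listing is constructed (certificate 0 copies the fields shown on the page; certificate 1 is an invented client-authentication-only certificate for the same DC), and the date format is an assumption taken from the page's sample, since certutil prints dates in the machine's locale.

```python
"""Select the LDAPS server certificate from `certutil -store -v MY` output.

Added example; not part of the original Check Point page. Automates steps
1-3 of the certificate import procedure: split the certutil listing on the
"================ Certificate N ================" separators, then keep the
certificates whose Subject CN is the domain controller FQDN and whose
Enhanced Key Usage lists Server Authentication (OID 1.3.6.1.5.5.7.3.1).
An optional `now` additionally drops certificates whose NotAfter has passed.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"
HEADER_RE = re.compile(r"^=+ Certificate (\d+) =+[ \t]*$", re.MULTILINE)
# Assumption: certutil prints dates in the machine's locale; the page's
# sample uses day/month/year, so that is the format parsed here.
CERTUTIL_DATE_FORMAT = "%d/%m/%Y %H:%M"

# Constructed sample, not real certutil output. Certificate 0 copies the
# fields shown on the page; certificate 1 is an invented client-auth-only
# certificate for the same DC that must NOT be picked.
SAMPLE_OUTPUT = """\
================ Certificate 0 ================
X509 Certificate:
Version: 3
Serial Number: 610206fb000000000002
Issuer:
    CN=mulberry-DC-CA
    DC=mulberry
    DC=com
NotBefore: 23/06/2014 13:12
NotAfter: 23/06/2015 13:12
Subject:
    CN=DC.mulberry.com
Certificate Extensions: 9
    2.5.29.37: Flags = 0, Length = 16
    Enhanced Key Usage
        Client Authentication (1.3.6.1.5.5.7.3.2)
        Server Authentication (1.3.6.1.5.5.7.3.1)
================ Certificate 1 ================
X509 Certificate:
Version: 3
Serial Number: 00000000placeholder
Issuer:
    CN=mulberry-DC-CA
NotBefore: 01/01/2014 00:00
NotAfter: 01/01/2024 00:00
Subject:
    CN=DC.mulberry.com
Certificate Extensions: 2
    2.5.29.37: Flags = 0, Length = 10
    Enhanced Key Usage
        Client Authentication (1.3.6.1.5.5.7.3.2)
"""


def split_certificates(certutil_output: str) -> Dict[int, str]:
    """Map each certificate index to the text between its header and the next one."""
    headers = list(HEADER_RE.finditer(certutil_output))
    blocks: Dict[int, str] = {}
    for pos, match in enumerate(headers):
        end = headers[pos + 1].start() if pos + 1 < len(headers) else len(certutil_output)
        blocks[int(match.group(1))] = certutil_output[match.end():end]
    return blocks


def section_entries(block: str, name: str) -> List[str]:
    """Return the stripped lines indented under the line reading `name` or `name:`."""
    lines = block.splitlines()
    for i, line in enumerate(lines):
        if line.strip().rstrip(":") != name:
            continue
        indent = len(line) - len(line.lstrip())
        entries: List[str] = []
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue  # blank lines do not end a section
            if len(nxt) - len(nxt.lstrip()) <= indent:
                break  # back at the parent indentation: section is over
            entries.append(nxt.strip())
        return entries
    return []


def subject_cn(block: str) -> Optional[str]:
    """The CN attribute of the Subject section, or None if absent."""
    for entry in section_entries(block, "Subject"):
        if entry.upper().startswith("CN="):
            return entry[3:].strip()
    return None


def has_server_auth_eku(block: str) -> bool:
    """True when the Enhanced Key Usage extension lists Server Authentication."""
    return any(f"({SERVER_AUTH_OID})" in e
               for e in section_entries(block, "Enhanced Key Usage"))


def not_after(block: str) -> Optional[datetime]:
    """Parse the NotAfter line, or None if it is missing."""
    m = re.search(r"^\s*NotAfter:\s*(.+?)\s*$", block, re.MULTILINE)
    return datetime.strptime(m.group(1), CERTUTIL_DATE_FORMAT) if m else None


def find_ldaps_certificates(certutil_output: str, dc_fqdn: str,
                            now: Optional[datetime] = None) -> List[int]:
    """Index numbers (ascending) of certificates usable for LDAPS on dc_fqdn."""
    chosen: List[int] = []
    for index, block in sorted(split_certificates(certutil_output).items()):
        cn = subject_cn(block)
        if cn is None or cn.lower() != dc_fqdn.lower():
            continue
        if not has_server_auth_eku(block):
            continue
        expiry = not_after(block)
        if now is not None and expiry is not None and expiry < now:
            continue
        chosen.append(index)
    return chosen


if __name__ == "__main__":
    # Step 4 on the page then uses the returned index: certutil -store MY <index> <file>
    print(find_ldaps_certificates(SAMPLE_OUTPUT, "dc.mulberry.com"))
```

In practice you would redirect `certutil -store -v MY` to a file on the domain controller and feed that text to `find_ldaps_certificates` with the DC's FQDN and `datetime.now()`; the index it returns is the value to pass to `certutil -store MY <certificate index> <file name>` in step 4. Matching only on the CN and the EKU without the expiry check would have picked certificate 0 in the sample even though it expired in 2015.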