
Securing Connections to Active Directory and LDAP Directory Servers

You can use SGD security services to secure the connections to an LDAP directory server, including Microsoft Active Directory. These connections are used with the following authentication mechanisms:

To secure these connections:

  1. In the SGD Administration Console, configure secure connections to LDAP or Active Directory.

    For instructions, see either Active Directory Authentication or LDAP Authentication. For Third-party authentication, see Web Server Authentication.

  2. Import the root certificates for your directory servers.

    To be able to use secure connections, SGD must be able to validate the certificate presented by an LDAP directory server or Active Directory. You must import the root certificate for every Active Directory or LDAP directory server you are using with SGD into the cacerts file on every SGD server in the array. See Importing Root Certificates for details.

  3. For Active Directory authentication only, create and install client certificates for each SGD server in the array, and enable LDAP signing requirements for the domain.

    See Creating Client Certificates for Use With Active Directory Authentication for details.

  4. On each SGD server in the array, enable SGD security services and restart the server.

    Log in as superuser (root) on the SGD host.

    # tarantella security start
    # tarantella restart

Importing Root Certificates

To be able to use secure connections, SGD must be able to validate the certificate presented by an LDAP directory server or Active Directory. To do this you must import the root certificate (the Certificate Authority's certificate) into the keystore (the cacerts file) for the Java™ 2 Runtime Environment (JRE) used by the SGD server.

Use the following command:

/opt/tarantella/bin/jre/bin/keytool -import \
  -keystore /opt/tarantella/bin/jre/lib/security/cacerts \
  -storepass changeit \
  -file root_certificate_path \
  -alias alias

Note the following:

Creating Client Certificates for Use With Active Directory Authentication

Microsoft Active Directory only accepts secure connections from servers that have a valid client certificate that has been signed using the Certificate Services on a Windows 2000/2003 Server. You must create and install a client certificate for each SGD server in the array.

You create and install server client certificates with the keytool application. See the Java 2 SDK Tools and Utilities documentation for details.

Server client certificates are stored in the SGD certificate store /opt/tarantella/var/info/certs/sslkeystore.

You must provide a password when adding or removing certificates from the certificate store. The password for the sslkeystore is unique to each SGD server and can be found in the /opt/tarantella/var/info/key file. Use this password for both the -storepass and -keypass options.

To create and install a client certificate for an SGD server:

  1. Log in as superuser (root) on the SGD host.
  2. Generate the key pair for the client certificate.
    # /opt/tarantella/bin/jre/bin/keytool -genkey \
      -keyalg rsa \
      -keystore /opt/tarantella/var/info/certs/sslkeystore \
      -storepass "$(cat /opt/tarantella/var/info/key)" \
      -alias alias \
      -keypass "$(cat /opt/tarantella/var/info/key)"
  3. Generate a Certificate Signing Request (CSR) for the client certificate.
    # /opt/tarantella/bin/jre/bin/keytool -certreq \
      -keystore /opt/tarantella/var/info/certs/sslkeystore \
      -storepass "$(cat /opt/tarantella/var/info/key)" \
      -alias alias \
      -keypass "$(cat /opt/tarantella/var/info/key)" \
      -file path_to_CSR

    The alias must be the same as the alias used when generating the key pair. Aliases are case-insensitive.

  4. Create the client certificate.
    1. Using Internet Explorer, go to http://Windows_server/certsrv.
    2. Log in.
    3. On the Microsoft Certificate Services page, click Request a certificate.
    4. On the Request a Certificate page, click advanced certificate request.
    5. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
    6. On the Submit a Certificate Request or Renewal Request page, paste the contents of the CSR into the Saved Request text box or browse to the CSR file.
    7. Select an appropriate template from the Certificate Templates list.
    8. Click Submit.
    9. On the Certificate Issued page, ensure Base 64 encoded is selected and click Download certificate.
    10. Save the certificate file.
    11. Copy the certificate file to the SGD host.
  5. Install the client certificate.
    # /opt/tarantella/bin/jre/bin/keytool -import \
      -file certificate_path \
      -keystore /opt/tarantella/var/info/certs/sslkeystore \
      -storepass "$(cat /opt/tarantella/var/info/key)" \
      -alias alias \
      -keypass "$(cat /opt/tarantella/var/info/key)"
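The two keytool imports on this page (the root certificate into cacerts, the client certificate into the sslkeystore) share the same pitfalls: a certificate saved in DER rather than Base-64, and a second import under an alias that already exists. This added helper is not part of the SGD guide; it checks both conditions before calling keytool. KEYTOOL_BIN is an assumed override so the checks can be tried on another host; the other paths and the default cacerts password are the guide's.

```shell
# Added example, not from the SGD guide: wraps the keytool imports on this page,
# refusing files that are not Base-64 encoded (as the guide requires) and
# skipping aliases already in the keystore. Paths are the guide's; KEYTOOL_BIN
# is an assumed override so the checks can be tried on another host.
KEYTOOL="${KEYTOOL_BIN:-/opt/tarantella/bin/jre/bin/keytool}"
CACERTS=/opt/tarantella/bin/jre/lib/security/cacerts
SGD_KEYFILE=/opt/tarantella/var/info/key

# pem_kind FILE: "certificate" (Base-64 X.509), "pkcs7" (Base-64 PKCS #7),
# "der" (binary, which the guide's download step avoids) or "unknown".
pem_kind() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
     grep -q -- '-----END CERTIFICATE-----' "$1"; then echo certificate
  elif grep -q -- '-----BEGIN PKCS7-----' "$1"; then echo pkcs7
  elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' ')" = 30 ]; then echo der
  else echo unknown
  fi
}

# keystore_password STORE: cacerts keeps the JRE default used in the guide;
# the sslkeystore password is the per-server secret in SGD_KEYFILE.
keystore_password() {
  case "$1" in
    "$CACERTS") echo changeit ;;
    *) cat "$SGD_KEYFILE" ;;
  esac
}

# normalize_alias NAME: keytool aliases are case-insensitive; compare in lower case.
normalize_alias() { printf '%s\n' "$1" | tr 'A-Z' 'a-z'; }

# import_cert FILE STORE ALIAS: validate the file, then import only if absent.
import_cert() {
  kind=$(pem_kind "$1"); alias=$(normalize_alias "$3")
  if [ "$kind" != certificate ] && [ "$kind" != pkcs7 ]; then
    echo "refusing $1: not a Base-64 encoded certificate ($kind)" >&2; return 1
  fi
  pass=$(keystore_password "$2")
  if "$KEYTOOL" -list -keystore "$2" -storepass "$pass" -alias "$alias" >/dev/null 2>&1
  then echo "alias $alias already present in $2, skipping"; return 0
  fi
  "$KEYTOOL" -import -noprompt -keystore "$2" -storepass "$pass" \
    -keypass "$pass" -alias "$alias" -file "$1"
}

# Constructed sample files (not real certificates) to exercise pem_kind.
demo_dir=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nMIIBconstructedSAMPLEbody\n-----END CERTIFICATE-----\n' > "$demo_dir/root.cer"
printf '\060\202\001\263' > "$demo_dir/root.der"   # DER SEQUENCE tag 0x30
pem_kind "$demo_dir/root.cer"; pem_kind "$demo_dir/root.der"   # certificate, der
```

On an SGD host, `import_cert /tmp/root.cer "$CACERTS" ad-root` performs the root import from the Importing Root Certificates section, and the same function with /opt/tarantella/var/info/certs/sslkeystore as the store performs step 5 above.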

Enabling LDAP Signing for the Domain

For Active Directory authentication, once you have installed client certificates for all the SGD servers in the array, you must enable LDAP signing on your domain controllers. For example, you do this as follows:

  1. Log in to the domain controller as a user with administrative privileges.
  2. In Group Policy Object Editor, select Domain Security Policy\Local Policies\Security options.
  3. Edit the Domain controller: LDAP server signing requirements policy and select Require signing.
  4. Edit the Network security: LDAP client signing requirements policy and select Require signing.