How to configure LDAP over SSL (LDAPS) on the Symantec VIP Enterprise Gateway

Article ID: 178854

Products

VIP Service

Issue/Introduction

Symantec VIP Enterprise Gateway (VIP EG) - How to configure LDAP over SSL (LDAPS)

Cause

The VIP EG uses the host server's native LDAP/LDAPS connections for the actual first-factor authentication and LDAP synchronization transactions, using the BIND user credentials configured in the VIP EG User Store settings.

Resolution

This article walks you through configuring a secure connection (LDAPS) between your VIP EG and your Windows Active Directory LDAP server.

1. Confirm that your Active Directory is configured with LDAPS (LDAP over SSL) and that you have obtained the certificate chain to be imported into the VIP EG.

    The LDAP SSL certificate must meet the following requirements:

• The certificate must be valid for the purpose of Server Authentication and contain the Server Authentication object identifier (OID): 1.3.6.1.5.5.7.3.1
• The Subject name or the first entry in the Subject Alternative Name (SAN) must match the Fully Qualified Domain Name (FQDN) of the LDAP host machine or CA server.
• The LDAP host machine account must have access to the private key.
(Source: Microsoft documentation.)

Do not import this LDAP SSL certificate into the VIP Enterprise Gateway SSL Certificate store. 

2. Import the root and intermediate CA certificates that issued the LDAP SSL certificate into the host operating system certificate store.

3. From the VIP EG server(s), import the root and intermediate CA certificates that issued the LDAP SSL certificate into the VIP EG Keystore:

• Log in to your VIP EG server(s) and click the Settings tab.
• Click the Trusted CA Certificate link in the left frame.
• Click the Add Certificate button.
• Browse to the Root CA certificate from step 2, provide an Alias name, then click Submit.
• If applicable, browse to the Intermediate CA certificate, provide an Alias name, then click Submit.
• Click Save Changes to complete the import.
• Restart the VIP EG service.
• Log in to your VIP EG server and confirm the certificates are visible under Trusted CA Certificates.

4. From the VIP EG server(s), configure LDAPS (secure LDAP):

• Log in to the VIP EG console, then click the User Store tab.
• Click Edit next to the User Store name, then click Edit next to the User Store connection.
• Select Enable SSL, then enter the secure port of your LDAP server.
• Save the changes.
• Repeat for each User Store connection within each User Store on each VIP EG within your environment.

5. Test the LDAPS connection:

• While in the VIP EG console, click the User Store tab.
• Click Edit next to the User Store name, then click Edit next to the User Store connection.
• Enter a user ID in Test User Name and click Test.
• A "Test connection is successful" message is displayed if the connection succeeds.
• Save the changes.
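To confirm steps 1 and 2 from the VIP EG host before running the console test in step 5, here is an added example (not Symantec's code and not part of this article) that uses only the Python standard library; the domain controller name dc01.example.com and the CA bundle path are placeholders.

```python
"""Pre-check an AD LDAPS endpoint the way the VIP EG will see it (constructed example)."""
import socket
import ssl


def san_or_subject_matches(peer_cert: dict, fqdn: str) -> bool:
    """Apply the naming rule from step 1: the first DNS entry in the Subject
    Alternative Name, or the Subject CN when there is no SAN, must equal the
    LDAP host's FQDN. peer_cert has the shape of SSLSocket.getpeercert()."""
    fqdn = fqdn.lower().rstrip(".")
    san_dns = [v.lower() for k, v in peer_cert.get("subjectAltName", ()) if k == "DNS"]
    if san_dns:
        return san_dns[0] == fqdn
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value.lower().rstrip(".") == fqdn
    return False


def check_ldaps(fqdn: str, cafile: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Open a TLS session to the domain controller trusting only the root and
    intermediate CA file from step 2 (never the server certificate itself).
    Raises ssl.SSLCertVerificationError when the chain does not validate,
    which is the same failure the VIP EG User Store test would report."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    # OpenSSL checks the SAN first and consults the CN only when no DNS SAN exists.
    ctx.check_hostname = True
    with socket.create_connection((fqdn, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
            version = tls.version()
    return {
        "tls_version": version,
        "name_rule_ok": san_or_subject_matches(cert, fqdn),
        "not_after": cert.get("notAfter"),
        "issuer": cert.get("issuer"),
    }


if __name__ == "__main__":
    # Placeholder host and CA bundle path: replace with your DC FQDN and the
    # PEM file holding the root and intermediate CA certificates from step 2.
    print(check_ldaps("dc01.example.com", "/path/to/ad-ca-chain.pem"))
```

If the chain check raises a verification error while the name rule passes, the missing piece is the CA import from steps 2 and 3, not the server certificate.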