This section describes how to configure an LDAP or Active Directory server as the authentication server for Network Configuration Manager, including LDAP over SSL.
- Configure Network Configuration Manager to point to the LDAP or Active Directory server
- Log into Network Configuration Manager as system administrator.
- Go to System Administration > Global > User Management > Authentication Servers > LDAP
- Enter your settings. Click Apply.
- In the left pane, go to User Management > System Users and add your LDAP/Active Directory users. Ensure that the User ID and Email fields match the values held in the LDAP/Active Directory server.
- Under Authentication Method, select External LDAP.
- Verify LDAP/Active Directory settings (optional)
- Log out of Network Configuration Manager.
- Log in with the credentials of an LDAP/Active Directory user.
Note: If you experience problems logging in, check the LDAP/Active Directory logs.
- Enable SSL on your LDAP/Active Directory server and make a note of the secure port number the server uses.
- Retrieve the SSL certificate from LDAP/Active Directory server.
- Download InstallCert.java from the internet to your desktop. If InstallCert.java is not available, skip to Step 16.
- Run the following commands:
C:\Users\Administrator\Desktop>"%JAVA_HOME%\bin\javac" InstallCert.java
C:\Users\Administrator\Desktop>"%JAVA_HOME%\bin\java" InstallCert LDAP-SERVERIP:<secure port>
- You are prompted to enter the certificate to add to the trusted keystore. Press Enter.
- From your desktop, copy the file jssecacerts to the NCM Application Server or Combination Server, into $JAVA_HOME/lib/security.
Note: Execute steps 16 and 17 only if steps 12 to 15 were not executed.
- On the NCM Application Server or Combination Server, generate a PEM file of the LDAP server certificate with the following command:
openssl s_client -showcerts -connect LDAP-SERVERIP/DNS:secure-port </dev/null 2>/dev/null|openssl x509 -outform PEM > LDAP_DNS.pem
For example: openssl s_client -showcerts -connect AD01:636 </dev/null 2>/dev/null|openssl x509 -outform PEM > AD01.pem
Here AD01 is the LDAP server and 636 is the secure port.
- Go to $JAVA_HOME/bin and import the PEM file into jssecacerts with the following command:
$JAVA_HOME/bin#./keytool -import -trustcacerts -alias LDAP_DNS -file <Path>/LDAP_DNS.pem -keystore $JAVA_HOME/lib/security/jssecacerts
When prompted for password, enter "changeit".
For example: $JAVA_HOME/bin#./keytool -import -trustcacerts -alias AD01 -file $JAVA_HOME/bin/AD01.pem -keystore $JAVA_HOME/lib/security/jssecacerts
Note: The above command creates the jssecacerts file at $JAVA_HOME/lib/security if it does not already exist.
- Go to the JMiniX console and type the login credentials:
Username: jmx-user
Password: sysadmin
- Go to servers -> 0 -> domains -> com.powerup.configmgr.server.config.jmx -> mbeans -> name=VoyenceControlConfig,type=JMXSystemConfig -> operations
- In the listAll operation, click Execute. In the CONFIG NAME column, look for 0.ldap.server.securityprotocol and 1.ldap.server.securityprotocol. In the following steps you change the value of each of these configuration names from none to ssl.
- To change the values of the configuration names, follow these steps:
- In the setConfigItem operation,
  - For p1, set the parameter value to config.security.ldap-auth
  - For p2, set the parameter value to 0.ldap.server.securityprotocol
  - For p3, set the parameter value to ssl
  - Click Execute.
- In the same setConfigItem operation,
  - For p1, set the parameter value to config.security.ldap-auth
  - For p2, set the parameter value to 1.ldap.server.securityprotocol
  - For p3, set the parameter value to ssl
  - Click Execute.
- In the saveAll operation, click Execute.
- Change the port number that Network Configuration Manager uses to communicate with the LDAP/Active Directory server. To change the port number, follow these steps:
- Log in to Network Configuration Manager as sysadmin.
- Go to System Administration > Global > User Management > Authentication Servers > LDAP
- Change the port number to the secure port number noted in step 3.
- Click Apply.
- Click Close.
- Open the file $VOYENCE_HOME/bin/service/ncm-as and add the following parameters to CATALINA_OPTS:
CATALINA_OPTS -Djavax.net.ssl.trustStore=$JRE_HOME/lib/security/jssecacerts -Djavax.net.ssl.trustStorePassword=changeit -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
For example: CATALINA_OPTS="-Djavax.net.ssl.trustStore=$JRE_HOME/lib/security/jssecacerts -Djavax.net.ssl.trustStorePassword=changeit -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true -Djava.awt.headless=true -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.host=127.0.0.1 -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.login.config=JmxConfig -Dcom.sun.management.jmxremote.access.file=$TOMCAT_HOME/conf/jmxremote.access -Dcom.sun.management.jmxremote.password.file=$TOMCAT_HOME/conf/jmxremote.password -Djava.util.Arrays.useLegacyMergeSort=true -Djava.rmi.server.useCodebaseOnly=true -Xms2048m -Xmx4096m -XX:+UseParallelGC -XX:NewRatio=2 -XX:+DisableExplicitGC -XX:+HeapDumpOnOutOfMemoryError -XX:+CMSClassUnloadingEnabled -XX:MetaspaceSize=512m -XX:MaxMetaspaceSize=1024m -Dorg.apache.activemq.broker.jmx.createConnector=false -Dorg.apache.activemq.SERIALIZABLE_PACKAGES=* -Djava.security.auth.login.config=$TOMCAT_HOME/conf/auth.conf -Djdk.tls.client.protocols=TLSv1.2 -Dorg.apache.catalina.connector.RECYCLE_FACADES=true -Dorg.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true"
- Save the file.
- Run the command:
systemctl restart ncm-as
- Log in to Network Configuration Manager using one of your LDAP/Active Directory server users.
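The CATALINA_OPTS edit in the ncm-as file above is the step most often done by hand and re-done after upgrades, so here is an added helper (not NCM product code) that inserts the trust-store properties only when they are missing and reports the two settings a reviewer should notice: disableEndpointIdentification=true turns off hostname verification of the LDAP server certificate, and changeit is the default keystore password. The sample CATALINA_OPTS line is constructed for the example; the property names and paths are the ones the procedure uses.

```python
"""Idempotently add the LDAP-over-SSL trust-store settings to the
CATALINA_OPTS line of $VOYENCE_HOME/bin/service/ncm-as (added example)."""
import re

# The -D properties the procedure adds to CATALINA_OPTS.
TRUSTSTORE_PROPS = {
    "javax.net.ssl.trustStore": "$JRE_HOME/lib/security/jssecacerts",
    "javax.net.ssl.trustStorePassword": "changeit",
}
# Disables hostname verification of the LDAP server certificate.
ENDPOINT_PROP = "com.sun.jndi.ldap.object.disableEndpointIdentification"

# Matches the CATALINA_OPTS="..." line and captures what is inside the quotes.
CATALINA_RE = re.compile(r'^CATALINA_OPTS="(.*)"[ \t]*$', re.MULTILINE)

# Constructed stand-in for an ncm-as file before the edit (not a real file).
SAMPLE_NCM_AS = 'CATALINA_OPTS="-Djava.awt.headless=true -Xms2048m -Xmx4096m"\n'


def parse_props(opts):
    """Map every -Dname=value token of a JVM options string to {name: value}."""
    props = {}
    for tok in opts.split():
        if tok.startswith("-D") and "=" in tok:
            name, value = tok[2:].split("=", 1)
            props[name] = value
    return props


def update_catalina_opts(text, disable_endpoint_identification=False):
    """Return (new_text, added_tokens). Missing properties are prepended;
    properties already present are left untouched, so re-running is safe."""
    m = CATALINA_RE.search(text)
    if m is None:
        raise ValueError('no CATALINA_OPTS="..." line found')
    wanted = dict(TRUSTSTORE_PROPS)
    if disable_endpoint_identification:
        wanted[ENDPOINT_PROP] = "true"
    present = parse_props(m.group(1))
    added = [f"-D{n}={v}" for n, v in wanted.items() if n not in present]
    new_opts = " ".join(added + [m.group(1)]) if added else m.group(1)
    return text[:m.start(1)] + new_opts + text[m.end(1):], added


def audit_tls_opts(text):
    """List the weak TLS settings in CATALINA_OPTS that a reviewer should know about."""
    m = CATALINA_RE.search(text)
    props = parse_props(m.group(1)) if m else {}
    findings = []
    if props.get(ENDPOINT_PROP) == "true":
        findings.append("LDAP hostname verification is disabled")
    if props.get("javax.net.ssl.trustStorePassword") == "changeit":
        findings.append("trust store uses the default password")
    return findings
```

If the certificate in jssecacerts carries the LDAP server's DNS name (as AD01.pem fetched by name does), hostname verification can stay on and the disableEndpointIdentification property can be omitted.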