This section describes how to set up an LDAP server, including LDAP over SSL, for authentication on Network Configuration Manager.

  1. Configure Network Configuration Manager to point to the LDAP or Active Directory server.
  2. Log into Network Configuration Manager as system administrator.
  3. Go to System Administration > Global > User Management > Authentication Servers > LDAP.
  4. Enter your settings. Click Apply.
  5. In the left pane, go to User Management > System Users and add your LDAP/Active Directory users. Ensure that the User ID and Email fields match the values in the LDAP/AD server.
  6. Under Authentication Method, select External LDAP.
  7. Verify the LDAP/Active Directory settings (optional).
  8. Log out of Network Configuration Manager.
  9. Log in with the credentials of an LDAP/Active Directory user.
    Note: If you experience problems logging in, check the LDAP/Active Directory logs.

  10. Enable the secure option on your LDAP/Active Directory server: configure the LDAP/Active Directory server to use SSL, and make a note of the secure port number it listens on.
  11. Retrieve the SSL certificate from the LDAP/Active Directory server.
  12. Download InstallCert.java from the internet to your desktop. If InstallCert.java is not available, skip to Step 16.
  13. Run the following commands:
    C:\Users\Administrator\Desktop>"%JAVA_HOME%\bin\javac" InstallCert.java
    C:\Users\Administrator\Desktop>"%JAVA_HOME%\bin\java" InstallCert LDAP-SERVERIP:<secure port>
  14. You are prompted to enter the number of the certificate to add to the trusted keystore. Press Enter.
  15. From your desktop, copy the file jssecacerts to the NCM Application Server or Combination Server at $JAVA_HOME/lib/security.
    Note: Execute steps 16 and 17 only if steps 12 to 15 were not executed.
  16. On the NCM Application Server or Combination Server, generate a PEM file from the LDAP server with the command below, where LDAP-SERVERIP/DNS is the IP address or DNS name of the LDAP server:
    openssl s_client -showcerts -connect LDAP-SERVERIP/DNS:secure-port </dev/null 2>/dev/null|openssl x509 -outform PEM > LDAP_DNS.pem
    For example:
    openssl s_client -showcerts -connect AD01:636 </dev/null 2>/dev/null|openssl x509 -outform PEM > AD01.pem
    Here AD01 is the LDAP server and 636 is the secure port. Because openssl x509 reads only the first certificate in its input, the PEM file contains the server's own certificate, not the CA certificates that follow it in the -showcerts output.
  17. Go to $JAVA_HOME/bin and import the PEM file into jssecacerts with the command below:
    $JAVA_HOME/bin# ./keytool -import -trustcacerts -alias LDAP_DNS -file <Path>/LDAP_DNS.pem -keystore $JAVA_HOME/lib/security/jssecacerts

    When prompted for password, enter "changeit".

    For example:
    $JAVA_HOME/bin# ./keytool -import -trustcacerts -alias AD01 -file $JAVA_HOME/bin/AD01.pem -keystore $JAVA_HOME/lib/security/jssecacerts
    Note: The above command creates the jssecacerts file at $JAVA_HOME/lib/security.
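    The following script is an added example and is not part of the Network Configuration Manager documentation. It automates steps 16 and 17 and extends them: instead of keeping only the first certificate, it splits the whole chain that the LDAP server presents into one PEM file per certificate, prints the subject, issuer and expiry of each so that you can see which one is the issuing CA, and imports the chosen file into jssecacerts, then verifies that the alias is present. Importing the issuing CA rather than the server's own certificate means the trust entry does not break when the server certificate is renewed. The hostname AD01, the port 636 and the alias AD01-CA are placeholders; openssl, keytool and a JAVA_HOME pointing at the JRE used by NCM are assumed to be available.

```shell
#!/bin/sh
# Added example, not from the NCM documentation. Assumes openssl and keytool on PATH
# and JAVA_HOME set to the JRE that NCM runs on. Host, port and alias are placeholders.
set -eu

# Split a concatenated PEM stream (as emitted by `openssl s_client -showcerts`) read from
# stdin into files <prefix>-0.pem, <prefix>-1.pem, ... and print the certificate count.
# File 0 is the server's own certificate; later files are the CA certificates it sent.
split_pem_chain() {
    prefix="$1"
    awk -v prefix="$prefix" '
        BEGIN { n = 0; out = "" }
        /-----BEGIN CERTIFICATE-----/ { out = prefix "-" n ".pem"; n++ }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n }
    '
}

# Connect to HOST:PORT over TLS, capture the presented chain and split it.
# Prints the number of certificates written.
fetch_chain() {
    host="$1"; port="$2"; prefix="$3"
    openssl s_client -showcerts -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | split_pem_chain "$prefix"
}

# Print subject, issuer and expiry of one PEM file so the right certificate can be chosen.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# Import one PEM certificate into jssecacerts under ALIAS (the keystore is created if absent).
# -noprompt skips the interactive "Trust this certificate?" question; the password is the
# default "changeit" used by the NCM procedure.
import_cert() {
    alias="$1"; pem="$2"
    keystore="${JAVA_HOME}/lib/security/jssecacerts"
    "${JAVA_HOME}/bin/keytool" -importcert -noprompt -trustcacerts \
        -alias "$alias" -file "$pem" -keystore "$keystore" -storepass changeit
}

# Exit 0 if ALIAS is present in jssecacerts, non-zero otherwise.
verify_alias() {
    "${JAVA_HOME}/bin/keytool" -list -keystore "${JAVA_HOME}/lib/security/jssecacerts" \
        -storepass changeit -alias "$1" >/dev/null
}

# Usage (AD01 = LDAP server, 636 = secure port; both are placeholders):
#   count=$(fetch_chain AD01 636 AD01)
#   i=0; while [ "$i" -lt "$count" ]; do describe_cert "AD01-$i.pem"; i=$((i+1)); done
#   # The last file is normally the issuing or intermediate CA. If count is 1, the server
#   # sent only its own certificate and you import that file, as the procedure above does.
#   import_cert AD01-CA "AD01-$((count-1)).pem" && verify_alias AD01-CA
```

    Run the usage lines from a scratch directory, since the PEM files are written to the current directory. After the import, restart ncm-as as described in step 30 so that the JVM re-reads jssecacerts.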
  18. Go to the JMiniX console and type the login credentials:
    Username: jmx-user
    Password: sysadmin

  19. Go to servers -> 0 -> domains -> com.powerup.configmgr.server.config.jmx -> mbeans -> name=VoyenceControlConfig,type=JMXSystemConfig -> operations
  20. In the listAll operation, click Execute. In the CONFIG NAME column, look for 0.ldap.server.securityprotocol and 1.ldap.server.securityprotocol. You will change the values of these configuration names from none to ssl.
  21. To change the values of these configuration names, follow these steps:
    • In the setConfigItem operation:
      • For p1, set the parameter value to config.security.ldap-auth
      • For p2, set the parameter value to 0.ldap.server.securityprotocol
      • For p3, set the parameter value to ssl
      • Click Execute.
    • In the same setConfigItem operation:
      • For p1, set the parameter value to config.security.ldap-auth
      • For p2, set the parameter value to 1.ldap.server.securityprotocol
      • For p3, set the parameter value to ssl
      • Click Execute.
    • In the saveAll operation, click Execute.
  22. Change the port number in your Network Configuration Manager installation so that it communicates with the LDAP/Active Directory server over the secure port. To change the port number, follow these steps:
  23. Log in to Network Configuration Manager as sysadmin.
  24. Go to System Administration > Global > User Management > Authentication Servers > LDAP.
  25. Change the port number to the secure port number used in step 3.
  26. Click Apply.
  27. Click Close.
  28. Open the file $VOYENCE_HOME/bin/service/ncm-as and add the following parameters to CATALINA_OPTS:
    -Djavax.net.ssl.trustStore=$JRE_HOME/lib/security/jssecacerts
    -Djavax.net.ssl.trustStorePassword=changeit
    -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
    The first two parameters point the JVM at the jssecacerts keystore that holds the LDAP server certificate. The third disables the JDK's LDAPS endpoint identification, that is, the check that the hostname in the server certificate matches the hostname NCM connects to; it is needed when the configured LDAP server name does not match the certificate's subject or subject alternative names.
    For example:
    CATALINA_OPTS="-Djavax.net.ssl.trustStore=$JRE_HOME/lib/security/jssecacerts -Djavax.net.ssl.trustStorePassword=changeit -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true -Djava.awt.headless=true -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.host=127.0.0.1 -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.login.config=JmxConfig -Dcom.sun.management.jmxremote.access.file=$TOMCAT_HOME/conf/jmxremote.access -Dcom.sun.management.jmxremote.password.file=$TOMCAT_HOME/conf/jmxremote.password -Djava.util.Arrays.useLegacyMergeSort=true -Djava.rmi.server.useCodebaseOnly=true -Xms2048m -Xmx4096m -XX:+UseParallelGC -XX:NewRatio=2 -XX:+DisableExplicitGC -XX:+HeapDumpOnOutOfMemoryError -XX:+CMSClassUnloadingEnabled -XX:MetaspaceSize=512m -XX:MaxMetaspaceSize=1024m -Dorg.apache.activemq.broker.jmx.createConnector=false -Dorg.apache.activemq.SERIALIZABLE_PACKAGES=* -Djava.security.auth.login.config=$TOMCAT_HOME/conf/auth.conf -Djdk.tls.client.protocols=TLSv1.2 -Dorg.apache.catalina.connector.RECYCLE_FACADES=true -Dorg.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true"
  29. Save the file.
  30. Run the command:
    systemctl restart ncm-as
  31. Log in to Network Configuration Manager using one of your LDAP/Active Directory server users.