KB10063 Authentication using LDAP over TLS
KB ID: 10063
Product: vProtect
Version: 4.3.0
Published: 2021-12-27
Last modified: 2021-12-27
Problem
I want to be able to utilize AD to manage vprotect users and secure connections to AD using TLS, but my infrastructure uses self-signed certificates.
Solution
Export your CA certificate to a *.cer file (as shown in the picture), choosing the DER binary format.
Upload your CA certificate to a vprotect-server machine and note the path to which it was uploaded. In this example, it will be uploaded to
/tmp/ca.cer
Next, you need to configure authentication in vprotect settings. A complete configuration description is available in the documentation. [1]
Make sure to enable the TLS option in the configuration.
Now log in to your vprotect server using ssh. Once logged in as root, add your CA to the trusted certificates by running the command shown below.
The default password of the cacerts keystore is changeit.
[root@localhost ~]# keytool -import -file /tmp/ca.cer -alias YourAlias -cacerts
Enter keystore password:
Owner: CN=aw-WIN-HJJSFV6EGMF-CA-1, DC=aw, DC=lab
Issuer: CN=aw-WIN-HJJSFV6EGMF-CA-1, DC=aw, DC=lab
[redacted]
Trust this certificate? [no]: yes
Certificate was added to keystore
When asked whether you trust this certificate, type yes. The options mean the following:
import - import a certificate
file - the path to the certificate file
alias - a human-readable name that lets you recognise the certificate later
cacerts - add the certificate to the trusted CA keystore
To verify that the certificate was added to the correct keystore, run the following command.
CentOS/Redhat
[root@localhost ~]# keytool -list -keystore /usr/lib/jvm/jre/lib/security/cacerts | grep YourAlias
SUSE Linux
[root@localhost ~]# keytool -list -keystore /usr/lib64/jvm/jre/lib/security/cacerts | grep YourAlias
Example of correct output: the certificate with the given alias is present and listed as a trusted entry.
[root@localhost ~]# keytool -list -keystore /usr/lib/jvm/jre/lib/security/cacerts | grep adca
Warning: use -cacerts option to access cacerts keystore
Enter keystore password: [redacted]
adca, Dec 27, 2021, trustedCertEntry,
If for some reason the certificate is missing from the keystore, add it by specifying the cacerts file explicitly on the command line, as in the example commands below.
These commands print a warning that you should use the -cacerts argument instead; you can safely ignore it.
CentOS/Redhat
[root@localhost ~]# keytool -import -file /tmp/ca.cer -alias YourAlias -keystore /usr/lib/jvm/jre/lib/security/cacerts
SUSE Linux
[root@localhost ~]# keytool -import -file /tmp/ca.cer -alias YourAlias -keystore /usr/lib64/jvm/jre/lib/security/cacerts
After the CA certificate has been added to the trusted CAs, you can log in to the vprotect server using credentials from AD.
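The steps above as one non-interactive script, added here as an example and not part of vProtect or this KB. It assumes keytool is on PATH, uses the explicit -keystore paths the KB lists for CentOS/Redhat and SUSE, checks that the file is really DER encoded before importing, and then confirms the alias is listed as trustedCertEntry instead of relying on the import command's exit status alone.

```shell
#!/bin/sh
# Added example (not vProtect's own tooling): import a CA certificate into the
# JVM cacerts keystore used by vprotect-server and verify the result.
# Assumptions: keytool is on PATH; keystore paths are the ones the KB lists.
set -eu

# Default cacerts locations from the KB, keyed by distro family.
cacerts_path() {
  case "$1" in
    centos|redhat|rhel) echo /usr/lib/jvm/jre/lib/security/cacerts ;;
    suse|sles)          echo /usr/lib64/jvm/jre/lib/security/cacerts ;;
    *) echo "unknown distro: $1" >&2; return 1 ;;
  esac
}

# DER is binary ASN.1 and begins with a SEQUENCE tag (byte 0x30); a PEM file
# begins with "-----BEGIN". The KB asks for DER, so check before importing.
is_der_file() {
  [ "$(od -An -tx1 -N1 "$1" | tr -d ' ')" = "30" ]
}

# Read `keytool -list` output on stdin; succeed only if the alias is present
# as a trustedCertEntry (the KB's sample line: "adca, Dec 27, 2021, trustedCertEntry,").
alias_is_trusted() {
  grep -q "^$1,.*trustedCertEntry"
}

# Import the CA without prompts and confirm it landed in the keystore.
# Usage: add_trusted_ca /tmp/ca.cer YourAlias centos [keystore-password]
add_trusted_ca() {
  cert=$1; alias=$2; store=$(cacerts_path "$3"); pass=${4:-changeit}
  is_der_file "$cert" || { echo "$cert is not DER encoded" >&2; return 1; }
  keytool -importcert -noprompt -trustcacerts -file "$cert" -alias "$alias" \
          -keystore "$store" -storepass "$pass"
  keytool -list -keystore "$store" -storepass "$pass" | alias_is_trusted "$alias" \
    || { echo "alias $alias not listed as trusted in $store" >&2; return 1; }
  # The JVM loads its default truststore once, so restart vprotect-server
  # afterwards for the new CA to take effect.
}
```

A JRE package upgrade can replace the cacerts file, so re-run the verification step after updating Java.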