Tech Document Title: How to set up SSL between CA SiteMinder Web Access Manager - SiteMinder Policy Server and Active Directory (AD)

Description: This document describes how to set up an encrypted communication channel between the CA SiteMinder Web Access Manager - Policy Server and the Domain Controller hosting the Active Directory (AD) that is to be integrated as the User Data Store.

The SiteMinder Policy Server can be configured to communicate with the backend systems in two different ways:
1. LDAP namespace (SUN LDAP SDK v5.0.8)
2. AD namespace (Microsoft SDK for communications)

A. LDAP namespace:
SiteMinder requires the certificate to be in a Netscape version file format (cert7.db); do not use Microsoft Internet Explorer to install the certificate. There are two methods:

1) An old Netscape 4.7 browser to update cert7.db:
a) The SiteMinder Policy Server requires that the Root CA certificate of the issuer that signed the LDAP server certificate (in this case AD) be added to a cert7.db file, which it reads in order to trust the LDAPS connection from the LDAP server.
b) Get the Root CA certificate from the issuer. From the AD machine, grab the file in C:\ called "machine.mycompany.com_machine.mycompany.com.crt".
c) Using a Netscape 4.7 browser, add the Root CA certificate to its trusted list of Certificate Authorities. This is typically done by using the option to open a file in the Netscape browser. When you open the Root CA certificate file you should be asked to place it in the browser's Root CA database. When you are done, validate that it did get put into the Root CA list.
d) Next, close the browser and locate the cert7.db and key3.db pair that the Netscape browser uses; the files should have a recent timestamp.
e) Copy the cert7.db and key3.db file pair to the SiteMinder Policy Server. In SiteMinder's SM Console locate the "Netscape Certificate Database file" option, reference the cert7.db file, and be sure the key3.db file is in the same directory.
f) You should now be able to connect over LDAPS for both User Directories and Policy Stores.
2) Download nss-3.3.2 and use it to update cert7.db:
Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. NSS is available under the Mozilla Public License and the GNU General Public License: http://www.mozilla.org/projects/security/pki/nss/
a) Example of usage: add/list certificates in the database (cert7.db).
Add the nss bin and lib directories to the environment path: D:\nss-3.3.2\bin;D:\nss-3.3.2\lib
Navigate to the directory that holds cert7.db, for example: D:\nss-3.3.2\cert-databases>
To add a certificate to the database (cert7.db), get the PEM certificate first, then run:
D:\nss-3.3.2\cert-databases> certutil -A -n ps2-root-ca -t "C,C,C" -i CAcert.pem -d .
List all certificates in cert7.db:
D:\nss-3.3.2\cert-databases> certutil -L -d .
Certificate Name    Trust Attributes
ps2-root-ca         C,C,C
Trust attribute meanings: c = valid CA; C = trusted CA to issue certs (only server certs for SSL) (implies c).
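As an added example that is not part of the original document, the following Python script automates the certutil steps above: it wraps a DER-encoded root certificate into PEM when needed (the certutil -A step above is fed a PEM file), imports it into cert7.db with the "C,C,C" trust attributes, and then parses the certutil -L listing to confirm the nickname carries the C (trusted CA for SSL server certs) flag rather than only c. It assumes certutil from nss-3.3.2 is on PATH and takes the database directory, certificate file and nickname (default ps2-root-ca) as arguments.

```python
"""Import a root CA into an NSS cert7.db with certutil and confirm its SSL trust flag.
Added example, not CA SiteMinder's or NSS's own code; assumes certutil (nss-3.3.2) is
on PATH. Accepts PEM or DER input (e.g. certnew.cer from a Microsoft CA) and wraps DER."""
import base64
import re
import subprocess
import sys

# One `certutil -L` row: nickname, whitespace, then the SSL,S/MIME,JAR trust triple
TRUST_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")

def is_der(data: bytes) -> bool:
    """A DER certificate begins with an ASN.1 SEQUENCE tag (0x30); PEM begins with dashes."""
    return len(data) > 2 and data[0] == 0x30 and not data.startswith(b"-----")

def der_to_pem(der: bytes) -> str:
    """Base64 the DER bytes in 64-column lines inside a PEM envelope."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem, used to verify that the conversion round-trips."""
    lines = [l for l in pem.splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def trust_flags(listing: str) -> dict:
    """Parse `certutil -L` output into {nickname: (ssl, smime, jar)}; header rows are skipped."""
    matches = (TRUST_RE.match(line) for line in listing.splitlines())
    return {m["nick"]: tuple(m["trust"].split(",")) for m in matches if m}

def trusted_for_ssl(listing: str, nick: str) -> bool:
    """SiteMinder needs the issuer trusted for server certs: 'C' (not just 'c') in the SSL column."""
    return "C" in trust_flags(listing).get(nick, ("",))[0]

def add_root_ca(db_dir: str, cert_path: str, nick: str = "ps2-root-ca") -> bool:
    """Convert to PEM if needed, import with -t C,C,C, then verify the listing."""
    with open(cert_path, "rb") as fh:
        raw = fh.read()
    pem_path = cert_path + ".pem"
    with open(pem_path, "w") as fh:
        fh.write(der_to_pem(raw) if is_der(raw) else raw.decode("ascii"))
    subprocess.run(["certutil", "-A", "-n", nick, "-t", "C,C,C", "-i", pem_path,
                    "-d", db_dir], check=True)
    out = subprocess.run(["certutil", "-L", "-d", db_dir], check=True,
                         capture_output=True, text=True).stdout
    return trusted_for_ssl(out, nick)

if __name__ == "__main__":  # usage: script.py <db_dir> <cert_file> [nickname]
    print("trusted for SSL" if add_root_ca(*sys.argv[1:4]) else "NOT trusted for SSL")
```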
B. AD namespace:
The advantages of using the AD namespace when configuring an Active Directory user store include:
SSL connectivity using a native Windows certificate database. Note: Both the Policy Server and the systems hosting Active Directory user stores must have an established trust. For information about configuring Windows systems and Active Directory for SSL, see your Windows documentation.
Support for native Windows SASL, which allows for secure LDAP bind operations.
The disadvantages include:
No support for enhanced LDAP referrals.
No support for LDAP paging and sorting operations.

When authenticating against an AD namespace, the Policy Server binds to Active Directory using SASL. If a user's common name (CN) is different from the user's Windows logon name, the user can still authenticate even if the EnableSaslBind registry setting exists on the Policy Server machine.
The EnableSaslBind setting is a DWORD registry key that you can set to 0 or 1:
HKLM\Software\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider\EnableSaslBind
This setting disables or enables the SASL protocol while authenticating users. For example, if EnableSaslBind does not exist, or you configure this setting to 1, the bind occurs with SASL. If EnableSaslBind exists and you configure this setting to 0, the bind occurs with the Simple Authentication mechanism.

Using Microsoft Certificate Server
1. Download the CA Root Certificate
Download the MS root certificate from the certificate server's web server URL, e.g. https://fqdn/certsrv
Click "Download a CA certificate, certificate chain or CRL".
Select DER and then click "Download CA certificate". Save the CA certificate in a temp directory and keep the default name certnew.cer.
Import certnew.cer into the Policy Server's Trusted Root Certification Authorities:
Start > Run > MMC (starts the Microsoft Management Console)
File > Add/Remove Snap-in > Add > select Certificates > check Computer account > Local
Open/navigate to Certificates under Trusted Root Certification Authorities
Right click Certificates > All Tasks > Import
Navigate to and select the saved certnew.cer, then use the default options to import.
2. Configure the SSL user store in the Admin UI as described in the documentation for the AD namespace.
Important:
1. For Enhanced Active Directory Integration and SiteMinder password services to function properly you MUST define the LDAP Search Root as the base of the Active Directory defaultNamingContext (example: dc=ps,dc=com).
2. If a user's common name (CN) is different from the user's Windows logon name, the user can still authenticate, but if you run in the Authenticated User's Security Context you may see the following message in smps.log:
Info message: NetBIOS and UPN are not fetched.
If the Policy Server is on Windows with AD as the user directory, IIS Authentication may fail.