Avaya one X Portal 1.1.3 Lightweight Directory Access Protocol (LDAP) over Secure Socket Layer (SSL) Configuration

This document provides configuration steps for Avaya one X Portal 1.1.3's communication with Active Directory using LDAP over SSL (also known as LDAPS). This configuration is an extension of an internal document for Avaya one X Portal 1.0 LDAPS configuration, with changes reflecting enhancements in WebSphere. Avaya one X Portal must be installed using LDAP, and then WebSphere must be configured with the Active Directory CA authority certificate to communicate using SSL.

NOTE: For Avaya one X Portal 1.1.3, code changes were made to allow the LDAP communication to use SSL. Therefore, these instructions are not guaranteed to work on earlier versions of Avaya one X Portal.

Active Directory SSL Configuration

Most of what is here can be found on several Microsoft web pages. This section is almost completely copied from earlier Avaya one X Portal documentation. The following steps take you through an Active Directory configuration to enable communication using SSL.

Prerequisites: The expected infrastructure:
    Certificate Authority installed on a Windows 2003 server
    Active Directory on a Windows 2003 server

Obtaining a root certificate
1. Use a browser to go to the certificate authority web page. The URL is: http://<ca server>/certsrv. When prompted for a user name and a password, use an account with Administrator
privileges on the CA server.
2. Click Download a CA certificate, certificate chain, or CRL.
3. Select Base 64, and then click Download CA certificate.
4. Use your browser's download function to save the certificate as a file with a .cer extension.

Note: All root certificates from the same certificate authority are functionally the same. You can download a certificate once and use it repeatedly, until it expires.

Opening the certificate manager
1. Navigate to Start > Run > mmc.
2. On File > Add/Remove Snap-in, click Add.
3. Select Certificates and click Add.
4. Select a computer account and click Next.
5. Select a local computer and click Finish.
6. Click Close on the Add Standalone Snap-in dialog.
7. Click OK on the Add/Remove Snap-in dialog.

Installing the root certificate for the Certificate Authority (CA)
1. On the left side, navigate to the Certificates (Local Computer)\Trusted Root Certificate Authorities\Certificates folder.
2. Select Action > Tasks > Import.
3. In the Certificate Import Wizard, click Next.
4. Click Browse, select the root certificate file, and click Open.
5. Click Next.
6. Select Place all certificates in the following store.
7. Click Browse, select Trusted Root Certificate Authorities, and click OK.
8. Click Next.
9. Click Finish.
10. On the right side, select the new certificate you just imported.
11. Select Action > Properties.
12. Enter a name that identifies the CA.
13. Click OK.

Generating a policy file for the Domain Controller on the DC machine
1. Obtain a copy of the reqdccert.vbs script. This can be found on the web at several locations.
2. From the command prompt, execute the script (enter reqdccert.vbs).
3. Verify that the following files have been created: <dc name>.inf, <dc name> req.bat, <dc name> vfy.bat.

Editing <dc name>.inf with a text editor
1. Under the line that says [NewRequest], add a line: Subject="CN=<dc fqdn>" where <dc fqdn> is the fully qualified domain name of the DC. For example: Subject="CN=chrndex01.CHEXPM.usae.avaya.com". You can get the DC's FQDN from Start > Control Panel > System > Computer Name, where it is displayed as Full Computer name. Do not forget to add the prefix CN= and put the whole subject in quotes.
2. Delete the line that says Critical=2.5.29.17. (WebSphere does not recognize this extension.)
3. Save the file.

Creating the certificate request on the Domain Controller
1. In the directory where the <dc name>.inf is located, execute the command: certreq -new <dc name>.inf <dc name>.req
2. Copy the <dc name>.req and <dc name> req.bat files to the CA machine.

Creating the domain controller certificate
1. Open the command prompt, and go to the directory where the files were copied.
2. Execute the BAT file: <dc name> req
3. When prompted to select a CA, select the CA and press OK. The script will ask you to save a file <dc name>.cer.
4. Log in to the CA, and open the Certification Authority application. This is usually under Start > Administrative Tools > Certification Authority.
5. Navigate to the Pending Requests folder.
6. Accept the request for <dc name>.
7. Navigate to the Issued Certificates folder.
8. Open the new certificate.
9. Navigate to the Details tab, and click Copy to File; choose to export a Base 64 .CER file, and export the file.

Installing the Domain Controller Certificate on the Domain Controller
1. Copy the .cer file from the CA to the DC machine.
2. In the directory where the <dc name>.cer file is located, execute the command: certreq -accept <dc name>.cer
3. Open the certificate manager for the local system (as described above).
4. On the left side, navigate to the Certificates (Local Computer)\Personal\Certificates folder.
5. Make sure the certificate is installed.
6. Optionally, rename the certificate (for example: Enable LDAPS).
7. Reboot the Domain Controller.

WebSphere configuration

Once you configure Active Directory for LDAPS, you can configure WebSphere for LDAPS using WebSphere's IBM Console.

1) Log in to IBM's console using the administrative credentials (the credentials used when installing Avaya one X Portal). The address for IBM's administrative console is: https://<onexportalmachine>:9043/ibm/console
2) Under the Security section, select SSL certificate and key management.
3) Navigate to Key stores and certificates > NodeDefaultTrustStore > Signer certificates and click the Retrieve from port button.
4) Enter the Host, Port and Alias information. The Host is the IP address of your DC machine, and the port is the port for the LDAPS service (port 636 by default).
5) Click the Retrieve signer information button.
6) Select OK, and save the configuration.
7) Make sure that you can connect to the LDAP server by using the IBM Console to verify the connection. This test does not use Avaya one X Portal code, so it is a good validation for the environment setup.
   a. While still on the IBM Console site, go to Security > Secure administration, applications, and infrastructure. If your system is already set up to talk to a single AD environment, the Available realm definitions option should already be set to Standalone LDAP registry.
   b. Click the Configure button.
   c. Configure the parameters for your Active Directory; you do not need to save any information now. If the system is already configured to talk to the Active Directory, change the Port to 636, and the SSL Settings to have SSL enabled.
   d. Click the Test connection button. If everything is right, the test should be successful.
   e. Log out of IBM Console. Do not change the configuration here, since changing the configuration on Avaya one X Portal will also change this configuration.
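The "Editing <dc name>.inf with a text editor" step in the Active Directory section above is the one most often done wrong by hand: the Subject line has to sit directly under [NewRequest], be quoted, and use the CN= prefix, and the Critical=2.5.29.17 line has to be removed or WebSphere will reject the resulting certificate. The following Python script applies and then checks those two edits. It is an added example, not part of the Avaya document and not part of reqdccert.vbs; the sample .inf content and the DC name dc01.example.test are constructed for illustration, and the real file produced by reqdccert.vbs will contain different entries.

```python
# Constructed sample of a reqdccert.vbs-style .inf file (not a real file from the script).
SAMPLE_INF = """\
[Version]
Signature="$Windows NT$"

[NewRequest]
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
Critical=2.5.29.17
"""

DC_FQDN = "dc01.example.test"  # placeholder for the DC's "Full Computer name"


def _split_key_value(line):
    """Split 'Key = Value' into a lower-cased key and the raw value ('' if no '=')."""
    parts = line.strip().split("=", 1)
    key = parts[0].strip().lower()
    value = parts[1].strip() if len(parts) > 1 else ""
    return key, value


def prepare_dc_inf(inf_text, dc_fqdn):
    """Apply the two edits from the 'Editing <dc name>.inf' step:
    insert Subject="CN=<dc fqdn>" directly under [NewRequest] (replacing any
    existing Subject there) and drop the Critical=2.5.29.17 line."""
    subject_line = 'Subject="CN=%s"' % dc_fqdn
    out, section, subject_added = [], None, False
    for line in inf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
            out.append(line)
            if section == "newrequest":
                out.append(subject_line)
                subject_added = True
            continue
        key, value = _split_key_value(line)
        if section == "newrequest" and key == "subject":
            continue  # a pre-existing Subject would conflict with the one just added
        if key == "critical" and value == "2.5.29.17":
            continue  # WebSphere does not recognize this extension
        out.append(line)
    if not subject_added:
        raise ValueError("no [NewRequest] section found; is this a reqdccert.vbs .inf file?")
    return "\n".join(out) + "\n"


def verify_dc_inf(inf_text, dc_fqdn):
    """Return a list of problems (empty when the file matches the documented edits)."""
    expected = 'Subject="CN=%s"' % dc_fqdn
    problems, section, subject_ok = [], None, False
    for line in inf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
            continue
        key, value = _split_key_value(line)
        if key == "subject":
            if section != "newrequest":
                problems.append("Subject line is outside [NewRequest]")
            elif stripped != expected:
                problems.append("Subject line is %r, expected %s" % (stripped, expected))
            else:
                subject_ok = True
        if key == "critical" and value == "2.5.29.17":
            problems.append("Critical=2.5.29.17 is still present (WebSphere does not recognize it)")
    if not subject_ok and not any(p.startswith("Subject") for p in problems):
        problems.append("no Subject line under [NewRequest]")
    return problems


if __name__ == "__main__":
    fixed = prepare_dc_inf(SAMPLE_INF, DC_FQDN)
    print(fixed)
    print("problems:", verify_dc_inf(fixed, DC_FQDN))
```

Running verify_dc_inf on the unedited sample reports both the missing Subject line and the Critical=2.5.29.17 line; running it on the output of prepare_dc_inf reports nothing. The same check catches the common slip of writing DN= instead of CN=, which certreq accepts but which produces a certificate whose subject does not match the DC's name.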
Avaya one X Portal for LDAPS configuration

The Avaya one X Portal configuration is part of this setup.

1) Log in to the Avaya one X Portal Admin client: https://<onexportalserver>:9443/1xp/admin
2) Select System > Enterprise Directory. Select the domain for which you need to set the LDAPS configuration.
3) Change the port to 636 and then select Secure Port.
4) Save the configuration.
5) Restart Avaya one X Portal.
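The WebSphere "Test connection" step and the one X Portal Secure Port change both depend on the same thing: the domain controller must present, on port 636, a certificate that chains to the CA root imported earlier and whose subject is the DC's FQDN. The following Python script checks exactly that from any machine that has the Base 64 .cer of the CA root, independently of WebSphere and of one X Portal. It is an added example and not part of the Avaya document; the host name dc01.example.test and the file name ca-root.cer are placeholders to be replaced with your own values.

```python
import socket
import ssl

LDAPS_PORT = 636  # default LDAPS port, as used in the WebSphere and one X Portal steps


def build_ldaps_context(ca_cert_file):
    """TLS context that trusts the AD CA root (the Base 64 .cer downloaded from certsrv)
    and requires both chain validation and host name checking."""
    ctx = ssl.create_default_context(cafile=ca_cert_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def subject_cn(peercert):
    """Extract commonName from the dict returned by SSLSocket.getpeercert()."""
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def cn_matches_fqdn(cn, dc_fqdn):
    """The .inf edit sets Subject="CN=<dc fqdn>", so the CN should equal the DC's FQDN
    (DNS names compare case-insensitively)."""
    return cn is not None and cn.lower() == dc_fqdn.lower()


def check_ldaps(dc_fqdn, ca_cert_file, port=LDAPS_PORT, timeout=5.0):
    """Open a verified TLS connection to the DC's LDAPS port and summarize what was seen.
    Raises ssl.SSLCertVerificationError if the chain does not lead to the CA root or the
    certificate name does not match dc_fqdn, and OSError if the port is closed."""
    ctx = build_ldaps_context(ca_cert_file)
    with socket.create_connection((dc_fqdn, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=dc_fqdn) as tls:
            cert = tls.getpeercert()
            cn = subject_cn(cert)
            return {
                "protocol": tls.version(),
                "subject_cn": cn,
                "cn_matches_fqdn": cn_matches_fqdn(cn, dc_fqdn),
                "not_after": cert.get("notAfter"),
            }


if __name__ == "__main__":
    # Placeholders: replace with the DC's Full Computer name and the downloaded CA root file.
    print(check_ldaps("dc01.example.test", "ca-root.cer"))
```

Connect by the DC's FQDN rather than its IP address: the WebSphere "Retrieve from port" step only needs to reach the port, but a host name check against a certificate whose subject is CN=<dc fqdn> fails when the connection is made by IP. A verification error here, before touching WebSphere, points at the certificate steps (wrong Subject, Critical line left in, DC not rebooted, root not trusted) rather than at the portal configuration.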