SSL-Enabling the eG Manager and AD Communication

If the AD server with which the eG manager integrates is SSL-enabled, then before attempting the integration, you will have to SSL-enable the eG manager and AD communication. The broad steps in this process are as follows:

  • Copy the SSL certificate of the AD server to the eG manager host.
  • Import the certificate to the eG manager.

The sub-sections that follow will discuss each of the steps above elaborately.

Copying the SSL Certificate of the AD Server to the eG Manager Host

To achieve this, follow the instructions furnished below:

  1. Login to any Windows host in the domain.
  2. Follow the menu sequence, Start -> Run, and enter mmc in the Run text box (see Figure 1).

    Figure 1 : Executing mmc

  3. A snap-in Console will then appear (see Figure 2).

    Figure 2 : The Snap-in Console

  4. Follow the File -> Add/Remove Snap-in menu sequence as depicted by Figure 3.

    Figure 3 : Selecting the Add/Remove Snap-in option

  5. Figure 4 will then appear. Click the Add button in Figure 4 to add a snap-in.

    Figure 4 : Clicking on the Add button

  6. Figure 5 will then appear displaying the list of standalone snap-ins. Select the Certificates option from the Available standalone snap-ins list, and click the Add button in Figure 5.

    Figure 5 : Selecting the Certificates option

  7. This will invoke Figure 6 from which you need to select the Computer account option. Then, click the Next button to move on.

    Figure 6 : Selecting the Computer account option

  8. When Figure 7 appears, indicate whether the AD server is located on the local host or on a remote computer. If the AD server is available on the local host itself, then, select the Local computer option followed by the Finish button. On the other hand, if the domain server exists on a remote computer, then indicate the name of the remote host in the Another computer text box and then click the Finish button.

    Figure 7 : Indicating the location of the AD server

  9. Once the Finish button is clicked, Figure 8 will appear displaying the Certificates snap-in that was added.

    Figure 8 : The Certificates snap-in that was added

  10. Click on the OK button in Figure 8. This will lead you back to the Snap-in Console, which now displays the Certificates snap-in that was added.

    Figure 9 : The Snap-in Console displaying the Certificates snap-in that was added

  11. Next, expand the Console Root node in the tree-structure in the left panel of Figure 10, and then, expand the Certificates (Local Computer) sub-node. A Personal sub-node will then appear, which when expanded, will reveal the Certificates sub-node. Click on the Certificates sub-node to view the complete list of certificates on the domain server (see Figure 10).

    Figure 10 : Viewing the certificates on the domain server

  12. Browse the list to identify the SSL certificate of the AD server. Once identified, export the certificate to a file on the local host. For this purpose, select the certificate in the right panel of Figure 10, right-click on the selection, choose the All Tasks menu, and pick the Export option (see Figure 11).

    Figure 11 : Exporting the SSL certificate of the AD server

  13. Figure 12 will then appear welcoming you to the Certificate Export Wizard. Click the Next button in Figure 12 to continue exporting.

    Figure 12 : The Certificate Export Wizard’s Welcome screen

  14. In Figure 13 that appears, click the Next button to continue.

    Figure 13 : Clicking the Next button to continue

  15. Select the DER encoded binary X.509 (.CER) option in Figure 14 as the export file format, and click the Next button to continue.

    Figure 14 : Selecting the export file format

  16. Next, specify the name of the file you want to export and also indicate the directory to which the file is to be exported. You can use the Browse button in Figure 15 to specify the destination directory of the exported file. Then, click the Next button in Figure 15 to continue.

    Figure 15 : Specifying the name and destination of the exported file

  17. When Figure 16 appears, click the Finish button to complete the export procedure. Once the file is exported successfully, a message box displaying a message to this effect will appear.

    Figure 16 : Finishing the export

  18. Finally, copy the exported file from the local Windows host to any folder on the eG manager host.
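The export steps above, scripted in PowerShell as an added example (this is not part of the eG documentation). It assumes the Windows PKI module's Export-Certificate cmdlet is available, that it is run on the AD server itself (or inside a remote session to it, since the Cert: drive is local only), and that the AD server's DNS name and the destination path in $AdServerFqdn and $ExportPath are placeholders you replace:

```powershell
# Added example: export the AD server's SSL certificate in DER (.CER) form from
# the Local Computer > Personal store, the same store the MMC snap-in shows.
# Assumed placeholder values (not from the eG documentation):
$AdServerFqdn = 'dc01.example.internal'     # subject / SAN name of the AD server
$ExportPath   = 'C:\Temp\ad-server.cer'     # destination file on the local host

# Match on subject CN or on the SAN DNS names; ignore expired certificates
# and anything without a private key (a server certificate always has one).
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.Subject -like "*CN=$AdServerFqdn*" -or
         $_.DnsNameList.Unicode -contains $AdServerFqdn)
    } |
    Sort-Object NotAfter -Descending

if (-not $candidates) {
    throw "No valid certificate for $AdServerFqdn found in Cert:\LocalMachine\My"
}

# Take the longest-lived match and show its details so the operator can confirm
# it is the LDAPS certificate (Server Authentication EKU) before exporting.
$cert = $candidates | Select-Object -First 1
$cert | Format-List Subject, Issuer, Thumbprint, NotAfter,
    @{ n = 'EKU'; e = { $_.EnhancedKeyUsageList.FriendlyName } }

# -Type CERT writes "DER encoded binary X.509 (.CER)", the format selected in the
# Certificate Export Wizard above. Only the public certificate is written; the
# private key never leaves the store.
$null = New-Item -ItemType Directory -Path (Split-Path $ExportPath) -Force
Export-Certificate -Cert $cert -FilePath $ExportPath -Type CERT | Out-Null

# Keep the thumbprint: it is compared against the keystore entry after import.
"Exported $($cert.Thumbprint) to $ExportPath"
```

Copy the resulting .cer file to the eG manager host as in step 18; the thumbprint printed at the end is what you check after the import.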

Importing the SSL Certificate to the eG Manager

The steps in this regard are as follows:

  1. Click the global Domain(s) node in the domain(s) tree of Figure 17. Then, click on the Install SSL Certificate button in the right panel.

    Figure 17 : Clicking the Install SSL Certificate button

  2. An SSL Certificate Installation page then appears (see Figure 18).

    Figure 18 : The SSL Certificate Installation popup

  3. Here, specify the following:

    • Keystore Path: Specify the full path to the keystore (truststore) file in which the JDK used by the eG manager looks for trusted certificates.
    • Alias name: Provide an alias name for the certificate being imported.
    • Keystore password: The default keystore password provided by Java is changeit. Provide this password against Keystore password.
    • Certificate Location: Specify the full path to the SSL certificate that was copied to the eG manager using the procedure discussed in Copying the SSL Certificate of the AD Server to the eG Manager Host. You can use the Browse button in Figure 18 to specify the path.
  4. Finally, click the Install button in Figure 18 to install the SSL certificate on the eG manager.
  5. In the same way, you can install multiple SSL certificates on the eG manager and enable its SSL communication with multiple domain servers in the target environment.
  6. You can view all the SSL certificates so installed by clicking the View SSL Certificate button in the right panel of Figure 17.
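The same import and a verification of the result, done with the JDK's keytool from PowerShell on the eG manager host, as an added example (not the eG manager's own code). It assumes a JDK 8-style layout for the cacerts truststore, the default keystore password changeit named above, and placeholder values for $JavaHome, $Alias and $CertFile that you replace; the four variables map onto the four fields of the SSL Certificate Installation page:

```powershell
# Added example: import the exported AD certificate into the JDK truststore the
# eG manager uses, then verify the entry by fingerprint. Placeholder values
# (not from the eG documentation):
$JavaHome     = 'C:\Program Files\Java\jdk'               # JDK used by the eG manager
$KeystorePath = "$JavaHome\jre\lib\security\cacerts"      # "Keystore Path" field
$Alias        = 'ad-dc01'                                 # "Alias name" field
$CertFile     = 'C:\Temp\ad-server.cer'                   # "Certificate Location" field
$StorePass    = 'changeit'                                # JDK default "Keystore password"
$keytool      = "$JavaHome\bin\keytool.exe"

if (-not (Test-Path $CertFile))     { throw "Certificate file not found: $CertFile" }
if (-not (Test-Path $KeystorePath)) { throw "Keystore not found: $KeystorePath" }

# Back up the truststore before changing it; the uninstall path is a restore.
Copy-Item $KeystorePath "$KeystorePath.bak" -Force

# -import is the JDK 1.5 spelling (later JDKs accept it as an alias of
# -importcert); -noprompt skips the interactive "Trust this certificate?" question.
& $keytool -import -noprompt -trustcacerts `
    -alias $Alias -file $CertFile `
    -keystore $KeystorePath -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool import failed (exit $LASTEXITCODE)" }

# Verify: the alias must be listed and its SHA1 fingerprint must equal the
# thumbprint of the file exported from the AD server (keytool prints AA:BB:...).
$listing  = & $keytool -list -v -alias $Alias -keystore $KeystorePath -storepass $StorePass
$fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
$expected = $fileCert.Thumbprint -replace '(..)(?!$)', '$1:'

if (($listing -join "`n") -match [regex]::Escape($expected)) {
    "Alias '$Alias' installed; SHA1 fingerprint $expected verified"
} else {
    throw "Alias '$Alias' is present but its fingerprint does not match $CertFile"
}
```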

Uninstalling the SSL Certificate

At any given point in time, you can disable SSL communication between the eG manager and AD, by uninstalling the SSL certificate. The steps to be followed are:

  1. Click the global Domain(s) node in the domain(s) tree of Figure 17. Then, click on the Uninstall SSL Certificate button in the right panel.
  2. The Uninstall SSL Certificate page then appears.

    Figure 19 : Uninstalling the SSL Certificate from the eG manager

  3. Choose the Alias Name of the certificate to be uninstalled, and then click on the Uninstall button in Figure 19.

Troubleshooting eG Integration with Active Directory

If you have difficulty in validating domain users or are unable to login to the eG manager as a domain user, do the following:

  1. Make sure that the eG manager is using JDK 1.5.
  2. Next, go to the command prompt on the eG manager host and do the following:

    • First, set the classpath of the eG manager using the following command:

      set classpath=<EG_INSTALL_DIR>\lib\eg_manager.jar;<EG_INSTALL_DIR>\lib\jaas.jar;%classpath%

    • Next, execute the following command:

      java com.eg.KerberosAuthentication <EG_INSTALL_DIR>\manager\config\egAD_<domain>.ini <domainIP> <domainUser> <domainPass> <ValidUser> <UserBase>

      For example:

      java com.eg.KerberosAuthentication c:\egurkha\manager\config\egAD_chn.egurkha.com.ini 192.168.10.5 egtest egurkha2007 Raja DC=CHN,DC=EGURKHA,DC=COM

    • This command, upon execution, will report an exception if there is a problem connecting to the domain. If no connection errors have occurred, then an output similar to the sample output displayed below will appear.

      The target Domain IP Address = 192.168.10.5
      The connect username is = egtest
      The connect password is = xxxxxxxxxx
      The search username is = Raja2
      The userBase is = DC=CHN,DC=EGURKHA,DC=COM
      The logged in user is egtest@CHN.EGURKHA.COM
      0
      The logged in user is egtest@CHN.EGURKHA.COM
      false

      The penultimate line of the resulting output displays the logged-in user name. The last line of the output indicates whether the user name passed to the command above (i.e., <ValidUser>) is valid or not: if valid, the last line reads true; if invalid, it reads false.