Pivotal Knowledge Base

How to Enable Pulse Authentication with LDAP over SSL (LDAPS)

Environment

 Product          Version
 Pivotal GemFire  7.x and 8.x

Purpose

This document explains how to enable SSL/TLS on an OpenLDAP server and how to enable Pulse authentication over LDAP with SSL (LDAPS).

Prerequisites

1. You have set up OpenLDAP or another Directory Service successfully.

2. You have set up GemFire with Pulse successfully.

3. In this case, OpenSSL is used to generate the truststore and key file, so OpenSSL must also be installed.

Procedure

1. The process of configuring SSL/TLS for an OpenLDAP server is as follows:

  1. Create a self-signed certificate (an X.509v3 public key in Base64-encoded PEM format) together with its private key file, as shown in the example below:

    [root@centos7v64 cn=config]# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/myexampleldap.pem -keyout /etc/pki/tls/certs/myexampleldapkey.pem -days 365
    Provide your company details to generate the certificate as below.
    Country Name (2 letter code) [XX]:JP
    State or Province Name (full name) []:Tokyo
    Locality Name (eg, city) [Default City]:Tokyo
    Organization Name (eg, company) [Default Company Ltd]:Myexample
    Organizational Unit Name (eg, section) []:GSS
    Common Name (eg, your name or your server's hostname) []:centos7v64.myexample.com
    Email Address []:root@centos7v64.myexample.com
    
  2. Configure olcTLSCertificateFile and olcTLSCertificateKeyFile for OpenLDAP server.

    Go to the cn=config directory under /etc/openldap/slapd.d/ and edit "olcDatabase={2}hdb.ldif", adding olcTLSCertificateFile and olcTLSCertificateKeyFile:
    
    [root@linux1 ~]# cd /etc/openldap/slapd.d/cn=config
    [root@linux1 cn=config]# vi olcDatabase={2}hdb.ldif
    
    olcTLSCertificateFile: /etc/pki/tls/certs/myexampleldap.pem
    olcTLSCertificateKeyFile: /etc/pki/tls/certs/myexampleldapkey.pem
    
  3. Enable the LDAPS port (default 636) and restart the OpenLDAP server to apply the change.

    [root@dlp ~]# vi /etc/sysconfig/slapd
    # line 9: add Server Port Option
    SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
    
    [root@dlp ~]# systemctl restart slapd
    

    Note: You can use Apache Directory Studio to open an LDAPS connection to the server and verify that the settings above work.

2. Enable Pulse authentication with LDAPS (Pulse running in embedded mode).

  1. Create a directory to hold the LDAP authentication configuration; its path is passed as a parameter when starting the locator that runs Pulse. For example:
    $ mkdir /home/apps/pulse-config
  2. Create a file named pulse-authentication-custom.xml with contents similar to the following and place it in the directory (pulse-config) created in step 1. For example:
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:context="http://www.springframework.org/schema/context"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-3.1.xsd
            http://www.springframework.org/schema/context
            http://www.springframework.org/schema/context/spring-context-3.2.xsd">

        <ldap-server url="ldaps://centos7v64.myexample.com:636/dc=myexample,dc=com" />

        <authentication-manager>
            <ldap-authentication-provider user-dn-pattern="uid={0},ou=users"
                group-search-base="cn=PULSEUSER,ou=groups" group-search-filter="uniqueMember={0}">
            </ldap-authentication-provider>
        </authentication-manager>

    </beans:beans>

    The settings above correspond to the following user/group layout on the OpenLDAP server (user-dn-pattern and group-search-base are relative to the base DN given in the ldap-server URL):

    dn: uid=puser1,ou=users,dc=myexample,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    cn: pulse user1
    sn: user1
    uid: puser1
    userPassword:: cGl2b3RhbA==
    
    dn: uid=padmin1,ou=users,dc=myexample,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    cn: pulse admin1
    sn: admin1
    uid: padmin1
    userPassword:: cGl2b3RhbA==
    
    dn: cn=PULSEUSER,ou=groups,dc=myexample,dc=com
    objectClass: top
    objectClass: groupOfUniqueNames
    cn: PULSEUSER
    uniqueMember: uid=puser1,ou=users,dc=myexample,dc=com
    uniqueMember: uid=padmin1,ou=users,dc=myexample,dc=com
    
  3. Add the spring.profiles.active system property and the pulse-config path (as the --classpath parameter) to the gfsh command that starts the JMX manager. For example:
    gfsh start locator --name=locator --port=7900 --dir=locator --J=-Dspring.profiles.active=pulse.authentication.custom --classpath=/home/apps/pulse-config
    
  4. Import the LDAPS server's public certificate into the Java cacerts truststore on the host running Pulse. For more details, you can also refer to this article.
    keytool -import -file /home/apps/myexampleldap.pem -keystore $JAVA_HOME/jre/lib/security/cacerts
    
  5. Restart the GemFire cluster, start Pulse, and log in using credentials that are authorized in the LDAP configuration.
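    The following is an added example (not part of the original article or of GemFire/Pulse itself) that resolves the user-dn-pattern, group-search-base and group-search-filter from pulse-authentication-custom.xml against the LDIF entries above, offline, so you can check which logins the PULSEUSER group will authorize and that the ldap-server URL really uses ldaps:// before restarting the cluster. The sample XML and LDIF are constructed copies of the page's own values, with an extra non-member user (other1) added.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = "{http://www.springframework.org/schema/security}"
# Constructed sample: the page's pulse-authentication-custom.xml, reduced to the two namespaces it needs.
PULSE_XML = """<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans">
<ldap-server url="ldaps://centos7v64.myexample.com:636/dc=myexample,dc=com"/>
<authentication-manager><ldap-authentication-provider user-dn-pattern="uid={0},ou=users"
 group-search-base="cn=PULSEUSER,ou=groups" group-search-filter="uniqueMember={0}"/></authentication-manager>
</beans:beans>"""

# Constructed sample LDIF: puser1 is a PULSEUSER member, other1 exists in ou=users but is not.
LDIF = """dn: uid=puser1,ou=users,dc=myexample,dc=com
uid: puser1
userPassword:: cGl2b3RhbA==

dn: uid=other1,ou=users,dc=myexample,dc=com
uid: other1

dn: cn=PULSEUSER,ou=groups,dc=myexample,dc=com
uniqueMember: uid=puser1,ou=users,dc=myexample,dc=com
"""

def parse_pulse_auth_config(xml_text):  # ldap-server URL plus the provider's attributes
    root = ET.fromstring(xml_text)
    url = urlparse(root.find(NS + "ldap-server").get("url"))
    cfg = dict(root.find(".//" + NS + "ldap-authentication-provider").attrib)
    cfg["scheme"], cfg["base_dn"] = url.scheme, url.path.lstrip("/")
    return cfg

def parse_ldif(text):  # minimal LDIF reader: dn -> {attr: [values]}; '::' marks a base64 value
    entries, cur = {}, None
    for line in filter(None, text.splitlines()):
        attr, sep, val = line.partition(":: " if ":: " in line else ": ")
        val = base64.b64decode(val).decode() if sep == ":: " else val
        if attr == "dn":
            cur = entries.setdefault(val, {})
        cur.setdefault(attr, []).append(val)
    return entries

def is_authorized(cfg, entries, username):
    """Resolve user-dn-pattern and group-search-filter for one login the way Spring Security does."""
    if cfg["scheme"] != "ldaps":  # a plain ldap:// URL would send the Pulse login password in cleartext
        raise ValueError("ldap-server url must use ldaps://")
    user_dn = cfg["user-dn-pattern"].format(username) + "," + cfg["base_dn"]
    group = entries[cfg["group-search-base"] + "," + cfg["base_dn"]]
    attr, _, member = cfg["group-search-filter"].format(user_dn).partition("=")
    return user_dn in entries and member in group.get(attr, [])
```

    Run it against a real `ldapsearch -LLL` export of ou=users and ou=groups to confirm group membership before changing the gfsh start command.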
