
Configuring SSL on an exacqVision Server for Active Directory/LDAP (Windows)

exacqVision 7.2 and higher:

Check the box labeled “Use SSL” on the “ActiveDirectory/LDAP” configuration page, then press “Apply”.

exacqVision prior to 7.2:

This article describes how to configure SSL on exacqVision servers. These steps are needed if you want the exacqVision server's Active Directory traffic protected by SSL.

While there are a number of ways that you can generate, install, and manage certificates in order to use SSL, this document will only describe one of the easiest ways to do so. You can simply export the trusted root certificate that already exists in your Active Directory domain, install it on each of your exacqVision Servers, and thereby enable SSL for successful operations. This article will give you step-by-step instructions on how to do this.


Export Trusted Root Certificate for Your Domain

  1. Log in to any Windows workstation that has already been added to your domain. You must have at least local admin permissions.
  2. Start the Microsoft Management Console (mmc.exe).
  3. If you haven’t already, add the Certificates snap-in:

    a) On the File menu, click Add/Remove Snap-In.
    b) Select Certificates and click Add.
    c) When prompted, select the option to manage certificates for your user account (instead of the service or computer account).
    d) Click Finish.
    e) Click OK to complete this step.
  4. Expand Certificates – Current User in the left pane.
  5. Expand Trusted Root Certification Authorities.
  6. Select the Certificates folder to display your workstation’s currently installed CA certificates. The Issued To field should contain something similar to mydomain-ROOT-CA, where mydomain is your domain name.
  7. Right-click that Issued To entry, point to All Tasks, and select Export.
  8. In the Certificate Export Wizard, select the format choice of Base-64 encoded binary X.509 (.CER). Save it to a local .cer file that you can relocate later. You will then install this same certificate file on every exacqVision Server for which you intend to use SSL.


Certificate Database Location on exacqVision Server

Whenever exacqVision Server attempts to connect to an Active Directory server, it creates the following files in the installation directory, if necessary:

  • cert8.db
  • key3.db
  • secmod.db

In the exacqVision Server installation directory on any exacqVision Server, the following command shows all certificates, including all trusted root certificates, that you have made available to that exacqVision Server for connecting to the directory via SSL:

certutil -L -d .

Import Trusted Root Certificate into Each exacqVision Server

  1. On the actual exacqVision Server, copy your trusted root certificate to the server’s installation directory.
  2. If you have not already verified your exacqVision Server’s LDAP configuration with SSL disabled, do this now. This creates your certificate database files if they do not already exist.
  3. From within the server’s installation directory, execute the following command as local admin:

certutil -A -n "my domain ca cert" -t "C,C,C" -a -i my_cert_file.cer -d .

where my_cert_file.cer represents your trusted root certificate file, and my domain ca cert represents the name by which you want this certificate to be known in the database.

  4. If you get a certutil error similar to “error converting ascii to binary,” try re-exporting your certificate. You might not have correctly selected the “base-64 encoded” format option as indicated.
  5. If you do not get any error messages, your trusted root certificate should have been imported into your certificate database. Verify this by executing the following command:

certutil -L -d .

  6. If your certificate was successfully imported, you will see an entry similar to “my domain ca cert” with the trust flags “C,C,C”.
  7. On your exacqVision Server, run exacqVision Client and open the Active Directory/LDAP tab. Select the SSL checkbox (the port should automatically change to 636), and click Apply. Your exacqVision Server should then reconnect to your Active Directory domain controller.
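
Two checks that catch the failure modes above before you touch the SSL checkbox: whether the exported .cer really is Base-64 (the cause of “error converting ascii to binary”), and whether the domain controller's LDAPS certificate on port 636 actually chains to the root you exported. This is an added example, not code from the exacqVision article or product; the certificate path and the domain controller host name are assumptions (the host name is the sample from the macOS article below).

```python
"""Pre-flight checks for the SSL-to-Active-Directory setup described above.
Added example, not part of the exacqVision article or product.  Assumptions:
the exported root certificate is at ROOT_CA_FILE; the domain controller name
is the sample host from the macOS article below (change it for your domain);
port 636 is the LDAPS port the article's SSL checkbox selects."""
import socket
import ssl

ROOT_CA_FILE = "mydomain-ROOT-CA.cer"        # assumed path of the export
LDAP_SERVER = "adserver2016.exacq.test.com"  # sample host name (assumption)
LDAPS_PORT = 636

def cert_encoding(data: bytes) -> str:
    """Classify an exported .cer as 'pem', 'der' or 'unknown'.  certutil -A -a
    expects Base-64 (PEM); a DER export is what triggers the article's
    'error converting ascii to binary'."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "pem"
    # DER X.509 begins with an ASN.1 SEQUENCE tag (0x30) and a long-form
    # length byte (>= 0x80), since any real certificate exceeds 127 bytes.
    if len(data) > 2 and data[0] == 0x30 and data[1] >= 0x80:
        return "der"
    return "unknown"

def as_pem(data: bytes) -> str:
    """Return the export as PEM text, re-encoding a DER export in place as an
    alternative to re-running the export wizard."""
    kind = cert_encoding(data)
    if kind == "pem":
        return data.decode("ascii")
    if kind == "der":
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("not an X.509 certificate export")

def check_ldaps(host: str = LDAP_SERVER, port: int = LDAPS_PORT,
                cafile: str = ROOT_CA_FILE) -> dict:
    """TLS handshake with the domain controller on 636 trusting only the
    exported root CA.  Raises ssl.SSLCertVerificationError if the DC's
    certificate does not chain to that root or its name does not match;
    run this before ticking the SSL checkbox to confirm the import is enough."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run check_ldaps() from the exacqVision Server itself, since that is the host whose name resolution and network path to the domain controller matter.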

NOTE: The attached article is an older document pertinent to using SSL for communication with an Active Directory or LDAP server.


Configuring-SSL-on-an-exacqVision-Server-for-Active-Directory-LDAP-Windows-1.pdf

MacOS & Mac OS X Client and Active Directory/OpenLDAP/Kerberos

Configuration

The following process allows you to configure ExacqVision permissions and privileges for accounts that exist on an Active Directory/OpenLDAP/Kerberos (directory) server.

NOTE: On a Windows platform, the domain controller must run on Windows Server 2003 operating system or later. If the Active Directory functional level is Windows 2000 or earlier, you must select Password Never Expires in the Active Directory Users and Computers snap-in for any user that will connect to an ExacqVision server.

  1. Note the fully qualified host name (hostname.primary-dns-suffix) and IP address of the ExacqVision server computer, the directory domain, and the fully qualified host name and IP address of the directory server. For example:
        evserver.exacq.test.com        192.168.1.16
        EXACQ.TEST.COM
        adserver2016.exacq.test.com    192.168.1.70
  2. Make sure the fully qualified host names of the directory server and ExacqVision server can be resolved. To do this, open a terminal window, ping the fully qualified host names, and look for a reply. Make sure the IP addresses match the IP addresses of the servers as noted in the previous step.

    NOTE: If the fully qualified host names cannot be resolved for either server, configure your hosts file with the fully qualified host names, as in the following example:
        /etc/hosts
        192.168.1.16        evserver.exacq.test.com
        192.168.1.70        adserver2016.exacq.test.com
  3. Configure Kerberos (KRB5) by completing the following steps:

    a) Execute Kerberos.app from /System/Library/CoreServers.
    b) From the menu, select Edit and then Edit Realms.
    c) In the Edit Realms dialog, click the plus (+) button, and enter the Realm Name in upper case.
    d) Select the Servers tab, click the plus button (+), and enter the IP address or fully qualified domain name of the directory server. Leave KDC as the Type and 88 as the Port.
    e) Click Apply and OK to exit.
    f) Click New.
    g) Enter the username and password for the directory account. To avoid entering the password again after the ticket expires, select Remember This Password in My Keychain.
    h) Make sure the Realm entered earlier in this step is selected from the drop-down list.
    i) Click OK.
    j) If the connection is successful, select the new ticket and click Destroy.
  4. On the ExacqVision Client computer, download and install the ExacqVision software from Exacq.com.
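
The name-resolution check in steps 1 and 2, and a reachability probe of the KDC port used in step 3, as a script you can run from the Mac before opening Kerberos.app. This is an added example, not part of the exacqVision article; the host names and addresses are the article's sample values, and probing TCP port 88 is an assumption about what the realm's KDC entry needs.

```python
"""Name-resolution and KDC reachability check for steps 1 to 3 above.
Added example, not part of the exacqVision article or product.  The host
names and addresses are the article's sample values; the TCP probe of the
KDC on port 88 is an assumption about what the Kerberos.app realm setup needs."""
import socket
from typing import Callable, Dict, List

# Sample values from step 1: fully qualified host name -> address as noted
EXPECTED = {
    "evserver.exacq.test.com": "192.168.1.16",
    "adserver2016.exacq.test.com": "192.168.1.70",
}
KDC_PORT = 88  # the port left at its default in the realm's Servers tab

def resolution_mismatches(expected: Dict[str, str],
                          resolve: Callable[[str], str] = socket.gethostbyname
                          ) -> Dict[str, str]:
    """Step 2: return {fqdn: problem} for each name that does not resolve or
    resolves to an address other than the one noted; empty means all good.
    `resolve` is injectable so the logic can be exercised without DNS."""
    problems = {}
    for fqdn, ip in expected.items():
        try:
            got = resolve(fqdn)
        except OSError as exc:
            problems[fqdn] = f"does not resolve: {exc}"
            continue
        if got != ip:
            problems[fqdn] = f"resolves to {got}, expected {ip}"
    return problems

def hosts_file_lines(expected: Dict[str, str], problems: Dict[str, str]) -> List[str]:
    """The /etc/hosts entries from the NOTE under step 2, but only for names
    that failed, so a DNS answer that is already correct is not overridden."""
    return [f"{ip:<20}{fqdn}" for fqdn, ip in expected.items() if fqdn in problems]

def kdc_reachable(host: str, port: int = KDC_PORT, timeout: float = 3.0) -> bool:
    """Step 3: confirm the directory server accepts TCP connections on the KDC
    port before adding it in the Servers tab of Edit Realms."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    bad = resolution_mismatches(EXPECTED)
    print(bad or "all names resolve to the noted addresses")
    print("\n".join(hosts_file_lines(EXPECTED, bad)))
    print("KDC reachable:", kdc_reachable("adserver2016.exacq.test.com"))
```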

Connecting to ExacqVision Servers

You can connect to your Enterprise ExacqVision servers from the MacOS ExacqVision Client software in any of the following ways:

  • You can use a local ExacqVision Username and Password
  • You can always use your system login without having to enter a Username or Password. In this case, leave the Username and Password empty on the Add Systems page, select ‘Use Single Sign-On’, and click Apply. A pop-up window will prompt you to enter your Kerberos password, which is the same as your domain password.

Adding ExacqVision users from the directory database

When the ExacqVision server is appropriately configured and connected to your directory server, the Users page and the Enterprise Users page each contain a ‘Query LDAP’ button that allows you to search for users or user groups configured in the directory. You can manage their ExacqVision server permissions and privileges using the ExacqVision Client the same way you would for a local user. On the System Information page, the Username column lists any connected directory users along with their directory origin (whether each user was mapped as an individual user or part of a user group) in parentheses.


Mac-OS-X-Client-and-Active-Directory-OpenLDAP.pdf