
  • SAP NetWeaver Identity Management

    Virtual Directory Server

    Using SSL for LDAP communication

    Version 7.1 Rev 1

  • Copyright 2010 SAP AG. All rights reserved.

    No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

    Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

    Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

    IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

    Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

    Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

    Oracle is a registered trademark of Oracle Corporation.

    UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

    Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

    HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

    Java is a registered trademark of Sun Microsystems, Inc.

    JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

    SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

    Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.

    All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

    These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

  • Preface

    The product

    The SAP NetWeaver Identity Management Virtual Directory Server can logically represent information from a number of disparate directories, databases, and other data repositories in a virtual directory tree. Different users and applications can, based on their access rights, get different views of the information.

    Features like namespace conversion and schema adaptations provide a flexible solution that can continually grow and change to support demands from current and future applications, as well as requirements for security and privacy, without changing the underlying architecture and design of data stores like databases and directories.

    The reader

    This manual is intended for people who are to configure the Virtual Directory Server to use SSL either as an LDAP server accepting requests from the clients, or when accessing its LDAP data sources.

    Prerequisite knowledge

    To get the most benefit from this manual, you should have the following knowledge:

    - Knowledge about general use of the Virtual Directory Server.

    The manual

    This document describes how you configure the Virtual Directory Server to use SSL for LDAP communication.

    Related documents

    You can find useful information in the following documents:

    - SAP NetWeaver Identity Management Security Guide
    - SAP Notes
      - 1253778 SAP NetWeaver Identity Management 7.1

  • Table of contents

    Introduction ........................................................................ 1
    Configuring the Virtual Directory Server as a server ................................ 2
      Using SSL without client authentication ........................................... 2
      Using SSL with client authentication .............................................. 6
    Configuring the Virtual Directory Server as a client ................................ 9
      Using SSL without client authentication ........................................... 9
      Using SSL with client authentication ............................................. 12
    Submitting a certificate to a certification authority (CA) ........................ 15
      Creating the certification request ............................................... 15
      Updating the self-signed certificate ............................................. 15
      Verifying your signed certificate ................................................ 16

  • Introduction

    The Virtual Directory Server can use SSL (Secure Sockets Layer) both when accessing LDAP data sources and when accepting LDAP requests from the clients. In the first case, the Virtual Directory Server acts as a client towards these data sources, and in the second case, it is a server.

    The configuration depends on which scenario is to be supported. The Virtual Directory Server supports SSL both as a server and as a client.

  • Configuring the Virtual Directory Server as a server

    When the Virtual Directory Server is deployed as an LDAP server, it can use SSL when communicating with the clients submitting LDAP requests. The Virtual Directory Server can either be configured to request client authentication or not. The first section describes how to configure the Virtual Directory Server to use SSL without requesting client authentication. The second describes how to request client authentication.

    Using SSL without client authentication

    The Virtual Directory Server needs a keystore where the server certificate is stored. For testing purposes, you can use a self-signed certificate, but in a production system, you will normally use a certificate signed by a certification authority (CA). The process of submitting a certificate to a certification authority is described in the section "Submitting a certificate to a certification authority (CA)" on page 15.

    Additionally, you must configure the LDAP deployment to use SSL and add the reference to this keystore.

    Adding the keystore

    The first step is to add the keystore:

    1. Select "Keystore references" and choose New from the context menu:

    Fill in the display name.

    2. Choose "Create".

    Enter the keystore path and the password.

    3. Choose "OK".

    Adding the certificate

    The next step is to add the server certificate. In this example we will add a self-signed certificate, but normally this will be a certificate issued by a certification authority. See "Submitting a certificate to a certification authority (CA)" on page 15.

    1. Choose "Show" in the "New keystore" dialog box.

    2. Choose "Add New Self-Signed Certificate".

    Fill in the fields "Alias", "Distinguished name" and "Password".

    Note: The distinguished name must be a valid LDAP distinguished name of the form key=value.

    Note: The password must be the same as the password for the keystore.

    3. Choose "OK" to close the dialog box.


    4. Select the keystore and choose "View Certificate".

    5. Choose "Copy to File" and select the file that will contain the certificate.

    6. Choose "OK" twice to close the keystore and return to the "New keystore" dialog box.

    7. Choose "OK" to close the "New keystore" dialog box.

    Note: In case you are using a self-signed certificate, you need to submit this certificate to the clients connecting using SSL. They must import this certificate to their truststore.

    Normally, you would get the certificate signed by a certification authority. See "Submitting a certificate to a certification authority (CA)" on page 15.
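    The note above (and the same note in the client-side section "Creating the keystore") requires the "Distinguished name" to be a valid LDAP distinguished name of the form key=value. The following is an added Python example, not part of the SAP document, that splits a DN into its RDNs while honouring backslash escapes, so a value can be checked before it is typed into the keystore dialog; the attribute-type pattern is an assumption.

```python
import re

# Assumption: attribute types are short names like CN/OU/O/C (letters,
# digits, hyphens) or dotted OIDs such as 2.5.4.3.
_TYPE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)+)$")


def _split_unescaped(text, sep):
    """Split text on sep, keeping a separator that is escaped with a backslash."""
    parts, buf, escaped = [], [], False
    for ch in text:
        if escaped:                 # previous char was a backslash: keep literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling backslash")
    parts.append("".join(buf))
    return parts


def parse_dn(dn):
    """Return [(type, value), ...] for a DN, or raise ValueError if malformed.

    RDNs are separated by ',' and each must be key=value; a multi-valued RDN
    such as CN=a+SN=b contributes one pair per attribute.
    """
    if not dn.strip():
        raise ValueError("DN is empty")
    pairs = []
    for rdn in _split_unescaped(dn, ","):
        for ava in _split_unescaped(rdn, "+"):
            if "=" not in ava:
                raise ValueError("RDN %r is not of the form key=value" % ava)
            key, _, value = ava.partition("=")
            key, value = key.strip(), value.strip()
            if not _TYPE_RE.match(key):
                raise ValueError("invalid attribute type %r" % key)
            if not value:
                raise ValueError("attribute %r has an empty value" % key)
            pairs.append((key.upper() if key.isalpha() else key, value))
    return pairs


def is_valid_dn(dn):
    """True if parse_dn() accepts the DN."""
    try:
        parse_dn(dn)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values, not taken from the document.
    for sample in ("CN=vds.example.com, OU=IdM, O=Example, C=DE", "vds.example.com"):
        print(sample, "->", is_valid_dn(sample))
```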

    Configuring the LDAP deployment

    To add an LDAP deployment:

    1. Select "Deployments/LDAP deployments" in the configuration tree and choose New from the context menu.

    Enable the deployment and fill in the fields "Log ID" and "Port number".

    Note: The default SSL port number is 636. Some clients require that this port number is used.

    Note: The Virtual Directory Server is not able to listen on the same port for SSL and non-SSL traffic. If you need both, you must deploy two separate LDAP listeners with different port numbers.

    Select "Enable secure server" to enable SSL for this deployment.

    Select the keystore you created in the "VDS server certificate" list.

    2. Choose "OK".

    Using SSL with client authentication

    When enabling client authentication, the LDAP deployment requires a keystore containing client certificates (or any certificate in the trusted certification path). You must obtain this certificate from the clients or a root certificate covering the clients' certificates.

    Adding the keystore with client certificates

    To add the certificates:

    1. Create the keystore as described in the previous section (page 2).

    2. Choose "Show" in the "New keystore" dialog box.

    3. Choose "Add Certificate".


    Select the file containing the client certificate and choose "Open".

    4. Choose "OK".

    Enter an alias for the certificate.

    5. Choose "OK" to return to the keystore.

    6. Choose "OK" twice to close the keystore and the "New keystore" dialog box.

    Configuring the LDAP deployment

    The LDAP deployment must be configured to require client authentication:

    1. Create an LDAP deployment or open an existing deployment:

    If necessary, configure the options of the LDAP deployment as described in the previous section (page 2).

    Select "Require client authentication".

    Select the keystore containing the certificates used to verify the client certificates in the "SSL truststore" list.

    2. Choose "OK" to close the dialog box.

  • Configuring the Virtual Directory Server as a client

    When the Virtual Directory Server accesses an LDAP data source, it can be configured to use SSL. If the LDAP server requires client authentication, this must be added to the data source configuration.

    The first section describes how to configure a data source with SSL, but no client authentication. The second section describes how to add client authentication.

    Using SSL without client authentication

    First you must add a keystore containing the directory server's public certificate or one of the certificates in the certification path. Additionally you must configure the data source to use SSL.

    Creating the keystore

    To add a keystore with the server's public certificate:

    1. Add a keystore as described on page 2.

    2. Choose "Show" in the "New keystore" dialog box:

    3. Choose "Add Certificate".

    Select the file .der where the server's public certificate is stored.


    4. Choose "Open".

    5. Choose "OK".

    Enter an alias for the certificate.

    6. Choose "OK".

    7. Choose "OK" to return to the keystore.

    8. Choose "OK" twice to close the keystore and the "New keystore" dialog box.

    Configuring the data source

    The SSL configuration is added to the data source properties.

    1. View the properties of an existing data source or create an LDAP data source.

    2. Select the "LDAP" tab:

    Select "SSL" as "Security protocol".

    Select the keystore you created as "Truststore".

    Fill in the other parameters of the data source configuration.

    3. Choose "OK".

    You can now add the data source to a node in the virtual tree.

    Using SSL with client authentication

    If the server requires client authentication, we have to add a keystore containing the certificate used for this authentication. The data source configuration must also be modified to include client authentication.

    Creating the keystore

    First, we create the keystore with the certificate that is used to authenticate the Virtual Directory Server when accessing the directory server. In this example we will add a self-signed certificate, but normally this will be a certificate issued by a certification authority. See "Submitting a certificate to a certification authority (CA)" on page 15.

    Note: A keystore can contain only one private certificate. Normally, there will be one keystore used for this purpose, and each of the data source configurations will reference this keystore. If you need to use different private keys, each key has to be stored in a separate keystore, and you must reference the correct keystore from the data source configuration.

    1. Add a keystore as described on page 2.

    2. Choose "Show" in the "New keystore" dialog box:


    3. Choose "Add New Self-Signed Certificate".

    Fill in the fields "Alias", "Distinguished name" and "Password".

    Note: The distinguished name must be a valid LDAP distinguished name of the form key=value.

    Note: The password must be the same as the password for the keystore.

    4. Choose "OK" to close the dialog box.

    5. Select the keystore and choose "View Certificate":

    6. Choose "Copy to File".

    Choose a location and a name for the .der file.

    7. Choose "OK" twice to close the keystore and return to the "New keystore" dialog box.

    8. Choose "OK" to close the "New keystore" dialog box.

    Note: This certificate must be imported to the directory server's truststore.

    Configuring the data source

    The data source configuration must include a reference to this keystore.

    1. Create an LDAP data source or configure an existing data source:

    Select the keystore created in the previous section in the "Keystore" list.

    2. Choose "OK".

  • Submitting a certificate to a certification authority (CA)

    For testing purposes it can be practical to use a self-signed certificate, but in a production system, you will use a certificate that is signed by a certification authority (CA). The following section describes how you submit a self-signed certificate to be signed by a CA.

    Creating the certification request

    You use the keytool utility (that is part of your Java installation) to create a certification request that can be submitted to the certification authority. Normally, the CA has a service where you can submit the certification request through their web site.

    The keytool utility is normally located in the \bin folder. The keystore must contain a self-signed certificate.

    To create the certification request:

    1. Open a command prompt in the folder where keytool is located and execute the following keytool command:

    keytool -v -certreq -alias -file -keypass -keystore -storepass

    where

    -alias      The alias you used when you created the self-signed certificate.
    -keystore   Path to the keystore containing the certificate.
    -storepass  Password to the keystore.
    -keypass    The certificate password.
    -file       The name of the file that will contain the certification request.

    2. The result of this operation is a file, given by , which may look like this:

    -----BEGIN NEW CERTIFICATE REQUEST-----
    ...
    -----END NEW CERTIFICATE REQUEST-----

    3. Submit this file to the certification authority.

    Updating the self-signed certificate

    The certification authority signs your certificate and returns it to you as a certification response file. You use the keytool utility to process this response file.

    Note: The certification authority may respond with several files. Use the one with the p7b extension.

    To update the original self-signed certificate:

    1. Execute the following keytool command:

    keytool -v -import -alias -file -keypass -keystore -storepass

    where

    -alias      The alias you used when you created the certificate.
    -keystore   Path to the keystore.
    -storepass  Password for the keystore.
    -keypass    The certificate password.
    -file       The name of the file that contains the certificate response.

    2. Answer "Yes" to confirm that you want to install the certificate.
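    Both the certification request written by keytool -certreq and the CA's response (a certificate or a .p7b bundle) are PEM files. The following is an added Python example, not part of the SAP document, that names each PEM block in such a file and checks that its base64 body decodes to a DER object whose outer SEQUENCE length matches the bytes present, a quick way to spot a response that was truncated or saved in the wrong encoding before running keytool -import. The label table and the sample builder are assumptions for demonstration.

```python
import base64
import re

_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# PEM labels seen in the keytool round trip with the CA: the request you
# submit, and the certificate or PKCS#7 (.p7b) bundle the CA returns.
KEYTOOL_LABELS = {
    "NEW CERTIFICATE REQUEST": "certification request (submit to the CA)",
    "CERTIFICATE REQUEST": "certification request (submit to the CA)",
    "CERTIFICATE": "single X.509 certificate",
    "PKCS7": "PKCS#7 bundle (.p7b), may carry the whole chain",
}


def der_sequence_length(der):
    """Length of the outer DER SEQUENCE; ValueError if the tag is wrong or the
    declared length disagrees with the number of bytes actually present."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("DER does not start with a SEQUENCE tag")
    first = der[1]
    if first < 0x80:                       # short form: length fits in one byte
        body_len, header = first, 2
    else:                                  # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("malformed long-form length")
        body_len, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    total = header + body_len
    if total != len(der):
        raise ValueError("SEQUENCE claims %d bytes, file holds %d" % (total, len(der)))
    return total


def is_well_formed_der(der):
    """Boolean wrapper around der_sequence_length()."""
    try:
        der_sequence_length(der)
    except ValueError:
        return False
    return True


def inspect_pem(text):
    """Return [(label, description, der_size), ...] for every PEM block in text.
    Raises ValueError on broken base64 or truncated DER, the usual symptoms of a
    response file damaged in transit or saved in the wrong encoding."""
    blocks = []
    for label, body in _BLOCK_RE.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        der_sequence_length(der)
        blocks.append((label, KEYTOOL_LABELS.get(label, "unknown block type"), len(der)))
    if not blocks:
        raise ValueError("no PEM block found")
    return blocks


def constructed_pem(label, payload):
    """Constructed sample for demonstration: wrap payload (under 128 bytes) in
    an outer SEQUENCE and PEM-encode it. Not a real request or certificate."""
    der = b"\x30" + bytes([len(payload)]) + payload
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)
```

Running inspect_pem() on the CA's files tells you which one is the .p7b bundle and which a single certificate, so you feed the right file to keytool -import.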

    Verifying your signed certificate

    You can now verify the signed certificate:

    1. Open the keystore.

    2. Select the certificate and choose "View Certificate".

    3. Select the "Certification Path" tab.

    4. Verify that the chain of certificates starts with the certification authority's certificate, and that the original certificate is in the chain.
