eSight V300R009C00 Operation Guide 10

How Can I Configure the SSL Certificate Used for Interconnecting eSight with the LDAP Server

Question

How can I configure the SSL certificate used for interconnecting eSight with the LDAP server?

Answer

When eSight connects to the LDAP server over SSL/TLS, you need a certificate issued by a Certificate Authority (CA), or a self-created one, installed on the LDAP server, and the matching certificate files imported into eSight.

Secure connections support one-way and two-way authentication. With one-way authentication, only eSight verifies the LDAP server, so eSight needs just the CA certificate that issued the LDAP server certificate. With two-way authentication, the LDAP server also verifies eSight, so eSight additionally needs an identity certificate with its private key (a .pfx or .p12 file) issued by that CA. The procedures below reuse the LDAP server's own identity certificate for this; a dedicated client certificate issued to eSight is preferable, because the server's private key then never leaves the LDAP server. Perform the steps that apply to your LDAP server.

  • Windows AD server

    By default, Windows AD does not accept LDAP over SSL (LDAPS). To support a secure connection from eSight, install a CA-issued server certificate on the domain controller as follows.

    1. Add the AD certificate services.
      1. Log in to the LDAP server as an operating system user in the Administrators group.
      2. Right-click Computer, and choose Manage from the shortcut menu. The Server Manager page is displayed.
      3. Right-click Roles and choose Add Roles from the shortcut menu in the navigation tree.
      4. In the displayed dialog box, click Server Roles, select Active Directory Certificate Services, and click Next.
      5. Take all default settings for the following steps and click Install.
    2. Issue a server identity authentication certificate.
      1. On the Server Manager page, choose Roles > Active Directory Certificate Services > <CA name> (man-SZX1000068260-CA in this example).
      2. Right-click Certificate Templates and choose Manage from the shortcut menu.
      3. In the Certificate Templates Console, right-click Kerberos Authentication and choose Duplicate Template from the shortcut menu.
      4. In the Duplicate Template dialog box, ensure that Windows Server 2003 Enterprise is selected and click OK.
      5. In the Properties of New Template dialog box, select settings such as Publish certificate in Active Directory and Allow private key to be exported (the latter is needed only because step 4 exports the server's private key for two-way authentication). Then, click OK.
      6. On the Server Manager page, right-click Certificate Templates and choose New > Certificate Template to Issue from the shortcut menu.
      7. In the Enable Certificate Templates dialog box, select the created template and click OK.
    3. Register the certificate.
      1. Choose Start > Run on the desktop, enter MMC, and press Enter.
      2. On the Console page, choose File > Add/Remove Snap-ins.
      3. In Available snap-ins under Add or Remove Snap-ins, select Certificates and click Add.
      4. In the displayed dialog box, select Computer account and click Next.
      5. In the displayed Select Computer dialog box, select Local computer and click Finish.
      6. In the displayed Add or Remove Snap-ins dialog box, click OK.
      7. In the Console navigation tree, unfold Certificates (Local Computer) and choose Personal.
      8. Right-click Certificates and choose All Tasks > Request New Certificate from the shortcut menu.
      9. In the Certificate Enrollment dialog box, click Next.
      10. In the Select Certificate Enrollment Policy dialog box, select Active Directory Enrollment Policy and click Next.
      11. Select the certificate based on the duplicated Kerberos Authentication template (the template created in step 2.3), which allows it to be used for server authentication, and click Enroll.
      12. In the Certificate Enrollment dialog box, click Finish.
    4. Export the authentication certificate.
      1. In the Console navigation tree, unfold Certificates (Local Computer) and choose Personal.
      2. Right-click the newly registered authentication certificate and choose All Tasks > Export from the shortcut menu.
      3. In the Certificate Export Wizard dialog box, click Next.
      4. Select Yes, export the private key and click Next.
      5. Select Export all extended properties and click Next.
      6. Set a password that needs to be entered when a certificate is imported, and click Next.
        NOTE:

        Keep the password safe; it is required when setting the interconnection parameters on eSight.

      7. In File name, enter the path, file name, and file name extension (.pfx), and click Next.

        Example: D:\windowsAD.pfx

      8. Click Finish.
    5. Export the CA root certificate.
      1. In the Console navigation tree, unfold Certificates (Local Computer) and choose Personal.
      2. Right-click the CA root certificate and choose All Tasks > Export from the shortcut menu.
      3. In the Certificate Export Wizard dialog box, click Next.
      4. Select No, do not export the private key and click Next.
      5. Select DER encoded binary X.509 (.CER) and click Next. Because no private key is exported, the wizard does not ask for a password.
      6. In File name, enter the path, file name, and file name extension (.cer), and click Next.

        Example: D:\huawei.cer

      7. Click Finish.
    6. Import the certificate.
      1. On the Console page, choose File > Add/Remove Snap-ins.
      2. In Available snap-ins under Add or Remove Snap-ins, select Certificates and click Add.
      3. In the displayed dialog box, select Service account and click Next.
      4. In the displayed Select Computer dialog box, select Local computer and click Next.
      5. In the Certificates snap-in dialog box, select Active Directory Domain Services and click Finish.
      6. In the displayed Add or Remove Snap-ins dialog box, click OK.
      7. In the Console navigation tree, unfold Certificates (Active Directory Domain Services), right-click NTDS\Personal, and choose All Tasks > Import from the shortcut menu.
      8. In the Certificate Import Wizard dialog box, click Next.
      9. Click Browse and find the exported authentication certificate file.
      10. Enter the password that is set when the authentication certificate is exported, and click Next.
      11. Ensure that Place all certificates in the following store is set to NTDS\Personal. Then, click Next.
      12. Check the settings and click Finish.
      13. In the Console navigation tree, choose NTDS\Personal > Certificates, right-click the imported certificate, and choose Open from the shortcut menu.
      14. On the Details tab of the Certificate dialog box, select Enhanced Key Usage, confirm that Server Authentication (1.3.6.1.5.5.7.3.1) is listed, and click OK. Without this usage the domain controller will not use the certificate for LDAPS.
    7. Place the authentication certificate (.pfx) exported in step 4 and the CA certificate (.cer) exported in step 5 in the <Installation directory>/eSight/etc/certificate directory on the eSight server.
    8. Restart eSight.
  • SUSE OpenLDAP server
    • Scenario 1: OpenLDAP has a certificate deployed.
      1. Obtain the certificate directory.

        Go to the OpenLDAP configuration file directory, that is, <Installation directory>/openldap/etc/openldap/.

        Open the slapd.conf configuration file. The TLSCACertificateFile, TLSCertificateFile, and TLSCertificateKeyFile directives give the paths of the CA certificate, the server certificate, and the server private key.

        The figure in the original document showing these certificate directives is not reproduced here.

      2. Export a .p12 certificate.

        For example, run the openssl command to combine the server.crt and server.key files in that directory into the identity certificate server.p12 (you will be prompted for an export password, which eSight needs when importing the file):

        # openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12

      3. Import the certificates.

        Save the identity certificate server.p12 and the CA certificate ca.crt in the <Installation directory>/eSight/AppBase/etc/certificate directory on the eSight server.

      4. Restart eSight.
    • Scenario 2: OpenLDAP has no certificate deployed.

      The following describes how to generate the certificates using openssl:

      1. Log in to the LDAP server as the root user.
      2. Create a working directory (any name and location) and go to it.

        # mkdir /var/certs

        # cd /var/certs

      3. Generate a CA certificate.
        1. Generate a CA private key.

          # openssl genrsa -out ca.key 2048

        2. Use the CA private key to generate a CA certificate.

          # openssl req -new -x509 -days 36500 -key ca.key -out ca.crt

          Enter related certificate information as prompted. Note that -days 36500 gives the CA certificate a 100-year validity; a shorter period such as 3650 days is more appropriate outside a lab.

      4. Create the directories and index files that openssl ca expects (matching the default [CA_default] section of openssl.cnf).

        # mkdir demoCA

        # cd demoCA/

        # mkdir newcerts

        # touch index.txt

        # echo '01' > serial

      5. Issue the server certificate through the CA.
        1. Generate a server private key.

          # openssl genrsa -out server.key 2048

        2. Use the server private key to generate a certificate request file on the server side.

          # openssl req -new -key server.key -out server.csr

          Enter related certificate request information as prompted.

        3. Use the certificate request file to issue a server certificate signed by the CA. With the default openssl.cnf policy, the countryName, stateOrProvinceName, and organizationName in the request must match the CA certificate or the command fails; add -policy policy_anything to relax this.

          # openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key

        4. Export a .p12 certificate.

          # openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12

      6. Configure certificates.

        Go to the OpenLDAP configuration file directory, that is, <Installation directory>/openldap/etc/openldap/.

        In the slapd.conf configuration file, point the TLSCACertificateFile, TLSCertificateFile, and TLSCertificateKeyFile directives at ca.crt, server.crt, and server.key: either change the paths to the directory where the certificates were created, or move the certificates to the paths already in the file. The figure in the original document showing these directives is not reproduced here.

      7. Import the certificate.

        Save the ca.crt and server.p12 certificates to the <Installation directory>/eSight/AppBase/etc/certificate directory on the eSight server. Alternatively, issue a separate client certificate for eSight from the same CA and place it (as a .p12 file) together with ca.crt instead; this is preferable because the LDAP server's private key then never leaves the LDAP server.

      8. Restart eSight.
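The AD procedure (the Enhanced Key Usage check in step 6.14) and the OpenLDAP Scenario 2 procedure both come down to the same requirements: a server certificate that chains to a CA certificate eSight trusts, carries the serverAuth EKU, names the LDAP host, and is bundled with its key as a PKCS#12 file eSight can open. The following shell script is an added example and not code from the eSight documentation. It builds such a CA and server certificate with openssl, using `openssl x509 -req` instead of the page's `openssl ca` run so that the SAN and EKU extensions can be set from a small extension file without the demoCA directory, and then verifies the result. The host name ldap.example.com, the temporary working directory, the .p12 password, and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the eSight documentation: build a private CA, issue an
# LDAP server certificate with the extensions LDAPS clients expect, bundle it as
# PKCS#12, and verify everything before the files are copied to eSight.
# Assumptions: openssl (1.1.1 or later) is in PATH; LDAP_HOST is a constructed
# example name; WORKDIR defaults to a temporary directory (the page uses /var/certs).
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
LDAP_HOST="${LDAP_HOST:-ldap.example.com}"   # constructed; must match the name eSight connects to
P12_PASS="${P12_PASS:-changeit}"             # the password eSight asks for when importing the .p12

# Build the CA and the server certificate. Unlike the page's plain `openssl ca`
# run, the server certificate gets a subjectAltName matching the LDAP host name
# and the serverAuth EKU (1.3.6.1.5.5.7.3.1) that Windows AD requires for LDAPS.
make_ldap_certs() {
    d="$WORKDIR"
    # CA key and self-signed CA certificate (10 years rather than the page's 36500 days)
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$d/ca.key" -out "$d/ca.crt" \
        -subj "/CN=Example LDAP CA" 2>/dev/null
    # Server key and certificate request
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -key "$d/server.key" -out "$d/server.csr" \
        -subj "/CN=$LDAP_HOST" 2>/dev/null
    # Extensions the request itself does not carry
    cat > "$d/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$LDAP_HOST
EOF
    # Sign with the CA; `x509 -req -CA` needs none of the demoCA/ index or serial files
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -extfile "$d/server.ext" -out "$d/server.crt" 2>/dev/null
    # Identity bundle for eSight; -certfile adds the CA so the chain travels with it
    openssl pkcs12 -export -in "$d/server.crt" -inkey "$d/server.key" \
        -certfile "$d/ca.crt" -out "$d/server.p12" -passout "pass:$P12_PASS"
}

# Checks worth running before copying files to eSight. Returns 0 only if:
#  1. server.crt chains to ca.crt,
#  2. it carries the serverAuth EKU,
#  3. its SAN matches the LDAP host name eSight will be configured with,
#  4. server.p12 opens with the password that will be entered in eSight.
verify_ldap_certs() {
    d="$WORKDIR"
    openssl verify -CAfile "$d/ca.crt" "$d/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$d/server.crt" -noout -text \
        | grep -q "TLS Web Server Authentication" || return 1
    openssl x509 -in "$d/server.crt" -noout -text \
        | grep -q "DNS:$LDAP_HOST" || return 1
    openssl pkcs12 -in "$d/server.p12" -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
        | grep -q "BEGIN CERTIFICATE" || return 1
    return 0
}

# Live check of a deployed LDAPS endpoint (AD or OpenLDAP) from the eSight host:
# succeeds only if the chain the server presents verifies against ca.crt.
# Needs network access, so it is not exercised offline.
check_ldaps_endpoint() {   # usage: check_ldaps_endpoint host [port]
    printf '' | openssl s_client -connect "$1:${2:-636}" -servername "$1" \
        -CAfile "$WORKDIR/ca.crt" 2>/dev/null | grep -q "Verify return code: 0 (ok)"
}
```

Run make_ldap_certs followed by verify_ldap_certs; once server.crt and server.key are referenced from slapd.conf (or the .pfx is imported into NTDS\Personal on AD) and the service restarted, check_ldaps_endpoint <host> from the eSight server confirms that the certificate actually served chains to ca.crt. With OpenSSL 3, pkcs12 -export writes the bundle with PBES2/AES encryption; if an older Java keystore implementation on the consuming side rejects it, re-export with the -legacy option.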
Updated: 2019-09-07

Document ID: EDOC1100011877
