(SOLVED) Active Directory LDAPS for User source - LDAPS/SSL How to?

Hello,
I’ve started working on AD User sources for our role management, and we have gotten it working as expected with LDAP.
However, our organisation is requiring we use LDAPS from the start.
I’ve checked the docs (https://docs.inductiveautomation.com/display/DOC79/Active+Directory+Authentication) and the forum for more resources but I don’t find any that go into detail on what exactly I need to do to set this up.

I need to ask our AD Admins for a certificate? If Yes, what type exactly?
Then i guess i need to import this into the java keystore on each ignition server?
The error messages, even on TRACE level don’t really explain what is failing.
Any step-by-step pointers or explicit information on what to ask our admins, the type of cert, etc would be greatly appreciated. Thx
David

ok, i figured out the ssl.key default keystore
I also figured out importing our root AD certificates into this keystore

but it still fails to work.
if there are any other points i’m missing, i’d appreciate the help

What version of Ignition are you using?

Either way the ssl.key keystore isn’t the right place for your AD certificates. They need to be put into Java’s root certificate keystore.

1 Like

hello,
I’m using 8.0. So my understanding was that Ignition packages its own java JREs etc in 8.0+.
I’ve tried importing root certificates into the cacerts keystores under the lib\runtime\jre-win\bin\ folder and the C:\Program Files\Java[version]\lib\security\ folder, but no luck…

Any more info on how to do that? I just got asked today that we need to switch over to LDAPS soon.

Hi,
So from what i can tell, there isn’t a need to import certificates in any keystore for LDAPS.
You change the port from 3268 to 3269 (using global catalog) or to 636 IIRC…
And you need to specify a domain controller, you can’t just specify the domain:
eg. dc01.contoso.com instead of just contoso.com.

I need to rebuild my test server (time, oh the enemy of all…) to verify this, but from what I saw no need for certificate importing.

I’ll post more when i get around to redoing this test without a ‘polluted’ server, with all the tests I did before.

1 Like

I tried the 3269 and still having issues connecting… switch back to un-secure and all is well.

Are you on Ignition 7.9 or 8.0?

Watching this. Having the same problem on 7.9 and 8.

LDAP works fine, but switching to LDAPS and enabling SSL and authentication for users fails.

On both 7.9 and 8.0 what you probably have to do is import the AD certificate (and possibly any intermediate certificates) into Java’s cacerts keystore.

If you’re on 7.9 this is gonna be in lib/security wherever Java is installed, and probably needs to be re-imported every time you update Java.

On 8.0 you just drop it into the data/certificates/supplemental folder wherever Ignition is installed and restart Ignition (or wait, maybe?) and it should get imported into the distributed runtime’s keystore automatically.

ok cool - i’ll give it a shot. What format do the certs need to be? .cer?

The certificate should be in binary (DER-encoded) format.

Ok, this worked like a charm - thank you

I actually wrote a batch script to help get this right for me in our company, as it was multiple steps with so many things that could go wrong. As of today, this only works for Ignition 7.9.

First, if you are still using LDAP for authentication and users are currently logging in, you should stop ASAP. You are exposing their credentials in clear text (just Wireshark the traffic and you will see it).

As others have pointed out, there is not a lot of feedback for not getting LDAPS to work. Here are a few tips I can give. First, ensure you change the ports from 336 to 636 and turning on SSL. Second, the AD server may not allow anonymous connections, so entering account credentials into Ignition is important - double check that these are correct. You might ask your IT department to give you an account that doesn’t expire like most other ones. You will get error messages in the gateway logs if it’s not correct. Third, and the most difficult part, was understanding when Java was having an issue connecting securely to your AD server. This information is not logged in Ignition and not much of anywhere. You must get the domain’s Root CA added to the Java Keystore (not the Ignition keystore - this is for securing the gateway webpage and client connections), as when it connects to it, it attempts to validate the certificate and is likely not one that is added by default (and Java doesn’t trust the connection, so it disconnects without doing anything). In our company, we utilize Microsoft Active Directory Certificate Services to generate certificates for our internal servers. This step may be difficult for many companies that have their own Root CA stood up.

If you are in this case, instruct their IT group to go to the AD Certificate Services website (servername.domain/certsrv/).

  1. Select the task, Download a CA Certicate, certificate chain, or CRL
  2. Then select the most current CA certificate.
  3. Choose DER or Base 64 encoding. (NOTE: I’ve used Base 64 without a problem)
  4. Choose Download CA Certificate

You will need to get this certificate to the Gateway machine. For Ignition 7.9, you will require the use of the Java keytool to install it. In my batch script, I detect 32/64 bit as well as Java version, but the tool will be in the \bin\keytool.exe of the Java path on the system, something like C:\Program Files\Java\jre1.8.0_181 and the Java Keystore is stored in \lib\security\ as the cacerts file.

The command to add the Certificate is:

keytool.exe -importcert -noprompt -trustcacerts -alias domain -file <filepath to generated Root CA> -keystore <filepath to java keystore> -storepass <password for java keystore - default is ‘changeit’ >

3 Likes

Hi all,
Thank you so much for correcting and completing this topic. I have not been able to cleanly go through my previous steps and do trial and error to correct the procedure myself, and the information shared here is highly valuable to us.
much appreciated !

I have dropped my *.DER format certificate in the folder. I rebooted the server and am still failing to connect to the LDAPS server I am aiming at. How can I determine if this cert has been applied? Is there a keystore that I could look at? I am running Ignition 8.0.9

They should get pulled into the cacerts keystore at $IGNITION/lib/runtime/jre-mac/lib/security/cacerts (your runtime location may differ)

Hi there. Due to the plain text issue of LDAP I nee to get LDAPS working with ignition 8.0.12. Im not clear on exactly how i install the Certificate? could someone just clarify?

Just drop your certificate(s) into InstallDir\data\certificates\supplemental The GW should pick them up after a period of time or restart the GW to ensure they are imported into your keystore. Then you can activate LDAPS in your Usersource settings.

Thank you