Enabling LDAPS on Primis

Perform the following steps if the Active Directory server has its own CA certificate

  1. Copy the CA certificate from the Active Directory server to the Primis server.

  2. Import the CA certificate into the Java keystore by entering the command

    keytool -keystore /var/opt/viscount/etc/freedom_truststore.jks -importcert -alias domain.com -file <CA certificate of the Active Directory server>

  3. Edit the /var/opt/viscount/etc/env file, find the line specifying ENGINE_DAEMON_OPTS, and add the following options at the beginning of its value

    -Djavax.net.ssl.trustStore=/var/opt/viscount/etc/freedom_truststore.jks -Djavax.net.ssl.trustStorePassword=keystore_password

    After the change, the line should look like the following:

    ENGINE_DAEMON_OPTS="-Djavax.net.ssl.trustStore=/var/opt/viscount/etc/freedom_truststore.jks -Djavax.net.ssl.trustStorePassword=keystore_password ${ENGINE_DEBUG} …

  4. Restart PRIMIS by entering the command

    systemctl restart engine tomcat

  5. Log in to the Primis Web application, select System -> Active Directory, and edit the LDAP connection. Update the Server URL to use LDAPS by changing the protocol from “ldap” to “ldaps” and appending the port “:636” to the URL, e.g.

    ldaps://<AD domain>:636

  6. Test the PRIMIS to Active Directory connection by clicking the “Test Connection” button.

Perform the following steps if you want to install a self-signed CA certificate on the Active Directory server

  1. Log in to the Primis server and change your current working directory by entering the command

    cd /var/opt/viscount/etc

  2. Generate a private key that will be used to sign the root certificate by entering the command

    openssl genrsa -des3 -out rootCA.key 2048

    and then enter a password when prompted.

  3. Create the root certificate, and sign with the newly created private key by entering the command

    openssl req -x509 -new -key rootCA.key -days 3650 -out rootCA.crt

    and then answer the information prompts that follow.

  4. Copy the root certificate “rootCA.crt” to the domain controller and import it using the MMC console into the computer account Trusted Root Certification Authorities folder.

  5. On the domain controller, generate a certificate signing request (CSR) by creating a .inf file. Once the file is created, generate the CSR by entering the following command

    certreq -new device_request.inf device.csr

    An example .inf file is as follows. Be sure to enter your own values in the “Subject” line (the same fields the openssl prompts asked for in step 3).

    ;--------------------- request.inf ---------------------
    [Version]
    Signature="$Windows NT$"
    [NewRequest]
    Subject = "CN=dc1.acme.com,OU=IT,DC=dc1,DC=acme,DC=com,O=ACME,L=New York,S=New York,C=US"
    ;
    KeySpec = 1
    KeyLength = 1024
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0
    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

  6. Copy the CSR back to the PRIMIS server and sign it with the root certificate, which creates the signed device certificate. Do this by entering the following command

    openssl x509 -req -days 3650 -in device.csr -CA rootCA.crt -CAkey rootCA.key -set_serial 01 -out device.crt

  7. Copy the device certificate to the domain controller, and import it using the MMC console into the computer account personal folder.

  8. Restart the domain controller.

  9. Import the previously created root certificate into the Java keystore by entering the command

    keytool -keystore /var/opt/viscount/etc/freedom_truststore.jks -importcert -alias domain.com -file /var/opt/viscount/etc/rootCA.crt

  10. Edit the /var/opt/viscount/etc/env file, find the line specifying ENGINE_DAEMON_OPTS, and add the following options at the beginning of its value

    -Djavax.net.ssl.trustStore=/var/opt/viscount/etc/freedom_truststore.jks -Djavax.net.ssl.trustStorePassword=keystore_password

    After the change, the line should look like the following:

    ENGINE_DAEMON_OPTS="-Djavax.net.ssl.trustStore=/var/opt/viscount/etc/freedom_truststore.jks -Djavax.net.ssl.trustStorePassword=keystore_password ${ENGINE_DEBUG} …

  11. Restart PRIMIS by entering the command

    systemctl restart engine tomcat

  12. Log in to the Primis Web application, select System -> Active Directory, and edit the LDAP connection. Update the Server URL to use LDAPS by changing the protocol from “ldap” to “ldaps” and appending the port “:636” to the URL, e.g.

    ldaps://<AD domain>:636

  13. Test the PRIMIS to Active Directory connection by clicking the “Test Connection” button.
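The env-file edit (step 3 above, repeated as step 10) and the Server URL change (step 5, repeated as step 12) are easy to get wrong by hand, e.g. a stray space after "-D" or duplicated options on a second run. The following added script, which is not part of Primis or Viscount, applies both changes to text so the result can be checked before the server is touched; the env-file layout and the SAMPLE_ENV contents are assumptions based on the snippet shown above.

```python
import re
from urllib.parse import urlsplit, urlunsplit

TRUSTSTORE = "/var/opt/viscount/etc/freedom_truststore.jks"


def truststore_opts(password: str) -> str:
    """The two -D options that step 3 / step 10 prepends to ENGINE_DAEMON_OPTS."""
    return (f"-Djavax.net.ssl.trustStore={TRUSTSTORE} "
            f"-Djavax.net.ssl.trustStorePassword={password}")


def add_truststore_opts(env_text: str, password: str) -> str:
    """Return env_text with the trust-store options at the start of the quoted
    ENGINE_DAEMON_OPTS value. Idempotent: re-running the procedure does not
    stack duplicate options, and a missing line is reported, not silently added."""
    pattern = re.compile(r'^(ENGINE_DAEMON_OPTS=")(.*)$', re.MULTILINE)
    match = pattern.search(env_text)
    if match is None:
        raise ValueError("ENGINE_DAEMON_OPTS line not found in env file")
    if "-Djavax.net.ssl.trustStore=" in match.group(2):
        return env_text  # already configured; leave the file alone
    new_line = f"{match.group(1)}{truststore_opts(password)} {match.group(2)}"
    return env_text[:match.start()] + new_line + env_text[match.end():]


def to_ldaps_url(url: str) -> str:
    """Step 5 / 12: switch the scheme to ldaps and the port to 636, keeping the
    host and any base DN path. An ldaps URL already on 636 comes back unchanged;
    anything that is not an LDAP URL is rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    return urlunsplit(("ldaps", f"{parts.hostname}:636",
                       parts.path, parts.query, parts.fragment))


# Constructed sample env file (assumed layout), not copied from a real install.
SAMPLE_ENV = 'JAVA_HOME=/usr/lib/jvm/java\nENGINE_DAEMON_OPTS="${ENGINE_DEBUG} -Xmx2g"\n'

if __name__ == "__main__":
    print(add_truststore_opts(SAMPLE_ENV, "keystore_password"))
    print(to_ldaps_url("ldap://dc1.acme.com:389"))
```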
