KB_160113: How To configure Active Directory SSL Back-End Authentication in IDENTIKEY Authentication Server (IAS) on Linux
5/12/2017 12:10:03 PM
When Microsoft Active Directory is used as the back-end authentication server for IAS, the back-end connection must be configured to match the directory. If Active Directory is configured to communicate via SSL, then IDENTIKEY Authentication Server must also be configured to use SSL when talking to Active Directory.
This involves the following steps:
1. Generating and exporting the required CA Certificate in AD.
2. Converting the CA Certificate and importing it into IAS.
Generating and exporting the CA Certificate in AD
1. Launch the Windows Certification Authority application. On most Windows servers this is found under Start > Administrative Tools > Certification Authority.
2. Select a certification authority, right-click it, and select Properties.
3. In the Properties window, click the View Certificate button.
4. In the Certificate window, select the Details tab and click the Copy to File button. This launches the Certificate Export Wizard.
5. In the Certificate Export Wizard, click Next.
6. Select the DER encoded binary (.CER) option and click Next. Specify the path and name of the CA Certificate file and click Next.
7. Click Finish to export the certificate, then click OK.
Convert the .cer file and import it into IAS
1. Convert the .cer file to a .pem file using the command:
openssl x509 -inform DER -outform PEM -in certname.cer -out certname.pem
where certname is the name of the self-signed CA certificate exported above.
IDENTIKEY Authentication Server ships with a specific version of the OpenSSL utility. VASCO advises that you use this version for any procedure in this article involving the openssl command. This version of OpenSSL is located in <install_dir>\bin\, where <install_dir> is the installation directory of IDENTIKEY Authentication Server. By default this directory is C:\Program Files\VASCO\IDENTIKEY Authentication Server on Windows or /opt/vasco/ias on Linux.
2. Obtain the hash of the .pem file using the following command:
openssl x509 -noout -hash -in certname.pem
3. Record the hash output of this command and rename the .pem file to hashvalue.0. For example, if the hash result is 54321, rename the .pem file to 54321.0.
4. Copy the renamed .pem file to /etc/ssl/certs.
Make sure to manually restart the VASCO IDENTIKEY Authentication Server service. If the service is not restarted, the certificate files will not be read!
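The conversion, hashing and copy steps above can be scripted. The following is an added example, not part of the original KB or of the IAS product: it installs an exported .cer into an OpenSSL hashed certificate directory and, going one step beyond the article, picks the suffix .1, .2, ... when a different CA already occupies hashvalue.0 (OpenSSL's own convention for such directories). The OPENSSL variable, install_ca_cert and verify_with_capath are names chosen for this example; point OPENSSL at the IAS-bundled binary if you follow VASCO's advice.

```shell
#!/bin/sh
# Added example: install an AD CA certificate exported as DER (.cer) into an
# OpenSSL hashed certificate directory (e.g. /etc/ssl/certs) as <hash>.N.
# Assumption: OPENSSL names the openssl binary to use; the system binary is
# the default, IAS ships its own under <install_dir>/bin.
OPENSSL="${OPENSSL:-openssl}"

# Subject hash OpenSSL uses to name files in a CApath directory (8 hex digits).
cert_hash() {
    "$OPENSSL" x509 -noout -hash -in "$1"
}

# install_ca_cert <certname.cer> <certs_dir>
# Converts DER -> PEM, computes the hash and copies the PEM into certs_dir as
# <hash>.0 (or .1, .2, ... if a different CA already has that hash).
# Prints the path of the installed file; returns non-zero on failure.
install_ca_cert() {
    cer="$1"; dir="$2"
    pem="${cer%.cer}.pem"
    # Step 1: DER (.cer) to PEM; openssl fails if the input is not DER.
    "$OPENSSL" x509 -inform DER -outform PEM -in "$cer" -out "$pem" || return 1
    # Step 2: subject hash of the certificate.
    hash=$(cert_hash "$pem") || return 1
    # Step 3: find a free suffix; re-use the slot if this exact cert is there.
    n=0
    while [ -e "$dir/$hash.$n" ]; do
        if cmp -s "$pem" "$dir/$hash.$n"; then
            echo "$dir/$hash.$n"; return 0
        fi
        n=$((n + 1))
    done
    # Step 4: copy into the hashed directory (IAS must be restarted afterwards).
    cp "$pem" "$dir/$hash.$n" || return 1
    chmod 0644 "$dir/$hash.$n"
    echo "$dir/$hash.$n"
}

# verify_with_capath <cert.pem> <certs_dir>
# Confirms OpenSSL can locate the CA through the hashed directory lookup.
verify_with_capath() {
    "$OPENSSL" verify -CApath "$2" "$1" >/dev/null 2>&1
}
```

Run as `install_ca_cert certname.cer /etc/ssl/certs` with the privileges needed to write there, then restart the IAS service as described above.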
Applies to: IDENTIKEY Authentication Server
KB 160113 – 12/05/2017
© 2017 VASCO Data Security. All rights reserved.