To connect DualShield to Active Directory via LDAP over SSL (LDAPS), you must tell your DualShield server to trust your AD server. In other words, you must import the CA certificate that was used to sign the server certificate of your AD server into the keystore of your DualShield server as a trusted root certificate.

Configure Active Directory Authentication with LDAP over SSL

First of all, make sure that your AD server is fully configured to accept SSL connection. To verify that your AD server is enabled with LDAPS connection, you can run a Microsoft support tool LDP.EXE on your AD server. You should see the following output:

      

If your AD server is not yet configured to accept SSL connection, then you must first enable the SSL connection. The article below has detailed instructions:

Configure Active Directory Authentication with LDAP over SSL

It might also be useful to read the following Microsoft Articles:

Export CA Certificate from the AD Server

Once your AD server is configured to accept LDAPS connection, you need to export the CA certificate from your AD server.

The CA used to sign the LDAPS certificate is not necessary to be the one of your Certification Authority, so the safe way to locate the CA is to follow the steps below:

Normally it has "DomainController" as its Certificate Template Name.

The Active Directory fully qualified domain name of the domain controller (for example, povm2k3svr.parkoffice.com) must appear in one of the following places:

In our example, the CA to sign the LDAPS certificate is the highlighted one "ca".

To export the CA certificate:

Import CA Certificate into DualShield

Next, you need to import the CA certificate into your DualShield's keystore. DualShield's keystore is a JAVA keystore and there is a tool included in the DualShield that can be used to import certificates. Follow the steps below:

  1. navigate to "tools" folder in your DualShield directory, e.g. C:\Program Files\Deepnet DualShield\tools
  2. unzip "portecle.zip"
  3. navigate to the Portecle folder, e.g. C:\Program Files\Deepnet DualShield\tools\portecle-1.7\portecle-1.7
  4. open Windows CMD console
  5. execute "portecle.jar", e.g. ..\..\..\jre\bin\java -jar portecle.jar

      

you should now see the Portecle's user interface:

      

  1. Select "File | Open CA Certs Keystore"
  2. Enter the default password: "changeit"
  3. Select "Tools | Import Trusted Certificate" and import your CA certificate

Please note that if you can double click the file portecle.jar to run this utility, then it is very likely that you have another JRE installed on this machine that is NOT the one used in DualShield. In that case, please choose the menu "Open Keystore File..." instead, then locate the file "cacerts" under DualShield installation folder.

Alternatively, you can import a root or intermediate CA certificate to an existing Java keystore with following command

     C:\Program Files\Deepnet DualShield\jre\bin\keytool -import -trustcacerts -alias root -file yourca.crt -keystore C:\Program Files\Deepnet       DualShield\jre\lib\security\cacerts

Once you have successfully import your AD's CA certificate into your DualShield's keystore, restart the DualShield server.

Finally, in DualShield,  modify the LDAP connection of your Identity Source that's connected to your AD server.