How to Enable Active Directory and LDAP Authentication

Authentication is the act of verifying the identity of a user who requests access to the Identity Governance Portal (what that user may then do in the Portal is authorization, which is handled separately). Active Directory is a directory service for Windows networks and is included in most Windows Server operating systems. LDAP is the protocol for maintaining and accessing directory information over an IP network.
As a system administrator, you can authenticate user access to the Identity Governance Portal with Active Directory and LDAP.
The following diagram illustrates how to enable Active Directory, LDAP, and Workpoint server authentication:
[Diagram: enabling Active Directory, LDAP, and Workpoint server authentication (image not reproduced)]
Follow these steps to configure Identity Governance for Active Directory and LDAP authentication:
Enable Active Directory Authentication
You enable Active Directory authentication by setting properties in the Portal.
Follow these steps:
 
  1. In the Portal, click Administration, Settings, Properties Settings.
    The Properties Settings window appears.
  2. Set these properties as follows:
    • sage.security.disable.ADAuthentication
      Defines whether Active Directory authentication is disabled. Set this value to False to enable Active Directory authentication.
      Default: True
    • security.ldap.server
      Defines the LDAP server host name or the Active Directory server IP address (example: HOSTNAME.org.com).
      Default: adserver
    • (Optional) security.manager.dn
      Specifies the distinguished name (DN) of the bind account (AD_bind_account) that the Portal uses to connect to Active Directory (example: administrator). The DN is usually required only when using SSL authentication.
      Default: AD1\Administrator
    • (Optional) security.manager.password
      Specifies the password of the bind account (AD_bind_account_password).
      Default: eurekify
      Change this value from the documented default, and use a dedicated, least-privileged bind account rather than a domain administrator.
    • sage.security.credential.expiration.seconds
      Defines how long authenticated credentials are cached before they expire, in seconds. Set this value to 60.
      Default: 60
    • sage.security.eurekify.keyStore.file
      Defines the path of the keystore file. Set this property when using SSL and the Active Directory certificate has been added to a JVM keystore file.
      Default: none
    • sage.security.eurekify.keystore.password
      Defines the keystore password. Set this property when using a JVM keystore file for SSL.
      Default: none
      Use the separate instructions in (Optional) Configure Active Directory with SSL Using a Personal Keystore if you want to use a personal keystore instead of the JVM keystore.
    • sage.security.disable.ssl.ADAuthentication
      Defines whether SSL is disabled for the connection to Active Directory. Set this value to False to connect over SSL (LDAPS, port 636). With the default value of True, the connection is not encrypted, so the bind account credentials and the passwords of users being authenticated cross the network without transport protection.
      Default: True
    • sage.default.domain
      Defines the Active Directory domain (Active_Directory_domain).
      Default: none
      • The Login ID field in the database must include the domain name (example: domain\jsmith, where domain is the domain name and jsmith is the login ID).
      • When logging in, the user must provide the Login ID in the same form (example: domain\jsmith). If the Active Directory domain is set in the sage.default.domain property, the domain is not required and the user provides only the login ID (jsmith).
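To make the interaction of these properties concrete, the following Python script is an added example (not part of this page or of Identity Governance). It parses a properties file, flags the settings a practitioner should check before turning Active Directory authentication on, and resolves a Portal login the way the sage.default.domain rule above prescribes. The property names are the ones listed above; the sample values, the function names and the finding messages are this example's own.

```python
"""Audit Identity Governance Active Directory authentication properties.

Added example (not product code): parses Java-style .properties text, reports
settings that leave the Portal either unable to authenticate or authenticating
over an unencrypted channel, and shows how a login is resolved against
sage.default.domain. Property names come from the page; the sample values are
constructed for illustration.
"""

# Constructed sample: the page's defaults, with AD authentication enabled
# but nothing else changed.
SAMPLE_PROPERTIES = """\
# AD authentication settings (constructed sample)
sage.security.disable.ADAuthentication=False
security.ldap.server=adserver
security.manager.dn=AD1\\Administrator
security.manager.password=eurekify
sage.security.credential.expiration.seconds=60
sage.security.disable.ssl.ADAuthentication=True
sage.default.domain=
"""


def parse_properties(text):
    """Minimal parser for key=value lines; blanks and # comments are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def is_true(value):
    return value.strip().lower() == "true"


def audit_ad_properties(props):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    if is_true(props.get("sage.security.disable.ADAuthentication", "True")):
        findings.append("sage.security.disable.ADAuthentication is True: AD authentication is disabled")
    if is_true(props.get("sage.security.disable.ssl.ADAuthentication", "True")):
        findings.append("sage.security.disable.ssl.ADAuthentication is True: bind credentials and user passwords cross the network unencrypted")
    if props.get("security.manager.password") == "eurekify":
        findings.append("security.manager.password is still the documented default")
    if "administrator" in props.get("security.manager.dn", "").lower():
        findings.append("security.manager.dn is an administrator account; use a dedicated bind account")
    if props.get("security.ldap.server", "adserver") == "adserver":
        findings.append("security.ldap.server is still the placeholder 'adserver'")
    try:
        ttl = int(props.get("sage.security.credential.expiration.seconds", "60"))
    except ValueError:
        ttl = -1
    if ttl <= 0 or ttl > 60:
        findings.append("sage.security.credential.expiration.seconds should be a small positive value (the page says 60)")
    return findings


def resolve_login(login, props):
    """Split a Portal login into (domain, login_id) as sage.default.domain prescribes.

    'domain\\jsmith' always works; a bare 'jsmith' is accepted only when
    sage.default.domain is set. Raises ValueError otherwise.
    """
    default_domain = props.get("sage.default.domain", "").strip()
    domain, sep, login_id = login.partition("\\")
    if sep:
        if not domain or not login_id:
            raise ValueError("malformed login: %r" % login)
        return domain, login_id
    if not default_domain:
        raise ValueError("no domain in login and sage.default.domain is not set")
    return default_domain, login


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for finding in audit_ad_properties(props):
        print("FINDING:", finding)
    print(resolve_login("CORP\\jsmith", props))
```

Run against the sample, the audit reports four findings (SSL disabled, default bind password, administrator bind account, placeholder server name); once those are corrected and sage.default.domain is set, it reports none and a bare login ID resolves to the default domain.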
(Optional) Configure Active Directory with SSL Using a Personal Keystore
You configure Active Directory with SSL by importing the certificate that the Active Directory server presents on port 636 into a keystore that Identity Governance trusts.
Follow these steps:
 
  1. Download and install OpenSSL (this procedure was written against version 1.0.1e) from the OpenSSL website.
  2. Open a command prompt and enter the following command, where AD_server is the Active Directory server address:
    openssl s_client -connect AD_server:636
    For example: openssl s_client -connect my_ad_server.ca.com:636
    The server certificate is printed in the output; press Ctrl+C to close the connection once it has been displayed. If the certificate is issued by an internal CA, consider importing the CA certificate instead of the server certificate (openssl s_client -showcerts prints the whole chain), so that a routine renewal of the server certificate does not break authentication.
  3. Copy the output, inclusive of the boundary lines, to a certificate TXT file (cert.txt):
    -----BEGIN CERTIFICATE-----
    to
    -----END CERTIFICATE-----
  4. Verify the certificate by running the following command, and confirm that the Owner, Issuer, validity period, and fingerprint match what the Active Directory administrator expects before you trust it:
    keytool -printcert -file cert.txt
  5. Locate the JBoss server.keystore file under the following directory:
    eurekify-jboss/server/eurekify/conf
  6. Add the certificate to the keystore with the following command:
    "%JAVA_HOME%\bin\keytool" -import -file cert.txt -keystore server.keystore -storepass 123456
    The value 123456 is the keystore password; replace it with the password of your keystore.
  7. Set the following properties in the server:
    • sage.security.eurekify.keyStore.file
      Defines the keystore file path.
      Default: none
    • sage.security.eurekify.keyStore.password
      Defines the server keystore password.
      Default: none
 (Windows) Alternatively, you can set Java Virtual Machine (JVM) properties in the eurekify.bat file:
set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.keyStorePassword=changeit
set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore="eurekify-jboss/server/eurekify/conf/keystore.txt"
Note that javax.net.ssl.keyStorePassword applies to the JVM key store; the property that pairs with javax.net.ssl.trustStore is javax.net.ssl.trustStorePassword.
You have configured Active Directory with SSL using a personal keystore.
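The following Python script automates steps 2 to 6 of the procedure above. It is an added example, not code from this page or from Identity Governance: extract_pem() pulls the certificate block(s) out of openssl s_client output exactly as step 3 describes, fetch_server_certificate() is an alternative that uses Python's ssl module instead of OpenSSL, and keytool_import_args() builds the keytool command from step 6. The host names, alias names and file names are placeholders, and SAMPLE_S_CLIENT_OUTPUT is a constructed transcript with placeholder certificate bodies, not a real capture.

```python
"""Fetch an LDAPS server certificate and import it into a Java keystore.

Added example (not Identity Governance code) automating the personal-keystore
procedure: extract the PEM block(s) from `openssl s_client -showcerts` output,
or fetch the leaf certificate with Python's ssl module, then verify and import
with keytool. Host names, aliases and paths are placeholders; the transcript
below is constructed, with fake base64 bodies.
"""
import re
import ssl
import subprocess

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed s_client transcript: leaf certificate followed by the issuing CA,
# surrounded by the usual connection chatter that must not be copied.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=1 DC = example, DC = corp, CN = corp-CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:CN = dc01.corp.example
   i:DC = example, DC = corp, CN = corp-CA
-----BEGIN CERTIFICATE-----
MIIBLEAFPLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AAAA
-----END CERTIFICATE-----
 1 s:DC = example, DC = corp, CN = corp-CA
   i:DC = example, DC = corp, CN = corp-CA
-----BEGIN CERTIFICATE-----
MIIBCAPLACEHOLDERyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
BBBB
-----END CERTIFICATE-----
---
Server certificate
subject=CN = dc01.corp.example
"""


def extract_pem(s_client_output):
    """Return every certificate block, boundary lines included (step 3)."""
    return PEM_BLOCK.findall(s_client_output)


def fetch_server_certificate(host, port=636):
    """Network alternative to openssl s_client: the leaf certificate as PEM.

    No verification is possible here by design, since the point is to obtain a
    certificate the JVM does not yet trust; check its fingerprint out of band
    (keytool -printcert) before importing it.
    """
    return ssl.get_server_certificate((host, port))


def keytool_import_args(cert_file, keystore, storepass, alias):
    """Argument list for step 6. An explicit alias avoids keytool's default
    'mykey' silently colliding when a second certificate is imported later."""
    return ["keytool", "-import", "-noprompt", "-trustcacerts",
            "-alias", alias, "-file", cert_file,
            "-keystore", keystore, "-storepass", storepass]


def import_certificates(pem_blocks, keystore, storepass, alias_prefix="ad"):
    """Write each PEM block to its own file, print it (step 4), import it (step 6)."""
    for index, pem in enumerate(pem_blocks):
        cert_file = "%s-%d.txt" % (alias_prefix, index)
        with open(cert_file, "w") as fh:
            fh.write(pem + "\n")
        subprocess.run(["keytool", "-printcert", "-file", cert_file], check=True)
        subprocess.run(keytool_import_args(cert_file, keystore, storepass,
                                           "%s-%d" % (alias_prefix, index)),
                       check=True)


if __name__ == "__main__":
    # Offline demonstration on the constructed transcript. Against a real server,
    # use fetch_server_certificate("dc01.corp.example") or a saved s_client output,
    # then import_certificates(blocks, "server.keystore", "<keystore password>").
    blocks = extract_pem(SAMPLE_S_CLIENT_OUTPUT)
    print("found %d certificate block(s)" % len(blocks))
    print(" ".join(keytool_import_args("cert.txt", "server.keystore", "123456", "ad-ca")))
```

On the constructed transcript extract_pem() returns two blocks, leaf first; importing both (or only the CA block) is what makes the JVM trust the LDAPS endpoint after a server certificate renewal.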
Enable LDAP Authentication
When you enable LDAP authentication, the system authenticates users logging in to the Portal against the LDAP server that you specify.
Follow these steps:
 
  1. In the Portal, click Administration, Settings, Properties Settings.
    The Properties Settings window appears.
  2. Set the following properties as follows:
    • sage.security.disable.ADAuthentication
      Defines whether Active Directory authentication is disabled. Set this value to False.
      Default: True
    • security.authentication.ldap.server
      Defines the LDAP server host name.
      Default: none
    • security.authentication.ldap.manager.dn
      Defines the distinguished name of the LDAP account that the Portal binds with to look up users.
      Default: none
    • security.authentication.ldap.manager.password
      Defines the password of that LDAP account.
      Default: none
    • security.authentication.ldap.rootContext
      Defines the LDAP root context (the base DN) under which users are searched.
      Provide this value if the directory has a non-standard layout, or to restrict the user search to that subtree rather than the whole directory.
      Default: none
    • security.authentication.ldap.disable.ssl
      Defines whether SSL is disabled for the connection to the LDAP server (CA Directory). Set this value to False to connect over SSL.
      Default: none
    • security.authentication.ldap.lookupAttribute
      Defines the LDAP attribute that uniquely identifies a user. This attribute corresponds to the PersonID attribute, which is the Identity Governance unique identifier. Choose an attribute that is unique within the root context, otherwise a login can resolve to more than one directory entry.
      Default: uid
    • security.authentication.ldap.disable
      Defines whether LDAP authentication is disabled. Set this value to False to enable LDAP authentication.
      Default: True
You have enabled LDAP authentication.
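The page does not describe how the lookup is implemented. The following Python script is an added example (not Identity Governance code) that assumes the common search-then-bind pattern: bind as manager.dn, search rootContext for the entry whose lookupAttribute equals the Portal login (the PersonID), then bind as that entry with the user's password. It derives the connection URL, the search base and the search filter from the properties above, escapes the login so that filter metacharacters in it are matched literally, and builds the equivalent ldapsearch command for a manual pre-flight check. The sample property values, host names and function names are this example's own assumptions.

```python
"""Derive the LDAP user lookup from the security.authentication.ldap.* properties.

Added example, not Identity Governance code. Assumes search-then-bind: the
manager account searches rootContext for (lookupAttribute=login), then the
Portal binds as the entry it finds. The product's real implementation is not
on the page; sample values and host names below are constructed.
"""

# Constructed sample properties (keys are the ones documented on the page).
SAMPLE_PROPERTIES = {
    "security.authentication.ldap.server": "ldap01.corp.example",
    "security.authentication.ldap.manager.dn": "cn=svc-ig-lookup,ou=services,dc=corp,dc=example",
    "security.authentication.ldap.manager.password": "example-only",
    "security.authentication.ldap.rootContext": "ou=people,dc=corp,dc=example",
    "security.authentication.ldap.disable.ssl": "False",
    "security.authentication.ldap.lookupAttribute": "uid",
    "security.authentication.ldap.disable": "False",
}

# RFC 4515 escapes for characters that have meaning inside a search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a login so 'jsmith*' or 'a)(uid=*' is matched literally rather
    than widening the filter to other entries."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def ldap_url(props):
    """ldaps:// on 636 unless disable.ssl is True, in which case plain ldap:// on 389."""
    host = props["security.authentication.ldap.server"]
    if props.get("security.authentication.ldap.disable.ssl", "").strip().lower() == "true":
        return "ldap://%s:389" % host
    return "ldaps://%s:636" % host


def user_lookup(props, login):
    """Return (url, base_dn, filter) for the search that locates the user entry.

    rootContext is required here so the search is always scoped; what the
    product does when it is empty is not stated on the page.
    """
    if props.get("security.authentication.ldap.disable", "True").strip().lower() == "true":
        raise RuntimeError("LDAP authentication is disabled (security.authentication.ldap.disable)")
    base = props.get("security.authentication.ldap.rootContext", "").strip()
    if not base:
        raise ValueError("security.authentication.ldap.rootContext is required for the user search")
    attr = props.get("security.authentication.ldap.lookupAttribute", "uid")
    search_filter = "(%s=%s)" % (attr, escape_filter_value(login))
    return ldap_url(props), base, search_filter


def ldapsearch_command(props, login):
    """Equivalent OpenLDAP ldapsearch invocation: confirms that the manager
    account can see exactly one entry for the login before the Portal is relied on."""
    url, base, search_filter = user_lookup(props, login)
    return ["ldapsearch", "-H", url, "-x",
            "-D", props["security.authentication.ldap.manager.dn"],
            "-w", props["security.authentication.ldap.manager.password"],
            "-b", base, "-s", "sub", search_filter, "dn"]


if __name__ == "__main__":
    print(user_lookup(SAMPLE_PROPERTIES, "jsmith"))
    print(user_lookup(SAMPLE_PROPERTIES, "jsmith)(uid=*"))
    print(" ".join(ldapsearch_command(SAMPLE_PROPERTIES, "jsmith")))
```

The ldapsearch line should return exactly one dn; zero means the lookupAttribute or rootContext is wrong, more than one means the attribute is not unique in that subtree.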
Enable Identity Manager Authentication
When you enable Identity Manager authentication, the system authenticates users logging in to the Portal using Identity Manager. For more information about Identity Manager requirements, see the Identity Manager Installation Guide.
Follow these steps:
 
  1. In the Portal, run an import from Identity Manager.
     The user to be authenticated must exist in Identity Governance.
  2. Under Administration, Settings, System Properties, set these properties as follows:
    • sage.security.disable.IMAuthentication
      Defines whether Identity Manager authentication is disabled. Set this value to False to enable Identity Manager authentication.
      Default: True
    • sage.security.IMAuthentication.universe
      Defines the name of the universe into which you imported the users in Step 1.
      Default: True
    • sage.default.IMdomain
      Due to legacy issues, this property must remain blank.
      Default: none
    • (Optional) sage.security.disable.ADAuthentication
      Defines whether Active Directory authentication is disabled. Set this value to False only if Active Directory should remain available as a fallback when Identity Manager authentication fails (see the notes after Step 4).
      Default: True
  3. Restart Identity Governance.
  4. Verify authentication by logging in to the Portal with an imported user.
  • If Identity Manager and CA Single Sign On authentication are both enabled, authentication is performed through CA Single Sign On.
  • If Identity Manager and Active Directory authentication are both enabled, authentication is first attempted through Identity Manager. If Identity Manager authentication fails, authentication falls back to Active Directory, so a login that Identity Manager rejects can still succeed against Active Directory.
Enable Workpoint Server Authentication
You can enable Workpoint server authentication.
Follow these steps:
 
  1. See your Workpoint documentation and enable authentication on the Workpoint server side.
  2. Define the Workpoint user and password in Identity Governance by setting these properties:
    • workpoint.connection.username
      Defines the Workpoint user name.
    • workpoint.connection.password
      Defines the Workpoint password.
 The workpoint.connection.username value can be a specific user name such as "Workpoint", or a pattern such as "workpoint-user-%d". The pattern option is useful when you want each connection to the Workpoint server to use a distinct user name.