Configuring LDAP Authentication

The identity provider (IDP) user and password govern access to the platform; the user must therefore exist in both systems, but the password is validated only in LDAP. This section details the LDAP authentication steps with TLS disabled and with TLS enabled.

To use LDAP authentication when TLS is disabled:

  1. Create at least one LDAP user to log in to the platform using LDAP authentication.
  2. Log in to the CDF server and navigate to the SSO default configuration folder at:

    <arcsight_nfs_vol_path>/sso/default

    where <arcsight_nfs_vol_path> is the NFS volume used for the CDF installation; for example: /opt/NFS_volume/arcsight-volume.

  3. Open the SSO configuration file (sso-configuration.properties), and review the LDAP parameters:

    ##### The following LDAP configs are not utilized at this time
    # com.microfocus.sso.default.ldap.enabled = true
    # com.microfocus.sso.default.login.method = np-ldap
    # com.microfocus.sso.default.ldap.admin-dn = CN=bind_user,cn=Users,dc=ospad,dc=test
    # com.microfocus.sso.default.ldap.admin-pwd = password
    # com.microfocus.sso.default.ldap.host = xxx.xx.xx.xx
    # com.microfocus.sso.default.ldap.use-tls = false
    # com.microfocus.sso.default.ldap.port = 389
    #---- uncomment these if the LDAP server is Active Directory rather than eDirectory
    # com.microfocus.sso.default.ldap.dir-type = AD
    # com.microfocus.sso.default.as.naming-attr = sAMAccountName
    # com.microfocus.sso.default.as.users-container-dn = cn=Users,dc=ospad,dc=test
    ## uncomment these to configure URL when LDAP user forgets password
    # com.microfocus.sso.default.ldap.forgotten-pwd-url =
    # com.microfocus.sso.default.ldap.login.forgotten-password-target = _blank
    # com.microfocus.sso.default.ldap.login.forgotten-password-text-res-id =
    # com.microfocus.sso.default.ldap.login.forgotten-password-title-res-id =

  4. Update the SSO configuration file (sso-configuration.properties) for your LDAP login method by uncommenting (removing the #) these lines in the sso-configuration.properties file and completing the information for your LDAP environment:

    com.microfocus.sso.default.ldap.enabled = true
    com.microfocus.sso.default.login.method = np-ldap
    com.microfocus.sso.default.ldap.admin-dn = provide your LDAP User DN here
    com.microfocus.sso.default.ldap.admin-pwd = provide your LDAP Admin password here
    com.microfocus.sso.default.ldap.host = provide your LDAP host here
    com.microfocus.sso.default.ldap.use-tls = true
    com.microfocus.sso.default.ldap.port = 636

    The use-tls value must match your LDAP server's TLS setting (true or false); a value of false does not establish a TLS LDAP connection. Port 636 is the usual LDAPS port; if your LDAPS environment uses a different port, change it accordingly.
  5. For Active Directory rather than eDirectory:
    1. Update the SSO configuration file (sso-configuration.properties) to enable AD by uncommenting these lines in the sso-configuration.properties file and completing the information for your LDAP environment:

      com.microfocus.sso.default.ldap.dir-type = AD
      com.microfocus.sso.default.as.naming-attr = provide your AD attribute here
      com.microfocus.sso.default.as.users-container-dn = provide your LDAP Base DN here

      To require users to log in with an email address (recommended), set com.microfocus.sso.default.as.naming-attr to 'mail'. Otherwise, to require users to log in with their Active Directory username, set com.microfocus.sso.default.as.naming-attr to 'sAMAccountName'.
    2. Save the SSO configuration file (sso-configuration.properties).
  6. For URL configuration when an LDAP user forgets the password:
    1. Update the SSO configuration file (sso-configuration.properties) to enable forgot password for the LDAP user by uncommenting these lines in the sso-configuration.properties file and completing the information for your LDAP environment:

      com.microfocus.sso.default.ldap.forgotten-pwd-url = provide your LDAP url for forgotten password here
      com.microfocus.sso.default.ldap.login.forgotten-password-target = provide the target here
      com.microfocus.sso.default.ldap.login.forgotten-password-text-res-id = provide the text to be shown here
      com.microfocus.sso.default.ldap.login.forgotten-password-title-res-id = provide the title to be shown here
    2. Save the SSO configuration file (sso-configuration.properties).
  7. Restart the fusion-single-sign-on pod:
    1. Get the fusion-single-sign-on pod information:

      kubectl get pods --all-namespaces | grep single-sign
    2. Restart fusion-single-sign-on by deleting the currently running pod:

      kubectl delete pod fusion-single-sign-on-xxxxxxxxxx-xxxxx -n arcsight-installer-xxxxx
  8. Log in using your LDAP credentials.
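A wrong value in the edited file only shows up as a failed login after the pod restart, so it is worth checking the LDAP keys mechanically before restarting. The Python script below is an added example, not part of this documentation or of the ArcSight product; it parses the keys named in the procedure above and reports placeholder text left in place, keys that are still commented out, a use-tls/port pairing that contradicts the defaults shown in the file, an AD naming attribute other than the two this page documents, and a partly configured forgotten-password block. The GOOD and BAD file contents are constructed samples, not a real deployment.

```python
"""Sanity-check the LDAP keys in sso-configuration.properties before restarting the pod.

Added example, not ArcSight/Micro Focus code. It reads the keys the
procedure above tells you to uncomment and reports what would otherwise
surface only as a failed login after the pod restart.
"""
import re
import sys

PREFIX = "com.microfocus.sso.default."
# Placeholder text as it appears in this page's templates:
# "provide your ... here" and the xxx.xx.xx.xx host stand-in.
PLACEHOLDER = re.compile(r"provide .* here|^x{2,}(\.x{2,})*$", re.IGNORECASE)

REQUIRED = ("ldap.enabled", "login.method", "ldap.admin-dn",
            "ldap.admin-pwd", "ldap.host", "ldap.use-tls", "ldap.port")
AD_KEYS = ("as.naming-attr", "as.users-container-dn")
FORGOT_KEYS = ("ldap.forgotten-pwd-url",
               "ldap.login.forgotten-password-target",
               "ldap.login.forgotten-password-text-res-id",
               "ldap.login.forgotten-password-title-res-id")


def parse_properties(text):
    """Return {short_key: value} for active lines under PREFIX.

    Lines starting with '#' are skipped, as the SSO service skips them, so
    a key that was never uncommented shows up as missing.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith(PREFIX):
            props[key[len(PREFIX):]] = value
    return props


def check_ldap_config(text):
    """Return a list of findings; an empty list means the LDAP section is consistent."""
    p = parse_properties(text)
    findings = []

    for key in REQUIRED:
        if key not in p:
            findings.append(f"missing or still commented out: {PREFIX}{key}")
    for key, value in p.items():
        if PLACEHOLDER.search(value):
            findings.append(f"placeholder text left in {PREFIX}{key}: {value!r}")

    if "ldap.enabled" in p and p["ldap.enabled"].lower() != "true":
        findings.append("ldap.enabled must be true for LDAP login")
    if "login.method" in p and p["login.method"] != "np-ldap":
        findings.append("login.method must be np-ldap")

    # The page's defaults pair use-tls=false with 389 and use-tls=true with 636;
    # the opposite pairing is flagged, since false never makes a TLS connection.
    use_tls, port = p.get("ldap.use-tls", "").lower(), p.get("ldap.port", "")
    if use_tls == "true" and port == "389":
        findings.append("use-tls=true with port 389: LDAPS normally listens on 636")
    if use_tls == "false" and port == "636":
        findings.append("use-tls=false with port 636: no TLS connection will be made")

    if p.get("ldap.dir-type") == "AD":
        for key in AD_KEYS:
            if key not in p:
                findings.append(f"dir-type=AD but {PREFIX}{key} is not set")
        attr = p.get("as.naming-attr")
        if attr is not None and attr not in ("mail", "sAMAccountName"):
            findings.append(f"naming-attr {attr!r}: this page documents 'mail' or 'sAMAccountName'")

    present = [k for k in FORGOT_KEYS if k in p]
    if present and len(present) != len(FORGOT_KEYS):
        findings.append("forgotten-password settings are only partly configured; missing: "
                        + ", ".join(k for k in FORGOT_KEYS if k not in p))
    return findings


# Constructed sample file contents (not from a real deployment).
GOOD = """\
com.microfocus.sso.default.ldap.enabled = true
com.microfocus.sso.default.login.method = np-ldap
com.microfocus.sso.default.ldap.admin-dn = CN=bind_user,cn=Users,dc=example,dc=test
com.microfocus.sso.default.ldap.admin-pwd = REDACTED
com.microfocus.sso.default.ldap.host = ldap.example.test
com.microfocus.sso.default.ldap.use-tls = true
com.microfocus.sso.default.ldap.port = 636
com.microfocus.sso.default.ldap.dir-type = AD
com.microfocus.sso.default.as.naming-attr = mail
com.microfocus.sso.default.as.users-container-dn = cn=Users,dc=example,dc=test
"""
BAD = """\
# com.microfocus.sso.default.ldap.enabled = true
com.microfocus.sso.default.login.method = np-ldap
com.microfocus.sso.default.ldap.admin-dn = provide your LDAP User DN here
com.microfocus.sso.default.ldap.admin-pwd = REDACTED
com.microfocus.sso.default.ldap.host = xxx.xx.xx.xx
com.microfocus.sso.default.ldap.use-tls = false
com.microfocus.sso.default.ldap.port = 636
com.microfocus.sso.default.ldap.dir-type = AD
com.microfocus.sso.default.as.naming-attr = uid
com.microfocus.sso.default.ldap.forgotten-pwd-url = https://pw.example.test/reset
"""

if __name__ == "__main__":
    # Usage: python check_sso_ldap.py <arcsight_nfs_vol_path>/sso/default/sso-configuration.properties
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD
    for finding in check_ldap_config(text) or ["no LDAP findings"]:
        print(finding)
```

Run it against the real file on the CDF host before the pod restart; every finding corresponds to one of the edits the procedure above asks for, and the BAD sample shows the seven findings an untouched template with a stray forgotten-password line produces.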

To use LDAP authentication when TLS is enabled:

  1. Create at least one LDAP user to log in to the platform using LDAP authentication.
  2. Log in to the CDF server and navigate to the SSO default configuration folder at:

    <arcsight_nfs_vol_path>/sso/default

    where <arcsight_nfs_vol_path> is the NFS volume used for the CDF installation; for example: /opt/NFS_volume/arcsight-volume.

  3. Open the SSO configuration file (sso-configuration.properties), and review the LDAP parameters:

    ##### The following LDAP configs are not utilized at this time
    # com.microfocus.sso.default.ldap.enabled = true
    # com.microfocus.sso.default.login.method = np-ldap
    # com.microfocus.sso.default.ldap.admin-dn = CN=bind_user,cn=Users,dc=ospad,dc=test
    # com.microfocus.sso.default.ldap.admin-pwd = password
    # com.microfocus.sso.default.ldap.host = xxx.xx.xx.xx
    # com.microfocus.sso.default.ldap.use-tls = true
    # com.microfocus.sso.default.ldap.port = 636
    #---- uncomment these if the LDAP server is Active Directory rather than eDirectory
    # com.microfocus.sso.default.ldap.dir-type = AD
    # com.microfocus.sso.default.as.naming-attr = mail
    # com.microfocus.sso.default.as.users-container-dn = cn=Users,dc=ospad,dc=test
    ## uncomment these to configure URL when LDAP user forgets password

  4. Update the SSO configuration file (sso-configuration.properties) for your LDAP login method by uncommenting (removing the #) these lines in the sso-configuration.properties file and completing the information for your LDAP environment:

    com.microfocus.sso.default.ldap.enabled = true
    com.microfocus.sso.default.login.method = np-ldap
    com.microfocus.sso.default.ldap.admin-dn = provide your LDAP User DN here
    com.microfocus.sso.default.ldap.admin-pwd = provide your LDAP Admin password here
    com.microfocus.sso.default.ldap.host = provide your LDAP host here
    com.microfocus.sso.default.ldap.use-tls = true
    com.microfocus.sso.default.ldap.port = 636

    Set use-tls to your LDAP TLS setting (true/false) and port to your LDAP port; the values shown are for a TLS-enabled LDAP server.
  5. Export the LDAP server's CA certificate in PEM format and copy it into the Fusion single-sign-on pod:

    kubectl cp /opt/ldapCA.cer arcsight-installer-xxxx/fusion-single-sign-on-xxxxxxx-xxxx:/tmp -c fusion-single-sign-on
  6. Log in to the Fusion single-sign-on pod:

    kubectl exec -it fusion-single-sign-on-xxxxxxx-xxxx -n arcsight-installer-xxxx -c fusion-single-sign-on -- sh
  7. Navigate to the Fusion truststore directory:

    cd /usr/local/tomcat/conf/default/
  8. Install the PEM formatted CA LDAP server certificate (the file copied in step 5) into the Fusion single-sign-on truststore:

    keytool -importcert -storepass $KEYSTORE_PASSWORD -destkeystore sso.bcfks -alias ldapCA -file /tmp/ldapCA.cer -storetype BCFKS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /usr/local/openjdk-8/jre/lib/ext/bc-fips-1.0.2.1.jar
  9. Verify the list of certificates in the fusion-single-sign-on truststore:

    keytool -list -v -alias ldapCA -keystore sso.bcfks -storepass $KEYSTORE_PASSWORD
  10. Close the terminal session to the pod:

    exit
  11. Restart the Fusion single-sign-on pod:

    kubectl delete pod -n arcsight-installer-xxxx fusion-single-sign-on-xxxxxxx-xxxx
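Two things are worth checking on the CDF host before the kubectl cp step: that the file really is PEM (the procedure requires a PEM formatted certificate; a .cer exported from Windows is often binary DER), and whether it is a bundle, because keytool -importcert stores only the first certificate in the file, so an intermediate CA bundled ahead of or behind the root is silently dropped and the LDAPS chain still fails to validate. The Python script below is an added example, not part of this documentation or of the product; it splits a PEM file into its certificate blocks, checks each block's outer DER framing for truncation, and assigns one alias per certificate (derived from the ldapCA alias used above) so each can be imported separately. The PEM strings it ships with are constructed minimal DER SEQUENCEs, not real certificates.

```python
"""Check the LDAP CA file before copying it into the fusion-single-sign-on pod.

Added example, not ArcSight/Micro Focus code. Validates PEM framing, DER
outer length, and flags bundles that need one keytool -importcert per cert.
"""
import base64
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL)


def split_pem_bundle(text):
    """Return the DER bytes of every CERTIFICATE block in the file, in file order."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        raise ValueError("no PEM CERTIFICATE block found (binary DER or wrong file?)")
    return [base64.b64decode("".join(b.split()), validate=True) for b in blocks]


def der_outer_length(der):
    """Return (header_len, content_len) of the outer DER SEQUENCE.

    Certificate ::= SEQUENCE { ... }, so byte 0 must be 0x30 and the length
    must be definite: short form (< 0x80) or long form 0x8N followed by N bytes.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (first byte is not 0x30)")
    first = der[1]
    if first < 0x80:
        return 2, first
    n = first & 0x7F
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("indefinite or oversized DER length")
    return 2 + n, int.from_bytes(der[2:2 + n], "big")


def check_ca_file(text, alias="ldapCA"):
    """Validate each certificate and map it to a keytool alias.

    Returns [(alias, der_length), ...]; raises ValueError on a non-PEM file
    or a truncated/corrupt block. When the file holds more than one
    certificate the aliases are suffixed, since each needs its own import.
    """
    ders = split_pem_bundle(text)
    result = []
    for i, der in enumerate(ders, 1):
        hdr, body = der_outer_length(der)
        if hdr + body != len(der):
            raise ValueError(f"certificate {i}: DER declares {body} content bytes, "
                             f"file holds {len(der) - hdr} (truncated or corrupt)")
        result.append((alias if len(ders) == 1 else f"{alias}-{i}", len(der)))
    return result


# Constructed minimal DER SEQUENCEs wrapped as PEM, not real certificates:
# enough to exercise the framing check, far too small to be X.509.
SINGLE = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
BUNDLE = SINGLE + "-----BEGIN CERTIFICATE-----\nMAUCAwECAw==\n-----END CERTIFICATE-----\n"
TRUNCATED = "-----BEGIN CERTIFICATE-----\nMAMCAQ==\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Usage: python check_ldap_ca.py /opt/ldapCA.cer
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BUNDLE
    for alias, size in check_ca_file(text):
        print(f"{alias}: {size} DER bytes, import with -alias {alias}")
```

If the script reports more than one alias, split the bundle into one file per certificate (for example with a text editor, keeping each BEGIN/END pair intact), copy each into the pod, and repeat the keytool -importcert step once per file with the alias the script printed; keytool -list will then show every CA in the chain.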