Connecting JBoss to LDAP Guide
1.0 Edition (September 2014)

Internet

Visit our home page: http://www.temenos.com

Temenos Company
2 Rue de l’Ecole-de-Chimie
CH - 1205 Geneva
Switzerland

The information presented is subject to change without notice. Temenos assumes no responsibility for
inaccuracies contained herein.

© Copyright Temenos Headquarters 2007, 2014. All rights reserved.

This product contains computer software documentation which is the property of Temenos. The
information must not be made available to, or copied or used by anyone outside Temenos without its
written authorization.

Not to be used or disclosed except in accordance with applicable agreements.

Table of Contents

1. About This Publication
1.1. Who should read this publication
1.2. Related information
1.3. Audience
1.4. Special Conventions
1.5. Summary of Changes
2. Connecting FCM JBoss to LDAP/Active directory
3. Secure the LDAP connection with SSL
4. Troubleshooting Problems with LDAP Authentication

1. About This Publication
This publication describes how to connect FCM JBoss to LDAP.

1.1. Who should read this publication

This publication contains information for the person who will install the FCM. Before you perform any
of the steps documented in this publication, you must understand the general features and
requirements of FCM.

1.2. Related information

For information about Temenos products, see the Temenos Company Web site
(http://www.temenos.com).

For information about related products, see:

- Alert Manager User's Guide
- Profiling User's Guide
- Rule Manager User's Guide
- Reports User's Guide
- Security User's Guide
- CEDD User's Guide
- Watch List Manager User's Guide
- Web Inquiry User's Guide
- Rule Editor User's Guide

1.3. Audience

This guide is intended for engineers responsible for installation and day-to-day maintenance of the
application.

1.4. Special Conventions

Conventions used in this guide:

Convention: Bold
- Object of an action: menu names, field names, options, button names
- Commands typed at a prompt
- User input

Convention: Italic
- Names of books, chapters and sections as references
- Emphasis

Convention: Monospace
- Directories and subdirectories
- File names and extensions
- Process names
- Code samples, including keywords and variables within text and as separate paragraphs, and
user-defined program elements within text

Convention: <Variable>
- Substitute input value

1.5. Summary of Changes

This publication contains additions and changes to information previously presented in Connecting
JBoss to LDAP Guide.

General changes -
New information -
Changed information -
Deleted information -

2. Connecting FCM JBoss to LDAP/Active directory

This section describes how to connect the FCM JBoss to LDAP.

To connect the FCM JBoss to LDAP:

1. Open the Active Directory Domain Controller.

Note: The Active Directory Domain Controller acts as the LDAP server.

2. Add an Organizational Unit for FCM (AML-OU), in which the users are configured.

3. In AML-OU:

a. For JBoss 4.x / 5.x, add five security groups with the same names as the roles in
roles.properties (found in the server\temenos\conf folder).

b. For JBoss AS 7.x (EAP 6.x), add five security groups with the same names as the roles in
application-roles.properties (found in the standalone\configuration folder).

4. Create a user to bind to LDAP/Active Directory.

5. Assign users to groups/roles in the same way as in roles.properties.

6. Comment out the default JBoss authentication as follows:

a. For JBoss 4.x / 5.x, go to \temenos\conf\login-config.xml and comment out the
authentication method under <application-policy name="other">.

b. For JBoss AS 7.x (EAP 6.x), go to standalone\configuration\standalone.xml and comment out
the authentication method under <security-domain name="other">.

7. Add the following authentication method in the same location:

a. For JBoss 4.x / 5.x:

b. For JBoss AS 7.x (EAP 6.x):

Adjust:
- ldap://dc.domain.com:389 to the LDAP server;
- CN=aml-admin,OU=AML-OU,OU=User-OU,DC=domain,DC=com to the user that binds to LDAP;
- binduserpassword to the bind user password;
- OU=User-OU,DC=domain,DC=com to the root OU for users;
- OU=AML-OU,OU=User-OU,DC=domain,DC=com to the FCM security roles OU.

NOTE: The above configuration authenticates only users belonging to a single domain. To sign in
users across domains within an Active Directory Forest, you need to connect using LDAP to a
Global Catalog server on TCP/IP port 3268. Replace the connection string with the hostname or
IP address of a domain controller that is configured as a Global Catalog server:

8. The user names in the FCM Security module must match the AD/LDAP user names, without a
domain prefix or suffix.

9. Restart JBoss, then test the authentication with a valid LDAP user that is assigned to
FCM roles and configured in the FCM Security module.
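The guide shows the authentication method of steps 6b and 7b only as screenshots. As an added example (not the guide's own configuration), the following standalone.xml fragment for JBoss AS 7.x / EAP 6.x implements those two steps with the JBoss LdapExtLoginModule, using the URL, DNs and bind password exactly as listed under "Adjust" above. The choice of login module, the sAMAccountName and member filters, the commented-out Remoting/RealmDirect defaults and the placeholder gc.domain.com are assumptions, not values from the guide.

```xml
<!-- standalone.xml: inside the existing security subsystem -->
<security-domain name="other" cache-type="default">
    <authentication>
        <!-- Step 6b: the default authentication of the "other" domain is commented out
             (Remoting and RealmDirect are assumed here to be the EAP 6 defaults) -->
        <!--
        <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="RealmDirect" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        -->
        <!-- Step 7b: authenticate against the Active Directory domain controller.
             The module looks the user up with the bind account, then binds again as
             the user with the password typed at the FCM login. -->
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <!-- LDAP server (single domain). For cross-domain sign-in point this at a
                 Global Catalog server on port 3268, e.g. ldap://gc.domain.com:3268
                 (gc.domain.com is a placeholder) -->
            <module-option name="java.naming.provider.url" value="ldap://dc.domain.com:389"/>
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <!-- account that binds to the directory to search users and roles -->
            <module-option name="bindDN" value="CN=aml-admin,OU=AML-OU,OU=User-OU,DC=domain,DC=com"/>
            <module-option name="bindCredential" value="binduserpassword"/>
            <!-- root OU for users; {0} is the user name typed at the FCM login, which is
                 why step 8 requires it to carry no domain prefix or suffix -->
            <module-option name="baseCtxDN" value="OU=User-OU,DC=domain,DC=com"/>
            <module-option name="baseFilter" value="(sAMAccountName={0})"/>
            <!-- FCM security roles OU; {1} is the DN of the user found above. The cn of
                 each matching group becomes a role, so the five groups of step 3b must
                 carry the same names as the roles in application-roles.properties -->
            <module-option name="rolesCtxDN" value="OU=AML-OU,OU=User-OU,DC=domain,DC=com"/>
            <module-option name="roleFilter" value="(member={1})"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="roleAttributeIsDN" value="false"/>
            <module-option name="searchScope" value="ONELEVEL_SCOPE"/>
            <!-- an empty password must never degrade into an anonymous LDAP bind -->
            <module-option name="allowEmptyPasswords" value="false"/>
        </login-module>
    </authentication>
</security-domain>
```

For JBoss 4.x / 5.x (step 7a) the same options go into login-config.xml under <application-policy name="other">, written as <module-option name="bindDN">value</module-option> elements rather than value attributes. Because bindCredential is stored in clear text, restrict read access to the configuration file to the JBoss service account; EAP 6 can also keep the value in the password vault and reference it as ${VAULT::<block>::<attribute>::<key>} instead of the literal password.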

3. Secure the LDAP connection with SSL
This section describes how to secure the LDAP connection with SSL.

To secure the LDAP connection with SSL:

1. Follow all the previous steps required to authenticate JBoss on LDAP without SSL.

2. Modify the LDAP authentication method:

a. For JBoss 4.x / 5.x, in temenos\conf\login-config.xml, use the SSL protocol and connect to
the LDAP server with LDAPS on port 636:

NOTE: This is valid for a single domain. For cross-domain authentication within an
Active Directory Forest, you need to connect using secure LDAP to a Global Catalog
server on TCP/IP port 3269. Modify the connection string as follows, with the hostname
or IP address of the Global Catalog server:

b. For JBoss AS 7.x (EAP 6.x), in standalone\configuration\standalone.xml, use the SSL
protocol and connect to the LDAP server with LDAPS on port 636:

3. Export the client authentication certificate installed on the LDAP server.

Note: On an Active Directory Domain Controller this can be done from the Local
Computer Personal Certificates console.

If there is no certificate available to export, obtain a new certificate for the LDAP server.
In an Active Directory domain, request a certificate using the Domain Controller
template.

4. Export the LDAP Server certificate in DER X.509 format, without the private key.

5. If the certificate used by the LDAP Server is not signed by a trusted CA, then either:

- import the certificate into the JDK cacerts file; or
- add the certificate to the truststore in JBoss.

Note: The second method (the JBoss truststore) is preferred because the certificate is applied
directly in the JBoss configuration. Using the keytool utility provided on a Linux box, import
the certificate file obtained from the domain controller by typing the following command:

To subsequently open the keystore, you need to assign a selected password. Verify that the
keystore contains the key and that the password is accepted:

6. Copy the resulting ldap.truststore file to the FCM JBoss server:

a. For JBoss 4.x / 5.x, under \server\temenos\conf. Change the JBoss settings to use the
alternative keystore in \server\temenos\deploy\properties-service.xml:

b. For JBoss AS 7.x (EAP 6.x), under standalone\configuration. Change the JBoss settings to
use the alternative keystore in \configuration\standalone.xml:

7. Restart JBoss, then test the authentication with a valid LDAP user that is assigned to FCM
roles and configured in the FCM Security module.
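The standalone.xml changes of steps 2b and 6b are again shown only as screenshots in the guide. The fragment below is an added example, not the guide's own configuration: it shows the lines that change relative to the non-SSL login module (LDAPS on port 636, or a Global Catalog on port 3269) and the system properties that point JBoss at the ldap.truststore file produced in step 5. The truststore password changeit and the host name gc.domain.com are placeholders.

```xml
<!-- standalone.xml, security subsystem: only the option that changes for step 2b -->
<security-domain name="other" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <!-- single domain: LDAPS to the domain controller on port 636 -->
            <module-option name="java.naming.provider.url" value="ldaps://dc.domain.com:636"/>
            <!-- cross-domain sign-in within the forest: secure LDAP to a Global Catalog
                 server on port 3269 instead (gc.domain.com is a placeholder):
            <module-option name="java.naming.provider.url" value="ldaps://gc.domain.com:3269"/>
            -->
            <!-- bindDN, bindCredential, baseCtxDN, baseFilter, rolesCtxDN, roleFilter,
                 roleAttributeID, roleAttributeIsDN, searchScope and allowEmptyPasswords
                 stay exactly as in the non-SSL configuration of section 2 -->
        </login-module>
    </authentication>
</security-domain>

<!-- standalone.xml, step 6b: the system-properties element sits directly after
     <extensions>. ldap.truststore is the file created with keytool in step 5 and copied
     to standalone/configuration; the store password is whatever was chosen when keytool
     created it (changeit is a placeholder, not a recommended value) -->
<system-properties>
    <property name="javax.net.ssl.trustStore" value="${jboss.server.config.dir}/ldap.truststore"/>
    <property name="javax.net.ssl.trustStorePassword" value="changeit"/>
</system-properties>
```

Two points to check before restarting. First, javax.net.ssl.trustStore replaces the JDK's default cacerts for the whole JVM, so any other outbound TLS connection made by JBoss must also find its issuing CA in ldap.truststore; that is the trade-off against the cacerts alternative in step 5, and keytool -list on the truststore (the verification the guide asks for) shows which entries it contains. Second, the truststore must hold only the server certificate exported in step 4 or its issuing CA, never a private key, and recent JDKs also check that the host name in the URL matches the certificate, so prefer the DNS name that appears in the certificate over an IP address in the connection string.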

4. Troubleshooting Problems with LDAP Authentication

1. To enable full TRACE logging for JBoss Security and JBoss Authentication Negotiation,
add the following statements:

a. For JBoss 4.x / 5.x, in server/temenos/conf/jboss-log4j.xml:

b. For JBoss AS 7.x (EAP 6.x), in \configuration\standalone.xml:

2. To enable detailed logging of the SSL handshake for LDAPS, add the following system
property in \configuration\standalone.xml:
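The logging statements of step 1b and the system property of step 2 are not reproduced in the guide. As an added example (not the guide's own configuration), the standalone.xml fragment below raises the JBoss Security and Negotiation categories to TRACE and sets the standard JSSE debugging property javax.net.debug; the logger categories and the console handler level are assumptions about what the guide's screenshots contain.

```xml
<!-- standalone.xml, logging subsystem: keep the namespace version already in your file -->
<subsystem xmlns="urn:jboss:domain:logging:1.1">
    <!-- Step 1b: TRACE for the PicketBox login modules (LdapExtLoginModule included),
         for JBoss Negotiation, and for the security subsystem itself -->
    <logger category="org.jboss.security">
        <level name="TRACE"/>
    </logger>
    <logger category="org.jboss.security.negotiation">
        <level name="TRACE"/>
    </logger>
    <logger category="org.jboss.as.security">
        <level name="TRACE"/>
    </logger>
    <!-- handlers filter as well: the default console handler is at INFO, so TRACE lines
         reach only server.log unless the console level is lowered too -->
    <console-handler name="CONSOLE">
        <level name="TRACE"/>
        <!-- formatter unchanged -->
    </console-handler>
</subsystem>

<!-- Step 2: JSSE handshake tracing for the LDAPS connection (standard Java property) -->
<system-properties>
    <property name="javax.net.debug" value="ssl,handshake"/>
</system-properties>
```

For JBoss 4.x / 5.x (step 1a) the equivalent in jboss-log4j.xml is a <category name="org.jboss.security"> element with <priority value="TRACE"/>. JSSE reads javax.net.debug once when its classes initialise, so if no handshake output appears after a restart, pass it as -Djavax.net.debug=ssl,handshake in JAVA_OPTS (bin/standalone.conf) instead. Both settings are diagnostic only: TRACE output records user DNs, directory attributes and every TLS handshake, grows server.log quickly, and should be reverted to INFO once the authentication problem is resolved.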
