How to configure Endpoint Security Server to connect to Domain Controller (DC) via LDAPS
Solution

There are situations in which it is desired to configure the Endpoint Security Server to connect to a Domain Controller (DC) via LDAPS.

Proceed as follows:

(1) Find index of SSL certificate

  1. On a DC that is configured to support LDAPS, list the certificates installed in its "MY" certificate store:

    CertUtil -store -v MY

    The output of this command is a list of certificates, each introduced by a separator row of the form "==Certificate 0==", where 0 is the index of that certificate.

    Notes:

    • You can redirect output of this command to a file (e.g., CertUtil -store -v MY > C:\certificates.txt).

    • You can use Certificate Manager Tool to export the certificate(s).
  2. In the exported list of certificates, find the certificate:

    • with subject that is DC FQDN (in our example below, it is "DC.mulberry.com")
    • in which one of certificate extensions is OID 1.3.6.1.5.5.7.3.1 (Server Authentication)
    • in which issuer is CA name (in our example below, it is "ext")
  3. Note the certificate's index - the number that appears in the separator header before each certificate (in the following fragment it is "== Certificate 0 ==", so the index is 0).

    Example:

    ================ Certificate 0 ================
    
    X509 Certificate:
    
    Version: 3
    
    Serial Number: 1b9b02cb00000000000c
    
    Signature Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
        Algorithm Parameters: 05 00
    
    Issuer:
        CN=ext
    
     NotBefore: 19/07/2012 15:45
     NotAfter: 19/07/2013 15:55
    
    Subject:
        CN=DC.mulberry.com
    ..... 
    
    Certificate Extensions: 7
        2.5.29.15: Flags = 1(Critical), Length = 4
        Key Usage
            Digital Signature, Key Encipherment (a0)
        2.5.29.37: Flags = 0, Length = c
        Enhanced Key Usage
            Server Authentication (1.3.6.1.5.5.7.3.1)
     ......
    


(2) Save certificate to a file

CertUtil -store MY <certificate_index> <path_to>\<file_name>

Example:

CertUtil -store MY 0 C:\ServerCert.cer
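The following Python script is an added example, not part of the SK article and not a Check Point tool. It shows the selection logic of steps (1) and (2) in code: it parses a constructed, abridged `CertUtil -store -v MY` listing, applies the three criteria from step (1) (subject CN equals the DC FQDN, issuer CN equals the CA name, Enhanced Key Usage contains 1.3.6.1.5.5.7.3.1), reports how many days remain before NotAfter, and composes the step (2) export command for the chosen index. The sample listing, its second certificate (a wrong candidate that differs only in its EKU) and the dd/mm/yyyy date layout are assumptions made for the example.

```python
import re
from datetime import datetime

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # Enhanced Key Usage value the article tells you to look for

# Constructed, abridged sample of `CertUtil -store -v MY` output (not captured from a real DC).
# Certificate 0 mirrors the article's example; certificate 1 is a deliberately wrong candidate:
# same subject and issuer, but only Client Authentication in its Enhanced Key Usage.
SAMPLE_CERTUTIL_OUTPUT = """\
================ Certificate 0 ================
Serial Number: 1b9b02cb00000000000c
Issuer:
    CN=ext
 NotAfter: 19/07/2013 15:55
Subject:
    CN=DC.mulberry.com
Certificate Extensions: 2
    2.5.29.37: Flags = 0, Length = c
    Enhanced Key Usage
        Server Authentication (1.3.6.1.5.5.7.3.1)
    2.5.29.17: Flags = 0, Length = 1c
    Subject Alternative Name
        DNS Name=DC.mulberry.com
================ Certificate 1 ================
Serial Number: 1b9b02cb00000000000d
Issuer:
    CN=ext
 NotAfter: 19/07/2013 16:00
Subject:
    CN=DC.mulberry.com
Certificate Extensions: 1
    2.5.29.37: Flags = 0, Length = c
    Enhanced Key Usage
        Client Authentication (1.3.6.1.5.5.7.3.2)
"""

# Separator row before each certificate; the captured group is the certificate index.
CERT_HEADER = re.compile(r"^=+ Certificate (\d+) =+[ \t]*$", re.MULTILINE)

def _cn_after(body, label):
    """CN on the line that follows 'Issuer:' or 'Subject:'."""
    m = re.search(re.escape(label) + r"[ \t]*\n[ \t]*CN=([^\n,]+)", body)
    return m.group(1).strip() if m else None

def _field(body, name):
    """Value of a 'Name: value' line such as NotAfter."""
    m = re.search(r"^[ \t]*" + re.escape(name) + r":[ \t]*(.+)$", body, re.MULTILINE)
    return m.group(1).strip() if m else None

def _eku_oids(body):
    """OIDs listed on the lines indented below 'Enhanced Key Usage'."""
    oids, in_eku, base_indent = [], False, 0
    for line in body.splitlines():
        indent = len(line) - len(line.lstrip())
        if in_eku:
            if line.strip() and indent <= base_indent:
                break  # back at extension level: the EKU block is finished
            oids += re.findall(r"\((\d+(?:\.\d+)+)\)", line)
        elif line.strip() == "Enhanced Key Usage":
            in_eku, base_indent = True, indent
    return oids

def parse_certutil_store(text):
    """Split the listing on its separator rows into one dict per certificate."""
    parts = CERT_HEADER.split(text)  # [preamble, "0", body0, "1", body1, ...]
    certs = []
    for i in range(1, len(parts), 2):
        body = parts[i + 1]
        certs.append({
            "index": int(parts[i]),
            "subject_cn": _cn_after(body, "Subject:"),
            "issuer_cn": _cn_after(body, "Issuer:"),
            "not_after": _field(body, "NotAfter"),
            "eku_oids": _eku_oids(body),
        })
    return certs

def find_ldaps_certificate(text, dc_fqdn, issuer_cn):
    """Apply the article's three criteria and return the matching index, or None.
    Raises ValueError when several match: pick the index by hand (e.g. by serial number)."""
    matches = [c["index"] for c in parse_certutil_store(text)
               if (c["subject_cn"] or "").lower() == dc_fqdn.lower()
               and c["issuer_cn"] == issuer_cn
               and SERVER_AUTH_OID in c["eku_oids"]]
    if len(matches) > 1:
        raise ValueError(f"ambiguous: certificates {matches} all match")
    return matches[0] if matches else None

def days_until_expiry(cert, now):
    """Days left before NotAfter. Assumes the dd/mm/yyyy HH:MM layout shown in the article;
    CertUtil prints dates in the DC's locale, so adjust the format string if yours differs."""
    return (datetime.strptime(cert["not_after"], "%d/%m/%Y %H:%M") - now).days

def export_command(index, path):
    """Step (2) of the article: the CertUtil command that writes the chosen certificate to a file."""
    return f"CertUtil -store MY {index} {path}"
```

Running `find_ldaps_certificate(SAMPLE_CERTUTIL_OUTPUT, "DC.mulberry.com", "ext")` returns 0, and `export_command(0, r"C:\ServerCert.cer")` yields exactly the step (2) example command. The expiry figure is the caveat to keep in mind: step (3) places this one server certificate in the Java keystore, so when the DC's certificate is renewed (the article's example is valid for a single year) the new certificate has to be exported and imported again with the same procedure. After step (3), `keytool -list -keystore ./lib/security/cacerts -alias SSLCert` (run from the same "jre" directory) confirms that the entry is present.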


(3) Import certificate to the keystore of Endpoint Security Server

  1. Copy the certificate file to the Endpoint Security Server.

  2. Go to the "jre" directory:

    • On Windows OS: %UEPMDIR%\engine\jre
    • On Gaia OS: $UEPMDIR/engine/jre
      Note: On R80.x server - $CPDIR/jre_32 or $CPDIR/jre_64 
  3. Import the certificate to the keystore:

    • On Windows OS:

      .\bin\keytool -import -keystore .\lib\security\cacerts -file <file_name> -alias <alias>

      Example:

      .\bin\keytool -import -keystore .\lib\security\cacerts -file C:\ServerCert.cer -alias SSLCert

    • On Gaia OS:

      ./bin/keytool -import -keystore ./lib/security/cacerts -file <file_name> -alias <alias>

      Example:

      ./bin/keytool -import -keystore ./lib/security/cacerts -file /home/admin/ServerCert.cer -alias SSLCert

    You will be prompted to enter a password.
    The default password is "changeit".

    At the end of the import, you will be asked "Trust this certificate? [no]" - enter y to confirm and complete the process.

    Output should be "Certificate was added to the keystore".

  4. Restart the Endpoint Security Server:

    uepm_stop

    uepm_start
