The purpose of this blog post is not to explain the steps for configuring AD as the primary user store; that is covered in the
WSO2 Documentation. My intention is to give some guidance on how to configure an AD LDS instance to work over SSL and how to export/import certificates into the trust store of WSO2 servers.
To achieve this, we need to:
- Install AD on Windows Server 2012 R2
- Install the AD LDS role on Server 2012 R2
- Create an AD LDS instance
- Install Active Directory Certificate Services on the Domain Controller (the AD LDS instance needs a certificate to work over SSL)
- Export the certificate used by the Domain Controller
- Import the certificate into client-truststore.jks on the WSO2 servers
This information is also covered in the following two great blog posts by Suresh. My post is an updated version of them that fills some gaps and links some missing bits and pieces.
1. Assume you have only installed Windows Server 2012 R2 and now need to install AD too. The following article clearly explains all the required steps.
Note: As mentioned in the article itself, it is written assuming that there is no existing Active Directory forest. If you need to configure the server as a Domain Controller for an existing forest, then the following article will be useful
2. Now that you've installed Active Directory Domain Services, the next step is to install the AD LDS role.
- Start -> Server Manager -> Dashboard -> Add roles and features
- In the wizard, under Installation Type, select Role-based or feature-based installation and click Next.
- Under Server Selection, keep the current server (selected by default) and click Next.
- Under Server Roles, select the Active Directory Lightweight Directory Services (AD LDS) check box and click Next.
- The wizard then shows AD LDS related information. Review it and click Next.
- Next you'll be prompted to select optional features. Review the list, select any features you need (if any) and click Next.
- Review the installation details and click Install.
- After a successful AD LDS installation you'll get a confirmation message.
3. Now let's create an AD LDS instance.
- Start -> Administrative Tools -> Active Directory Lightweight Directory Services Setup Wizard.
- On the Welcome to the Active Directory Lightweight Directory Services Setup Wizard page, click Next.
- You'll then be taken to the Setup Options page. From this step onwards, the configuration is the same as mentioned in
4. As explained in the above blog, if you pick an administrative account as the service account, you won't have to create certificates and assign them to the AD LDS instance yourself; the AD LDS instance can use the default certificate issued to the Domain Controller. This is convenient for a lab; for production, a dedicated service account with a dedicated server-authentication certificate is the least-privilege option (see the note in step 5).
To achieve this, let's install a certificate authority on the Windows Server 2012 machine (if it's not already installed). Again I'm not going to explain it in detail because the following article covers all the required information
5. Now let's export the certificate used by the Domain Controller.
- Open MMC (Start -> Run -> mmc)
- File -> Add/Remove Snap-in
- Select the Certificates snap-in and click Add.
- Select the Computer account radio button and click Next.
- Select Local computer and click Finish.
Now restart the Windows server (the Domain Controller picks up its certificate from the newly installed CA after a reboot).
- In MMC, expand Certificates (Local Computer) -> Personal -> Certificates.
- You'll find a number of certificates there.
- Locate the root CA certificate (the one whose Issued To and Issued By fields are the same), right-click it -> All Tasks -> Export.
Note: The intended purpose of this certificate is <All>, not purely Server Authentication. The Domain Controller presents its own certificate, issued by this CA, during the LDAPS handshake, so WSO2 only needs to trust the CA certificate (without its private key) to validate it. It's also possible to create a dedicated Server Authentication certificate and use it for LDAPS; [1] and [2] explain how it can be achieved.
For the moment I'm using the default certificate for LDAPS.
- In the Certificate Export Wizard, select "No, do not export the private key" and click Next.
- Select the "DER encoded binary X.509 (.CER)" format and provide a location to save the certificate.
6. Import the certificate into the trust store of the WSO2 server.
Use the following command to import the certificate into client-truststore.jks, found in CARBON_HOME/repository/resources/security (wso2carbon is the default trust store password; change it in production):
keytool -import -alias adcacert -file /cert_home/cert_name.cer -keystore CARBON_HOME/repository/resources/security/client-truststore.jks -storepass wso2carbon
Restart the WSO2 server afterwards so the new trust store contents are picked up. After this, configuring user-mgt.xml and tenant-mgt.xml is the same as explained in the
WSO2 Documentation.
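The export-and-import procedure from steps 5 and 6, scripted end to end, as an added PowerShell example that is not part of the original post. It assumes it runs on the Domain Controller with WSO2 installed on the same Windows host (if WSO2 runs elsewhere, copy the .cer there and run the keytool part on that machine), that keytool is on the PATH or JAVA_HOME is set, and that the CA subject name, host, port, CARBON_HOME path and the default wso2carbon password below are replaced with your own values. Beyond the manual steps, it verifies that the trust store entry matches the exported certificate and that the LDAPS port really presents a certificate issued by that CA, which is the check you want before touching user-mgt.xml.

```powershell
# Added example (not from the original post): export the root CA certificate, import it into
# client-truststore.jks, then verify the LDAPS handshake against the exported CA.
$CaSubjectPattern = 'CN=example-DC01-CA'     # assumption: your CA's subject name
$LdapsHost        = 'dc01.example.local'      # assumption: host of the DC / AD LDS instance
$LdapsPort        = 636                       # assumption: SSL port chosen when the instance was created
$CarbonHome       = 'C:\wso2\wso2is'          # assumption: WSO2 install root
$ExportPath       = 'C:\certs\adcacert.cer'
$TrustStore       = Join-Path $CarbonHome 'repository\resources\security\client-truststore.jks'
$StorePass        = 'wso2carbon'              # WSO2 default; change it in production

# 1. Locate the root CA certificate in Certificates (Local Computer) -> Personal.
#    A root CA certificate is self-issued, so its Subject equals its Issuer.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$CaSubjectPattern*" -and $_.Subject -eq $_.Issuer } |
    Select-Object -First 1
if (-not $caCert) { throw "No root CA certificate matching '$CaSubjectPattern' in Cert:\LocalMachine\My" }

# 2. Export it as DER-encoded X.509 (.cer) without the private key, as the MMC wizard does.
New-Item -ItemType Directory -Force -Path (Split-Path $ExportPath) | Out-Null
Export-Certificate -Cert $caCert -FilePath $ExportPath -Type CERT | Out-Null
Write-Host "Exported '$($caCert.Subject)' (thumbprint $($caCert.Thumbprint)) to $ExportPath"

# 3. Import it into client-truststore.jks (-noprompt skips the interactive 'Trust this certificate?' question).
$keytool = if ($env:JAVA_HOME) { Join-Path $env:JAVA_HOME 'bin\keytool.exe' } else { 'keytool' }
& $keytool -importcert -noprompt -trustcacerts -alias adcacert -file $ExportPath `
    -keystore $TrustStore -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# 4. Check that the stored entry is the certificate we exported by comparing SHA-1 fingerprints.
$listing  = & $keytool -list -v -alias adcacert -keystore $TrustStore -storepass $StorePass
$sha1Line = ($listing | Select-String 'SHA1:' | Select-Object -First 1).Line
$storedFp = (($sha1Line -replace '^.*SHA1:\s*', '') -replace ':', '').Trim()
if ($storedFp -ne $caCert.Thumbprint) { throw "Trust store entry ($storedFp) does not match the exported certificate" }

# 5. Handshake with the LDAPS port and confirm the server certificate was issued by the exported CA.
#    Validation is disabled in the callback so the chain can be inspected explicitly below; that
#    issuer check mirrors what WSO2 will do with client-truststore.jks.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
$tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $LdapsHost, $LdapsPort
$ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $acceptAll
try {
    $ssl.AuthenticateAsClient($LdapsHost)
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
} finally {
    $ssl.Dispose(); $tcp.Close()
}
Write-Host "LDAPS server presented '$($remote.Subject)' issued by '$($remote.Issuer)'"
if ($remote.Issuer -ne $caCert.Subject) {
    throw "The LDAPS certificate is not issued by the exported CA; WSO2 would reject this handshake"
}
Write-Host "OK: the certificate chains to '$($caCert.Subject)'; WSO2 can trust ${LdapsHost}:${LdapsPort}"
```

If step 5 fails while steps 3 and 4 succeed, the AD LDS instance is presenting a certificate from somewhere other than the CA you exported (or none at all, in which case the handshake itself errors); fix that on the Windows side before changing user-mgt.xml, because WSO2 will fail in exactly the same way.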