02-11-2011 01:16 PM
My security folks are "requiring" me to implement LDAP over SSL (LDAPS) on my Brocade SAN.
We are currently using regular LDAP for authentication.
At a high level, my intentions were to:
1. Obtain an LDAP certificate
2. Run the command: secCertUtil import -ldapcacert
3. Run the command: aaaconfig --change my.ldapserver.com -conf ldap -p 3269 -d mydomain.com
4. Login using LDAPS :-)
Am I (way) off base or did I miss anything?
02-14-2011 11:51 AM
You are right with your steps.
Keep an eye out while creating the CSR file. You have to enter information like Country and State and some other company information.
These entries should be requested from your security department or the person who creates the certificates. If these do not match, you will get problems.
This was my own experience, and I had some difficulties while implementing certificates.
I hope this helps.
01-24-2012 03:25 AM
I have managed to get user authentication working using AD as the LDAP source, and the FOS 7.x Administration Guide is better (though still nowhere near good enough) in describing the steps you need to follow to get it to work.
Unfortunately I have not been able to get it to work with LDAPS, even though I have imported the Root, plus the subordinate Ash Forest and AD Server certificates to the SAN switch. It seems that these are not enough to allow the switch to authenticate over SSL.
From studying the Admin Guide, it would appear that I need to generate a public and private key, and a certificate signing request (CSR), on each switch, and for those to be transferred to the Certificate Authority (CA) so a specific switch certificate could be created. This certificate would then be transferred back to each switch and installed there. Unfortunately for me, the customer doesn't allow self-signed certification, and has only provided us with the above certificates, which they maintain are enough. We have been able to use LDAPS with other equipment (HP Servers) successfully in this manner, so we know that it is possible.
Can anyone shed any light on how to troubleshoot LDAPS authentication issues with Brocade SAN switches?
Do I really need to generate the keys on each switch, or can I simply export the imported LDAP certificate, back to the CA server (Windows in this case)?