So I can use a certificate or Secure LDAP? I am guessing if I use a certificate, I will need to install it on the LDAP server as well as the ACS appliance? I will read up a little more on the Secure LDAP. I hope that will be the answer.

THank you,

Dwane

Dwane,

Cert7.db needs to be created for a LDAP database using Netscape Navigator, for that you need to contact your LDAP Administrator.

Here's a documentation link, which says how to get SSL connection between ACS and LDAP, and we need to get cert7.db by installing Netscape:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09

186a0080092566.shtml

NOTE: Preferred way to generate cert7.db is to use Netscape browser as, it is only tested way.

Please note that the certificate DB path is required. To install a Cert7.db

file with the correct certificates the following is required.

We need to use Netscape 4.x (up to 4.8) for creating cert7.db. More recent

versions may be not compatible.

1. Setup the LDAP with a certificate.

2. Install Netscape 4.x (this creates the cert7.db file, which is just a

database of certs)

3. Browse to https://servername:Ldap-port with the Netscape browser.

4. Install the certificate selecting the option "accept this certificate

forever.

5. Copy the cert7.db file to another directory (like the ACS folder).

The default location of the cert7.db file is C:\Program

Files\Netscape\Users\default

6. Now just enter the path to the cert7.db file in the "Certificate DB Path" field in t he configuration for your LDAP DB in ACS.

TIP: cert7.db from OpenSSL etc will not work

Regards,

~JG

Hi Dwane,

In addition to JG update you may refer:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a0080092566.shtml#wp327699

You might need to reboot your ACS server after installing cert7.db (observed in some cases)

HTH

Regards,

JK

Will this cert need to be loaded on both the ACS and AD servers?

Only on ACS.

HTH

Regards,

JK

Hi.

Question: What LDAP server do we have here?

ACS only supports server-side authentication for SSL communication with LDAP server.

On ACS server you only need Root CA certificate. The CA who issued certificate to LDAP server for SSL communication. This is easy to determine, you only need to look up "Issued By" filed on the certificate.

Other then that. Password is secure between client and the ACS server (Radius/Tacacs+). With SSL between ACS and LDAP its secure at the backend too

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp399155

"Security-ACS uses SSL to encrypt communication between ACS and the LDAP server. If you do not enable SSL, user credentials are passed to the LDAP server in clear text. If you select this option, then you must select Trusted Root CA or Certificate Database Path. ACS supports only server-side authentication for SSL communication with the LDAP server. Solution Engine only: You must be sure that the Port box contains the port number used for SSL on the LDAP server."

HTH

Prem

Prem, JG and others,

Thank you for your inputs. Now I am confused. As I set up the cert on the ACS server, I use our root CA server. How do I tell if it is good or not? I also have configured the ACS LDAP External Database configuration to use TCP port 3269 and have checked to use the CA server. Do I need to set anything else up? I am pretty sure I do since this config does not work. However, when I set it back to not be secure and use port 3268, it works like a champ, but passwords are sent int eh clear.

Thanks

Dwane