Using LDAPS (LDAP over SSL) with RSA SecurID

    Question

  • Hello everyone, I have integrated my RSA SecurID server with AD just fine using LDAP.  The issue is I need to make sure everything is secure and move it to LDAPS.  I have the entire LDAPS infrastructure set up with a CA and know it's working as I have other systems on it.  The issue is that RSA SecurID requires the certificate to be imported as they won't do a first-time trust or trust an unknown certificate. The question I have is which certificate do I need to provide the server?  Which certificate in my CA do I export so LDAPS works properly?

    Thank you,

    Friday, August 30, 2013 6:49 PM

Answers

  • Hi,

    from the information you provided I see that you have a single-tier PKI, so just one CA. This is not a recommended setup, but this is not the point here.

    Start the Certification Authority console, click on the CA name and select Properties. On the General tab click on View Certificate. Go to the Details tab and click on Copy to File. Go through the certificate export wizard accepting all defaults and save the file. Then import this file in RSA.

    Regards,

    Lutz

    • Marked as answer by iworkhere Sunday, September 01, 2013 3:46 PM
    Friday, August 30, 2013 7:28 PM
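The procedure above is the GUI export of the CA's own certificate. As an added example (not from the thread or from RSA), the same export done from PowerShell with certutil, followed by a check that a domain controller's LDAPS certificate actually chains to the exported file before it is handed to RSA SecurID. The CA host, CA name, DC host and output path are assumptions; replace them with your own values. Requires an account allowed to read the CA's certificate (any authenticated domain user by default) and network access to port 636 on the DC.

```powershell
# Added example: export the CA certificate and verify a DC's LDAPS chain against it.
# All names below are assumptions for illustration, not values from the thread.
$CaHost  = 'ca01.corp.example.com'    # assumed: the (single) enterprise CA host
$CaName  = 'Example-Issuing-CA'       # assumed: the CA's common name as shown in certsrv.msc
$DcHost  = 'dc01.corp.example.com'    # assumed: a domain controller offering LDAPS
$OutFile = Join-Path $env:TEMP "$CaName.cer"

# 1. Export the CA's own certificate (what "View Certificate > Copy to File" produces).
certutil -config "$CaHost\$CaName" -ca.cert $OutFile | Out-Null
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OutFile

# In a single-tier PKI this certificate is self-signed, i.e. it IS the root.
if ($caCert.Subject -ne $caCert.Issuer) {
    Write-Warning "Exported CA certificate is not self-signed; the CA above it must be exported too."
}

# 2. Fetch the certificate the DC presents on 636. The callback accepts anything
#    here on purpose: the real trust decision is made in step 3 with our own anchor.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($DcHost, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($DcHost)
$dcCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
$ssl.Dispose(); $tcp.Dispose()

# 3. Build the chain with the exported file supplied as an extra store, and require
#    that the chain terminates in exactly that certificate (thumbprint match), not
#    merely in something the local machine happens to trust.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($caCert) | Out-Null
$chain.ChainPolicy.RevocationMode    = 'NoCheck'                          # RSA import is about trust, not revocation
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority' # let Build finish even if the root is not in the local Root store
$built  = $chain.Build($dcCert)
$anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

if ($built -and $anchor.Thumbprint -eq $caCert.Thumbprint) {
    "OK: $DcHost presents '$($dcCert.Subject)', chaining to '$($caCert.Subject)'. Import $OutFile into RSA SecurID."
} else {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    "MISMATCH: chain from $DcHost ends at '$($anchor.Subject)', not the exported CA. Status: $status"
}
```

If the check reports a mismatch, the DC is using a certificate from a different CA (or a self-signed one) and the exported file will not make RSA trust it; fix the DC's certificate first rather than importing whatever is on the wire. Also check that `$dcCert.Subject` or its SAN contains the exact host name RSA is configured to connect to, since the LDAPS client will verify the name as well as the chain.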

All replies

  • Thanks Lutz, that did the trick.  Can you tell me more about why a single-tier is bad and how I can redesign the architecture to be proper?
    Sunday, September 01, 2013 3:47 PM
  • Sure. So the root CA has the highest trust level in a PKI hierarchy and needs the most protection, because an attacker (coworker, hacker) can just copy the private key and start his own "shadow PKI" and issue valid certificates. So if the root CA is an Enterprise CA the protection is weak because the CA is online all the time.

    Other point is, you can't revoke a Root CA. You can only start with a new Root CA. Depending on what you already do, or plan to do, with your PKI that can be a high-effort job to issue a new Root CA certificate, especially if you have unmanaged machines (not AD-integrated) or applications like Java or Firefox with their own certificate stores. It is in most cases a lot of manual effort in little time (between shutting down the old Root CA and having the new Root CA certificate rolled out).

    So the best is to run the Root CA offline (laptop or desktop computer) with restricted access to the physical machine (e.g. security vault) and to the OS.

    And then the issuing CA is a SubCA of the Root CA, and if something happens you can replace the SubCA with a new one much more easily than the Root CA. But even so, you should protect the SubCA as best as you can as well. More and more organizations use specialized hardware to avoid the situations I have described above.

    Hope that helps,

    Lutz

    Tuesday, September 03, 2013 5:25 AM
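The design described above (offline standalone root, online issuing SubCA) is mostly a matter of how the root is installed and what URLs it stamps into the SubCA certificate. As an added example that is not from the thread or from Microsoft's documentation, the following PowerShell sets up such a root on a non-domain-joined Windows Server machine; the CA name, the HTTP publication URL and the lifetimes are assumptions to be adapted. The point the code makes is that a root which is normally powered off cannot serve its own CRL or AIA, so those extensions must point at a web server that stays online, and the root should only ever issue CA certificates (path length 1).

```powershell
# Added example: minimal offline root CA configuration. Assumes Windows Server (AD CS
# is not available on client editions), a workgroup machine, and local admin rights.
$RootCaName = 'Example-Root-CA'                    # assumed
$PkiUrl     = 'http://pki.corp.example.com/pki'    # assumed: always-on web server, NOT the root itself

# 1. CAPolicy.inf is read from %WINDIR% at install time. Single-quoted here-string so
#    "$Windows NT$" is written literally. Renewal* values apply when the root renews itself;
#    PathLength=1 means certificates issued by this root may only be CA certificates.
@'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0

[BasicConstraintsExtension]
PathLength=1
Critical=Yes
'@ | Set-Content -Path (Join-Path $env:windir 'CAPolicy.inf') -Encoding ASCII

# 2. Install the role as a standalone (non-Enterprise) root; the key lives in software KSP
#    here, which is the case Lutz refers to when recommending dedicated hardware instead.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName $RootCaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

# 3. CRL and AIA. Prefix 1 = publish to this path, 2 = include this URL in issued certs.
#    Only the local folder is published to (the root is offline); only the HTTP URL is
#    embedded, so relying parties never try to reach the root machine. certutil itself
#    interprets the literal "\n" as the separator between entries.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:$PkiUrl/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:$PkiUrl/%1_%3%4.crt"
certutil -setreg CA\ValidityPeriodUnits 10     # lifetime of the SubCA certificates this root signs
certutil -setreg CA\ValidityPeriod "Years"
Restart-Service certsvc
certutil -crl                                  # first CRL, valid 26 weeks; re-run on each planned power-on

# 4. Copy <CertEnroll>\*.crt and *.crl to the web server behind $PkiUrl. From a domain-joined
#    admin workstation, publish the root into AD so domain members trust it automatically:
#    certutil -dspublish -f .\Example-Root-CA.crt RootCA
```

After this the issuing CA is installed as an Enterprise Subordinate CA on a domain member, its request file is carried to the root on removable media, signed there, and the resulting certificate installed on the SubCA; the root is then powered off until the next CRL is due. Keep a calendar entry for the CRL period: an expired root CRL breaks revocation checking for every certificate under the hierarchy even though the root itself is fine.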
  • Thanks Lutz,

    Do you have any documentation on how I can set up a laptop to be the new Root CA and do things properly?

    Thank you,

    Friday, September 27, 2013 6:10 PM