BusinessObjects Enterprise Administrator's Guide

Configuring the Secure Socket Layer authentication for LDAP

Note:    This section describes the CMC related information for configuring SSL for LDAP only. For additional information or for information on configuring the LDAP host server, refer to http://www.techsupport.businessobjects.com or your LDAP vendor documentation.

To configure the Secure Socket Layer authentication

1. If necessary, go to the Authentication management area of the CMC again. Click the LDAP tab, and then click Start LDAP Configuration Wizard. Click Next until the screen of the wizard asks for the Secure Socket Layer authentication information. Otherwise, skip to step 2.
2. Select the type of SSL authentication (Basic (no SSL), Server Authentication, or Mutual Authentication) your LDAP hosts uses to establish a connection with BusinessObjects Enterprise. Click Next.
3. If you selected Server Authentication or Mutual Authentication, choose one of the following options:
• Always accept server certificate

  This is the lowest security option. Before BusinessObjects Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive a security certificate from the LDAP host. BusinessObjects Enterprise does not verify the certificate it receives.

• Accept server certificate if it comes from a trusted Certificate Authority

  This is a medium security option. Before BusinessObjects Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive and verify a security certificate sent to it by the LDAP host. To verify the certificate, BusinessObjects Enterprise must find the Certificate Authority that issued the certificate in its certificate database.

  Tip:    Java applications (such as the Java version of InfoView) always use this option, regardless of the setting you choose.

• Accept server certificate if it comes from a trusted Certificate Authority and the CN attribute of the certificate matches the DNS hostname of the server

  This is the highest security option. Before BusinessObjects Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive and verify a security certificate sent to it by the LDAP host. To verify the certificate, BusinessObjects Enterprise must find the Certificate Authority that issued the certificate in its certificate database. It must also be able to confirm that the CN attribute on the server certificate exactly matches the host name of the LDAP host as you typed it in the "Add LDAP host" field in the first step of the wizard. That is, if you entered the LDAP host name as ABALONE.rd.crystald.net:389, using CN =ABALONE:389 in the certificate would not work.

  Tip:    The host name on the server security certificate is the name of the primary LDAP host. Therefore if you select this option you cannot use a failover LDAP host.

4. In the SSL host box, you must next add the host name of each machine in your BusinessObjects Enterprise system that uses the BusinessObjects Enterprise SDK. (This includes the machine running your Central Management Server and the machine running your WCA.)

Type the host name of each machine in the SSL Host box, and then click Add.

 

5. Now configure the SSL settings for each SSL host in the list, starting with the default host.
• To select settings for the default host, first clear the Use default value boxes. Then type your values for the path to the certificate and key database files, the password for the key database. Type a nickname for the client certificate in the cert7.db if you selected mutual authentication.

  The settings for the default host are used:

  • for any setting (for any host) where you leave the "Use default value" box checked.
  • for any machine whose name you do not explicitly add to the list of SSL hosts.
• To select settings for another host, select its name in the list on the left. Then type the appropriate values in the boxes on the right.
6. Click Next.
7. Proceed with configuring LDAP for single sign-on.