NetWorker: How To use authc_config scripts to configure LDAPS Authentication

Summary: This KB provides instructions on how to configure Secure Lightweight Directory Access Protocol (LDAPS) integration with NetWorker authentication. This process can be used for integrating Microsoft Active Directory (AD), or Linux LDAP external authentication services. ...

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Instructions

This article can be broken down into the following sections. Carefully review each section before proceeding:

 

Prerequisites:

  • Determine which host is the authc server. This is helpful in larger NetWorker datazones. In smaller datazones with a single NetWorker server, the NetWorker server is the authentication server. 
  • Determine which Java Runtime Environment is used for the authentication service.
  • Set command-line variables to help facilitate importing the CA certificates used for SSL with NetWorker external authentication.

Setting up SSL:

  • Import the certificates used for LDAPS authentication into the authentication services runtime environment cacerts keystore.

Configuring the External Authority Resource:

  • Create the external authority resource in the authentication service.
  • Determine external users or groups to be used for NetWorker.
  • Define which external users or groups have access to the NetWorker Management Console (NMC).
  • Define the NetWorker server permissions external users and groups have.
  • (Optional) Configure FULL_CONTROL security permissions for an external user or group.

Prerequisites:

To use LDAPS, you must import the CA certificate (or certificate chain) from the LDAPS server into the NetWorker authentication server's Java cacerts keystore.

  1. Determine which host is the NetWorker Authentication server. This can be validated in the NetWorker Management Console (NMC) server's gstd.conf file:
Linux: /opt/lgtonmc/etc/gstd.conf
Windows: C:\Program Files\EMC NetWorker\Management\GST\etc\gstd.conf
 
NOTE: The gstd.conf file contains a string authsvc_hostname which defines the authentication server used to process login requests for the NetWorker Management Console (NMC).
  1. On the NetWorker authentication server, identify the Java instance used.
Windows:
A. Search About in the Windows search bar.
B. From About, click Advanced System Settings.
C. From System Properties, click Environment Variables.
D. The NSR_JAVA_HOME variable defines the path of the Java Runtime Environment used by NetWorker authc:

NSR_JAVA_HOME

      1. E. From an Administrative command prompt, set command-line variables specifying the java install path determined in the above step:
set JAVA="Path\to\java"
Example:
 Example setting JAVA variable Windows  
Facilitates java keytool commands in Setting up SSL and ensures the correct cacerts file imports the CA certificate. This variable is removed once the command-line session is closed and does not interfere with any other NetWorker operations.
 

Linux:

      1. A. Check the /nsr/authc/conf/installrc file to see which Java location was used when configuring the authentication service:
sudo cat /nsr/authc/conf/installrc
Example: 
[root@nsr ~]# cat /nsr/authc/conf/installrc
JAVA_HOME=/opt/nre/java/latest
NOTE: This variable only applies to NetWorker processes. It is possible that echo $JAVA_HOME will return a different path; for example, if Oracle Java Runtime Environment (JRE) is also installed. In the next step, it is important to use the $JAVA_HOME path as defined in NetWorker's /nsr/authc/conf/installrc file.

       

        B. ​​​​Set command-line variables specifying the java install path determined in the above step.

JAVA=/path/to/java
Example:
setting java variable Linux 
Facilitates java keytool commands in Setting up SSL and ensures the correct cacerts file imports the CA certificate. This variable is removed once the command-line session is closed and does not interfere with any other NetWorker operations.

 

Setting up SSL

To use LDAPS, you must import the CA certificate (or certificate chain) from the LDAPS server into the JAVA trust keystore. This can be done with the following procedure:

NOTE: The below process uses command-line variables set following the Prerequisites section. If the command-line variables are not set, specify the full java path instead.
1. Open an administrative/root command prompt.
2. Display a list of current trusted certificates in the trust store.
Windows: 
%JAVA%\bin\keytool -list -keystore %JAVA%\lib\security\cacerts -storepass changeit
Linux: 
$JAVA/bin/keytool -list -keystore $JAVA/lib/security/cacerts -storepass changeit
3. Review the list for an alias that matches your LDAPS server (this may not exist). You can use operating system grep or findstr commands with the above command to narrow the search. If there is an outdated or existing CA certificate from your LDAPS server, delete it with the following command:

Windows:

%JAVA%\bin\keytool -delete -alias ALIAS_NAME -keystore %JAVA%\lib\security\cacerts -storepass changeit
Linux: 
$JAVA/bin/keytool -delete -alias ALIAS_NAME -keystore $JAVA/lib/security/cacerts -storepass changeit
NOTE: Replace ALIAS_NAME with the alias name of the old or expired certificates from step 2.
    4. Use the OpenSSL tool to obtain a copy of the CA certificate from the LDAPS server. 
    openssl s_client -showcerts -connect LDAPS_SERVER:636
    • By default, Windows hosts do not include the openssl program. If it is not possible to install OpenSSL on the NetWorker server, the certificates can be exported directly from the LDAPS server; however, it is highly recommended to use the OpenSSL utility. 
    • Linux typically comes with openssl installed. If Linux server's exist in the environment, you can use openssl there to collect the certificate files. These can be copied to and used on the Windows authc server.
    • If you do not have OpenSSL, and it cannot be installed have your AD admin provide one or more certificates by exporting them as Base-64 encoded x.509 format.
    • Replace LDAPS_SERVER with the hostname or IP address of your LDAPS server.
    5. The above command outputs the CA certificate or a chain of certificates in Privacy Enhanced Mail (PEM) format, e.g: 
    -----BEGIN CERTIFICATE-----
MIIGQDCCBSigAwIBAgITbgAAAAiwkngyAQWDwwACAAAACDANBgkqhkiG9w0BAQsF
ADBPMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFjAUBgoJkiaJk/IsZAEZFgZlbWNs
...
7NZfi9DiEBhpFmbF8xP96qB/kTJC+29t/0VE8Fvlg87fRhs5BceIoX8nUnetNCdm
m4mGyefXz4TBTwD06opJf4NQIDo=
-----END CERTIFICATE-----
    NOTE: If there is a chain of certificates, the last certificate is the CA certificate. You must import each certificate in the chain in order (top down) ending with the CA certificate.
     
    6. Copy the certificate starting from ---BEGIN CERTIFICATE--- and ending with ---END CERTIFICATE--- and paste it into a new file. If there is a chain of certificates, you must do this with each certificate.
    7. Import the certificate or certificates created in 3, c into the JAVA trust keystore:
    Windows: 
    %JAVA%\bin\keytool -import -alias ALIAS_NAME -keystore %JAVA%\lib\security\cacerts -storepass changeit -file \PATH_TO\CERT_FILE

    Linux:

    $JAVA/bin/keytool -import -alias ALIAS_NAME -keystore $JAVA/lib/security/cacerts -storepass changeit -file /PATH_TO/CERT_FILE
    • Replace ALIAS_NAME with an alias for the imported certificate (For example, RCA (root CA)). When importing multiple certificates for a certificate chain, each certificate must have a different ALIAS name and be imported separately. The certificate chain must also be imported in order from step 5 (top down).
    • Replace PATH_TO\CERT_FILE with the location of the cert file that you created in step 6.
    8. You are prompted to import the certificate, type yes and press enter. 
    C:\Users\administrator>%JAVA%\bin\keytool -import -alias RCA -keystore %JAVA%\lib\security\cacerts -storepass changeit -file C:\root-ca.cer
Owner: CN=networker-DC-CA, DC=networker, DC=lan
Issuer: CN=networker-DC-CA, DC=networker, DC=lan
Serial number: 183db0ae21d3108244254c8aad129ecd
...
...
...

Trust this certificate? [no]:  yes
Certificate was added to keystore
    9. Confirm that the certificate is shown in the keystore:
    Windows: 
    %JAVA%\bin\keytool -delete -alias ALIAS_NAME -keystore %JAVA%\lib\security\cacerts -storepass changeit

    Linux:

    $JAVA/bin/keytool -delete -alias ALIAS_NAME -keystore $JAVA/lib/security/cacerts -storepass changeit
    NOTE: Pipe (|) the operating system grep or findstr command to the above to narrow the result. 
    C:\Users\administrator>%JAVA%\bin\keytool -list -keystore %JAVA%\lib\security\cacerts -storepass changeit | findstr RCA
RCA, Jan 15, 2025, trustedCertEntry,
    10. Restart the NetWorker server services. 
    Windows:  
    net stop nsrd
net start nsrd
    Linux:  
    nsr_shutdown
service networker start
    NOTE: Restart NetWorker server services to ensure authc reads the cacerts file and detects imported certificates for SSL communication with the LDAP server.

     

    Configuring the External Authority Resource

    This process can be performed from the NetWorker Management Console (NMC) or NetWorker Web User Interface:

    The process in this article focuses on using scripts provided with the NetWorker software. NetWorker authentication server includes authc_config script templates in the following location:

    Windows: C:\Program Files\EMC NetWorker\nsr\authc-server\scripts\
    Linux: /opt/nsr/authc-server/scripts/
    NOTE: The paths shown assume the default NetWorker installation path is used. If NetWorker is installed in another location, modify the paths accordingly.
     
    There are two scripts that can be used. The script used depends on the external authentication method used. Using the incorrect script can result in failures.
    • For Microsoft Active Directory, use authc-create-ad-config.x.template
    • For Linux LDAP (OpenLDAP, so forth), use authc-create-ldap-config.x.template
    NOTE: The script includes .bat.template if the authentication server is Microsoft Windows, and .sh.template if Linux.

    Create a copy of the template file needed and remove .template from the file name. This leaves you with a .bat or .sh script to be run from the command line after populating it with the external authority details.

    Example contents from authc-create-ad-config.sh.template: 
    authc_config -u administrator -p <password> -e add-config \
-D "config-tenant-id=<tenant_id>" \
-D "config-active-directory=y" \
-D "config-name=<authority_name>" \
-D "config-domain=<domain_name>" \
-D "config-server-address=<protocol>://<hostname_or_ip_address>:<port>/<base_dn>" \
-D "config-user-dn=<user_dn>" \
-D "config-user-dn-password=<user_password>" \
-D "config-user-search-path=<user_search_path>" \
-D "config-user-id-attr=sAMAccountName" \
-D "config-user-object-class=<user_object_class>" \
-D "config-group-search-path=<group_search_path>" \
-D "config-group-name-attr=cn" \
-D "config-group-object-class=group" \
-D "config-group-member-attr=member" \
-D "config-user-search-filter=" \
-D "config-group-search-filter=" \
-D "config-search-subtree=n" \
-D "config-user-group-attr=memberOf" \
-D "config-object-class=objectClass"
    NOTE: Any value in the script inside < > must be changed. The values not inside < > can be left as is. 

    The following table details the parameters defined in the configuration file.

    config-tenant-id
    		Tenants can be used in environments where more than one authentication method may be used or when multiple authorities must be configured. Creating a tenant is optional. You can use the default tenant, config-tenant-id=1.
    • When the default tenant is used, you can log in to the NMC using "domain\user"
    • When a tenant (other than default is used), you must specify it during authentication "tenant\domain\user"
    config-active-directory If you are using a Microsoft Active Directory (AD) server: y. This is the default setting in the authc-create-ad-config.x.template
    If you are using an LDAP server (e.g: OpenLDAP): n. This is the default setting in the authc-create-ldap-config.x.template.
    config-name This name is only an identifier for the authentication configuration being added to NetWorker. 
    config-domain This is the domain name that is used for logging into NetWorker, for example: networker.lan. This field should match the Domain Component (DC) values of the domain.
    config-server-address <protocol>://<hostname_or_ip_address>:<port>/<base_dn>
    Protocol:
    • Specify ldap if non-SSL communication is used.
    • Specify ldaps if you are configuring SSL communication.
    • ldap or ldaps must be lower case.
    Hostname/IP address:
    • Specify the fully resolvable hostname or IP address of your AD or LDAP server.
    Port:
    • If you are using LDAP, specify port 389.
    • If you are using LDAPS, specify port 636.
    Base-DN:
    • Specify your Base Distinguished Name (DN) which is consisted of your Domain Component (DC) values of your domain, for example: DC=my,DC=domain,DC=com. 
    config-user-dn Specify the full Distinguished NameThis hyperlink is taking you to a website outside of Dell Technologies. (DN) of a user account that has full read access to the LDAP or AD directory, for example: CN=Administrator,CN=Users,DC=my,DC=domain,DC=com.
    config-user-dn-password Specify the password for the account specified in the config-user-dn.
    config-user-search-path This field can be left blank in which case authc can query the full domain. Permissions must be granted for NMC/ NetWorker server access before these users/groups can log in the NMC and manage the NetWorker server. If a Base DN was specified in the config-server-address, specify the relative path (excluding the Base DN) to the domain.
    config-user-id-attr The user ID that is associated with the user object in the LDAP or AD hierarchy.
    • For LDAP, this attribute is commonly uid.
    • For AD, this attribute is commonly sAMAccountName.
    config-user-object-class The object class that identifies the users in the LDAP or AD hierarchy.
    For example, inetOrgPerson (LDAP) or user (AD)
    config-group-search-path Like config-user-search-path this field can be left blank in which case authc is capable of querying the full domain. If a Base DN was specified in the config-server-address, specify the relative path (excluding the Base DN) to the domain.
    config-group-name-attr The attribute that identifies the group name. For example, cn
    config-group-object-class The object class that identifies groups in the LDAP or AD hierarchy.
    • For LDAP, use groupOfUniqueNames or groupOfNames
      • NOTE:: There are other group object classes aside from groupOfUniqueNames and groupOfNames.  Use whatever object class is configured in the LDAP server.
    • For AD, use group
    config-group-member-attr The group membership of the user within a group
    • For LDAP:
      • When the Group Object Class is groupOfNames, the attribute is commonly member.
      • When the Group Object Class is groupOfUniqueNames, the attribute is commonly uniquemember.
    •  For AD, the value is commonly member.
    config-user-search-filter (Optional.) The filter that the NetWorker Authentication Service can use to perform user searches in the LDAP or AD hierarchy. RFC 2254This hyperlink is taking you to a website outside of Dell Technologies. defines the filter format.
    config-group-search-filter (Optional.) The filter that the NetWorker Authentication Service can use to perform group searches in the LDAP or AD hierarchy. RFC 2254This hyperlink is taking you to a website outside of Dell Technologies. defines the filter format.
    config-search-subtree (Optional.) A yes or no value that specifies if the external authority should perform subtree searches.
    Default value: no
    config-user-group-attr (Optional.) This option supports configurations that identify the group membership for a user within the properties of the user object. For example, for AD, specify the attribute memberOf.
    config-object-class (Optional.) The object class of the external authentication authority. RFC 4512This hyperlink is taking you to a website outside of Dell Technologies. defines the object class. Default value: objectclass.

     

    Example: 
    authc_config -u administrator -p 'NetWorker_Administrator_Password' -e add-config \
-D "config-tenant-id=1" \
-D "config-active-directory=y" \
-D "config-name=ad" \
-D "config-domain=networker.lan" \
-D "config-server-address=ldaps://dc.networker.lan:636/DC=networker,DC=lan" \
-D "config-user-dn=CN=Administrator,CN=Users,DC=networker,DC=lan" \
-D "config-user-dn-password=XXXXXXXX" \
-D "config-user-search-path=" \
-D "config-user-id-attr=sAMAccountName" \
-D "config-user-object-class=user" \
-D "config-group-search-path=" \
-D "config-group-name-attr=cn" \
-D "config-group-object-class=group" \
-D "config-group-member-attr=member" \
-D "config-user-search-filter=" \
-D "config-group-search-filter=" \
-D "config-search-subtree=y" \
-D "config-user-group-attr=memberOf" \
-D "config-object-class=objectClass"
    Once the script is populated, run it from an Administrator command prompt (Windows) or root SSH session (Linux). 
    [root@nsr ~]# /opt/nsr/authc-server/scripts/authc-create-ad-config.sh
Configuration ad is created successfully.

    Configuring NMC to accept external authentication:

    1. Log in to the NMC as the default NetWorker Administrator account.
    2. Go to Setup-->Users and Roles-->NMC Roles.
    3. Add the group DN collected from the above step to the "External Roles" field of the appropriate roles for that AD group. Full Administrators should have "Console Application Administrator" and "Console Security Administrator" Roles. (See the NetWorker Security Configuration Guide for more information about these roles.)
    NMC external roles
     

    Configuring the NetWorker server external user permissions:

    1. As the default NetWorker Administrator account, connect to the NetWorker server.
    2. Go to Server-->User Groups. 
    3. Add the group DN to the "External Roles" field of the appropriate roles for that AD group. Full Administrators should have "Application Administrators" and "Security Administrators" permissions.
    NetWorker User Group external roles
    Alternatively, this can be accomplished using the nsraddadmin command on the NetWorker server: 
    nsraddadmin -e "USER/GROUP_DN"
    Example: 
    [root@nsr ~]#  nsraddadmin -e "CN=NetWorker_Admins,OU=DELL,dc=networker,dc=lan"
134749:nsraddadmin: 'CN=NetWorker_Admins,OU=DELL,dc=networker,dc=lan' added to the 'external roles' list of 'Security Administrators' user group.
134749:nsraddadmin: 'CN=NetWorker_Admins,OU=DELL,dc=networker,dc=lan' added to the 'external roles' list of 'Application Administrators' user group.

    Access the NMC:

    You should have access to the NMC and NetWorker server with the external users who have been granted permission to do so.
    logging in to the NMC with an external user
    Once logged in the AD/LDAP username appears in the upper right corner of the NMC:
    authenticated external user shown in NMC

    Extra Security Permissions

    (OPTIONAL) If you want an AD/LDAP group to be able to manage External Authorities you must perform the following on the NetWorker server.
     
    Using the AD group DN you want to grant FULL_CONTROL permission to run: 
    authc_config -u Administrator -p 'NetWorker_Administrator_Password' -e add-permission -D permission-name=FULL_CONTROL -D permission-group-dn="AD/LDAP_group_dn"
    Example: 
    [root@nsr ~]# authc_config -u Administrator -p '!Password1' -e add-permission -D permission-name=FULL_CONTROL -D permission-group-dn="CN=NetWorker_Admins,OU=DELL,dc=networker,dc=lan"
Permission FULL_CONTROL is created successfully.

nve:~ # authc_config -u Administrator -p '!Password1' -e find-all-permissions
The query returns 2 records.
Permission Id Permission Name Group DN Pattern                Group DN
1             FULL_CONTROL    ^cn=Administrators,cn=Groups.*$
2             FULL_CONTROL                                    CN=NetWorker_Admins,OU=DELL,dc=networ...

    Additional Information

    NetWorker: AD and LDAP Integration and Configuration (Troubleshooting Guide)

    Affected Products

    NetWorker

    Products

    NetWorker
    Article Properties
    Article Number: 000020799
    Article Type: How To
    Last Modified: 28 Mar 2025
    Version:  6
    Find answers to your questions from other Dell users
    Support Services
    Check if your device is covered by Support Services.