NetWorker: How to configure "AD over SSL" (LDAPS) from The NetWorker Web User Interface (NWUI)

Summary: This KB details the process that is required for configuring "AD over SSL" (LDAPS) from the NetWorker Web User Interface (NWUI).

This article is not tied to any specific product. Not all product versions are identified in this article.

Instructions

AD over SSL requires that the NetWorker authc server trust the certificate chain presented by the domain controller. To configure it, import the root CA (or the full CA chain) into the cacerts keystore of the Java runtime used by NetWorker's authc server. In single NetWorker server environments, the NetWorker server is the authentication server; in larger datazones, one authc server can be the primary authentication server for multiple NetWorker servers, and the certificates must be imported on that host. See the Additional Information section for instructions on identifying the authc server.


Configuring AUTHC to use SSL

Linux NetWorker servers:

  1. Open an SSH session to the NetWorker authc server.
  2. Switch to root:
$ sudo su -
  3. Use OpenSSL to retrieve the certificate chain that the domain controller presents on the LDAPS port:
# openssl s_client -connect DOMAIN_SERVER_ADDRESS:636 -showcerts </dev/null
Each certificate is enclosed within -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. The first certificate shown is the domain controller's own server certificate; do not import that one, because it is replaced whenever the domain controller renews its certificate and it does not cover other domain controllers. The certificates that follow it are the issuing (intermediate) CAs, in order, and the last one, if the domain controller sends it, is the root CA. The domain controller may not send the root CA at all; if it is absent, obtain it in PEM format from the domain administrator. s_client prints whatever the server sends without verifying it, so confirm the CA subject and SHA-256 fingerprint with the domain administrator (for example with openssl x509 -noout -subject -fingerprint -sha256 -in RCAcert.crt) before trusting it.
  • Single CA certificate: Copy the CA certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, into a file called RCAcert.crt in a location of your choosing.
  • Certificate chain: Copy each CA certificate (including its -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) into its own file, for example ICA3cert.crt, ICA2cert.crt, ICA1cert.crt, and lastly RCAcert.crt.
  4. To help facilitate the process, set the following command-line variables:
# java_bin=<path to java bin dir>
*NOTE* For NetWorker Runtime Environment (NRE) this is /opt/nre/java/latest/bin. If you are using an Oracle-licensed Java Runtime Environment, specify the path to your JRE bin directory.
# RCAcert=<path to RCAcert.crt>
# ICA1cert=<path to ICA1cert.crt>
*NOTE* Only required if you are using a certificate chain; repeat this for each intermediate certificate (ICA2cert.crt, ICA3cert.crt, and so forth).
Example:
[root@nsr certs]# java_bin=/opt/nre/java/latest/bin
[root@nsr certs]# RCAcert=/root/certs/RCAcert.crt
[root@nsr certs]#
  5. Import the certificates:
A. When using a certificate chain, import each certificate in the chain leading up to the root certificate (RCA). If only a single root CA is used, import the root CA. The alias names are labels within the keystore and can be chosen freely; the commands below use the same names as the files. The keystore password changeit is the Java default; if it has been changed on your system, use the current password.
# $java_bin/keytool -import -alias ICA3 -keystore $java_bin/../lib/security/cacerts -file $ICA3cert -storepass changeit
# $java_bin/keytool -import -alias ICA2 -keystore $java_bin/../lib/security/cacerts -file $ICA2cert -storepass changeit
# $java_bin/keytool -import -alias ICA1 -keystore $java_bin/../lib/security/cacerts -file $ICA1cert -storepass changeit
# $java_bin/keytool -import -alias RCA -keystore $java_bin/../lib/security/cacerts -file $RCAcert -storepass changeit
You are prompted to accept the certificate into the cacerts keystore. keytool displays the certificate owner, issuer and fingerprints; compare them with the values confirmed by the domain administrator before answering yes.

B. If you are alerted of a duplicate alias (a previous, expired certificate), delete the existing certificate with the same alias:
# $java_bin/keytool -delete -alias ALIAS_NAME -keystore $java_bin/../lib/security/cacerts -storepass changeit
Repeat step A after the old certificate has been removed.
  6. Restart the NetWorker server services. authc reads the cacerts file only during startup, so if NetWorker services are not restarted after importing the certificates, configuring the external authority in NetWorker fails with a certificate-related error.
# nsr_shutdown
# systemctl start networker
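The steps above, carried out end to end as one POSIX shell script. This is an added example and not part of the Dell KB or of NetWorker itself: it fetches the chain the domain controller presents, splits it into one PEM file per certificate, prints each certificate's subject, issuer and SHA-256 fingerprint so they can be confirmed with the domain administrator, skips the domain controller's own server certificate, handles the duplicate-alias case by deleting the stale entry first, and imports the CA certificates into cacerts. The NRE Java path, the cacerts password changeit and the domain controller address dc01.amer.lan:636 are assumptions; override JAVA_BIN, CACERTS and STOREPASS in the environment if your system differs.

```shell
#!/bin/sh
# Added example, not part of the Dell KB: fetch the chain a domain controller
# presents on 636, split it into one PEM file per certificate, print each
# certificate's subject/issuer/SHA-256 fingerprint for out-of-band confirmation,
# and import only the CA certificates (never the DC's own server certificate)
# into the cacerts keystore used by authc. Paths below are assumptions.
set -eu

JAVA_BIN="${JAVA_BIN:-/opt/nre/java/latest/bin}"        # NRE default from the KB
CACERTS="${CACERTS:-$JAVA_BIN/../lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"                        # Java default; override if changed

# split_pem_chain <s_client output file> <outdir>
# Writes every BEGIN/END CERTIFICATE block to <outdir>/cert-N.pem (N from 0, in
# the order presented; with s_client -showcerts, cert-0 is the server's own
# certificate). Prints the number of certificates written.
split_pem_chain() {
    mkdir -p "$2"
    awk -v dir="$2" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { f = dir "/cert-" n ".pem"; inblock = 1 }
        inblock { print > f }
        /-----END CERTIFICATE-----/ { inblock = 0; close(f); n++ }
        END { print n }' "$1"
}

# Subject, issuer and SHA-256 fingerprint of one PEM certificate.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# A self-signed certificate (subject == issuer) is a root CA.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# import_ca <alias> <pem>: import a CA certificate, first removing a stale entry
# with the same alias (the KB's duplicate-alias case, e.g. an expired predecessor).
import_ca() {
    if "$JAVA_BIN/keytool" -list -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$1" >/dev/null 2>&1; then
        "$JAVA_BIN/keytool" -delete -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$1"
    fi
    "$JAVA_BIN/keytool" -import -noprompt -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$1" -file "$2"
}

main() {
    work=$(mktemp -d)
    # s_client prints the chain without verifying it: the fingerprints shown
    # below must be confirmed with the domain administrator before import.
    openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null >"$work/chain.txt"
    count=$(split_pem_chain "$work/chain.txt" "$work")
    i=0
    while [ "$i" -lt "$count" ]; do
        label=""; [ "$i" -eq 0 ] && label=" (DC server certificate, not imported)"
        echo "== cert-$i$label"
        describe_cert "$work/cert-$i.pem"
        i=$((i + 1))
    done
    [ "$count" -gt 1 ] || { echo "The DC sent only its own certificate; obtain the CA chain (PEM) from the domain administrator." >&2; exit 1; }
    last="$work/cert-$((count - 1)).pem"
    is_self_signed "$last" || echo "WARNING: no self-signed root in the chain; also import the root CA obtained from the domain administrator." >&2
    printf 'Fingerprints confirmed out-of-band? Import %s CA certificate(s) [y/N] ' "$((count - 1))"
    read -r answer; [ "$answer" = y ] || exit 1
    # Aliases mirror the KB: intermediates as ICA1.., the self-signed root as RCA.
    i=1; n=1
    while [ "$i" -lt "$count" ]; do
        if [ "$i" -eq $((count - 1)) ] && is_self_signed "$last"; then alias=RCA; else alias="ICA$n"; n=$((n + 1)); fi
        import_ca "$alias" "$work/cert-$i.pem"
        i=$((i + 1))
    done
    echo "Done. Restart NetWorker so authc reloads cacerts: nsr_shutdown; systemctl start networker"
}

# Usage: sh ldaps-ca-import.sh dc01.amer.lan:636   (the DC name is an assumption)
if [ "$#" -eq 1 ]; then main "$1"; fi
```

The script asks for confirmation only after printing every fingerprint, which is the one step the KB's `keytool -import` prompt also relies on; `-noprompt` is used because that confirmation has already happened. Run it on the authc host as root, then restart NetWorker as in step 6.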


Windows NetWorker Servers:


NOTE: Use OpenSSL to connect to the domain server and obtain the CA certificate (or chain) needed for AD over SSL. Windows servers do not include OpenSSL by default; however, it can be installed. Alternatively, instead of using OpenSSL, the domain administrator can provide the CA certificate (and chain if used). They must be provided in PEM format. Using OpenSSL directly from the authentication server is the preferred method. 
  1. Open an Administrator Command Prompt.
  2. Set the following variables:
set openssl="<path to openssl.exe file>"
*NOTE* This path can differ depending on how OpenSSL was installed.
set java_bin="<path to java bin directory>"
*NOTE* For NetWorker Runtime Environment (NRE) the default path is "C:\Program Files\NRE\java\jre#.#.#_###\bin". This path includes the NRE version specific Java version and build. When using Oracle licensed Java Runtime Environment, specify the path to the JRE bin directory.
Example:
C:\Users\administrator.AMER>set openssl="C:\Program Files\OpenSSL-Win64\bin\openssl.exe"
C:\Users\administrator.AMER>set java_bin="C:\Program Files\NRE\java\jre1.8.0_431\bin"
C:\Users\administrator.AMER>
  3. Use OpenSSL to retrieve the certificate chain that the domain controller presents on the LDAPS port (press Ctrl+C to end the connection once the output has been displayed):
%openssl% s_client -connect DOMAIN_SERVER_ADDRESS:636 -showcerts
Each certificate is enclosed within -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. The first certificate shown is the domain controller's own server certificate, which must not be imported; the certificates that follow are the intermediate CAs, and the last one, if the domain controller sends it, is the root CA. If the root CA is not sent, obtain it in PEM format from the domain administrator. s_client does not verify what the server presents, so confirm the CA subject and fingerprint with the domain administrator before importing.
  • Single CA certificate: Copy the CA certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, into a file called RCAcert.crt in a location of your choosing.
  • Certificate chain: Copy each CA certificate (including its -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) into its own file, for example ICA3cert.crt, ICA2cert.crt, ICA1cert.crt, and lastly RCAcert.crt.
  4. Set command-line variables for the root CA and for any intermediate certificates (if used):
set RCAcert="<path to RCAcert.crt>"
set ICA1cert="<path to ICA1cert.crt>"
Example:
C:\Users\administrator.AMER>set RCAcert="C:\tmp\certs\RCAcert.crt"
  5. Import the certificates:
A. When using a certificate chain, import each certificate in the chain leading up to the RCA. If only a single root CA is used, import the root CA. The keystore password changeit is the Java default; if it has been changed on your system, use the current password.
%java_bin%\keytool -import -alias ICA3 -keystore %java_bin%\..\lib\security\cacerts -file %ICA3cert% -storepass changeit
%java_bin%\keytool -import -alias ICA2 -keystore %java_bin%\..\lib\security\cacerts -file %ICA2cert% -storepass changeit
%java_bin%\keytool -import -alias ICA1 -keystore %java_bin%\..\lib\security\cacerts -file %ICA1cert% -storepass changeit
%java_bin%\keytool -import -alias RCA -keystore %java_bin%\..\lib\security\cacerts -file %RCAcert% -storepass changeit
You are prompted to accept the certificate into the cacerts keystore. keytool displays the certificate owner, issuer and fingerprints; compare them with the values confirmed by the domain administrator before answering yes.
B. If you are alerted of a duplicate alias (a previous, expired certificate), delete the existing certificate with the same alias:
%java_bin%\keytool -delete -alias ALIAS_NAME -keystore %java_bin%\..\lib\security\cacerts -storepass changeit
Repeat step A after the old certificate has been removed.
  6. Restart the NetWorker server services. authc reads the cacerts file only during startup, so if NetWorker services are not restarted after importing the certificates, configuring the external authority in NetWorker fails with a certificate-related error.
net stop nsrd
net start nsrd


Creating "AD over SSL" external authority resource from NWUI.

  1. From a web browser, access the NWUI server: https://nwui-server-name:9090/nwui
  2. Log in using the NetWorker Administrator account.
  3. From the menu, expand Authentication Server and click External Authorities.
  4. From External Authorities, click Add+.
  5. Populate the configuration fields:
Base Configuration

Name: A descriptive name, without spaces, for the LDAP or AD configuration. The maximum length is 256 characters; use ASCII characters only.
Server Type: AD over SSL
Provider Server Name: The hostname or IP address of the Active Directory server. Prefer the fully qualified hostname as it appears in the domain controller's certificate over an IP address.
Port: 636, the LDAPS port. The field populates automatically when "AD over SSL" is selected.
Tenant: Select the tenant if one is configured. If no tenant is configured or required, use "default". Configuring a tenant requires the login syntax "tenant_name\domain_name\user_name". If the default tenant is used (the common case), the login syntax is "domain_name\user_name".

A tenant is the top-level organizational container for the NetWorker Authentication Service. Each external authentication authority in the local database is assigned to a tenant. A tenant can contain one or more domains, but the domain names must be unique within the tenant. The NetWorker Authentication Service creates one integrated tenant named Default, which contains the Default domain. Creating multiple tenants helps you to manage complex configurations. For example, service providers with restricted datazones (RDZ) can create multiple tenants to provide isolated data protection services to tenant users.

Domain: The full domain name, including all DC components; for example, example.com (corresponding to the base DN DC=example,DC=com).
User DN: The full distinguished name (DN) of a user account that has read access to the AD directory. Use a dedicated service account with read-only rights; it does not need, and should not be given, administrative privileges in AD.
User DN Password: The password of the user account that is used to access and read the AD directory.

Advanced Configuration

Group Object Class: Required. The object class that identifies groups in the LDAP or AD hierarchy.
  ● For LDAP, use groupOfUniqueNames or groupOfNames
  ● For AD, use group
Group Search Path (optional): A DN that specifies the search path that the authentication service should use when searching for groups in the LDAP or AD hierarchy.
Group Name Attribute: The attribute that identifies the group name; for example, cn.
Group Member Attribute: The attribute that records a user's membership in a group:
  ● For LDAP:
    ○ When the Group Object Class is groupOfNames, the attribute is commonly member.
    ○ When the Group Object Class is groupOfUniqueNames, the attribute is commonly uniquemember.
  ● For AD, the value is commonly member.
User Object Class: The object class that identifies users in the LDAP or AD hierarchy; for example, person.
User Search Path (optional): The DN that specifies the search path that the authentication service should use when searching for users in the LDAP or AD hierarchy. Specify a search path relative to the base DN derived from the Domain field; for example, for AD, specify cn=users.
User ID Attribute: The attribute that holds the user's login ID in the LDAP or AD hierarchy.
  ● For LDAP, this attribute is commonly uid.
  ● For AD, this attribute is commonly sAMAccountName.

NOTE: Consult with your AD/LDAP administrator to confirm which AD/LDAP-specific values apply to your environment.
 

 

  6. When done, click Save.
  7. A summary of the configured external authority resource now appears:
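Before saving the resource it is worth proving the values from the form against the domain controller with a plain LDAP client, because NWUI reports most mistakes (untrusted certificate, wrong User DN, wrong search path) as one generic failure. The following POSIX shell script is an added example and not part of the Dell KB or of NetWorker: it uses OpenLDAP's ldapsearch over LDAPS, trusting only the CA file you imported into cacerts, to check TLS trust, the bind credentials, and the group and user searches that the Group Object Class, Group Name Attribute, User Object Class and User ID Attribute fields describe. The domain controller dc01.amer.lan, the domain amer.lan, the service account DN, the password file path and the group and user names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Dell KB: verify the External Authority form values
# against the DC with ldapsearch over LDAPS before saving them in NWUI.
# Hostnames, DNs and file paths are assumptions. The password is read from a
# file (ldapsearch -y) so it never appears in argv or shell history.
set -eu

# Base DN that NetWorker derives from the "Domain" field: amer.lan -> DC=amer,DC=lan
domain_to_base_dn() {
    printf '%s' "$1" | awk -F. '{ for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i }'
}

# Filter for one group from Group Object Class / Group Name Attribute (AD defaults: group, cn).
group_filter() {
    printf '(&(objectClass=%s)(%s=%s))' "${2:-group}" "${3:-cn}" "$1"
}

# Filter for one user from User Object Class / User ID Attribute (AD defaults: person, sAMAccountName).
user_filter() {
    printf '(&(objectClass=%s)(%s=%s))' "${2:-person}" "${3:-sAMAccountName}" "$1"
}

# ldaps_check <dc host> <domain> <bind DN> <password file> <CA PEM> <group name> <user id>
# The password file must hold the password with no trailing newline
# (printf '%s' 'secret' > file; chmod 600 file), since -y uses the whole file.
ldaps_check() {
    host="$1"; domain="$2"; bind_dn="$3"; pass_file="$4"; ca_file="$5"; group="$6"; user="$7"
    base=$(domain_to_base_dn "$domain")
    # Trust only the CA chain imported into cacerts; "demand" makes an untrusted
    # or mismatched certificate a hard error instead of a silent fallback.
    export LDAPTLS_CACERT="$ca_file" LDAPTLS_REQCERT=demand
    echo "== 1. TLS trust and bind as $bind_dn"
    ldapsearch -H "ldaps://$host:636" -D "$bind_dn" -y "$pass_file" -b "$base" -s base '(objectClass=*)' dn
    echo "== 2. Group that will go into External Roles, with its member attribute"
    # If the form's Group Search Path is set, narrow -b to that DN instead of the base.
    ldapsearch -H "ldaps://$host:636" -D "$bind_dn" -y "$pass_file" -b "$base" -s sub "$(group_filter "$group")" dn member
    echo "== 3. User as the User ID Attribute will see it (User Search Path narrows -b, e.g. cn=users,$base)"
    ldapsearch -H "ldaps://$host:636" -D "$bind_dn" -y "$pass_file" -b "$base" -s sub "$(user_filter "$user")" dn sAMAccountName memberOf
}

# Usage (all values are assumptions):
#   sh ldaps-precheck.sh dc01.amer.lan amer.lan "CN=svc-networker,OU=Service Accounts,DC=amer,DC=lan" \
#      /root/.nwldap.pass /root/certs/RCAcert.crt NetWorker_Admins bkupadmin
if [ "$#" -eq 7 ]; then ldaps_check "$@"; fi
```

Check 1 failing with a TLS error means the CA file (and therefore what you imported into cacerts) does not match the chain the domain controller presents; failing with an invalid-credentials result means the User DN or password is wrong. Check 2 returning the group's full DN gives you the exact string to paste into External Roles; check 3 confirms the login name that the User ID Attribute resolves and, through memberOf, the group that NetWorker will match.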

Configuration Example

  1. From the Server > User Groups menu, edit the User Groups that contain the rights you want to delegate to AD/LDAP groups or users. To grant full administrative rights, specify the AD group or user DN in the External Roles field of both the Application Administrators and Security Administrators user groups. Add a DN only to the User Groups it needs; these two groups together confer full administrative control of the NetWorker server, so an AD group placed there should contain only the accounts that are meant to administer NetWorker. The DN must match exactly what the directory returns for the group (see the authc_mgmt query-ldap-groups output under Additional Information).

For example, CN=NetWorker_Admins,OU=Groups,DC=amer,DC=lan

(Screenshot: editing the Application Administrators user group)

This can also be done from the command line:

nsraddadmin -e "Distinguished_Name"
Example:
nsr:~ # nsraddadmin -e "CN=NetWorker_Admins,OU=Groups,dc=amer,dc=lan"
134751:nsraddadmin: Added role 'CN=NetWorker_Admins,OU=Groups,dc=amer,dc=lan' to the 'Security Administrators' user group.
134751:nsraddadmin: Added role 'CN=NetWorker_Admins,OU=Groups,dc=amer,dc=lan' to the 'Application Administrators' user group.

 

  2. Once the AD group or user DNs have been specified, click Save.
  3. Log out of the NWUI interface and log back in using the AD account, with the syntax domain_name\user_name (or tenant_name\domain_name\user_name when a non-default tenant is used):

(Screenshot: NWUI login with the AD account)

  4. The user icon in the upper-right corner indicates which user account is signed in.

Additional Information

Confirming the AUTHC server used for NetWorker authentication
The NetWorker Management Console (NMC) server's gstd.conf file shows which host is used to process login requests:

Linux: /opt/lgtonmc/etc/gstd.conf
Windows: C:\Program Files\EMC NetWorker\Management\GST\etc\gstd.conf

Check the file for the authsvc_hostname value. The authsvc_hostname is the authc (authentication) server.

How to check AD group membership and get the Distinguished Name (DN) values needed for NetWorker permissions:
You can use the authc_mgmt command on your NetWorker server to confirm that the AD/LDAP groups and users are visible through the configured external authority:

authc_mgmt -u Administrator -p 'NetWorker_Admin_Pass' -e query-ldap-users -D query-tenant=tenant_name -D query-domain=domain_name
authc_mgmt -u Administrator -p 'NetWorker_Admin_Pass' -e query-ldap-groups -D query-tenant=tenant_name -D query-domain=domain_name
authc_mgmt -u Administrator -p 'NetWorker_Admin_Pass' -e query-ldap-groups-for-user -D query-tenant=tenant_name -D query-domain=domain_name -D user-name=ad_username
Example:
[root@nsr ~]# authc_mgmt -u Administrator -p '!Password1' -e query-ldap-users -D query-tenant=default -D query-domain=amer.lan
The query returns 47 records.
User Name            Full Dn Name
Administrator        CN=Administrator,CN=Users,dc=amer,dc=lan
...
bkupadmin            CN=Backup Administrator,CN=Users,dc=amer,dc=lan

[root@nsr ~]# authc_mgmt -u Administrator -p '!Password1' -e query-ldap-groups -D query-tenant=default -D query-domain=amer.lan
The query returns 72 records.
Group Name                              Full Dn Name
Administrators                          CN=Administrators,CN=Builtin,dc=amer,dc=lan
...
NetWorker_Admins                        CN=NetWorker_Admins,OU=Groups,dc=amer,dc=lan

[root@nsr ~]# authc_mgmt -u Administrator -p '!Password1' -e query-ldap-groups-for-user -D query-tenant=default -D query-domain=amer.lan -D user-name=bkupadmin
The query returns 1 records.
Group Name       Full Dn Name
NetWorker_Admins CN=NetWorker_Admins,OU=Groups,dc=amer,dc=lan

NOTE: On some systems, the authc_mgmt commands may fail with an "incorrect password" error even when the correct password is given. This is due to the password being passed as visible text with the -p option. If you encounter this, omit -p password from the command; you are then prompted for the password and the input is hidden. Omitting -p is also the safer habit in general, because a password given on the command line is visible in the process list and is recorded in the shell history.


Affected Products

NetWorker

Products

NetWorker Family, NetWorker Series
Article Properties
Article Number: 000203005
Article Type: How To
Last Modified: 09 Sept 2025
Version: 10