Mutual authentication using CA
Mutual authentication means that each side trusts the other's certificate: the CMM must trust the external LDAP server certificate (or the CA chain that signed it), and the external LDAP server must trust the CMM certificate authority (CA). To use the CMM CA with an external LDAP server, you must export the CMM CA certificate and import it into the external LDAP server trust store. Up to three trusted certificates can be imported.
To establish mutual authentication using the CMM web interface, complete the following steps:
- Import the external LDAP server certificate or the CA chain that signed it into the CMM as an LDAP trusted certificate, as described in Importing an LDAP certificate with non-mutual authentication.
- Start a CMM web interface session. To start the CMM web interface, see Starting the web interface for instructions.
- Make sure that secure LDAP is enabled by clicking Mgt Module Management > Security > LDAP Client Security and selecting LDAPS under the CMM External LDAP Connection Security heading.
- Download the CMM CA to the specified server through the CMM web interface by clicking Mgt Module Management > Security > LDAP Client Security. In the Trusted Certificate - Public Root CA Certificate Per LDAP Server section under CMM External LDAP Client Certificate Management, click Add; then either import the certificate file or paste the certificate in PEM format, and click Apply. Depending on your CMM configuration, supported server types can include TFTP, FTP, HTTP, HTTPS, and SFTP.
Note: The CMM does not support external LDAP servers that use a SHA256 certificate authority to sign their certificates. See the documentation for your LDAP server for more information.
To establish mutual authentication using the CMM CLI, complete the following steps:
- Import the external LDAP server certificate or the CA chain that signed it into the CMM as an LDAP trusted certificate, as described in Importing an LDAP certificate with non-mutual authentication.
- Start a CMM CLI session (see Starting the command-line interface for instructions).
Note:
- The CMM does not support external LDAP servers that use a SHA256 certificate authority to sign their certificates.
- The sslcfg command must be targeted to the primary CMM. The following example assumes that the command environment has been set to the primary CMM through the env command (see env command for information about command use). If the command environment has not been set to the primary CMM, you can direct the command to the primary CMM by using the -T mm[p] option (see Command targets for information).
- Make sure that secure LDAP is enabled by using the CMM CLI sslcfg -client enabled command. See sslcfg command for additional information about command use.
- Download the CMM CA to the specified server by using the CMM CLI sslcfg command. Depending on your CMM configuration, supported server types can include TFTP, FTP, HTTP, HTTPS, and SFTP. See sslcfg command for additional information about command use.
sslcfg -dnld ca -u URL_of_location_to_put_file
where URL_of_location_to_put_file is a fully qualified location that specifies the server type, the IPv4 or IPv6 address of the server, and a valid file name of up to 256 characters containing any character except the percent sign ( % ) or double quotation mark ( " ). The forward slash ( / ) can be used only as part of the path name, not as part of the file name.
Note: For information about how to specify a URL for file transfer, see Specifying a URL for file transfer.
- Move the CA file from the server where you downloaded it to the external LDAP server.
- When the CA file is on the external LDAP server, import it so that the LDAP server trusts the certificate from the CMM (see the documentation for your LDAP server for information and instructions).
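The following script is an added example and is not part of the CMM documentation or the CMM's own tooling. It is meant to be run on an administrator's workstation (POSIX sh) before the sslcfg -dnld ca step in either procedure above: it checks a download URL against the file-name limits the page states (256 characters, no percent sign, no double quotation mark, slash only in the path) and the server types the page lists, and it prints the signature algorithm of a PEM certificate so you can compare it against the note about SHA256 certificate authorities before importing the LDAP server certificate into the CMM. The host addresses and file names are constructed, and the cert_sig_alg function assumes the openssl command is installed on the workstation.

```shell
#!/bin/sh
# Added example (not from the CMM documentation): pre-flight checks for the
# "sslcfg -dnld ca -u <URL>" step and for the LDAP server certificate that will
# be imported into the CMM. Run on an admin workstation, not on the CMM.

# Check the file-name part of the download URL against the documented limits:
# at most 256 characters, no percent sign, no double quotation mark, and no
# forward slash (slashes belong to the path only). Returns 0 when acceptable.
cmm_filename_ok() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 256 ] || return 1
    case $name in
        *%*|*\"*|*/*) return 1 ;;
    esac
    return 0
}

# Check a full URL: the scheme must be one of the server types the page lists
# (which of them are enabled depends on the CMM configuration; all five are
# assumed here), there must be a path after the host, and the last path
# component must pass cmm_filename_ok.
cmm_url_ok() {
    url=$1
    case $url in
        tftp://*|ftp://*|http://*|https://*|sftp://*) ;;
        *) return 1 ;;
    esac
    rest=${url#*://}
    case $rest in
        */*) ;;
        *) return 1 ;;   # host only, no file name
    esac
    cmm_filename_ok "${url##*/}"
}

# Print the signature algorithm of a PEM certificate (for example the external
# LDAP server certificate) so it can be compared with the CMM note about
# SHA256-signing certificate authorities before importing it.
# Assumes the openssl command is installed on the workstation.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | sed -n '1p'
}

# Constructed example URL: the exit status reports whether the CMM would accept it.
if cmm_url_ok "sftp://192.0.2.10/certs/cmm_ca.pem"; then
    echo "URL accepted: sftp://192.0.2.10/certs/cmm_ca.pem"
fi
```

A typical use is `cert_sig_alg ldap_server.pem` on the certificate you are about to import in step 1, then `cmm_url_ok "sftp://<your-server>/<path>/cmm_ca.pem"` on the URL you intend to pass to sslcfg -dnld ca; a URL that fails here would be rejected by the CMM or produce a file name you cannot later move to the LDAP server.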