Fibre Channel (SAN)

Posts: 1
Registered: 02-11-2011

Implement LDAPS on a DCX SAN

Hello All,

My security folks are "requiring" me to implement LDAP over SSL (LDAPS) on my Brocade SAN.

We are currently using regular LDAP for authentication.

At a high level, my intentions were to:

1.  Obtain an LDAP certificate

2.  Run the command:   secCertUtil import -ldapcacert

3.  Run the command:  aaaconfig --change my.ldapserver.com -conf ldap -p 3269 -d mydomain.com

4.  Login using LDAPS  :-)

Am I (way) off base or did I miss anything? 

Super Contributor
Posts: 635
Registered: 04-12-2010

Re: Implement LDAPS on a DCX SAN

you are right with your steps.

Keep an eye on the CSR file while creating it. You have to enter information like Country and State and some other company information.

These entries should be requested from your security department or the person who creates the certificates. If these do not match, you will get problems.

This was my own experience; I had some difficulties while implementing certificates.

I hope this helps.

Andreas

Occasional Contributor
Posts: 10
Registered: 07-20-2010

Re: Implement LDAPS on a DCX SAN

I have managed to get user authentication working using AD as the LDAP source, and the FOS 7.x Administration Guide is better (though still nowhere near good enough) at describing the steps you need to follow to get it to work.

Unfortunately I have not been able to get it to work with LDAPS, even though I have imported the Root, plus the subordinate Ash Forest and AD Server certificates to the SAN switch. It seems that these are not enough to allow the switch to authenticate over SSL.

From studying the Admin Guide, it would appear that I need to generate a public and private key, and a certificate signing request (CSR), on each switch, and for those to be transferred to the Certificate Authority (CA) so a specific switch certificate could be created. This certificate would then be transferred back to each switch and installed there. Unfortunately for me, the customer doesn't allow self-signed certification, and has only provided us with the above certificates, which they maintain are enough. We have been able to use LDAPS with other equipment (HP Servers) successfully in this manner, so we know that it is possible.

Can anyone shed any light on how to troubleshoot LDAPS authentication issues with Brocade SAN switches?

Do I really need to generate the keys on each switch, or can I simply export the imported LDAP certificate back to the CA server (Windows in this case)?
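The script below is an added example; it is not from the thread and not Brocade code. It builds a constructed three-tier PKI (root CA, issuing CA, LDAP server certificate) with openssl and then runs, offline, the two checks behind Andreas's CSR warning and the chain problem in the post above: whether the subject fields of a CSR are what the CA expects, and whether a chain can be built from the server's certificate to whatever CA material the client trusts, with the configured server name present in that certificate. The names (Example Corp, ldap.corp.example, ldaps.corp.example) and the three-tier layout are assumptions made for the example, not the poster's environment.

```shell
#!/bin/sh
# Added example, not part of the thread and not Brocade code. Builds a
# constructed PKI (root CA -> issuing CA -> LDAP server) with openssl, then
# runs the checks any TLS client, the switch included, must pass before it
# will talk LDAPS: a chain from the server certificate to a trusted CA, and
# the configured server name appearing in that certificate.
# "Example Corp", ldap.corp.example and ldaps.corp.example are placeholders.

WORK="$(mktemp -d)"
CNF="$WORK/req.cnf"
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the example does not depend on the system openssl.cnf.
cat >"$CNF" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.corp.example
EOF

# Key pair plus CSR. $1 = file prefix, $2 = subject DN. This is the step
# Andreas warns about: C, ST, O must be what the CA expects to see.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# Print the subject of a CSR so it can be compared with the CA's requirements.
csr_subject() {
  openssl req -in "$1" -noout -subject
}

# Sign a CSR. $1 = prefix, $2 = issuer prefix, $3 = extension section in $CNF.
sign_csr() {
  openssl x509 -req -days 365 -sha256 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
    -extfile "$CNF" -extensions "$3" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Constructed test PKI: self-signed root, issuing CA under it, server leaf.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 -config "$CNF" \
    -subj "/C=US/ST=California/O=Example Corp/CN=Example Root CA" \
    -extensions ca_ext -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1 &&
  new_csr issuing "/C=US/ST=California/O=Example Corp/CN=Example Issuing CA" &&
  sign_csr issuing root ca_ext &&
  new_csr ldap "/C=US/ST=California/O=Example Corp/CN=ldap.corp.example" &&
  sign_csr ldap issuing server_ext
}

# The check a TLS client performs on the server certificate.
# $1 = trusted CA file (the material imported as the LDAP CA cert),
# $2 = server certificate, $3 = the server name the client was configured with,
# $4 = optional file of intermediates the server sends in the handshake
#      (treated as untrusted chain input, not as a trust anchor).
verify_ldaps_cert() {
  if [ -n "${4:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$4" -verify_hostname "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
  fi
}

report() { if "$@"; then echo "OK:   $*"; else echo "FAIL: $*"; fi; }

make_test_pki
cat "$WORK/root.crt" "$WORK/issuing.crt" >"$WORK/bundle.crt"
csr_subject "$WORK/ldap.csr"

# Only the root imported, server sends only its own certificate: no chain, fails.
report verify_ldaps_cert "$WORK/root.crt" "$WORK/ldap.crt" ldap.corp.example
# Same root, but the issuing CA arrives in the handshake: passes.
report verify_ldaps_cert "$WORK/root.crt" "$WORK/ldap.crt" ldap.corp.example "$WORK/issuing.crt"
# Root and issuing CA both in the imported bundle: passes.
report verify_ldaps_cert "$WORK/bundle.crt" "$WORK/ldap.crt" ldap.corp.example
# Good chain, but the client is configured with a name not in the certificate: fails.
report verify_ldaps_cert "$WORK/bundle.crt" "$WORK/ldap.crt" ldaps.corp.example
```

Against a live directory the inputs come from `openssl s_client -connect server:636 -showcerts` (636 is the standard LDAPS port; 3269, used in the first post, is the Active Directory global catalog over TLS), which shows the server certificate and whatever intermediates the server sends. If the server sends only its own certificate and the imported CA material contains just the root, the chain cannot close, which is the first thing to look at in the situation described above; the second is whether the name given to aaaconfig matches the certificate's subject alternative name.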
