Part 3b: EJBCA Policy Server Configuration
The following sections cover setting up EJBCA as a Policy Server for auto-enrollment.
Step 1 - Configure Kerberos Authentication
The following sections cover how to enable Kerberos authentication for the EJBCA CEP and CES Services, allowing users and computers to authenticate to EJBCA using their Active Directory credentials.
- In EJBCA Admin Web, click Autoenrollment Configuration in the side menu.
- Click Add to add a new alias. The page to configure the new alias opens. Enter msae as the Name of the alias.
- Specify the AD server details:
- Forest Root Domain: Domain name of the AD Forest Root. For example, yourcompany.com (lower case)
- AD Domain Controller: Host and domain name of the Active Directory Domain Controller. For example, dsserver.yourcompany.com.
- Policy Name: Display name of the Certificate Enrollment Policy retrieved by clients (free text).
- Policy Update Interval: The value of 'nextUpdateHours' to be set for the policy response.
- Server Principal Name (SPN): SPN as created in Part 2: Group Policies and Certificate Templates. For example, HTTP/ejbcaserver.yourcompany.com@YOURCOMPANY.COM. 'YOURCOMPANY.COM' is the name of the Kerberos realm and must be upper case.
- Kerberos Keytabs: Upload the Key Tab file for the SPN account created in Part 2: Group Policies and Certificate Templates.
- Kerberos configuration (krb5): Upload a pre-configured krb5.conf (Kerberos configuration file). This file needs to be created manually to match your domain configuration. Below is an example krb5.conf file that can be tailored to match your domain.
The enctypes parameters may be changed to only allow specific encryption types. However, the Key Tab file created in Part 2: Group Policies and Certificate Templates must support the same encryption types. AES256 with SHA1 (aes256-cts-hmac-sha1-96) should be supported on all recent systems. To enforce this cipher the Keytab file must contain only AES256 keys, which means the service account encryption settings (the account's msDS-SupportedEncryptionTypes attribute, shown in Active Directory Users and Computers as "This account supports Kerberos AES 256 bit encryption") should enable AES256 only, and the keytab should be exported with that single encryption type. Note that the example below also lists rc4-hmac and the single and triple DES types; these are weak, single DES is disabled by default on current domain controllers, and for production the three enctype lists should be reduced to the AES types.

```ini
[libdefaults]
    default_realm = YOURCOMPANY.COM
    default_tkt_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    permitted_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc

[realms]
    YOURCOMPANY.COM = {
        kdc = yourcompany.com
        default_domain = yourcompany.com
    }

[domain_realm]
    .yourcompany.com = YOURCOMPANY.COM
```
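The following script is an added example and is not part of the EJBCA documentation or the EJBCA code base. It checks, offline, the two artifacts uploaded above: it parses a keytab in the MIT keytab format version 0x0502 (assumed here to be what ktpass.exe produced), confirms that every key belongs to the configured SPN with an upper-case realm, flags any key whose enctype is not aes256-cts-hmac-sha1-96, and cross-checks the permitted_enctypes list of the krb5.conf against the keytab and against the weak types. The SPN, keytab bytes and krb5.conf strings are constructed sample data; the AES-only krb5.conf is the tightened form of the page's example.

```python
# Added example (not EJBCA's own code): offline checks on the keytab and
# krb5.conf uploaded for the msae alias, using only the standard library.
import struct
# Enctype numbers (RFC 3961/3962/4757) plus the aliases MIT krb5 accepts in
# krb5.conf; the later alias of each number wins in the reverse map.
ENCTYPES = {"des-cbc-crc": 1, "des-cbc-md5": 3, "des3-cbc-sha1": 16,
            "aes128-cts": 17, "aes128-cts-hmac-sha1-96": 17, "aes256-cts": 18,
            "aes256-cts-hmac-sha1-96": 18, "arcfour-hmac": 23, "rc4-hmac": 23}
ENCTYPE_NAMES = {v: k for k, v in ENCTYPES.items()}
AES256_SHA1 = 18
WEAK = {1, 3, 16, 23}  # single DES, triple DES and RC4

def _octet_string(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)  # 16-bit length prefix
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse a version 0x0502 keytab (what ktpass.exe writes) into dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # deleted slot: skip its bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _octet_string(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _octet_string(data, pos)
            comps.append(comp.decode())
        # name type, timestamp, 8-bit kvno, then the keyblock (enctype, length, key)
        _ntype, _ts, kvno, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        key = data[pos + 13:pos + 13 + klen]
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key})
        pos = end                          # skips an optional trailing 32-bit kvno
    return entries

def build_keytab(entries):
    """Write a version 0x0502 keytab; used here only to construct samples."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key  # KRB5_NT_PRINCIPAL
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def enctypes_from_krb5conf(text, key="permitted_enctypes"):
    """Return the enctype numbers listed for `key` in [libdefaults]."""
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and line.split("=", 1)[0].strip() == key:
            return {ENCTYPES[name] for name in line.split("=", 1)[1].split()}
    return set()

def check_keytab(data, spn, krb5conf=None, allowed=(AES256_SHA1,)):
    """Return findings; an empty list means keytab, SPN and krb5.conf agree."""
    findings, entries = [], parse_keytab(data)
    realm = spn.rsplit("@", 1)[1]
    if realm != realm.upper():
        findings.append("realm in SPN must be upper case: " + realm)
    for e in entries:
        label = f"{e['principal']} kvno {e['kvno']}"
        if e["principal"] != spn:
            findings.append(f"{label}: principal does not match SPN {spn}")
        if e["enctype"] not in allowed:
            findings.append(f"{label}: enctype {ENCTYPE_NAMES.get(e['enctype'], e['enctype'])} not allowed")
    if krb5conf is not None:
        permitted = enctypes_from_krb5conf(krb5conf)
        if not permitted & {e["enctype"] for e in entries}:
            findings.append("no keytab enctype is listed in krb5.conf permitted_enctypes")
        if permitted & WEAK:
            findings.append("krb5.conf permits weak enctypes: "
                            + ", ".join(sorted(ENCTYPE_NAMES[t] for t in permitted & WEAK)))
    return findings

# Constructed sample data (dummy key bytes, not real secrets).
SPN = "HTTP/ejbcaserver.yourcompany.com@YOURCOMPANY.COM"
AES_ONLY_KEYTAB = build_keytab([(SPN, 3, AES256_SHA1, bytes(range(32)))])
MIXED_KEYTAB = build_keytab([(SPN, 3, AES256_SHA1, bytes(range(32))),
                             (SPN, 3, ENCTYPES["rc4-hmac"], bytes(16))])
AES_ONLY_KRB5CONF = """[libdefaults]
    default_realm = YOURCOMPANY.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96
"""
# The enctype list from the page's example krb5.conf, which still permits RC4 and DES.
PERMISSIVE_KRB5CONF = AES_ONLY_KRB5CONF.replace(
    "permitted_enctypes = aes256-cts-hmac-sha1-96", "permitted_enctypes = aes256-cts "
    "aes256-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc")
```

Against a real file, read the keytab bytes and the krb5.conf text you are about to upload and call check_keytab(keytab_bytes, spn, krb5conf_text). With the samples, the AES-only keytab and AES-only krb5.conf produce no findings, the mixed keytab is reported for its rc4-hmac key, and the page's permissive enctype list is reported for allowing DES and RC4 even though the keytab itself is clean.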
- Use SSL: Set to true to enable an SSL/TLS connection to Active Directory (LDAPS). This is optional and requires additional configuration as described in Enabling TLS for Active Directory Connection.
- Follow LDAP Referral: Enable if EJBCA should follow LDAP referrals which AD returns when a request for a resource cannot be serviced by the original domain controller being contacted, but can be handled by the referral. This is optional.
- Authentication Key Binding: If SSL is enabled, select the authentication key binding which establishes trust for the LDAPS Certificate.
- Active Directory Port: LDAP port of Active Directory. The defaults are 389 for LDAP and 636 for LDAPS.
- Ldap Read Timeout (milliseconds): Timeout for read operations from AD. When timeout is exceeded, read attempt is aborted. A value of zero means that the read attempt does not time out. It is recommended to set this higher than zero (e.g. 5000 ms).
- Ldap Connection Timeout (milliseconds): Timeout for connecting to AD. When timeout is exceeded, connection attempt is aborted. A value of zero means that the network protocol’s timeout value is used instead. It is recommended to set this higher than zero (e.g. 5000 ms).
- AD User Login: Active Directory bind account (created in Part 1: Configure Active Directory Domain Services) in any of the following formats:
  - "autoenrollmentbind@yourcompany.com" (sAMAccountName followed by @ and either the DNS name of a domain in the same forest or a value from uPNSuffixes of the Partitions container in the configuration naming context)
  - "CN=autoenrollment bind,CN=Users,DC=yourcompany,DC=com" (full distinguished name)
  - "autoenrollment bind" (the displayName LDAP attribute)
  Use a dedicated, unprivileged account for this bind; its password is stored in the EJBCA configuration.
- AD User Password: Password for the bind account.
- Default CA: Default CA used for autoenrollment, signing enrolled certificates.
- KEC Certificate Profile: Certificate Profile used for Key Exchange Certificate. Select the profile which was created in Step 5 of Part 3a: EJBCA Configuration.
- Click Test Connection. The message "Active Directory connection test was successful" should be displayed at the top of the page.
- Click Save to store the configuration.
Step 2 - Mapping Certificate Templates to EJBCA Profiles
Each enrollment request coming from Microsoft clients contains a Certificate Template OID reference. In order to enroll certificates with proper attributes, each template intended for use must be mapped to EJBCA profiles. Given a successful AD connection in previous steps, the section MS Auto Enrollment Templates will contain a list of all certificate templates loaded from Active Directory.
To map Certificate Templates to EJBCA profiles:
- Click Select a Template and select Computer_Auto_Enrollment.
- Click Select End Entity Profile and select Computer_End_Entity_Profile.
- Click Select Certificate Profile and select Computer_Certificate_Profile.
- Click Add.
- Repeat the steps for User_Auto_Enrollment and its corresponding profiles, as well as for any other template you wish to create mappings for.
- Click Save.
Only templates which have been mapped to EJBCA profiles will be visible for the enrolling clients, assuming they have sufficient enrollment permissions on the mapped template.
If changes are made to the Certificate Templates in Active Directory after the mapping above has been done, the changes will not take effect until EJBCA has reloaded the profiles. To reload profiles in EJBCA, Edit the affected alias and click Save.
Note that changes to the security permissions of a template's groups take effect immediately, as they are looked up for every request rather than being cached. The reload of templates only affects template attributes, such as "Subject name format", "Display name" and "Publish Certificates in Active Directory".
Step 3 - Enable the Service Endpoint
By default, EJBCA does not allow any incoming traffic to its CES and CEP Services.
To enable the services:
- In EJBCA, click System Configuration and select the Protocol Configuration tab.
- Click Enable on MSAE.