Mutual authentication using CA

To use the CMM certificate authority (CA) with an external LDAP server, you must import the CA certificate into the external LDAP server trust store. Up to three trusted certificates can be imported.

To establish mutual authentication using the CMM web interface, complete the following steps:

  1. Import the external LDAP server certificate or the CA chain that signed it into the CMM as an LDAP trusted certificate, as described in Importing an LDAP certificate with non-mutual authentication.
  2. Start a CMM web interface session. To start the CMM web interface, see Starting the web interface for instructions.
  3. Make sure that secure LDAP is enabled by clicking Mgt Module Management > Security > LDAP Client Security and selecting LDAPS under the CMM External LDAP Connection Security heading.
  4. Download the CMM CA to the specified server through the CMM web interface by clicking Mgt Module Management > Security > LDAP Client > Generate a New Key and a Certificate Signing Request (CSR). Depending on your CMM configuration, supported server types can include TFTP, FTP, HTTP, HTTPS, and SFTP.
    Note: The CMM does not support external LDAP servers that use the certificate authority SHA256 to sign their certificates. See the documentation for your LDAP server for more information.

The following illustration shows where the "Generate a New Key and a Certificate Signing Request (CSR)" option can be found in the web interface.

Illustration showing where the "Generate and Import Externally Signed LDAP Client Certificate" option can be found in the web interface.

To establish mutual authentication using the CMM CLI, complete the following steps:

  1. Import the external LDAP server certificate or the CA chain that signed it into the CMM as an LDAP trusted certificate, as described in Importing an LDAP certificate with non-mutual authentication.
  2. Start a CMM CLI session (see Starting the command-line interface for instructions).
    Note:
    • The CMM does not support external LDAP servers that use the certificate authority SHA256 to sign their certificates.
    • The sslcfg command must be targeted to the primary CMM. The following example assumes that the command environment has been set to the primary CMM through the env command (see env command for information about command use). If the command environment has not been set to the primary CMM, you can direct the command to the primary CMM by using the -T mm[p] option (see Command targets for information).
  3. Make sure that secure LDAP is enabled by using the CMM CLI sslcfg -client enabled command. See sslcfg command for additional information about command use.
  4. Download the CMM CA to the specified server by using the CMM CLI sslcfg command. Depending on your CMM configuration, supported server types can include TFTP, FTP, HTTP, HTTPS, and SFTP. See sslcfg command for additional information about command use.
    sslcfg -dnld ca -u URL_of_location_to_put_file

    where URL_of_location_to_put_file is a fully qualified location that specifies the server type, the IPv4 or IPv6 IP address of the server, and a valid file name, of up to 256 characters and containing any character except the percent sign ( % ) or double quotation marks ( " ). The forward slash ( / ) can be used only as part of the path name, not as part of the file name.

    Note: For information about how to specify a URL for file transfer, see Specifying a URL for file transfer.
  5. Move the CA file from the server, where you downloaded it, to the external LDAP server.
  6. When the CA file is on the external LDAP server, import it so that the LDAP server trusts the certificate from the CMM (see the documentation for your LDAP server for information and instructions).