Use LDAP Over SSL to Lock Down Active Directory Traffic

This applies to SafeConsole On-Prem 5.x

The standard protocol for reading data from and writing data to Active Directory (AD) domain controllers (DCs) is LDAP.

To make LDAP traffic secure, you can use the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocols; this combination is referred to as LDAP over SSL -- or LDAPS. To ensure that no one else can read the traffic, SSL/TLS establishes an encrypted tunnel between an LDAP client and a Windows Domain Controller.

To use LDAP over SSL with SafeConsole's Active Directory integration please follow the following steps (applies to version 5.0.4 and up):

  1. Verify you can connect to your AD with a normal LDAP connection on port 389.  (This is optional but ensures we have the proper login credentials and AD server hostname).
  2. Open "Command Prompt" with Administrator rights.
  3. Stop SafeConsole service with the command: net stop safeconsole
  4. Download your AD's Root CA certificate (x.509 formatted) to your desktop.
  5. Change working directory to your desktop: cd %USERPROFILE%\Desktop 
  6. Run this command to import the certificate into the Java keystore used by SafeConsole: "c:\program files\safeconsole\jre\bin\keytool.exe" -import -trustcacerts -alias ad_root_ca -file your_root_ca_certificate.cer -keystore "c:\program files\safeconsole\jre\lib\security\cacerts" 
  7. At the password prompt enter the default password: changeit
  8. Answer Yes to trust the certificate.
  9. Edit the SafeConsole.ini file with command: notepad "c:\program files\safeconsole\SafeConsole.ini"
  10. Find and change lines: ldap-protocol=ldaps and ldap-port=636
  11. Save file and run the SafeConsoleConfigurator.
  12. Go through the setup tool to properly set correct settings and start SafeConsole.
  13. You should now be able to connect SafeConsole securely over LDAPS.  You may check the port that SafeConsole.exe is using by running command (It should now be using port 636 instead of 389.): netstat -ab

Please feel free to submit a ticket if you are still having issues.