Tuesday, May 15, 2018

Using Active Directory as the User Store for WSO2 Identity Server in Read Write Mode

Using an Active Directory as a read-only user store in WSO2 Identity Server is straightforward: it can be treated as a read-only LDAP and configured with slight modifications to the read-only LDAP user store configuration.

However, configuring an AD as a read/write user store needs some additional work, because the update operations must run over LDAPS (LDAP over SSL). In this post I will show how to generate a certificate for the AD to be used for the SSL connection. The next post will cover the configuration to be done on WSO2 IS to use this AD.

Open "Server Manager" and go to "Roles"

Go to "Add Roles", and you will get a wizard

At the following screen select "Active Directory Certificate Services"

Select "Certification Authority" as the role service to install

Specify the setup type as Enterprise and the CA type as Root CA

Create a private key using the default configuration (RSA with a 2048-bit key length)

Specify the CN and the validity period and finish the installation

Now the Certification Authority feature should be installed. Launch it from the Programs menu.

It will show the installed CA; right-click it and go to Properties

Click "View Certificate" to view the certificate

Go to the Details tab and click "Copy to File" to start the Certificate Export Wizard

Select "Base-64 encoded X.509" as the format, specify the export location and finish the export
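The same wizard steps, driven from PowerShell, as an added example that is not part of the original post. It assumes an elevated session on the domain-joined server that will host the CA, and the CA common name and export path are placeholder values to replace with your own. The hash algorithm is set explicitly to SHA256 here, whereas the wizard's choice depends on the Windows version.

```powershell
# Added example (not from the original post). $CaCommonName and $ExportPath are
# assumed values; run in an elevated PowerShell on the future CA server.
$CaCommonName = 'ExampleCorp-Root-CA'        # assumed CA common name
$ExportPath   = 'C:\certs\ad-root-ca.crt'    # assumed output path (Base-64 X.509)

# "Add Roles" wizard: install the Certification Authority role service.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Configure it as an Enterprise Root CA with a 2048-bit RSA key, mirroring the
# wizard choices (setup type Enterprise, CA type Root CA, RSA 2048, CN, validity).
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $CaCommonName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force

# "View Certificate": find the CA's own (self-signed) certificate in the machine store.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CaCommonName*" -and $_.Issuer -eq $_.Subject } |
    Select-Object -First 1
if (-not $caCert) { throw "CA certificate for $CaCommonName not found in Cert:\LocalMachine\My" }

# "Copy to File" with Base-64 encoded X.509: DER bytes, Base64-encoded, wrapped at
# 64 characters per line inside the usual PEM armor.
$b64   = [Convert]::ToBase64String($caCert.RawData)
$lines = $b64 -split '(.{64})' | Where-Object { $_ }
$pem   = "-----BEGIN CERTIFICATE-----`r`n" + ($lines -join "`r`n") + "`r`n-----END CERTIFICATE-----`r`n"

New-Item -ItemType Directory -Force -Path (Split-Path $ExportPath) | Out-Null
Set-Content -Path $ExportPath -Value $pem -Encoding Ascii

# Print the SHA-1 thumbprint: compare it with the fingerprint keytool displays
# before you answer "yes" to its "Trust this certificate?" prompt on the IS side.
"Exported '$($caCert.Subject)' (SHA-1 thumbprint $($caCert.Thumbprint)) to $ExportPath"
```

Checking the self-issued condition (Issuer equals Subject) makes sure the file you hand to WSO2 IS is the root CA certificate itself, not a certificate the CA issued to some other host.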

Now, to complete the setup, two more things remain: importing the certificate into the WSO2 IS truststore and configuring the AD as a user store of WSO2 IS.

To import the certificate into the truststore, use the following keytool command.

keytool -import -trustcacerts -alias adcert -file cert_file_with_path.crt -keystore truststore_with_path.jks

cert_file_with_path.crt refers to the path of the certificate file you exported in part 1. truststore_with_path.jks is the path of the WSO2 IS truststore, which is at [wso2is_home]/repository/resources/security/client-truststore.jks
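Before moving on to user-mgt.xml it is worth confirming two things: that the alias really landed in the truststore, and that the domain controller actually answers on LDAPS (TCP 636) with a certificate issued by the CA you just trusted. AD refuses password writes (the unicodePwd attribute) over an unencrypted connection, so a broken LDAPS path shows up later as failed user creation rather than as a clear TLS error. The following check is an added example, not part of the original post; the host name, paths and [wso2is_home] location are assumed placeholders, and the truststore password is WSO2's shipped default, which you should change if yours differs.

```powershell
# Added example (not from the original post). All values below are assumptions
# for illustration; $StorePass is WSO2's shipped default truststore password.
$DcFqdn     = 'dc01.example.local'                                             # assumed DC name
$CaCertPem  = 'C:\certs\ad-root-ca.crt'                                        # assumed export path
$TrustStore = 'C:\wso2is\repository\resources\security\client-truststore.jks'  # assumed [wso2is_home]
$StorePass  = 'wso2carbon'

# 1. Confirm the alias is present in the truststore (keytool must be on PATH).
& keytool -list -keystore $TrustStore -storepass $StorePass -alias adcert
if ($LASTEXITCODE -ne 0) { throw "alias 'adcert' not found in $TrustStore" }

# 2. Open a TCP connection to port 636 and complete a TLS handshake.
#    AuthenticateAsClient validates the chain and host name against the Windows
#    machine trust; a failure here usually means the DC has not yet received an
#    LDAPS-capable certificate from the new enterprise CA (autoenrollment may
#    not have run yet).
$ca  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaCertPem)
$tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
$tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $tls.AuthenticateAsClient($DcFqdn)
    $server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
    "TLS {0} to {1}:636; server certificate subject: {2}" -f $tls.SslProtocol, $DcFqdn, $server.Subject

    # 3. The DC's certificate must be issued by the CA whose certificate WSO2 IS
    #    now trusts; any other issuer means the wrong certificate was exported/imported.
    if ($server.Issuer -ne $ca.Subject) {
        throw "server certificate issued by '$($server.Issuer)', expected '$($ca.Subject)'"
    }
    "Issuer matches the imported CA (SHA-1 thumbprint $($ca.Thumbprint))"
}
finally {
    $tls.Dispose()
    $tcp.Close()
}
```

If step 2 succeeds but step 3 fails, the DC is presenting a certificate from a different CA (for example an older one), and WSO2 IS will reject the connection even though the import itself worked.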

Finally, we have to configure the user-mgt.xml of IS to use the AD as IS's primary user store (if you are using the AD as a secondary user store, you can set similar property values in the admin console UI).
