
Managing LDAP over TLS/SSL for containerized masking

Prerequisites

The following tools must be installed on the containerized masking engine host (or wherever you prepare the trust store):

  • openssl

  • keytool

Get the LDAP certificate

Retrieve the certificate the LDAP server presents on its TLS port. For example, if the LDAP server is qa-ad.delphix.com:

CODE
openssl s_client -showcerts -connect qa-ad.delphix.com:636 -servername qa-ad.delphix.com

Create a user-ldap.cer file from the above LDAP certificate:

Create a file named user-ldap.cer and copy the certificate block from the output of the command above into it (copy only the lines from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----, inclusive). Because the certificate was fetched over the network, confirm its fingerprint with the LDAP administrator before trusting it; otherwise an attacker positioned between you and the server could hand you a certificate of their own.

Below is sample (truncated) output of the kind that needs to be copied into user-ldap.cer:

CODE
-----BEGIN CERTIFICATE-----
MIIGfDCCBGSgAwIBAgIIEqvHrbNVb88wDQYJKoZIhvcNAQELBQAwcjELMAkGA1UE
BhMCVVMxCzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxSZWR3b29kIENpdHkxCzAJBgNV
BAoTAlFBMQwwCgYDVQQLDANSJkQxJDAiBgNVBAMTG3FhLWFkZGMwMS5xYS1hZC5k
ZWxwaGl4LmNvbTAeFw0yMDEwMTIyMjUwMDBaFw0zMDEwMTIyMjUwMDBaMHIxCzA
-----END CERTIFICATE-----
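The hand-copy step above is easy to get wrong when `-showcerts` returns more than one certificate. The following shell script, an added example that is not part of the Delphix documentation, splits `openssl s_client -showcerts` output into one PEM file per certificate and provides a fingerprint helper for the out-of-band check. The `s_client.txt` transcript it runs on is constructed here with placeholder base64 bodies; only the extraction functions are meant for real use.

```shell
#!/bin/sh
# Added example (not Delphix documentation code): split the output of
# `openssl s_client -showcerts` into one PEM file per certificate so the
# right block ends up in user-ldap.cer without hand-copying.
# Needs only sh and awk; the fingerprint helper additionally needs openssl.

# extract_certs INPUT PREFIX
# Writes every -----BEGIN/END CERTIFICATE----- block found in INPUT to
# PREFIX<n>.pem (1 = server certificate, highest n = last certificate of the
# presented chain) and prints the number of certificates found.
extract_certs() {
  awk -v prefix="$2" '
    /^-----BEGIN CERTIFICATE-----/ { n++; out = prefix n ".pem"; inside = 1 }
    inside                         { print > (out) }
    /^-----END CERTIFICATE-----/   { inside = 0; close(out) }
    END                            { print n + 0 }
  ' "$1"
}

# fingerprint FILE
# SHA-256 fingerprint of a PEM certificate, to compare against the value the
# LDAP/AD administrator gives you out of band before the file is imported
# into .masking_certs. Run it on the real file, e.g. `fingerprint user-ldap.cer`.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Constructed sample of what `openssl s_client -showcerts` prints: two
# certificates (server, then issuing CA) with placeholder base64 bodies.
# It is not a real chain; it only exercises extract_certs.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/s_client.txt" <<'EOF'
CONNECTED(00000003)
depth=1 CN = Example Issuing CA
verify return:1
---
Certificate chain
 0 s:CN = qa-ad.delphix.com
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIBserverPLACEHOLDERbase64LineOne
MIIBserverPLACEHOLDERbase64LineTwo
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIBissuingCaPLACEHOLDERbase64
-----END CERTIFICATE-----
---
Server certificate
subject=CN = qa-ad.delphix.com
EOF

COUNT=$(extract_certs "$SAMPLE/s_client.txt" "$SAMPLE/chain")
echo "certificates in chain: $COUNT"
# chain1.pem is the server certificate the page copies into user-ldap.cer.
# When COUNT > 1, chain$COUNT.pem is the issuing CA; importing that instead
# keeps the trust entry valid when the server certificate is renewed.
cp "$SAMPLE/chain1.pem" "$SAMPLE/user-ldap.cer"
echo "wrote $SAMPLE/user-ldap.cer"
```

Importing the issuing CA rather than the leaf is a choice to make with the directory team: `keytool -import -trustcacerts` validates the server certificate through any CA present in the store, so the store does not need re-populating at every renewal.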

Import certificate to Keystore

Import the certificate into a keystore with the keytool utility as shown below, running the command from the directory that contains user-ldap.cer. The keystore holds only the LDAP server's public certificate, so the default store password is acceptable here; it protects the integrity of the file, not a secret.

CODE
keytool -import -trustcacerts -alias .masking_certs -file user-ldap.cer -keystore .masking_certs -storepass changeit -noprompt

You can verify the imported certificate as below:

CODE
keytool -list -keystore .masking_certs -v

Create configmap entry based on LDAP certificate

Use kubectl to create a ConfigMap from the keystore file, for example:

CODE
kubectl create configmap ldap-ssl-config --from-file=.masking_certs

Here ldap-ssl-config is the name of the created ConfigMap and .masking_certs is the keystore file containing the LDAP certificate. To verify that the ConfigMap now exists in the current namespace (the pod only sees it once it is mounted in a later step), run the following command:

CODE
kubectl get configmap

Mount the configured configmap as volume

Add the ConfigMap as a volume in the pod's config .yaml file. If the pod already defines other volumes, the new entry goes under the existing volumes: section; if not, create a volumes: section as shown below:

CODE
volumes:
  - name: ldap-ssl-cert-volume
    configMap:
      name: ldap-ssl-config

Here ldap-ssl-cert-volume is a name for the provided volume, ldap-ssl-config is the name of the previously created configmap entry.

Now mount that volume into the app container. Under the containers: section of the pod's config .yaml file, find the app container and add another entry to its volumeMounts: as shown below:

CODE
- name: ldap-ssl-cert-volume
  mountPath: /var/delphix/ssl/.masking_certs
  subPath: .masking_certs

Here ldap-ssl-cert-volume is the pod-level volume defined above, and .masking_certs is the name of the certificate file (the key inside the ConfigMap). Using subPath mounts that single key as a file at the given mountPath instead of replacing the whole /var/delphix/ssl directory with the ConfigMap's contents.
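To show the two fragments in their places within one manifest, the following script, an added example rather than Delphix's shipped manifest, writes a complete pod definition and lints it before it reaches kubectl. The pod and container name (masking-engine) and the image tag are assumptions, not values from the page; replace them with your own.

```shell
#!/bin/sh
# Added example (not Delphix's shipped manifest): generate a complete pod
# manifest that mounts the ldap-ssl-config ConfigMap as
# /var/delphix/ssl/.masking_certs, and check it before running kubectl.
# Assumptions not taken from the page: pod/container name "masking-engine"
# and the image tag passed as $2.

# write_manifest OUTFILE IMAGE
write_manifest() {
  cat > "$1" <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: masking-engine            # assumed name
spec:
  containers:
    - name: masking-engine        # the "app container" from the page
      image: $2
      volumeMounts:
        - name: ldap-ssl-cert-volume
          mountPath: /var/delphix/ssl/.masking_certs
          subPath: .masking_certs # mount the single key as a file
  volumes:
    - name: ldap-ssl-cert-volume
      configMap:
        name: ldap-ssl-config     # created with kubectl create configmap
EOF
}

# check_manifest FILE
# Exit 0 when every volumeMounts name in FILE refers to a volume declared
# under volumes:; otherwise print the offenders and exit 1. The API server
# rejects such a pod anyway, but catching the typo locally is faster.
check_manifest() {
  awk '
    function indent(s) { match(s, /^ */); return RLENGTH }
    /^ *volumeMounts:/ { sec = "m"; base = indent($0); next }
    /^ *volumes:/      { sec = "v"; base = indent($0); next }
    sec != "" && NF > 0 && indent($0) <= base { sec = "" }
    sec != "" && ($1 == "name:" || ($1 == "-" && $2 == "name:")) {
      n = ($1 == "-") ? $3 : $2
      if (sec == "m") m[n] = 1; else v[n] = 1
    }
    END {
      for (n in m) if (!(n in v)) {
        print "volumeMount " n " has no matching volume"; bad = 1
      }
      exit bad
    }
  ' "$1"
}

OUT=$(mktemp -d)/kubernetes-config.yaml
write_manifest "$OUT" "REPLACE_WITH_MASKING_ENGINE_IMAGE"   # placeholder image
check_manifest "$OUT" && echo "manifest OK: $OUT"
# Deploy as the page describes once the image is filled in:
# kubectl create -f "$OUT"
```

One caveat worth knowing before relying on this layout: a ConfigMap mounted through subPath is not updated in a running container when the ConfigMap changes, so after re-importing a renewed certificate and recreating ldap-ssl-config the pod must be restarted to pick up the new keystore.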

For reference, the original page attaches a screenshot of a sample kubernetes-config.yaml at this point.

Now deploy the pods as usual using the config file:

CODE
kubectl create -f kubernetes-config.yaml
kubectl get pods

Enable ApplicationSettings for LDAP over TLS/SSL

Once the containerized masking engine is deployed successfully, set up and enable LDAP over TLS/SSL in the engine's Application Settings so that it uses the mounted keystore.
