Configure Single Sign-on for LDAP or LDAPS

EnterWorks can be configured to manage users through an Identity Provider (IDP) using the LDAP or LDAPS protocol. Because operational requirements, ports, and the choice between LDAP and LDAPS can differ, the protocol in use may vary between the development, test, QA, and production environments.

To configure LDAP or LDAPS, both the Classic and New UIs must be configured. The Classic UI must be configured first.

  1. If you are configuring for LDAPS, configure the certificate file.

    To configure the certificate file:

    1. Obtain the certificate file from the customer:
      caCert.pem
      and store it in the folder:
      <drive>:\Enterworks\certs\ldaps
      This file must be in PEM format and must be named exactly as shown above.
    2. Copy the file:
      <drive>:\Enterworks\jdk\jre\lib\security\cacerts
      to:
      <drive>:\Enterworks\certs\tomcat.jks
    3. Set the keystore password to enterworks. If you want to set the password to something else, you can, but when you edit the services.bat file below, make sure to specify your password instead of enterworks. To set the password, open a command prompt and run the keytool utility by typing the following all in one line:
      <drive>:\Enterworks\jdk\bin\keytool -storepasswd -keystore <drive>:\Enterworks\certs\tomcat.jks
      Respond to the questions it asks as follows:
      1. Enter the keystore password: changeit
      2. New keystore password: enterworks
      3. Re-enter the new keystore password: enterworks
    4. Import the caCert.pem file into the keystore. Open a command prompt and run the keytool utility by typing the following all in one line:
      <drive>:\Enterworks\jdk\bin\keytool -import -alias tomcat 
      -file <drive>:\Enterworks\certs\ldaps\caCert.pem 
      -keystore <drive>:\Enterworks\certs\tomcat.jks
    5. Add the keystore to EPIM Tomcat. Edit:
      <drive>:\Enterworks\EnableServer\tomcat\bin\services.bat
      Add the following to the --JvmOptions property. Make sure to replace <drive> with the actual drive name. If you are using a password other than enterworks, replace enterworks with your password. Note that although these settings contain the term "SSL", they also apply to LDAPS.
      -Djavax.net.ssl.trustStore=<drive>:\Enterworks\certs\tomcat.jks;
      -Djavax.net.ssl.trustStorePassword=enterworks;
    6. Restart the EnableServerTomcat service. Open a command prompt and run the commands:
      <drive>:\Enterworks\EnableServer\tomcat\bin\services.bat remove
      <drive>:\Enterworks\EnableServer\tomcat\bin\services.bat install
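The keystore steps above (2 to 4) as one script, added here as an example and not taken from the EnterWorks documentation. It assumes the install drive is D: and the documented password enterworks, and it checks that the CA entry was imported before you edit services.bat.

```powershell
# Added example: automates certificate steps 2 to 4 and checks the result.
# Assumptions: install drive D:, keystore password "enterworks" as documented.
$Drive     = 'D:'                                   # replace with the EnterWorks install drive
$Keytool   = "$Drive\Enterworks\jdk\bin\keytool.exe"
$CaCerts   = "$Drive\Enterworks\jdk\jre\lib\security\cacerts"
$Keystore  = "$Drive\Enterworks\certs\tomcat.jks"
$CaCertPem = "$Drive\Enterworks\certs\ldaps\caCert.pem"
$OldPass   = 'changeit'      # default password of the JDK cacerts file
$NewPass   = 'enterworks'    # must match trustStorePassword in services.bat

# Step 1 check: the customer CA file must exist and be PEM encoded.
if (-not (Test-Path -Path $CaCertPem)) { throw "Missing $CaCertPem" }
if (-not (Select-String -Path $CaCertPem -Pattern '-----BEGIN CERTIFICATE-----' -SimpleMatch -Quiet)) {
    throw "$CaCertPem is not in PEM format"
}

# Step 2: seed tomcat.jks from the JDK trust store.
Copy-Item -Path $CaCerts -Destination $Keystore -Force

# Step 3: change the keystore password (non-interactive form of the documented prompts).
& $Keytool -storepasswd -keystore $Keystore -storepass $OldPass -new $NewPass
if ($LASTEXITCODE -ne 0) { throw 'keytool -storepasswd failed' }

# Step 4: import the CA certificate under the alias "tomcat".
& $Keytool -import -noprompt -alias tomcat -file $CaCertPem -keystore $Keystore -storepass $NewPass
if ($LASTEXITCODE -ne 0) { throw 'keytool -import failed' }

# Check: the alias must now be listed as a trusted certificate entry.
$listing = & $Keytool -list -keystore $Keystore -storepass $NewPass -alias tomcat
if ($LASTEXITCODE -ne 0 -or -not ($listing | Select-String -Pattern 'trustedCertEntry' -Quiet)) {
    throw 'alias "tomcat" was not imported as a trusted certificate'
}

# Step 5 is still a manual edit of services.bat; these are the values to add to --JvmOptions.
Write-Host "-Djavax.net.ssl.trustStore=$Keystore;"
Write-Host "-Djavax.net.ssl.trustStorePassword=$NewPass;"
```

Passwords passed as keytool arguments are visible in the process list while the command runs; if you choose a non-default password, keytool's interactive prompts avoid that exposure.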
  2. Configure the Classic UI for SSO using LDAP or LDAPS

    To configure the Classic UI for SSO using LDAP or LDAPS protocol:

    1. Log into the Classic UI as a user with Administrative privileges.
    2. Open the Feature Bar, open the Users and Group folder, and open the Users tab.
    3. Open the Utilities dropdown and select LDAP Configuration. The LDAP Properties Settings pop-up will appear. Although this window and its settings use the term "LDAP", they are used for LDAPS as well.
    4. Check the LDAP Enabled checkbox. This indicates that users will be managed by LDAP or LDAPS.
    5. Select Microsoft Active Directory as the Provider.
    6. Do not change the Context. It will update automatically.
    7. In the Search Scope dropdown list, select SUBTREE_SCOPE.
    8. Enter the LDAP Server Host according to the protocol used:
      • For LDAP enter: <hostname>

      • For LDAPS enter: ldaps://<hostname>

    9. Enter the LDAP Server Port. This can be the server’s port or the default port for the protocol used.
    10. Enter the Search Base using standard LDAP terms.
    11. In User Context Search Base (optional), enter the full domain name.
    12. In User Default Domain, enter the short domain name.
    13. Click Save.
  3. Make sure that the Classic UI is functional by logging in.
  4. Configure the New UI for SSO using LDAP or LDAPS

    To configure EnterWorks for SSO using LDAP or LDAPS, on the server that hosts enable-api-go-service:

    1. To configure automatic provisioning, update shared configuration properties to set:
      security.ldap.groupSync=true
    2. The create scripts (create-<service-name>service.cmd) should exist in the following folder. If they do not, create them.
      <drive>:\Enterworks\enable2020\services\install
    3. Back up create-enable-api-go-service.cmd by copying it to:
      <drive>:\Backup
      To facilitate troubleshooting, append the datetime to the end of the filename of the backup file.
    4. For both LDAP and LDAPS, edit create-enable-api-go-service.cmd:
      1. Open the appropriate script in an editor. The scripts are found in:
        <drive>:\Enterworks\enable2020\services\install\
      2. Edit the ldapIndicator setting as desired.
        • ldapIndicator=2: (Recommended setting.) EnterWorks only asks the IDP to authenticate users. When an existing EnterWorks user logs into EnterWorks, EnterWorks confirms with the IDP that the user exists in the IDP's directory. If the user exists, EnterWorks allows the user to log in.

        • ldapIndicator=1: (Default) Just In Time (JIT) provisioning (also known as Automatic provisioning). See Just In Time Provisioning.

        • ldapIndicator=0: (Default setting.) LDAP is not in use.

      3. If you are configuring LDAPS, set the ldapKeysPath parameter to indicate the location of the caCert.pem certificate file:
        -ldapKeysPath=<drive>:\Enterworks\certs\ldaps
      4. Save the script.
    5. Run the create-enable-api-go-service.cmd script.
    6. Restart the enable-api-go-service service.
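Steps 3 to 6 of this procedure as one script, added here as an example and not taken from the EnterWorks documentation. It assumes the install drive is D:, that LDAPS is in use, and that the create script carries its options as "-ldapIndicator=<n>" and "-ldapKeysPath=<path>" tokens (the page shows only the latter form).

```powershell
# Added example: New UI steps 3 to 6 as one script.
# Assumptions: install drive D:, LDAPS in use, and the create script carries the options
# as "-ldapIndicator=<n>" and "-ldapKeysPath=<path>" tokens (the page shows the latter).
$Drive     = 'D:'
$Script    = "$Drive\Enterworks\enable2020\services\install\create-enable-api-go-service.cmd"
$BackupDir = "$Drive\Backup"
$KeysPath  = "$Drive\Enterworks\certs\ldaps"   # folder that holds caCert.pem
$Indicator = 2                                  # recommended: IDP only authenticates existing users

# Step 3: back up with a datetime suffix so repeated attempts can be told apart.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Copy-Item -Path $Script -Destination "$BackupDir\create-enable-api-go-service.cmd.$stamp"

# Step 4: set ldapIndicator and ldapKeysPath in place.
$content = Get-Content -Path $Script -Raw
if ($content -notmatch '-ldapIndicator=\d+') { throw "no -ldapIndicator setting found in $Script" }
$content = $content -replace '-ldapIndicator=\d+', "-ldapIndicator=$Indicator"
if ($content -match '-ldapKeysPath=') {
    $content = $content -replace '-ldapKeysPath=\S+', "-ldapKeysPath=$KeysPath"
} else {
    # assumption: the option is accepted next to the ldapIndicator token
    $content = $content -replace "-ldapIndicator=$Indicator", "-ldapIndicator=$Indicator -ldapKeysPath=$KeysPath"
}
Set-Content -Path $Script -Value $content -NoNewline

# Check before re-creating the service: each setting must appear exactly once.
$after = Get-Content -Path $Script -Raw
foreach ($token in @("-ldapIndicator=$Indicator", "-ldapKeysPath=$KeysPath")) {
    $count = [regex]::Matches($after, [regex]::Escape($token)).Count
    if ($count -ne 1) { throw "expected one '$token' in $Script, found $count" }
}

# Steps 5 and 6: re-create the service and restart it.
& $Script
if ($LASTEXITCODE -ne 0) { throw 'create-enable-api-go-service.cmd failed' }
Restart-Service -Name 'enable-api-go-service'
```

If the edit leaves the script with a duplicated or missing setting, the check throws before the service is re-created, and the timestamped copy in D:\Backup is the file to restore.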

    EnterWorks is now configured to use SSO with LDAP or LDAPS.