Verify directory server certificates

To ensure that RBAC isn't being subjected to a Man-in-the Middle (MITM) attack, verify the directory server's certificate.

When you select SSL or StartTLS as the security protocol to use for communications between PE and your directory server, the connection to the directory is encrypted. To ensure that the directory service is properly identified, configure the ds-trust-chain to point to a copy of the public key for the directory service.

The RBAC service verifies directory server certificates using a trust store file, in Java Key Store (JKS), PEM, or PKCS12 format, that contains the chain of trust for the directory server's certificate. This file needs to exist on disk in a location that is readable by the user running the RBAC service.

To turn on verification:

  1. In the console, click Node groups.
  2. Open the PE Infrastructure node group and select the PE Console node group.
  3. Click Classes. Locate the puppet_enterprise::profile::console class.
  4. In the Parameter field, select rbac_ds_trust_chain.
  5. In the Value field, set the absolute path to the trust store file.
  6. Click Add parameter and commit changes.
  7. To make the change take effect, run Puppet. Running Puppet restarts pe-console services.
Results
After setting this value, the directory server's certificate is verified whenever RBAC is configured to connect to the directory server using SSL or StartTLS.