In the Identity Manager Management Console you configure the IM Directory objects. When configuring a directory object to point to the Provisioning Server you can configure it to use non-SSL to port 20389 or SSL to port 20390 but if using an SSL connection additional steps are needed to be done in order for the Provisioning Server certificate to be available.

What steps are needed in order for IM to have the Provisioning Server certificate in place if configuring an IM Directory object with SSL to the Provisioning Server on port 20390?

Step 1 - Retrieving the Provisioning Server Certificate

First you need to retrieve the Provisioning Server certificate. You can do this by using an ldapbrowser like Jxplorer to establish a connection to the Provisioning Server host on port 20390 using SSL+User+Password security level.

The BindDN to use would be "eTGlobalUserName=BIND_USER,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=PROV_DOMAIN,dc=eta" where BIND_USER is the ID used to log into the Provisioning Manager and PROV_DOMAIN would likely be "im" by default.

If Jxplorer has not previously saved the Provisioning Server certificate you will get a pop-up window "Server CA Certificate missing" which will allow you to click the "View Certificate" button after which you can click on the Details tab of the new Certificate pop-up window and then click the "Copy To File" button in order to save the Provisioning Server certificate to a file such as ProvServerCert.der to be used in steps later.

If Jxplorer connects without the above mentioned pop-up window then it means the Provisioning Server certificate was already imported into the Jxplorer keystore and you can retrieve it by selecting "Security->Trusted Servers and CAs" along the top menu bar. In the new popup window "Manage Your Trusted Server Certificates" you would select the certificate called "ou=provisioning services,o=identity management,l=islandia,st=ny,c=us" and click the "View Certificate" button after which you can click on the Details tab of the new Certificate pop-up window and then click the "Copy To File" button in order to save the Provisioning Server certificate to a file such as ProvServerCert.der to be used in steps later.

Step 2 - Importing the Provisioning Server Certificate into the IM Application Server's JRE keystore

The JRE used by the application server running Identity Manager would need to have the Provisioning Server's certificate placed into it's keystore. You would first need to determine the JRE beind used by that application server and then look under the jre\lib\security for the cacerts which is the keystore. You would use the Java command called keytool to import the Provisioning Server certificate with a command such as the below and when prompted for the keystore password enter "changeit" which is the default password for the keystore:

keytool.exe -keystore <location of the jre\lib\security\cacerts> -import -file <location of the ProvServerCert.der> -trustcacerts -alias CAIMProvSrv

You can now restart the IM Application Server (i.e. JBoss/Wildfly, WebSphere, Weblogic) and use the IM Management Console to create the IM Directory object for the Provisioning Server using SSL and port 20390.