Symantec Identity Manager - How to setup inbound notifications to use SSL connection in Identity Manager vApp



Article ID: 204213


Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

When setting up an SSL connection for inbound notifications in the vApp (that is, from the Provisioning Server to the Identity Manager server), one of the following errors is returned:

[rc=60] SSL certificate problem: unable to get issuer certificate

or

[rc=77] error setting certificate verify locations

or

ERROR: There was an error in Decrypting the inbound payload from the provisioning server. This could be due to mismatched shared secrets.

How do you set up the SSL connection?

Environment

Release : 14.3/14.4

Component : IdentityMinder(Identity Manager)

Resolution

Here is the process to set up the SSL connection for inbound notifications. The first two errors are raised by certificate verification on the Provisioning Server side (the rc values are libcurl error codes): rc=60 means the chain presented by the Identity Manager server could not be completed to a trusted root, and rc=77 means the Trusted CA Bundle file could not be opened or read. The third error means the shared secret configured on the two servers does not match.

  1. Get the certificate chain. The simplest method is to run the following command against the Identity Manager server:

    openssl s_client -showcerts -verify 5 -connect <IP>:<port> < /dev/null
    In the vApp, port 8443 is used for inbound notifications.
    The command prints every certificate the server sends, in PEM format, starting with the server (leaf) certificate and followed by its intermediate CA certificates. Servers normally do not send the root CA certificate: if the last certificate printed is not self-signed (subject equal to issuer), obtain the root certificate from the CA and include it in the bundle as well, otherwise the "[rc=60] SSL certificate problem: unable to get issuer certificate" error persists.

  2. Put all the certificates returned by the above command into a single file.
    This should be done as the imps user, because that is the user under which the Provisioning Server runs in the vApp; a bundle file that the imps user cannot read produces the "[rc=77] error setting certificate verify locations" error.
    Copy everything from
    -----BEGIN CERTIFICATE-----
    to
    -----END CERTIFICATE-----
    into the file, including the BEGIN and END lines. There may be several certificates; append each of them, in the order printed.

  3. Using Provisioning Manager, add the full path of the file created above to System > Domain Configuration > Identity Manager Server > Trusted CA Bundle.



  4. The shared secret is set to a random string during vApp deployment. This string is not recorded anywhere, so change the shared secret to a known value. Keep the clear-text value, since it is entered again in Provisioning Manager in step 8:

  5. Log on to the vApp as the 'config' user and encrypt the new secret with the password tool:

    cd /opt/CA/IdentityManager/IAM_Suite/IdentityManager/tools/PasswordTool

    ./pwdtools.sh -JSAFE -p <New shared secret in clear>

    For instance:
     > ./pwdtools.sh -JSAFE -p SharedSecret
    --------------------------------------------------
    Your JAVA_HOME is currently set to /opt/CA/jdk1.8.0_71/
    --------------------------------------------------
    Encrypting your password ...
    ******************************************
    Plain Text: SharedSecret
    Encrypted value: {PBES}:Mx1ePmKUIZcBvJf11FV+vw==
    ******************************************
     >

  6. Replace the IMeTASharedSecret value in the /opt/CA/wildfly-idm/standalone/deployments/iam_im.ear/custom/identitymanager/systemWideProperties.properties file with the encrypted value printed by the pwdtools utility (back up the file first), for example:

    IMeTASharedSecret={PBES}:Mx1ePmKUIZcBvJf11FV+vw==

  7. Restart the IM server and the PS server:

    restart_im
    restart_ps
  8. Using Provisioning Manager (IMPM), set the shared secret (the same clear-text value that was given to pwdtools in step 5) and the Identity Manager server URL in System > Identity Manager Setup.
    Use https and port 8443 in the URL (https://<host>:8443), and ensure that the host name matches the subject of the certificate presented by the Identity Manager server (CN or a Subject Alternative Name); the Provisioning Server validates the host name as well as the chain.
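The following script is an added example and is not part of this article or of the product. It automates steps 1 to 3 (build the Trusted CA Bundle from the chain the Identity Manager server presents on port 8443) and step 6 (write the {PBES} value printed by pwdtools.sh into systemWideProperties.properties), and it goes slightly beyond the steps above by checking whether the bundle actually reaches a root, whether it validates the server, and whether the imps user can read it, which are the conditions behind the rc=60 and rc=77 errors. The properties file path and the port are taken from the article; the bundle location under /home/imps, the IM_HOST and IM_SECRET variables and the use of sudo to test readability as imps are assumptions.

```shell
#!/bin/sh
# Added example; not part of the Broadcom article or the Identity Manager product.
# Builds and checks the Trusted CA Bundle for the Provisioning Server and writes the
# encrypted shared secret into the IM properties file. Assumptions: bundle stored under
# /home/imps, sudo available to test readability as imps, IM_HOST/IM_SECRET env vars.
set -eu

PROPS=/opt/CA/wildfly-idm/standalone/deployments/iam_im.ear/custom/identitymanager/systemWideProperties.properties

# extract_pem: keep only the PEM certificate blocks from s_client output (stdin to stdout).
extract_pem() {
  awk '/-----BEGIN CERTIFICATE-----/ { keep = 1 }
       keep { print }
       /-----END CERTIFICATE-----/ { keep = 0 }'
}

# count_certs FILE: number of certificates in a PEM bundle.
count_certs() {
  grep -c -- '-----END CERTIFICATE-----' "$1"
}

# fetch_chain HOST PORT OUT: save the chain the IM server sends, leaf first.
# -servername sets SNI so a name-based virtual host returns the right certificate.
fetch_chain() {
  openssl s_client -showcerts -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null \
    | extract_pem > "$3"
  [ "$(count_certs "$3")" -gt 0 ]
}

# last_cert_is_self_signed FILE: true when the final certificate has subject == issuer,
# i.e. the bundle reaches a root. Servers usually omit the root, which is exactly the
# "[rc=60] unable to get issuer certificate" case; append it from the CA if this fails.
last_cert_is_self_signed() {
  last=$(awk '/-----BEGIN CERTIFICATE-----/ { buf = "" } { buf = buf $0 "\n" } END { printf "%s", buf }' "$1")
  subj=$(printf '%s\n' "$last" | openssl x509 -noout -subject | sed 's/^[^=]*= *//')
  iss=$(printf '%s\n' "$last" | openssl x509 -noout -issuer | sed 's/^[^=]*= *//')
  [ "$subj" = "$iss" ]
}

# verify_bundle HOST PORT FILE: prove the bundle validates the server before pointing
# Provisioning Manager at it (s_client reports "Verify return code: 0 (ok)").
verify_bundle() {
  openssl s_client -servername "$1" -connect "$1:$2" -CAfile "$3" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# readable_by_imps FILE: the Provisioning Server runs as imps; a bundle it cannot open
# produces "[rc=77] error setting certificate verify locations". Assumes sudo is available.
readable_by_imps() {
  sudo -u imps test -r "$1"
}

# set_shared_secret FILE ENC: replace the IMeTASharedSecret line with the {PBES} value
# printed by pwdtools.sh, keeping a timestamped backup. Written via a temp file so it
# works with both GNU and BSD sed; '|' is the delimiter because the value contains '/'.
set_shared_secret() {
  cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
  sed "s|^IMeTASharedSecret=.*|IMeTASharedSecret=$2|" "$1" > "$1.tmp"
  mv "$1.tmp" "$1"
  grep -Fxq "IMeTASharedSecret=$2" "$1"
}

# Driver, only active when IM_HOST is set (assumed variable names), e.g.
#   IM_HOST=im.example.com IM_SECRET='{PBES}:...' sh im_ssl_setup.sh
if [ -n "${IM_HOST:-}" ]; then
  BUNDLE=/home/imps/im-ca-bundle.pem   # assumed location, must be readable by imps
  fetch_chain "$IM_HOST" 8443 "$BUNDLE"
  echo "certificates in bundle: $(count_certs "$BUNDLE")"
  last_cert_is_self_signed "$BUNDLE" || echo "WARNING: root CA missing, append it from the CA (rc=60)"
  verify_bundle "$IM_HOST" 8443 "$BUNDLE" && echo "bundle validates $IM_HOST"
  readable_by_imps "$BUNDLE" || echo "WARNING: imps cannot read $BUNDLE (rc=77)"
  [ -n "${IM_SECRET:-}" ] && set_shared_secret "$PROPS" "$IM_SECRET"
fi
```

Run it as the imps user (or fix ownership afterwards) so that the bundle the Provisioning Server reads is the one you verified; then enter the bundle path in step 3 and restart both servers as in step 7.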