Symantec Identity Manager - How to setup inbound notifications to use SSL connection in Identity Manager vApp



Article ID: 204213




CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite


When trying to set up an SSL connection for inbound notifications in vApp (i.e. from the Provisioning Server to the Identity Manager server), users get one of the following errors:

[rc=60] SSL certificate problem: unable to get issuer certificate

[rc=77] error setting certificate verify locations

ERROR: There was an error in Decrypting the inbound payload from the provisioning server. This could be due to mismatched shared secrets.

The first two are libcurl return codes raised by the Provisioning Server: rc=60 means the server certificate could not be chained to a trusted root (the chain is incomplete or the root is not in the bundle), and rc=77 means the CA bundle file itself could not be opened (wrong path, or not readable by the user running the Provisioning Server). The third message means the shared secret configured in Provisioning Manager does not match the one configured on the Identity Manager server.

How do we set up the SSL connection?


Release : 14.3/14.4

Component : IdentityMinder(Identity Manager)


Here is the process to set up the SSL connection for inbound notifications:

  1. Get the certificate chain. A simple method is to use the following command:

    openssl s_client -showcerts -verify 5 -connect <IP>:<port> < /dev/null
    In vApp port 8443 is used for inbound notifications.
    The command returns all the certificates the server sends, in PEM format, starting with the server (leaf) certificate and followed by the intermediate and, if the server sends it, the root certificate. If the last certificate printed is not self-signed (its subject differs from its issuer), the root is not being sent and must be obtained from the CA and appended; without it curl reports [rc=60].

  2. Put all the certificates returned by the above command into a file.
    Do this as the imps user, because that is the user under which the Provisioning Server runs in vApp, and the file must be readable by it.
    Copy every block from
    -----BEGIN CERTIFICATE-----
    through
    -----END CERTIFICATE-----
    into the file. There may be several certificates; append each of them in the order printed.

  3. Using Provisioning Manager, add the full path of the file created above to System > Domain Configuration > Identity Manager Server > Trusted CA Bundle. A path that does not exist or that the imps user cannot read results in [rc=77].

  4. The shared secret is set to a random string during vApp deployment, and this string is not known to the administrator. Change the shared secret as follows:

  5. Log on to the vApp as the 'config' user, change to the PasswordTool directory and run the pwdtools utility with the new secret in clear text:

    cd /opt/CA/IdentityManager/IAM_Suite/IdentityManager/tools/PasswordTool

    ./ -JSAFE -p <New shared secret in clear>

    For instance:
     > ./ -JSAFE -p SharedSecret
    Your JAVA_HOME is currently set to /opt/CA/jdk1.8.0_71/
    Encrypting your password ...
    Plain Text: SharedSecret
    Encrypted value: {PBES}:Mx1ePmKUIZcBvJf11FV+vw==

  6. Replace the IMeTASharedSecret value in the /opt/CA/wildfly-idm/standalone/deployments/iam_im.ear/custom/identitymanager/ file with the encrypted value printed by the pwdtools utility (the whole string, including the {PBES}: prefix), for example:


  7. Restart the IM server and the PS server so that both pick up the new shared secret:

  8. Using IMPM (Provisioning Manager), set the shared secret and the IM server URL in System > Identity Manager Setup. Enter the shared secret in clear text, exactly the value that was passed to pwdtools in step 5; a different value produces the "error in Decrypting the inbound payload" message.
    When adding a host name, ensure that it matches the subject (CN or a Subject Alternative Name) of the certificate presented on port 8443; connecting by an IP address or a name that is not in the certificate fails verification even when the Trusted CA Bundle is correct.
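The following script is an added example and not Broadcom's code or part of the original article. It automates steps 1 and 2 and the checks a practitioner would want before steps 3 and 8: it splits `openssl s_client -showcerts` output into a PEM bundle in the order printed, confirms the chain ends at a self-signed root (the rc=60 case), confirms the bundle file is readable and non-empty (the rc=77 case), and prints the server certificate subject that the host name in Identity Manager Setup must match. It assumes POSIX sh and awk; the host name idm.example.test, the bundle path, and the certificate bodies are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): build and sanity-check the
# Trusted CA Bundle for Identity Manager inbound notifications.
# Assumptions: POSIX sh + awk; host name, paths and certificate bodies
# below are constructed placeholders.

# Print every PEM certificate block found on stdin, in the order printed.
# s_client lists the chain leaf first (depth 0), then intermediates, then
# the root if the server sends it.
extract_pem_chain() {
    awk '/-----BEGIN CERTIFICATE-----/ { keep = 1 }
         keep { print }
         /-----END CERTIFICATE-----/ { keep = 0 }'
}

# Print the subject of the server certificate as reported by s_client.
# The host name entered in System > Identity Manager Setup must match it.
server_subject() {
    awk '/^subject=/ { sub(/^subject=/, ""); print; exit }'
}

# Succeed only if the last certificate in the "Certificate chain" listing
# is self-signed (subject == issuer). Otherwise the root was not sent and
# must be appended by hand, or curl fails with [rc=60].
chain_ends_at_root() {
    awk '/^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); s = $0 }
         /^ *i:/        { sub(/^ *i:/, "");        i = $0 }
         END { if (s != "" && s == i) exit 0; exit 1 }'
}

# Number of complete certificates in a bundle file (0 if none or unreadable).
count_certs() {
    n=$(grep -c -- '-----END CERTIFICATE-----' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# A bundle the imps user cannot read, or that holds no certificate, is what
# libcurl reports as [rc=77] "error setting certificate verify locations".
check_bundle() {
    f=$1
    if [ ! -r "$f" ]; then
        echo "bundle $f is missing or not readable" >&2
        return 1
    fi
    n=$(count_certs "$f")
    if [ "$n" -eq 0 ]; then
        echo "bundle $f contains no certificates" >&2
        return 1
    fi
    echo "bundle $f contains $n certificate(s)"
}

# Constructed stand-in for real s_client output (the base64 bodies are fake).
SAMPLE_SCLIENT_OUTPUT='CONNECTED(00000003)
depth=1 CN = Example Root CA
verify return:1
---
Certificate chain
 0 s:CN = idm.example.test
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIBexampleLeafCertificateBody0
-----END CERTIFICATE-----
 1 s:CN = Example Root CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIBexampleRootCertificateBody1
-----END CERTIFICATE-----
---
Server certificate
subject=CN = idm.example.test
issuer=CN = Example Root CA
---
DONE'

# On the vApp, run the real command as the imps user, for example
#   openssl s_client -showcerts -verify 5 -connect idm.example.test:8443 </dev/null \
#       | extract_pem_chain > /home/imps/im_ca_bundle.pem   # hypothetical path
# and enter that full path as Trusted CA Bundle. Here the sample above is used.
bundle=${TMPDIR:-/tmp}/im_ca_bundle.pem
printf '%s\n' "$SAMPLE_SCLIENT_OUTPUT" | extract_pem_chain > "$bundle"
if printf '%s\n' "$SAMPLE_SCLIENT_OUTPUT" | chain_ends_at_root; then
    echo "chain ends at a self-signed root"
else
    echo "root certificate not sent by server: append it to $bundle" >&2
fi
check_bundle "$bundle"
printf 'host name for Identity Manager Setup must match: %s\n' \
    "$(printf '%s\n' "$SAMPLE_SCLIENT_OUTPUT" | server_subject)"
```

Run it as the imps user so that the readability check reflects the account the Provisioning Server actually uses; a bundle that reads fine as root but not as imps still fails with rc=77.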