How to create a secure connection to AD from IDM when AD is the user store?

Article ID: 22576


Products

CA Identity Manager, CA Identity Governance, CA Identity Portal

Issue/Introduction

This Knowledge Document describes how to make a secure, SSL-based LDAP bind from Identity Manager to Active Directory (AD) when AD is the user store and SiteMinder is not in use.


Environment

Identity Manager 14.4 and 14.5

Resolution


Exporting the Microsoft Active Directory Certificate

To export the Microsoft Active Directory certificate:

  1. Click Start, Programs, Administrative Tools, and Certification Authority.

  2. Right-click the Certification Authority that you created, and then select Properties.

  3. On the General tab, click View Certificate.

  4. On the Details tab, click Copy To File.

  5. Use the wizard to create a certificate (.cer) file using base-64 encoding.

For any questions about generating the Active Directory certificate, please reach out to your Active Directory admin team.


Importing the Microsoft Active Directory Certificate into the Keystore used by the Application Server hosting Identity Manager


The following uses the industry-standard Java keytool utility. For more details about using keytool, see the Oracle keytool documentation:
https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html

These steps are taken from the above link and written with JBoss as the underlying application server. Notes for the other application servers IDM supports are given inline.
Questions about this should be submitted to your application server admin and/or the Certificate Authority team.


To import the Microsoft Active Directory certificate into the certificate store of the Identity Manager server:

  1. Copy the Active Directory certificate to the Identity Manager server.

  2. Change to the directory where you copied the certificate file, and then enter a command similar to the following (JAVA_HOME must be set correctly for this to work):

    keytool -import -alias alias -file cer_file -keystore my_cacerts -storepass password


    In this command:

    • alias is the alias for the certificate (for example, the server name)

    • cer_file is the full path and name of the certificate (.cer) file

    • my_cacerts is the full path and name of the certificate store (the default is cacerts)

      The path of the certificate store depends on the application server, as shown in the following table:

      Application Server         Certificate Store Location
      JBoss Application Server   JAVA_HOME\jre\lib\security\cacerts
      BEA WebLogic               BEA_HOME\java\jre\lib\security\cacerts
      IBM WebSphere              WS_HOME\java\jre\lib\security\cacerts
                                 WS_HOME\etc\DummyServerTrustFile.jks


      Note:

      For IBM WebSphere, you must also copy the jnet.jar, jsse.jar, and jcert.jar files to the WS_HOME\java\jre\lib\ext directory.

    • password is the keystore password (the default is changeit)

      For example:

      keytool -import -alias ADCert -file c:\certs\ActiveDir.cer -keystore C:\mydir\java\jre\lib\security\cacerts -storepass changeit

      Note:

      changeit is the default password for the cacerts file shipped with the Sun JVM. This may differ depending on the JVM that you are using.


  3. In the command prompt window, when you are prompted to specify whether or not you want to trust this certificate, enter yes.


  4. To confirm whether or not the certificate has been imported successfully, enter a command similar to the following:

    keytool -list -alias alias -keystore my_cacerts -storepass password

    For the example given in Step 2, use the following command to confirm that the certificate was imported successfully, and look for the alias, ADCert, that you provided when importing the certificate into the keystore:

    keytool -list -alias ADCert -keystore C:\mydir\java\jre\lib\security\cacerts -storepass changeit


  5. Perform this step only if you are registering the certificate file in a new certificate store.

    Add the following line to the jre\lib\security\java.security file:

    security.provider.N=com.sun.net.ssl.internal.ssl.Provider

    In this line, N is a number that is not in use in the file.


  6. Restart JBoss.

    At this point you are ready to create the user directory in idmmanage, by file or by wizard, and select the checkbox for a secure connection.


For Virtual Appliance (vApp) deployments

The process is essentially the same: use keytool to add certificates for external components or applications.

The path to the cacerts file for 14.4 and 14.5 is:
          /opt/CA/openjdk1.8/jre/lib/security/cacerts

On the vApp, the Java keystore is writable by the config user.
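The import and verification from Steps 2 to 4 above, as an added example script that is not part of the article: it runs keytool non-interactively (so no typed "yes" is needed), skips the import if the alias already exists, and confirms that the fingerprint of the keystore entry matches the exported .cer file. It assumes the vApp cacerts path from this section, the alias ADCert, a certificate file at /tmp/ActiveDir.cer and the default store password changeit; override any of them via the environment.

```shell
#!/bin/sh
# Added example script (not from the article). Assumed defaults, override via environment.
ALIAS="${ALIAS:-ADCert}"
CER_FILE="${CER_FILE:-/tmp/ActiveDir.cer}"
KEYSTORE="${KEYSTORE:-/opt/CA/openjdk1.8/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"

# The export wizard produces a base-64 (PEM) .cer file; keytool also accepts DER,
# but this guard catches an accidentally copied non-certificate file early.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Reads keytool output on stdin and prints the SHA-256 fingerprint value (first match).
sha256_line() {
    grep 'SHA256' | head -n 1 | sed 's/.*SHA256: *//'
}

# Exit 0 when the alias is already in the keystore; keytool exits non-zero otherwise.
alias_present() {
    keytool -list -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" >/dev/null 2>&1
}

import_ad_cert() {
    is_pem_cert "$CER_FILE" || { echo "not a base-64 certificate: $CER_FILE" >&2; return 1; }
    if alias_present; then
        echo "alias $ALIAS already present in $KEYSTORE, skipping import"
    else
        # -noprompt answers the "Trust this certificate?" question from Step 3 with yes.
        keytool -importcert -noprompt -trustcacerts -alias "$ALIAS" -file "$CER_FILE" \
            -keystore "$KEYSTORE" -storepass "$STOREPASS" || return 1
    fi
    # Step 4: confirm the entry exists and that it is the same certificate that was exported.
    file_fp=$(keytool -printcert -file "$CER_FILE" | sha256_line)
    store_fp=$(keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" | sha256_line)
    if [ -z "$file_fp" ] || [ "$file_fp" != "$store_fp" ]; then
        echo "fingerprint mismatch for alias $ALIAS: file=$file_fp store=$store_fp" >&2
        return 1
    fi
    echo "imported $ALIAS with SHA-256 fingerprint $file_fp"
}

# Usage: source this file and run   import_ad_cert   as the config user, then restart JBoss.
```

Passing -storepass on the command line exposes it to other users via the process list; omit the option to be prompted for it instead.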

Additional Information

For Virtual Appliance